If you moved workloads to Oracle Cloud Infrastructure (OCI), you already know that opening a port is a multi-layer operation. OCI enforces a strong secure-by-default model.
The 3-layer blocking model
A packet must pass all three layers:
1. Network layer (VCN)
Traffic can be filtered by:
- Security Lists (subnet level)
- Network Security Groups (NSG) (VNIC level)
Common mistake: opening the port in the Security List while the instance's VNIC is actually governed by an NSG that lacks the matching rule.
2. Operating system firewall
Official images often ship with a restrictive firewall by default. iptables evaluates the INPUT chain top-down and stops at the first match, so if your ACCEPT rule sits below a broad REJECT rule it is never reached and traffic is still blocked.
3. Application binding
If a service binds only to 127.0.0.1, it is reachable from the host itself only. For external access it must listen on 0.0.0.0 (all IPv4 interfaces) or :: (all IPv6 interfaces).
Step-by-step solution
Step 1: OCI console
Go to Networking > Virtual Cloud Networks > [VCN] > Security Lists and add an ingress rule:
- Source CIDR: 0.0.0.0/0 (or a restricted IP range)
- Protocol: TCP/UDP
- Destination port: single or range (e.g. 443, 1514-1515)
Step 2: Linux firewall
RHEL / Oracle Linux
Insert the rule at the top of the INPUT chain, then persist it:
sudo iptables -I INPUT 1 -p tcp --dport [YOUR_PORT] -j ACCEPT
sudo iptables-save | sudo tee /etc/sysconfig/iptables
Debian / Ubuntu
sudo ufw allow [YOUR_PORT]/tcp
Step 3: Verify service binding
sudo ss -tulpn | grep [YOUR_PORT]
Correct (listening on all interfaces):
0.0.0.0:[PORT]
:::[PORT]
Wrong (loopback only):
127.0.0.1:[PORT]
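Added example, not from the original post: a POSIX shell script that automates the step 2 and step 3 checks by parsing the text of `iptables -S INPUT` and `ss -tulpn`. It walks the INPUT chain top-down so an ACCEPT placed below a broad REJECT is reported as blocked, and it classifies how the port is bound; the script name oci_port_check.sh and the verdict labels are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): pure-shell checks for layers 2 and 3,
# fed the text of `iptables -S INPUT` and `ss -tulpn`. Protocol is not matched:
# an unscoped REJECT/DROP counts as blocking whatever port you ask about.

# Layer 2: walk INPUT rules top-down, as the kernel does, and print the first
# verdict for PORT: accepted, blocked-by-reject, blocked-by-drop or policy-<x>.
# This is what catches the "ACCEPT placed below a broad REJECT" mistake.
firewall_verdict() {
  printf '%s\n' "$2" | awk -v port="$1" '
    /^-P INPUT / { policy = $3 }
    /^-A INPUT / {
      dport = ""; target = ""; scoped = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "-s" || $i == "-i") scoped = 1      # limited to a source or interface
      }
      if (target != "ACCEPT" && target != "REJECT" && target != "DROP") next  # LOG, chain jumps
      if (dport != "") {                                # rule names a port or a range
        n = split(dport, r, ":"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
        if (port + 0 < lo + 0 || port + 0 > hi + 0) next
      } else if (scoped || target == "ACCEPT") next     # e.g. "-i lo", ESTABLISHED, icmp
      print (target == "ACCEPT" ? "accepted" : ("blocked-by-" tolower(target)))
      done = 1; exit
    }
    END { if (!done) print "policy-" tolower(policy) }'
}

# Layer 3: print how PORT is bound: all-interfaces, loopback-only,
# specific:<addr> (a single non-loopback address) or not-listening.
binding_for_port() {
  printf '%s\n' "$2" | awk -v port="$1" '
    NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
      n = split($5, p, ":"); if (p[n] != port) next
      host = substr($5, 1, length($5) - length(p[n]) - 1); gsub(/\[|\]/, "", host)
      if (host == "0.0.0.0" || host == "::" || host == "*") { print "all-interfaces"; found = 1; exit }
      if (host == "127.0.0.1" || host == "::1") { loopback = 1; next }
      print "specific:" host; found = 1; exit
    }
    END { if (!found) print (loopback ? "loopback-only" : "not-listening") }'
}

# Live use on the instance (as root): sh oci_port_check.sh 1514
if [ "$#" -eq 1 ]; then
  echo "firewall: $(firewall_verdict "$1" "$(iptables -S INPUT)")"
  echo "binding:  $(binding_for_port "$1" "$(ss -tulpn)")"
fi
```

A "blocked-by-reject" verdict for a port you just opened means the ACCEPT rule landed below the catch-all REJECT; re-run the `iptables -I INPUT 1` command from step 2.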
Quick troubleshooting map
External check with nc or telnet:
- Connection Timeout: blocked at OCI layer (Security List/NSG).
- Connection Refused: packet reached host, rejected by OS firewall/service.
- Connected: path is open.
OCI connectivity issues are solved by checking all layers in order:
- OCI network policy (VCN/NSG)
- OS firewall
- Application binding
If one layer is misconfigured, the service remains unreachable.
This post is licensed under CC BY-NC.