Strengthening OCI Security: Zero Trust Packet Routing (ZPR) Now Supported for Bastions
Oracle Cloud Infrastructure – Feature Release (November 19, 2025)
Oracle continues to advance its security-first cloud architecture with a significant enhancement: Zero Trust Packet Routing (ZPR) security attributes can now be added to Bastions. This update enables organizations to enforce fine-grained, identity-aware network controls directly at the packet level, enhancing secure access to critical resources.
With this capability, ZPR policy is evaluated in addition to Network Security Groups (NSGs) and security lists: traffic to or from a bastion that carries security attributes must be permitted by the ZPR policy and by the existing NSG or security-list rules. Architects gain an attribute-based control layer on top of IP-based rules when implementing Zero Trust principles: never trust, always verify.
What This Update Means
Bastions act as controlled and audited access points for administrators managing private resources. With ZPR support, OCI customers can now:
- Attach ZPR security attributes to Bastions
- Define attribute-based policies for resource-to-resource communication
- Enforce identity-aware packet routing across the network
- Maintain security even if underlying network configurations change
This elevates bastion security from traditional perimeter-based controls to a modern Zero Trust access model.
Prerequisites Before Enabling ZPR on Bastions
Before adding Zero Trust Packet Routing attributes to a bastion, ensure the following prerequisites are completed:
1. Enable Zero Trust Packet Routing in the OCI Region
ZPR must be enabled for your tenancy within the target region. Without this, you cannot attach security attributes or enforce ZPR-based traffic evaluations.
2. Create Zero Trust Packet Routing (ZPR) Policies
You must define ZPR policies that specify:
- Which resources can communicate
- Which security attributes govern that communication
- Allow rules based on resource identity and attributes (ZPR is default-deny: resources that carry security attributes can only communicate when a policy statement explicitly allows it)
These policies act as the foundation for how OCI evaluates traffic at the packet level.
Once ZPR is enabled and policies are in place, you can proceed to configure ZPR attributes on bastions.
How to Add ZPR Security Attributes to an OCI Bastion
OCI provides a simple console workflow to add, update, or remove security attributes.
Steps in the Console
1. Go to the Bastions list
Open the Bastions list page and identify the bastion you want to configure.
2. Access the Actions menu
Click the three dots (…) next to the bastion and choose Manage security attributes.
3. Add or update security attributes
- To add: select Add security attribute (up to three attributes allowed).
- To update: modify existing attributes in the row.
- To remove: click Delete Row next to an attribute.
4. Save your changes
Select Update to apply the configuration.
Once added, you can view and verify the security attributes under the Security tab of the bastion’s details page.
How ZPR Works in Practice
With security attributes applied:
- Traffic between the bastion and a target resource that carries security attributes is allowed only when a ZPR policy statement matches the attributes on both ends
- Every packet is evaluated against the ZPR policy, not only the initial connection
- ZPR enforcement remains consistent even if the VCN, NSGs, or subnet configurations change
- Identity-based controls limit lateral movement and reduce the risk from misconfigurations
This ensures a resilient security posture aligned with Zero Trust models.
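The following Python is an added example, not Oracle's code or a tool from the OCI SDK. It ties the console procedure above to the policy model: it builds the security-attribute document for a bastion (the nested namespace/key/value/mode shape OCI uses for ZPR-attributed resources), enforces the three-attribute limit from the console workflow, and renders the ZPL allow statement that must exist before the bastion can reach an attributed target over SSH. The namespaces (app, net), keys (role, env, vcn), values and the placeholder OCID are constructed for illustration, and the ZPL statement syntax is reproduced from memory as an assumption; verify it against the ZPR policy language reference before deploying.

```python
"""Added example (not Oracle's code): build an OCI bastion's ZPR security-attribute
payload, enforce the console's three-attribute limit, and render the matching
ZPL allow statement. All namespaces, keys and values are constructed samples."""
import json
from typing import Dict, List, Tuple

MAX_BASTION_ATTRIBUTES = 3          # limit stated in the console workflow
VALID_MODES = ("enforce", "audit")  # modes used by OCI security attributes


def parse_attribute(spec: str) -> Tuple[str, str, str]:
    """Split 'namespace:key=value' into (namespace, key, value).

    'app:role=bastion' -> ('app', 'role', 'bastion'). The namespace and key are
    assumed to already exist in the tenancy; only the shape is validated here.
    """
    ns_key, sep, value = spec.partition("=")
    ns, sep2, key = ns_key.partition(":")
    if not (sep and sep2 and ns and key and value):
        raise ValueError(f"expected namespace:key=value, got {spec!r}")
    return ns, key, value


def build_security_attributes(specs: List[str], mode: str = "enforce") -> Dict:
    """Build the nested security-attributes document:
    {namespace: {key: {"value": ..., "mode": ...}}}.

    Rejects more than three attributes (the console's limit for a bastion),
    an unknown mode, and two specs that set the same namespace:key.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    if len(specs) > MAX_BASTION_ATTRIBUTES:
        raise ValueError(
            f"a bastion takes at most {MAX_BASTION_ATTRIBUTES} security attributes"
        )
    doc: Dict[str, Dict[str, Dict[str, str]]] = {}
    for spec in specs:
        ns, key, value = parse_attribute(spec)
        if key in doc.get(ns, {}):
            raise ValueError(f"duplicate attribute {ns}:{key}")
        doc.setdefault(ns, {})[key] = {"value": value, "mode": mode}
    return doc


def zpl_allow_statement(vcn_attr: str, src_attr: str, dst_attr: str,
                        protocol: str) -> str:
    """Render the ZPL statement allowing src_attr endpoints to reach dst_attr
    endpoints inside the VCN carrying vcn_attr.

    ZPL has allow statements only; attributed resources with no matching allow
    statement cannot talk to each other. The statement layout below is an
    assumption reproduced from memory; check it against the ZPL reference.
    """
    def ref(spec: str) -> str:
        ns, key, value = parse_attribute(spec)
        return f"{ns}:{key}:{value}"

    return (
        f"in {ref(vcn_attr)} VCN allow {ref(src_attr)} endpoints "
        f"to connect to {ref(dst_attr)} endpoints with protocol='{protocol}'"
    )


if __name__ == "__main__":
    # Constructed sample: a prod bastion that must reach prod database hosts on SSH.
    bastion_attrs = build_security_attributes(["app:role=bastion", "app:env=prod"])
    print(json.dumps(bastion_attrs, indent=2))
    print(zpl_allow_statement("net:vcn=prod", "app:role=bastion",
                              "app:role=db", "tcp/22"))
    try:
        build_security_attributes(["a:b=1", "a:c=2", "a:d=3", "a:e=4"])
    except ValueError as err:
        print("rejected:", err)
```

The target resource (here, the database host) needs its own `app:role=db` attribute in enforce mode, and the NSG or security list on that host must still permit TCP/22 from the bastion's subnet; the ZPL statement adds a second gate rather than replacing the first.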
Benefits for Cloud Architects and Security Teams
Enabling ZPR for bastions brings several advantages:
- Stronger identity-aware controls for administrative access
- Reduced dependence on static security rules
- Protection against misconfigurations and unintended access paths
- Greater alignment with modern Zero Trust frameworks
- Scalable, policy-driven architecture
Whether you're managing multi-tier applications, regulated workloads, or sensitive data environments, ZPR offers a consistent and secure foundation.
Conclusion
Oracle’s introduction of ZPR for Bastions marks an important evolution in cloud network security. By shifting from IP-based controls to attribute-based Zero Trust policies, OCI delivers a more dynamic, resilient, and secure way to manage access.
For organizations seeking to harden their OCI environments, this feature is a significant opportunity to adopt a stronger, more scalable Zero Trust architecture.