Claude
Skills
Sign in
Back

oraclecloud-core-workflow-b

Included with Lifetime
$97 forever

Build OCI networking from scratch — VCN, subnets, gateways, and security rules. Use when creating a new VCN, debugging connectivity issues, or setting up security lists and NSGs. Trigger with "oci networking", "vcn setup", "security list", "nsg rules", "oci subnet".

Securitysaasoraclecloudoci

What this skill does

# OCI Networking — VCN, Subnets & Security Rules

## Overview

Build a working OCI network from scratch using the Python SDK. OCI networking (VCN, subnets, security lists, NSGs, gateways) has more moving parts than AWS VPC. A misconfigured security list silently drops traffic with no error — just timeouts. This skill creates a complete network topology with public and private subnets, internet and NAT gateways, route tables, and Network Security Groups (NSGs).

**Purpose:** Build a production-ready VCN with proper routing and security rules that actually works on first deploy.

## Prerequisites

- **OCI Python SDK** — `pip install oci`
- **Config file** at `~/.oci/config` with fields: `user`, `fingerprint`, `tenancy`, `region`, `key_file`
- **IAM policy** — `Allow group Developers to manage virtual-network-family in compartment <name>`
- **Python 3.8+**

## Instructions

### Step 1: Create the VCN

```python
import oci

config = oci.config.from_file("~/.oci/config")
network = oci.core.VirtualNetworkClient(config)

vcn = network.create_vcn(
    oci.core.models.CreateVcnDetails(
        compartment_id=config["tenancy"],
        display_name="app-vcn",
        cidr_blocks=["10.0.0.0/16"],
        dns_label="appvcn",
    )
).data
print(f"VCN created: {vcn.id}")
```

### Step 2: Create Internet Gateway and NAT Gateway

The internet gateway handles inbound/outbound traffic for public subnets. The NAT gateway gives private subnets outbound-only internet access.

```python
# Internet Gateway (for public subnets)
igw = network.create_internet_gateway(
    oci.core.models.CreateInternetGatewayDetails(
        compartment_id=config["tenancy"],
        vcn_id=vcn.id,
        display_name="app-igw",
        is_enabled=True,
    )
).data

# NAT Gateway (for private subnets — outbound only)
nat = network.create_nat_gateway(
    oci.core.models.CreateNatGatewayDetails(
        compartment_id=config["tenancy"],
        vcn_id=vcn.id,
        display_name="app-nat",
    )
).data
print(f"IGW: {igw.id}\nNAT: {nat.id}")
```

### Step 3: Create Route Tables

```python
# Public route table — all traffic via internet gateway
public_rt = network.create_route_table(
    oci.core.models.CreateRouteTableDetails(
        compartment_id=config["tenancy"],
        vcn_id=vcn.id,
        display_name="public-rt",
        route_rules=[
            oci.core.models.RouteRule(
                network_entity_id=igw.id,
                destination="0.0.0.0/0",
                destination_type="CIDR_BLOCK",
            )
        ],
    )
).data

# Private route table — all traffic via NAT gateway
private_rt = network.create_route_table(
    oci.core.models.CreateRouteTableDetails(
        compartment_id=config["tenancy"],
        vcn_id=vcn.id,
        display_name="private-rt",
        route_rules=[
            oci.core.models.RouteRule(
                network_entity_id=nat.id,
                destination="0.0.0.0/0",
                destination_type="CIDR_BLOCK",
            )
        ],
    )
).data
```

### Step 4: Create Network Security Group (NSG)

**Use NSGs instead of security lists.** NSGs attach to VNICs (per-instance) while security lists apply to entire subnets. NSGs are easier to manage and the OCI-recommended approach.

```python
nsg = network.create_network_security_group(
    oci.core.models.CreateNetworkSecurityGroupDetails(
        compartment_id=config["tenancy"],
        vcn_id=vcn.id,
        display_name="app-nsg",
    )
).data

# Add ingress rules — SSH, HTTP, HTTPS
rules = [
    oci.core.models.AddSecurityRuleDetails(
        direction="INGRESS",
        protocol="6",  # TCP
        source="0.0.0.0/0",
        source_type="CIDR_BLOCK",
        tcp_options=oci.core.models.TcpOptions(
            destination_port_range=oci.core.models.PortRange(min=port, max=port)
        ),
        description=desc,
    )
    for port, desc in [(22, "SSH"), (80, "HTTP"), (443, "HTTPS")]
]

# Add egress rule — allow all outbound
rules.append(
    oci.core.models.AddSecurityRuleDetails(
        direction="EGRESS",
        protocol="all",
        destination="0.0.0.0/0",
        destination_type="CIDR_BLOCK",
        description="Allow all outbound",
    )
)

network.add_network_security_group_security_rules(
    network_security_group_id=nsg.id,
    add_network_security_group_security_rules_details=oci.core.models.AddNetworkSecurityGroupSecurityRulesDetails(
        security_rules=rules
    ),
)
print(f"NSG created with {len(rules)} rules: {nsg.id}")
```

### Step 5: Create Public and Private Subnets

```python
identity = oci.identity.IdentityClient(config)
ad = identity.list_availability_domains(compartment_id=config["tenancy"]).data[0].name

# Public subnet
public_subnet = network.create_subnet(
    oci.core.models.CreateSubnetDetails(
        compartment_id=config["tenancy"],
        vcn_id=vcn.id,
        display_name="public-subnet",
        cidr_block="10.0.1.0/24",
        route_table_id=public_rt.id,
        dns_label="pubsub",
        prohibit_public_ip_on_vnic=False,  # Allow public IPs
    )
).data

# Private subnet
private_subnet = network.create_subnet(
    oci.core.models.CreateSubnetDetails(
        compartment_id=config["tenancy"],
        vcn_id=vcn.id,
        display_name="private-subnet",
        cidr_block="10.0.2.0/24",
        route_table_id=private_rt.id,
        dns_label="privsub",
        prohibit_public_ip_on_vnic=True,  # No public IPs
    )
).data

print(f"Public subnet: {public_subnet.id}")
print(f"Private subnet: {private_subnet.id}")
```

### Step 6: Verify Connectivity

```python
# List all subnets in the VCN to confirm setup
subnets = network.list_subnets(
    compartment_id=config["tenancy"],
    vcn_id=vcn.id
).data

for s in subnets:
    print(f"{s.display_name} | {s.cidr_block} | Public IPs: {not s.prohibit_public_ip_on_vnic}")
```

## Output

Successful completion produces:

- A VCN with a /16 CIDR block and DNS resolution enabled
- Internet gateway (public traffic) and NAT gateway (private outbound)
- Separate route tables for public and private subnets
- An NSG with SSH (22), HTTP (80), and HTTPS (443) ingress rules
- Public and private subnets with correct routing

## Error Handling

| Error | Code | Cause | Solution |
|-------|------|-------|----------|
| Not authorized | 404 NotAuthorizedOrNotFound | Missing IAM policy for virtual-network-family | Add policy: `Allow group X to manage virtual-network-family in compartment Y` |
| CIDR overlap | 400 InvalidParameter | Subnet CIDR conflicts with existing subnet | Use non-overlapping /24 blocks within the VCN /16 range |
| Limit exceeded | 400 LimitExceeded | VCN or subnet limit reached | Check limits in Console > Governance > Limits; request increase |
| Silent traffic drop | N/A | Security list or NSG missing ingress rule | Check NSG rules — OCI drops unmatched traffic with no ICMP unreachable |
| Not authenticated | 401 NotAuthenticated | Bad API key or config | Verify `~/.oci/config` key_file and fingerprint |
| Rate limited | 429 TooManyRequests | Too many API calls | Add backoff; OCI does not return Retry-After header |

**Debugging silent drops:** If traffic times out, check in this order: (1) NSG ingress rules, (2) security list rules, (3) route table entries, (4) gateway exists and is enabled. OCI applies security lists AND NSGs — traffic must pass both.

## Examples

**Quick VCN list via CLI:**

```bash
oci network vcn list \
  --compartment-id <OCID> \
  --query "data[*].{Name:\"display-name\",CIDR:\"cidr-blocks\"}" \
  --output table
```

**Check NSG rules for debugging:**

```python
rules = network.list_network_security_group_security_rules(
    network_security_group_id=nsg.id
).data
for r in rules:
    print(f"{r.direction} | {r.protocol} | {r.source or r.destination} | {r.description}")
```

## Resources

- [VCN Overview](https://docs.oracle.com/en-us/iaas/Content/) — networking concepts and best practices
- [Python SDK Reference](https://docs.oracle.com/en-us/iaas/tools/pyth
Files: 2
Size: 10.6 KB
Complexity: 29/100
Category: Security
Source: https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/main/plugins/saas-packs/oraclecloud-pack/skills/oraclecloud-core-workflow-b

Related in Security

mac-ops

Included

Comprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.

Securityscripts

a11y-audit

Included

Run accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).

Securityscripts

erpclaw

Included

AI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.

Securityscripts

assess

Included

Assesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.

Securityscripts

spring-boot-security-jwt

Included

Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.

Securityscripts

code-hardcode-audit

Included

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Securityscripts
Sign up & unlock — $97