Introduction
As organizations move critical workloads to the cloud, traditional perimeter-based security models are no longer sufficient. Modern cloud environments are highly dynamic, distributed, and interconnected, requiring security to be embedded directly into the architecture rather than applied as an afterthought. Oracle Cloud Infrastructure (OCI) is designed with this reality in mind, emphasizing strong network isolation, explicit access control, and layered security enforcement.
A foundational concept within this design is the separation of Trust and Untrust. These concepts define how traffic is classified, how access is granted, and how risks are mitigated across the OCI environment. Rather than relying solely on a single security device, OCI enforces Trust and Untrust boundaries using native networking components such as Virtual Cloud Networks (VCNs), subnets, route tables, and security rules.
Understanding and correctly implementing Trust and Untrust is essential for building secure, scalable, and compliant OCI architectures.
Understanding Trust and Untrust in OCI
In OCI:
- Trust represents networks and resources that are internal, controlled, and governed within an OCI tenancy.
- Untrust represents external or unknown networks that must never be trusted by default.
OCI aligns with Zero Trust security principles, which assume that no network—internal or external—should be automatically trusted.
This approach enforces the following behaviours:
- No traffic is implicitly allowed
- Every connection must be explicitly defined
- Even internal traffic is authenticated, segmented, and controlled
Instead of relying on a single perimeter firewall, OCI distributes security enforcement across multiple layers of the network architecture.
Trust Domains in OCI Architecture
Trust domains consist of internal components that should not be directly exposed to external networks. These domains typically include:
- Private subnets
- Application tiers
- Database tiers
- Internal service-to-service communication
- Backend and management networks
These networks operate within a controlled boundary and are protected from direct internet access by default.
Key Characteristics of Trust Networks
Trust networks in OCI exhibit the following characteristics:
- Traffic is restricted, not open
- Access is governed by Network Security Groups (NSGs) or Security Lists
- Primarily used for east–west traffic
- Designed using least-privilege access principles
Even within a trusted zone, OCI does not permit unrestricted communication. Explicit ingress and egress rules are required to allow traffic between resources.
Example:
Application Subnet → Database Subnet
Only required ports, such as database listener ports, should be allowed, while all other traffic remains blocked.
Untrust Domains in OCI Architecture
Untrust domains represent all traffic sources that originate outside controlled internal networks. These sources are treated as potentially hostile unless explicitly permitted.
Common Untrust sources include:
- Internet traffic
- Public IP addresses
- Public Load Balancers
- External partner networks
- On-premises networks (depending on security posture)
Key Characteristics of Untrust Networks
Untrust networks have the following attributes:
- No default access to internal resources
- Traffic must pass explicit ingress rules
- Higher exposure to threats
- Require strict inspection, monitoring, and logging
Example:
Internet → Public Load Balancer → Application Subnet
Only required protocols and ports should be permitted, and backend systems must remain isolated within trusted zones.
How OCI Natively Enforces Trust and Untrust
OCI enforces Trust and Untrust without requiring a firewall, using built-in networking constructs that collectively define security boundaries.
Virtual Cloud Network (VCN)
The VCN acts as the primary trust boundary in OCI. All resources within a VCN are isolated from other networks unless explicitly connected using gateways or peering.
Subnets
Subnets further define trust levels within a VCN:
- Private Subnets → Trust
- Public Subnets → Closer to Untrust
Private subnets have no direct internet access, while public subnets enable controlled exposure through routing and security rules.
Route Tables
Route tables control how traffic flows between Trust and Untrust zones:
- Internet Gateway routes expose traffic to Untrust
- NAT Gateway routes allow controlled outbound access
- Dynamic Routing Gateway (DRG) routes connect external networks
Routing decisions are critical in determining whether traffic remains within trusted boundaries or crosses into untrusted space.
Network Security Groups and Security Lists
NSGs and Security Lists enforce Trust and Untrust at the packet level:
- Ingress rules control Untrust → Trust traffic
- Egress rules control Trust → Untrust traffic
By default, OCI follows a deny-all model, ensuring that no traffic is allowed unless explicitly defined.
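The following is an added illustration, not code from the article or from OCI itself: a small Python model of how stateful security rules decide the Application Subnet → Database Subnet flow described earlier. The NSG names, CIDRs and port numbers are constructed sample values; the simplified rule shape is an assumption and is not the OCI SDK's data model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str              # "INGRESS" or "EGRESS"
    cidr: str                   # source CIDR (ingress) or destination CIDR (egress)
    protocol: str               # "tcp", "udp", "icmp" or "all"
    ports: tuple = (1, 65535)   # inclusive destination port range

def rule_matches(rule, peer_ip, protocol, port):
    """True when one rule covers the peer address, the protocol and the port."""
    if ip_address(peer_ip) not in ip_network(rule.cidr):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    return rule.ports[0] <= port <= rule.ports[1]

def flow_allowed(nsgs, src_nsg, src_ip, dst_nsg, dst_ip, protocol, port):
    """Deny by default: the destination's INGRESS rules must match, and a source that
    sits inside an NSG (src_nsg not None) must also have a matching EGRESS rule.
    An Untrust source (src_nsg=None) is checked against destination ingress only."""
    ingress_ok = any(rule_matches(r, src_ip, protocol, port)
                     for r in nsgs[dst_nsg] if r.direction == "INGRESS")
    if src_nsg is None:
        return ingress_ok
    egress_ok = any(rule_matches(r, dst_ip, protocol, port)
                    for r in nsgs[src_nsg] if r.direction == "EGRESS")
    return ingress_ok and egress_ok

# Constructed sample: LB subnet 10.0.1.0/24, app tier 10.0.2.0/24, DB tier 10.0.3.0/24.
NSGS = {
    "app-nsg": [Rule("INGRESS", "10.0.1.0/24", "tcp", (8443, 8443)),   # only the LB subnet reaches the app
                Rule("EGRESS", "10.0.3.0/24", "tcp", (1521, 1521))],   # app may only reach the DB listener
    "db-nsg":  [Rule("INGRESS", "10.0.2.0/24", "tcp", (1521, 1521))],  # listener open to the app tier only
}

if __name__ == "__main__":
    # App -> DB listener: allowed; App -> DB over SSH: denied (no matching rule on either side)
    print(flow_allowed(NSGS, "app-nsg", "10.0.2.15", "db-nsg", "10.0.3.10", "tcp", 1521))  # True
    print(flow_allowed(NSGS, "app-nsg", "10.0.2.15", "db-nsg", "10.0.3.10", "tcp", 22))    # False
    # Untrust source straight to the DB listener: denied, the ingress CIDR does not cover it
    print(flow_allowed(NSGS, None, "203.0.113.7", "db-nsg", "10.0.3.10", "tcp", 1521))     # False
```

NSGs start with no rules, but the default security list that OCI creates with a new VCN is not empty (it allows SSH ingress from 0.0.0.0/0 and unrestricted egress), so review it rather than assume it is deny-all.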
Public vs Private Access as Trust Indicators
In OCI, public accessibility does not equate to trust.
- Public Load Balancers act as Untrust entry points
- Backend application servers remain within Trust zones
- Databases and backend services should never be directly accessible from Untrust
This layered access model ensures that exposure is limited strictly to what is required.
Role of OCI Network Firewall (Optional Layer)
OCI Network Firewall does not define Trust and Untrust—it enhances enforcement by adding advanced inspection capabilities.
It provides:
- Layer-7 traffic inspection
- Intrusion detection and threat prevention
- Advanced traffic logging and visibility
While optional, it is beneficial for environments with regulatory requirements, high-risk internet exposure, or complex inbound traffic patterns. Even without a firewall, Trust and Untrust boundaries are fully enforced through OCI’s native controls.
Trust and Untrust for Traffic Flows
OCI environments must secure both traffic patterns:
- North–South Traffic: traffic entering or leaving OCI (Untrust ↔ Trust)
- East–West Traffic: internal traffic between services (Trust ↔ Trust)
Both traffic types require strong controls. Neglecting east–west security increases the risk of lateral movement during a security incident.
Best Practices for Trust and Untrust Design in OCI
- Use private subnets by default
- Expose applications only through Load Balancers
- Never expose databases or backend services to Untrust
- Apply least-privilege rules in NSGs
- Segment application tiers into distinct trust zones
- Enable logging selectively to balance visibility and cost
Common Design Mistakes
- Treating public subnets as trusted
- Allowing wide CIDR ranges in ingress rules
- Granting direct internet access to backend systems
- Over-trusting internal traffic
- Mixing management and application traffic
These design flaws weaken security posture and increase risk exposure.
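As an added example (not part of the original article), the Python check below flags four of the mistakes listed above in a set of ingress rules and route rules: Untrust reaching a non-LB tier, wide source CIDRs into private subnets, a public subnet treated as trusted, and a backend subnet routed to an Internet Gateway. The subnet names, CIDRs, port numbers and the simplified record shapes are constructed assumptions, not OCI SDK objects.

```python
from ipaddress import ip_network

DB_PORTS = {1521, 1522, 3306, 5432}   # listener ports that must stay inside Trust
ANYWHERE = ip_network("0.0.0.0/0")
ALL_PORTS = (1, 65535)

def audit(subnets, ingress_rules, routes, max_ingress_prefix=16):
    """Return (subnet, message) findings for rules and routes that break Trust/Untrust design."""
    findings = []
    app_cidrs = [ip_network(s["cidr"]) for s in subnets.values() if s["tier"] == "app"]
    public_cidrs = [ip_network(s["cidr"]) for s in subnets.values() if not s["private"]]
    for r in ingress_rules:
        sub, src, (lo, hi) = subnets[r["subnet"]], ip_network(r["source"]), r["ports"]
        tier = sub["tier"]
        if src == ANYWHERE and tier != "lb":                       # only the LB tier faces Untrust
            findings.append((r["subnet"], f"Untrust (0.0.0.0/0) ingress to {tier} tier, ports {lo}-{hi}"))
        elif src.prefixlen < max_ingress_prefix and sub["private"]:  # wide CIDR into a private subnet
            findings.append((r["subnet"], f"wide source CIDR {src} into private subnet"))
        if tier == "db" and any(lo <= p <= hi for p in DB_PORTS) \
                and not any(src.subnet_of(c) for c in app_cidrs):  # listener open beyond the app tier
            findings.append((r["subnet"], f"database listener reachable from {src}"))
        if src in public_cidrs and (lo, hi) == ALL_PORTS:            # public subnet treated as trusted
            findings.append((r["subnet"], f"all ports open from public subnet {src}"))
    for rt in routes:
        if subnets[rt["subnet"]]["private"] and rt["target"] == "INTERNET_GATEWAY":
            findings.append((rt["subnet"], "private subnet routes to an Internet Gateway"))
    return findings

# Constructed sample topology: public LB subnet, private app and DB tiers.
SUBNETS = {
    "lb":  {"cidr": "10.0.1.0/24", "tier": "lb",  "private": False},
    "app": {"cidr": "10.0.2.0/24", "tier": "app", "private": True},
    "db":  {"cidr": "10.0.3.0/24", "tier": "db",  "private": True},
}
INGRESS = [
    {"subnet": "lb",  "source": "0.0.0.0/0",   "ports": (443, 443)},    # expected: LB is the Untrust entry point
    {"subnet": "app", "source": "10.0.1.0/24", "ports": (1, 65535)},    # mistake: public subnet treated as trusted
    {"subnet": "db",  "source": "10.0.0.0/8",  "ports": (1521, 1521)},  # mistake: wide CIDR into the DB tier
    {"subnet": "db",  "source": "0.0.0.0/0",   "ports": (22, 22)},      # mistake: Untrust reaching a backend
]
ROUTES = [
    {"subnet": "lb",  "destination": "0.0.0.0/0", "target": "INTERNET_GATEWAY"},
    {"subnet": "app", "destination": "0.0.0.0/0", "target": "NAT_GATEWAY"},      # controlled outbound only
    {"subnet": "db",  "destination": "0.0.0.0/0", "target": "INTERNET_GATEWAY"}, # mistake: backend on the internet
]

if __name__ == "__main__":
    for subnet, message in audit(SUBNETS, INGRESS, ROUTES):
        print(f"{subnet}: {message}")
```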
Why Trust and Untrust Matter
A well-defined Trust and Untrust architecture:
- Reduces overall attack surface
- Limits blast radius during incidents
- Improves audit and compliance readiness
- Simplifies governance and troubleshooting
- Aligns with Zero Trust security principles
OCI’s native networking model encourages this approach from the ground up.
Conclusion
Trust and Untrust in Oracle Cloud Infrastructure are core architectural concepts, not optional security features. They are enforced through VCNs, subnets, route tables, and security rules, forming the foundation of a secure cloud environment.
By clearly defining trusted and untrusted zones, organizations can build OCI environments that are secure, resilient, and scalable—regardless of whether additional firewall services are deployed.