Skip to content

Network Abstractions

cloudspells.core.abstractions.network

Cloud-neutral network abstractions for CloudSpells multi-cloud support.

Defines the security-rule dataclasses, factory helpers, and network interfaces that decouple spells (Compute, OKE, ScalableWorkload) from any specific cloud provider. Each provider translates these descriptors into its own firewall model (OCI SecurityList, AWS Security Group, GCP Firewall Rule).

Typical usage:

from cloudspells.core.abstractions.network import (
    SecurityRules, INTERNET, CLOUD_SERVICES,
    tcp_ingress, all_egress,
)
from cloudspells.core.ports import HTTPS, HTTP, SSH, POSTGRES

vcn.add_security_rules(SecurityRules(
    public_ingress=[
        tcp_ingress(HTTPS, INTERNET),
        tcp_ingress(HTTP,  INTERNET),
        tcp_ingress(SSH,   INTERNET),
    ],
    private_ingress=[
        tcp_ingress(app_port, vcn.get_public_subnet_cidr()),
        tcp_ingress(SSH,      vcn.get_public_subnet_cidr()),
    ],
    private_egress=[
        all_egress(CLOUD_SERVICES),
        all_egress(INTERNET),
    ],
    secure_ingress=[
        tcp_ingress(POSTGRES, vcn.get_private_subnet_cidr()),
        tcp_ingress(SSH,      vcn.get_private_subnet_cidr()),
    ],
    secure_egress=[all_egress(CLOUD_SERVICES)],
))
Exports

INTERNET: Symbolic source/destination meaning 0.0.0.0/0. CLOUD_SERVICES: Symbolic destination meaning cloud-managed service endpoints. IngressRule: Cloud-neutral inbound security rule descriptor. EgressRule: Cloud-neutral outbound security rule descriptor. SecurityRules: Accumulated rules for all four subnet tiers. AbstractNetwork: Builder interface for cloud networks. AbstractNetworkRef: Read-only reference to a network in another stack. tcp_ingress: Build a TCP ingress rule from any source (CIDR, subnet ref, or INTERNET). tcp_egress: Build a TCP egress rule to any destination. all_egress: Build an all-protocol egress rule to any destination.

INTERNET: str = '0.0.0.0/0' module-attribute

CIDR representing the public internet. Works as source or destination in tcp_ingress, all_egress, and tcp_egress.

CLOUD_SERVICES: str = 'cloud-services' module-attribute

Symbolic destination resolving to cloud-managed service endpoints.

Resolves to the OCI Service Gateway CIDR (SERVICE_CIDR_BLOCK) on OCI, or the equivalent managed-prefix on other clouds.

IngressRule dataclass

Cloud-neutral inbound security rule descriptor.

Provider implementations translate this into their native firewall construct. The source field supports both literal CIDRs and the following symbolic names that each provider resolves internally:

  • "internet"0.0.0.0/0 on all providers.
  • "cloud-services" — OCI Service Gateway CIDR, AWS managed-prefix list, or GCP Private Service Access range.

Attributes:

Name Type Description
protocol str

Transport protocol: "tcp", "udp", or "all".
source Input[str]

Source CIDR block or symbolic name.
port_min int | None

First TCP/UDP port in the allowed range (inclusive). None means no port restriction.
port_max int | None

Last TCP/UDP port in the allowed range (inclusive). None means no port restriction.
description str

Human-readable description of the rule's purpose.
Example 
# Allow SSH from the public subnet CIDR
rule = IngressRule(
    protocol="tcp",
    source="10.0.0.0/19",
    port_min=22,
    port_max=22,
    description="SSH from bastion host",
)
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
@dataclass
class IngressRule:
    """Cloud-neutral inbound security rule descriptor.

    Provider implementations translate this into their native firewall
    construct.  The `source` field supports both literal CIDRs and the
    following symbolic names that each provider resolves internally:

    - `"internet"`       — `0.0.0.0/0` on all providers.
    - `"cloud-services"` — OCI Service Gateway CIDR, AWS managed-prefix
      list, or GCP Private Service Access range.

    Attributes:
        protocol: Transport protocol: `"tcp"`, `"udp"`, or `"all"`.
        source: Source CIDR block or symbolic name.
        port_min: First TCP/UDP port in the allowed range (inclusive).
            `None` means no port restriction.
        port_max: Last TCP/UDP port in the allowed range (inclusive).
            `None` means no port restriction.
        description: Human-readable description of the rule's purpose.

    Example:
        ```python
        # Allow SSH from the public subnet CIDR
        rule = IngressRule(
            protocol="tcp",
            source="10.0.0.0/19",
            port_min=22,
            port_max=22,
            description="SSH from bastion host",
        )
        ```
    """

    protocol: str
    source: pulumi.Input[str]
    port_min: int | None = None
    port_max: int | None = None
    description: str = ""

EgressRule dataclass

Cloud-neutral outbound security rule descriptor.

Mirrors IngressRule for egress direction. The destination field supports the same symbolic names as IngressRule.source.

Attributes:

Name Type Description
protocol str

Transport protocol: "tcp", "udp", or "all".
destination Input[str]

Destination CIDR block or symbolic name.
port_min int | None

First TCP/UDP port in the allowed range (inclusive). None means no port restriction.
port_max int | None

Last TCP/UDP port in the allowed range (inclusive). None means no port restriction.
description str

Human-readable description of the rule's purpose.
Example 
# Allow HTTPS egress to OCI-managed services
rule = EgressRule(
    protocol="tcp",
    destination="cloud-services",
    port_min=443,
    port_max=443,
    description="HTTPS to OCI services",
)
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
@dataclass
class EgressRule:
    """Cloud-neutral outbound security rule descriptor.

    Mirrors `IngressRule` for egress direction.  The `destination`
    field supports the same symbolic names as `IngressRule.source`.

    Attributes:
        protocol: Transport protocol: `"tcp"`, `"udp"`, or `"all"`.
        destination: Destination CIDR block or symbolic name.
        port_min: First TCP/UDP port in the allowed range (inclusive).
            `None` means no port restriction.
        port_max: Last TCP/UDP port in the allowed range (inclusive).
            `None` means no port restriction.
        description: Human-readable description of the rule's purpose.

    Example:
        ```python
        # Allow HTTPS egress to OCI-managed services
        rule = EgressRule(
            protocol="tcp",
            destination="cloud-services",
            port_min=443,
            port_max=443,
            description="HTTPS to OCI services",
        )
        ```
    """

    protocol: str
    destination: pulumi.Input[str]
    port_min: int | None = None
    port_max: int | None = None
    description: str = ""

SecurityRules dataclass

Accumulated cloud-neutral security rules for all four subnet tiers.

Spells call AbstractNetwork.add_security_rules with a populated SecurityRules instance. The network implementation translates each IngressRule / EgressRule into provider-specific constructs (OCI SecurityListIngressSecurityRuleArgs, AWS SecurityGroupIngressArgs, etc.) and accumulates them for batch materialisation when AbstractNetwork.finalize_network is called.

Attributes:

Name Type Description
public_ingress list[IngressRule]

Ingress rules for the public (load-balancer) tier.
public_egress list[EgressRule]

Egress rules for the public tier.
private_ingress list[IngressRule]

Ingress rules for the private (app-server) tier.
private_egress list[EgressRule]

Egress rules for the private tier.
secure_ingress list[IngressRule]

Ingress rules for the secure (database) tier.
secure_egress list[EgressRule]

Egress rules for the secure tier.
management_ingress list[IngressRule]

Ingress rules for the management tier.
management_egress list[EgressRule]

Egress rules for the management tier.
Example 
rules = SecurityRules(
    private_ingress=[
        IngressRule(
            protocol="tcp",
            source="10.0.0.0/19",
            port_min=22,
            port_max=22,
            description="SSH from public subnet",
        )
    ],
)
vcn.add_security_rules(rules)
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
@dataclass
class SecurityRules:
    """Accumulated cloud-neutral security rules for all four subnet tiers.

    Spells call `AbstractNetwork.add_security_rules` with a populated
    `SecurityRules` instance.  The network implementation translates each
    `IngressRule` / `EgressRule` into provider-specific constructs (OCI
    `SecurityListIngressSecurityRuleArgs`, AWS `SecurityGroupIngressArgs`,
    etc.) and accumulates them for batch materialisation when
    `AbstractNetwork.finalize_network` is called.

    Attributes:
        public_ingress: Ingress rules for the public (load-balancer) tier.
        public_egress: Egress rules for the public tier.
        private_ingress: Ingress rules for the private (app-server) tier.
        private_egress: Egress rules for the private tier.
        secure_ingress: Ingress rules for the secure (database) tier.
        secure_egress: Egress rules for the secure tier.
        management_ingress: Ingress rules for the management tier.
        management_egress: Egress rules for the management tier.

    Example:
        ```python
        rules = SecurityRules(
            private_ingress=[
                IngressRule(
                    protocol="tcp",
                    source="10.0.0.0/19",
                    port_min=22,
                    port_max=22,
                    description="SSH from public subnet",
                )
            ],
        )
        vcn.add_security_rules(rules)
        ```
    """

    public_ingress: list[IngressRule] = field(default_factory=list)
    public_egress: list[EgressRule] = field(default_factory=list)
    private_ingress: list[IngressRule] = field(default_factory=list)
    private_egress: list[EgressRule] = field(default_factory=list)
    secure_ingress: list[IngressRule] = field(default_factory=list)
    secure_egress: list[EgressRule] = field(default_factory=list)
    management_ingress: list[IngressRule] = field(default_factory=list)
    management_egress: list[EgressRule] = field(default_factory=list)

AbstractNetwork

Bases: ABC

Builder interface for a cloud network with four subnet tiers.

All provider network implementations (OCI Vcn, AWS AwsVpc, GCP GcpVpc) inherit from this class.

The four tiers follow the CloudSpells reference architecture:

  • Public — load balancers, bastion hosts; route to internet gateway.
  • Private — app servers, Kubernetes nodes; route via NAT + service gateway (internet-capable outbound).
  • Secure — databases, secrets; route via service gateway only (no internet path).
  • Management — monitoring agents, VPN endpoints; same isolation as secure.

Typical usage by a spell:

rules = SecurityRules(
    private_ingress=[IngressRule(protocol="tcp", source="...", ...)],
)
network.add_security_rules(rules)
network.finalize_network()  # idempotent

Attributes:

Name Type Description
id Output[str]

Provider resource ID of the network (VCN OCID, VPC ID, etc.).
public_subnet Any | None

Provider subnet object for the public tier, or None before finalize_network is called.
private_subnet Any | None

Provider subnet object for the private tier.
secure_subnet Any | None

Provider subnet object for the secure tier.
management_subnet Any | None

Provider subnet object for the management tier.
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
class AbstractNetwork(ABC):
    """Builder interface for a cloud network with four subnet tiers.

    All provider network implementations (OCI `Vcn`,
    AWS `AwsVpc`, GCP `GcpVpc`) inherit from this class.

    The four tiers follow the CloudSpells reference architecture:

    - **Public** — load balancers, bastion hosts; route to internet gateway.
    - **Private** — app servers, Kubernetes nodes; route via NAT + service
      gateway (internet-capable outbound).
    - **Secure** — databases, secrets; route via service gateway only
      (no internet path).
    - **Management** — monitoring agents, VPN endpoints; same isolation as
      secure.

    Typical usage by a spell:

    ```python
    rules = SecurityRules(
        private_ingress=[IngressRule(protocol="tcp", source="...", ...)],
    )
    network.add_security_rules(rules)
    network.finalize_network()  # idempotent
    ```

    Attributes:
        id: Provider resource ID of the network (VCN OCID, VPC ID, etc.).
        public_subnet: Provider subnet object for the public tier, or
            `None` before `finalize_network` is called.
        private_subnet: Provider subnet object for the private tier.
        secure_subnet: Provider subnet object for the secure tier.
        management_subnet: Provider subnet object for the management tier.
    """

    id: pulumi.Output[str]
    public_subnet: Any | None
    private_subnet: Any | None
    secure_subnet: Any | None
    management_subnet: Any | None

    @abstractmethod
    def add_security_rules(self, rules: SecurityRules) -> None:
        """Accumulate cloud-neutral security rules for later materialisation.

        Translates each `IngressRule` / `EgressRule` into
        provider-specific firewall constructs and merges them into the
        pending rule set.  Does not create any cloud resources; call
        `finalize_network` to materialise.

        Args:
            rules: Cloud-neutral rule descriptors to merge into this
                network's pending rule set.
        """

    @abstractmethod
    def finalize_network(self) -> None:
        """Create subnets and firewall resources from accumulated rules.

        Idempotent — only the first call has effect.  Called automatically
        by every spell (Compute, OKE, ScalableWorkload) after it has
        appended its security rules.
        """

    @abstractmethod
    def get_public_subnet_cidr(self) -> pulumi.Input[str]:
        """Return the CIDR of the public subnet tier.

        Returns:
            `pulumi.Input[str]` resolving to the public subnet CIDR.
        """

    @abstractmethod
    def get_private_subnet_cidr(self) -> pulumi.Input[str]:
        """Return the CIDR of the private subnet tier.

        Returns:
            `pulumi.Input[str]` resolving to the private subnet CIDR.
        """

    @abstractmethod
    def get_secure_subnet_cidr(self) -> pulumi.Input[str]:
        """Return the CIDR of the secure subnet tier.

        Returns:
            `pulumi.Input[str]` resolving to the secure subnet CIDR.
        """

    @abstractmethod
    def get_management_subnet_cidr(self) -> pulumi.Input[str]:
        """Return the CIDR of the management subnet tier.

        Returns:
            `pulumi.Input[str]` resolving to the management subnet CIDR.
        """

    @abstractmethod
    def export(self) -> None:
        """Publish standard network stack outputs."""

add_security_rules(rules: SecurityRules) -> None abstractmethod

Accumulate cloud-neutral security rules for later materialisation.

Translates each IngressRule / EgressRule into provider-specific firewall constructs and merges them into the pending rule set. Does not create any cloud resources; call finalize_network to materialise.

Parameters:

Name Type Description Default
rules SecurityRules

Cloud-neutral rule descriptors to merge into this network's pending rule set.

 required
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
344
345
346
347
348
349
350
351
352
353
354
355
356
@abstractmethod
def add_security_rules(self, rules: SecurityRules) -> None:
    """Accumulate cloud-neutral security rules for later materialisation.

    Translates each `IngressRule` / `EgressRule` into
    provider-specific firewall constructs and merges them into the
    pending rule set.  Does not create any cloud resources; call
    `finalize_network` to materialise.

    Args:
        rules: Cloud-neutral rule descriptors to merge into this
            network's pending rule set.
    """

finalize_network() -> None abstractmethod

Create subnets and firewall resources from accumulated rules.

Idempotent — only the first call has effect. Called automatically by every spell (Compute, OKE, ScalableWorkload) after it has appended its security rules.

Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
358
359
360
361
362
363
364
365
@abstractmethod
def finalize_network(self) -> None:
    """Create subnets and firewall resources from accumulated rules.

    Idempotent — only the first call has effect.  Called automatically
    by every spell (Compute, OKE, ScalableWorkload) after it has
    appended its security rules.
    """

get_public_subnet_cidr() -> pulumi.Input[str] abstractmethod

Return the CIDR of the public subnet tier.

Returns:

Type Description
Input[str]

pulumi.Input[str] resolving to the public subnet CIDR.
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
367
368
369
370
371
372
373
@abstractmethod
def get_public_subnet_cidr(self) -> pulumi.Input[str]:
    """Return the CIDR of the public subnet tier.

    Returns:
        `pulumi.Input[str]` resolving to the public subnet CIDR.
    """

get_private_subnet_cidr() -> pulumi.Input[str] abstractmethod

Return the CIDR of the private subnet tier.

Returns:

Type Description
Input[str]

pulumi.Input[str] resolving to the private subnet CIDR.
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
375
376
377
378
379
380
381
@abstractmethod
def get_private_subnet_cidr(self) -> pulumi.Input[str]:
    """Return the CIDR of the private subnet tier.

    Returns:
        `pulumi.Input[str]` resolving to the private subnet CIDR.
    """

get_secure_subnet_cidr() -> pulumi.Input[str] abstractmethod

Return the CIDR of the secure subnet tier.

Returns:

Type Description
Input[str]

pulumi.Input[str] resolving to the secure subnet CIDR.
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
383
384
385
386
387
388
389
@abstractmethod
def get_secure_subnet_cidr(self) -> pulumi.Input[str]:
    """Return the CIDR of the secure subnet tier.

    Returns:
        `pulumi.Input[str]` resolving to the secure subnet CIDR.
    """

get_management_subnet_cidr() -> pulumi.Input[str] abstractmethod

Return the CIDR of the management subnet tier.

Returns:

Type Description
Input[str]

pulumi.Input[str] resolving to the management subnet CIDR.
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
391
392
393
394
395
396
397
@abstractmethod
def get_management_subnet_cidr(self) -> pulumi.Input[str]:
    """Return the CIDR of the management subnet tier.

    Returns:
        `pulumi.Input[str]` resolving to the management subnet CIDR.
    """

export() -> None abstractmethod

Publish standard network stack outputs.

Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
399
400
401
@abstractmethod
def export(self) -> None:
    """Publish standard network stack outputs."""

AbstractNetworkRef

Bases: ABC

Read-only reference to a network deployed in another Pulumi stack.

add_security_rules and finalize_network are deliberate no-ops — the owning stack manages all firewall rules. Spells accept either AbstractNetwork or AbstractNetworkRef and call both methods unconditionally; the no-ops make VcnRef-style usage safe without extra branching in spell code.

Example 
vcn_ref = OciVcnRef.from_stack_reference("org/platform/prod")
cluster = OkeCluster(name="app", vcn=vcn_ref, ...)
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
class AbstractNetworkRef(ABC):
    """Read-only reference to a network deployed in another Pulumi stack.

    `add_security_rules` and `finalize_network` are deliberate
    no-ops — the owning stack manages all firewall rules.  Spells accept
    either `AbstractNetwork` or `AbstractNetworkRef` and call both methods
    unconditionally; the no-ops make `VcnRef`-style usage safe without
    extra branching in spell code.

    Example:
        ```python
        vcn_ref = OciVcnRef.from_stack_reference("org/platform/prod")
        cluster = OkeCluster(name="app", vcn=vcn_ref, ...)
        ```
    """

    def add_security_rules(self, rules: SecurityRules) -> None:  # noqa: B027
        """No-op — cross-stack refs do not mutate the source network.

        Args:
            rules: Ignored.
        """

    def finalize_network(self) -> None:  # noqa: B027
        """No-op — cross-stack refs do not mutate the source network."""

    @classmethod
    @abstractmethod
    def from_stack_reference(cls, stack_name: str) -> AbstractNetworkRef:
        """Construct a read-only network reference from a stack name.

        Args:
            stack_name: Fully qualified Pulumi stack name
                (e.g. `"org/project/stack"`).

        Returns:
            A populated read-only network reference.
        """

add_security_rules(rules: SecurityRules) -> None

No-op — cross-stack refs do not mutate the source network.

Parameters:

Name Type Description Default
rules SecurityRules

Ignored.

 required
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
420
421
422
423
424
425
def add_security_rules(self, rules: SecurityRules) -> None:  # noqa: B027
    """No-op — cross-stack refs do not mutate the source network.

    Args:
        rules: Ignored.
    """

finalize_network() -> None

No-op — cross-stack refs do not mutate the source network.

Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
427
428
def finalize_network(self) -> None:  # noqa: B027
    """No-op — cross-stack refs do not mutate the source network."""

from_stack_reference(stack_name: str) -> AbstractNetworkRef abstractmethod classmethod

Construct a read-only network reference from a stack name.

Parameters:

Name Type Description Default
stack_name str

Fully qualified Pulumi stack name (e.g. "org/project/stack").

 required

Returns:

Type Description
AbstractNetworkRef

A populated read-only network reference.
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
430
431
432
433
434
435
436
437
438
439
440
441
@classmethod
@abstractmethod
def from_stack_reference(cls, stack_name: str) -> AbstractNetworkRef:
    """Construct a read-only network reference from a stack name.

    Args:
        stack_name: Fully qualified Pulumi stack name
            (e.g. `"org/project/stack"`).

    Returns:
        A populated read-only network reference.
    """

tcp_ingress(port: int, source: pulumi.Input[str], description: str = '') -> IngressRule

Build a TCP ingress rule from any source.

source can be a literal CIDR string, a pulumi.Input[str] subnet reference (e.g. vcn.get_public_subnet_cidr()), or the INTERNET constant for unrestricted internet access.

Parameters:

Name Type Description Default
port int

Destination TCP port number.

 required
source Input[str]

Source CIDR, subnet reference, or INTERNET.

 required
description str

Human-readable description. Defaults to "TCP {port} ingress".

 ''

Returns:

Type Description
IngressRule

IngressRule configured for TCP on port from source.
Example 
tcp_ingress(HTTPS, INTERNET)
tcp_ingress(app_port, vcn.get_public_subnet_cidr())
tcp_ingress(POSTGRES, "10.0.8.0/21")
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
def tcp_ingress(
    port: int,
    source: pulumi.Input[str],
    description: str = "",
) -> IngressRule:
    """Build a TCP ingress rule from any source.

    source can be a literal CIDR string, a `pulumi.Input[str]` subnet
    reference (e.g. `vcn.get_public_subnet_cidr()`), or the
    `INTERNET` constant for unrestricted internet access.

    Args:
        port: Destination TCP port number.
        source: Source CIDR, subnet reference, or `INTERNET`.
        description: Human-readable description.  Defaults to
            `"TCP {port} ingress"`.

    Returns:
        `IngressRule` configured for TCP on port from source.

    Example:
        ```python
        tcp_ingress(HTTPS, INTERNET)
        tcp_ingress(app_port, vcn.get_public_subnet_cidr())
        tcp_ingress(POSTGRES, "10.0.8.0/21")
        ```
    """
    return IngressRule(
        protocol="tcp",
        source=source,
        port_min=port,
        port_max=port,
        description=description or f"TCP {port} ingress",
    )

tcp_egress(port: int, destination: pulumi.Input[str], description: str = '') -> EgressRule

Build a TCP egress rule to a CIDR block or subnet reference.

Parameters:

Name Type Description Default
port int

Destination TCP port number.

 required
destination Input[str]

Destination CIDR or pulumi.Input[str] subnet reference.

 required
description str

Human-readable description. Defaults to "TCP {port} egress".

 ''

Returns:

Type Description
EgressRule

EgressRule configured for TCP on port to destination.
Example 
tcp_egress(db_port, vcn.get_secure_subnet_cidr())
tcp_egress(SSH,     "10.0.0.0/16")
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
def tcp_egress(
    port: int,
    destination: pulumi.Input[str],
    description: str = "",
) -> EgressRule:
    """Build a TCP egress rule to a CIDR block or subnet reference.

    Args:
        port: Destination TCP port number.
        destination: Destination CIDR or `pulumi.Input[str]` subnet
            reference.
        description: Human-readable description.  Defaults to
            `"TCP {port} egress"`.

    Returns:
        `EgressRule` configured for TCP on port to destination.

    Example:
        ```python
        tcp_egress(db_port, vcn.get_secure_subnet_cidr())
        tcp_egress(SSH,     "10.0.0.0/16")
        ```
    """
    return EgressRule(
        protocol="tcp",
        destination=destination,
        port_min=port,
        port_max=port,
        description=description or f"TCP {port} egress",
    )

all_egress(destination: pulumi.Input[str], description: str = '') -> EgressRule

Build an all-protocol egress rule to any destination.

Pass INTERNET for unrestricted outbound via NAT Gateway, or CLOUD_SERVICES for Oracle-managed service endpoints via Service Gateway (no internet path).

Parameters:

Name Type Description Default
destination Input[str]

Destination CIDR, subnet reference, INTERNET, or CLOUD_SERVICES.

 required
description str

Human-readable description. Defaults to "All traffic egress".

 ''

Returns:

Type Description
EgressRule

EgressRule configured for all protocols to destination.
Example 
all_egress(INTERNET)        # outbound via NAT GW
all_egress(CLOUD_SERVICES)  # Oracle Services via Service GW
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/network.py 
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
def all_egress(
    destination: pulumi.Input[str],
    description: str = "",
) -> EgressRule:
    """Build an all-protocol egress rule to any destination.

    Pass `INTERNET` for unrestricted outbound via NAT Gateway, or
    `CLOUD_SERVICES` for Oracle-managed service endpoints via Service
    Gateway (no internet path).

    Args:
        destination: Destination CIDR, subnet reference, `INTERNET`,
            or `CLOUD_SERVICES`.
        description: Human-readable description.  Defaults to
            `"All traffic egress"`.

    Returns:
        `EgressRule` configured for all protocols to destination.

    Example:
        ```python
        all_egress(INTERNET)        # outbound via NAT GW
        all_egress(CLOUD_SERVICES)  # Oracle Services via Service GW
        ```
    """
    return EgressRule(
        protocol="all",
        destination=destination,
        description=description or "All traffic egress",
    )