The OCI Networking MCP server provides tools to interact with Oracle Cloud Infrastructure networking resources, including Virtual Cloud Networks (VCNs), subnets, security lists, and network security groups.
Installation
uvx oracle.oci-networking-mcp-server
Running the Server
STDIO Transport Mode
uvx oracle.oci-networking-mcp-server
HTTP Streaming Transport Mode
ORACLE_MCP_HOST=<hostname/IP address> ORACLE_MCP_PORT=<port number> uvx oracle.oci-networking-mcp-server
The server provides the following tools for managing networking resources:
| Tool Name | Description |
|---|---|
| list_vcns | List Virtual Cloud Networks (VCNs) in a given compartment |
| get_vcn | Get detailed information about a VCN using its OCID |
| delete_vcn | Delete a VCN using its OCID |
| create_vcn | Create a new Virtual Cloud Network |
| list_subnets | List subnets in a given compartment and VCN |
| get_subnet | Get detailed information about a subnet using its OCID |
| create_subnet | Create a new subnet in a VCN |
| list_security_lists | List security lists in a given VCN and compartment |
| get_security_list | Get a security list using its OCID |
| list_network_security_groups | List network security groups in a compartment and VCN |
| get_network_security_group | Get a network security group using its OCID |
Usage Examples
List All VCNs
List all VCNs in my compartment
Retrieves all Virtual Cloud Networks in your compartment, showing their CIDR blocks, DNS labels, and states.
Create a New VCN
Create a new VCN with CIDR block 10.0.0.0/16 named "production-vcn"
Creates a new Virtual Cloud Network with the specified CIDR block and display name.
Get VCN Details
Show me details for VCN ocid1.vcn.oc1.phx.example
Retrieves comprehensive information about a specific VCN including CIDR blocks, DNS configuration, and routing details.
Working with Subnets
List all subnets in VCN ocid1.vcn.oc1.phx.example
Shows all subnets within a specific VCN, including their CIDR blocks, availability domains, and public/private status.
Create a public subnet with CIDR 10.0.1.0/24 in VCN ocid1.vcn.oc1.phx.example
Creates a new subnet within the specified VCN.
Security Configuration
List all security lists in VCN ocid1.vcn.oc1.phx.example
Retrieves security lists which define ingress and egress rules for instances.
Show me details for security list ocid1.securitylist.oc1.phx.example
Displays the ingress and egress rules configured in a security list.
Network Security Groups
List all network security groups in my compartment
Network Security Groups (NSGs) provide a virtual firewall for your compute instances and other resources.
Get details for NSG ocid1.networksecuritygroup.oc1.phx.example
Shows NSG configuration including associated VNICs and security rules.
Delete a VCN
Delete VCN ocid1.vcn.oc1.phx.example
Destructive Action: Deleting a VCN is permanent. Ensure all dependent resources (subnets, route tables, security lists, gateways) are removed first.
Understanding OCI Networking
Virtual Cloud Network (VCN)
A VCN is a software-defined network you set up in OCI data centers. Key features:
- Customizable private IP address space (RFC 1918)
- Subnets for organizing resources
- Route tables for traffic routing
- Security lists and NSGs for firewalling
- Gateways for internet and on-premises connectivity
Subnets
Subnets subdivide a VCN and can be:
- Public - Resources have public IP addresses and internet access
- Private - Resources use only private IPs, no direct internet access
- Regional - Span all availability domains in a region (recommended)
- AD-specific - Limited to a single availability domain
Security Lists vs Network Security Groups
Security Lists:
- Stateful firewall rules
- Applied at subnet level
- All instances in subnet inherit rules
- Simpler for uniform security policies
Network Security Groups:
- More granular control
- Applied to individual VNICs
- Multiple NSGs per VNIC
- Better for complex multi-tier applications
Authentication
The server uses OCI CLI configuration from ~/.oci/config. Ensure you have:
- OCI CLI installed and configured
- Valid API credentials
- Appropriate IAM permissions for networking operations
Required Permissions
Your OCI user or instance principal needs these IAM permissions:
Allow group NetworkAdmins to manage virtual-network-family in compartment MyCompartment
For read-only access:
Allow group NetworkViewers to inspect virtual-network-family in compartment MyCompartment
Granular permissions:
Allow group NetworkAdmins to manage vcns in compartment MyCompartment
Allow group NetworkAdmins to manage subnets in compartment MyCompartment
Allow group NetworkAdmins to manage security-lists in compartment MyCompartment
Allow group NetworkAdmins to manage network-security-groups in compartment MyCompartment
Security Notice: All actions are performed with the permissions of the configured OCI CLI profile. We advise:
- Least-privilege IAM setup
- Secure credential management
- Safe network practices
- Secure logging
- Never expose secrets in logs or responses
Common Use Cases
Network Planning
- Design VCN CIDR blocks to avoid conflicts
- Plan subnet allocation across availability domains
- Configure routing between subnets and to internet
Security Hardening
- Implement defense-in-depth with security lists and NSGs
- Restrict ingress to only necessary ports
- Use private subnets for backend services
- Enable VCN flow logs for audit
Multi-Tier Architecture
- Create separate subnets for web, app, and database tiers
- Use public subnets for load balancers
- Use private subnets for application and database servers
- Configure security rules between tiers
Hybrid Cloud
- Set up VCN peering for multi-VCN communication
- Configure Site-to-Site VPN or FastConnect
- Design non-overlapping CIDR blocks
- Route traffic between cloud and on-premises
Network Architecture Best Practices
CIDR Block Planning
- Use RFC 1918 private address space
- Plan for growth - don’t use /24 for entire VCN
- Avoid overlapping CIDRs if peering is needed
- Document IP allocation scheme
Subnet Design
- Use regional subnets for high availability
- Separate public and private subnets
- Reserve subnets for future use
- Align subnets with availability domains if needed
Security
- Default deny, explicitly allow needed traffic
- Use NSGs for fine-grained control
- Regularly audit security rules
- Implement network segmentation
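One way to carry out the "restrict ingress" and "regularly audit security rules" items above over a security list's rules. This is an added example, not code from the MCP server; it assumes the rules are available as a dict using the OCI Python SDK field names (`ingress_security_rules`, `source`, `protocol`, `tcp_options`, `udp_options`, `destination_port_range`), and the sensitive-port list and sample data are constructed.

```python
# Ports treated as sensitive for this example (an assumption; adjust to your policy).
SENSITIVE_PORTS = {22: "SSH", 1521: "Oracle DB", 3306: "MySQL", 3389: "RDP"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
OPTION_KEY = {"6": "tcp_options", "17": "udp_options"}  # IANA protocol numbers

def audit_ingress(security_list):
    """Return (rule_index, finding) pairs for ingress rules open to any source."""
    findings = []
    for idx, rule in enumerate(security_list.get("ingress_security_rules") or []):
        if rule.get("source") not in ANY_SOURCE:
            continue
        proto = str(rule.get("protocol", "")).lower()
        if proto == "all":
            findings.append((idx, "all protocols open to any source"))
            continue
        if proto not in OPTION_KEY:
            continue  # ICMP and other protocols are out of scope for this check
        port_range = (rule.get(OPTION_KEY[proto]) or {}).get("destination_port_range")
        if not port_range:
            # No port options on a TCP/UDP rule means every port is allowed.
            findings.append((idx, "all ports open to any source"))
            continue
        hits = [name for port, name in sorted(SENSITIVE_PORTS.items())
                if port_range["min"] <= port <= port_range["max"]]
        if hits:
            findings.append((idx, ", ".join(hits) + " reachable from any source"))
    return findings

def tcp(source, lo, hi):
    """Build a constructed TCP ingress rule for the sample below."""
    return {"source": source, "protocol": "6",
            "tcp_options": {"destination_port_range": {"min": lo, "max": hi}}}

# Constructed sample security list (not real tenancy data).
SAMPLE = {"display_name": "constructed-example", "ingress_security_rules": [
    tcp("0.0.0.0/0", 443, 443),        # public HTTPS: not flagged
    tcp("0.0.0.0/0", 20, 25),          # range that includes SSH
    tcp("10.0.0.0/16", 1521, 1521),    # database port, internal source only
    {"source": "0.0.0.0/0", "protocol": "6", "tcp_options": None},
    {"source": "0.0.0.0/0", "protocol": "all"},
]}

if __name__ == "__main__":
    for idx, finding in audit_ingress(SAMPLE):
        print(f"rule {idx}: {finding}")
```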
Troubleshooting
Cannot Delete VCN
Ensure all dependent resources are deleted:
- Subnets
- Internet gateways
- NAT gateways
- Service gateways
- Route tables
- Security lists
- DRG attachments
Connectivity Issues
Verify:
- Correct route table associations
- Security list/NSG rules allow traffic
- Internet gateway exists for public subnets
- NAT gateway configured for private subnet internet access
Overlapping CIDR Blocks
Plan CIDR blocks to avoid conflicts:
- Between VCNs that will be peered
- With on-premises networks
- Across different regions
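The CIDR planning checks described here and under "CIDR Block Planning" can be run before any `create_vcn` or `create_subnet` request. This is an added example, not part of the MCP server; the plan names and ranges are constructed, and it goes slightly beyond the text by also checking that subnets sit inside their VCN and do not overlap each other.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_cidr_plan(networks, subnets_by_vcn=None):
    """Return findings for a plan.

    networks: {name: cidr} for every VCN and on-premises range that may be
              peered or routed together.
    subnets_by_vcn: optional {vcn_name: {subnet_name: cidr}}.
    """
    findings = []
    # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.5/24).
    parsed = {n: ipaddress.ip_network(c, strict=True) for n, c in networks.items()}

    for name, net in parsed.items():
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append(f"{name}: {net} is outside RFC 1918 space")

    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"{a} {net_a} overlaps {b} {net_b}")

    for vcn, subnets in (subnets_by_vcn or {}).items():
        vcn_net = parsed[vcn]
        subs = {n: ipaddress.ip_network(c, strict=True) for n, c in subnets.items()}
        for name, sub in subs.items():
            if not sub.subnet_of(vcn_net):
                findings.append(f"{vcn}/{name}: {sub} is not inside {vcn_net}")
        for (a, sub_a), (b, sub_b) in combinations(subs.items(), 2):
            if sub_a.overlaps(sub_b):
                findings.append(f"{vcn}: subnet {a} {sub_a} overlaps subnet {b} {sub_b}")
    return findings

# Constructed sample plan (illustrative names and ranges).
PLAN = {"production-vcn": "10.0.0.0/16", "dr-vcn": "10.0.128.0/17",
        "on-prem": "192.168.0.0/16"}
SUBNETS = {"production-vcn": {"web": "10.0.1.0/24", "app": "10.0.1.128/25",
                              "db": "10.1.0.0/24"}}

if __name__ == "__main__":
    for finding in check_cidr_plan(PLAN, SUBNETS):
        print(finding)
```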
Additional Resources