Monday, March 2, 2026


OCI Logging – Auditing VCN Security list changes

In the previous post, we discussed how to audit VCN Security List changes. In this article, we will review how to audit VCN Route Table changes using OCI Audit service.

Route Tables control how traffic flows within a VCN. Any incorrect modification such as adding an Internet Gateway route or changing a DRG target can impact security posture, connectivity, or cost governance. Therefore, auditing route table changes is critical for enterprise cloud governance.

Log in to the OCI Console -> Networking -> VCN. It shows the list of VCNs; choose the desired one.

In the VCN details page, choose Routing; it lists all the route tables associated with the VCN.

In this exercise we have only the default route table with a single route rule, created for external access through an Internet Gateway. We will add a route rule for a Service Gateway.

Now that the route rule is added, we will use Audit to identify what changes happened in the route table.

OCI Audit is a native, always-on service that records all API operations across your tenancy. Any modification to a VCN Route Table (creation, update, or deletion) is captured here with full request payload and identity metadata.

Select:

  • Compartment → root
  • Set appropriate Time Range

Route Tables are network resources under specific compartments. Select the right compartment to see changes across all sub-compartments if required.

Once the timeframe is chosen, the audit page will be updated with all event types recorded in that timeframe. Choose the UpdateRouteTable event type, which is the one appropriate to our requirement.

Other available event types are below.

Event Name = UpdateRouteTable
Event Name = CreateRouteTable
Event Name = DeleteRouteTable

The UpdateRouteTable event provides:

  • Who made the change (User/Service Principal)
  • When it was made (Timestamp)
  • From which IP address
  • Target Resource OCID
  • Request/Response payload

In the JSON output, locate the stateChange section.

Inside stateChange, expand:

  • previous
  • current

Within these sections, examine routeRules.

By comparing the previous and current routeRules arrays, you can identify exactly what changed.

In our case:

  • previous → One route rule
  • current → Two route rules

This confirms that a new route rule was added.
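The comparison described above (previous vs. current routeRules inside stateChange) can be automated instead of done by eye in the console. The script below is an added example, not code from the original post or from Oracle: it takes a list of audit events in the shape the post describes (data.eventName, data.identity, data.stateChange.previous/current.routeRules), keeps only the route table event types listed above, and reports which rules were added or removed, who made the change and from where. The two sample events, their OCIDs, IP addresses and timestamps are constructed placeholders; the check that flags an added rule pointing at an Internet Gateway relies on the resource-type segment of the OCID and is an assumption of this example.

```python
import json

# Constructed sample input: one UpdateRouteTable event matching the post's
# walkthrough (one rule before, two after) and one read-only event that a
# route table audit should ignore. All OCIDs, IPs and times are placeholders.
SAMPLE_EVENTS = json.loads(r'''
[
  {
    "eventType": "com.oraclecloud.virtualnetwork.updateroutetable",
    "eventTime": "2026-03-02T10:15:00Z",
    "data": {
      "eventName": "UpdateRouteTable",
      "compartmentName": "root",
      "resourceId": "ocid1.routetable.oc1..exampleroutetable",
      "identity": {"principalName": "alice@example.com", "ipAddress": "203.0.113.10"},
      "stateChange": {
        "previous": {"routeRules": [
          {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
           "networkEntityId": "ocid1.internetgateway.oc1..exampleigw"}
        ]},
        "current": {"routeRules": [
          {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
           "networkEntityId": "ocid1.internetgateway.oc1..exampleigw"},
          {"destination": "all-phx-services-in-oracle-services-network",
           "destinationType": "SERVICE_CIDR_BLOCK",
           "networkEntityId": "ocid1.servicegateway.oc1..examplesgw"}
        ]}
      }
    }
  },
  {
    "eventType": "com.oraclecloud.virtualnetwork.listroutetables",
    "eventTime": "2026-03-02T10:16:00Z",
    "data": {
      "eventName": "ListRouteTables",
      "identity": {"principalName": "bob@example.com", "ipAddress": "203.0.113.11"},
      "stateChange": null
    }
  }
]
''')

# The three event names the post lists for route tables.
ROUTE_TABLE_EVENTS = {"UpdateRouteTable", "CreateRouteTable", "DeleteRouteTable"}


def rule_key(rule):
    """Identity of a route rule for comparison: destination type, destination, target."""
    return (rule.get("destinationType"), rule.get("destination"), rule.get("networkEntityId"))


def rules_of(snapshot):
    """routeRules from a previous/current snapshot; empty when absent (Create/Delete)."""
    return (snapshot or {}).get("routeRules") or []


def diff_route_rules(event):
    """Return (added, removed) route rules by comparing previous vs current."""
    change = event.get("data", {}).get("stateChange") or {}
    before = {rule_key(r): r for r in rules_of(change.get("previous"))}
    after = {rule_key(r): r for r in rules_of(change.get("current"))}
    added = [after[k] for k in sorted(after.keys() - before.keys(), key=str)]
    removed = [before[k] for k in sorted(before.keys() - after.keys(), key=str)]
    return added, removed


def is_internet_gateway_rule(rule):
    """Assumption: the OCID's resource-type segment identifies an Internet Gateway target."""
    return "internetgateway" in (rule.get("networkEntityId") or "")


def summarize_route_table_changes(events):
    """One summary dict per route table event: who, when, from where, what changed."""
    summaries = []
    for event in events:
        data = event.get("data", {})
        name = data.get("eventName")
        if name not in ROUTE_TABLE_EVENTS:
            continue  # read-only or unrelated API calls are not changes
        added, removed = diff_route_rules(event)
        identity = data.get("identity") or {}
        summaries.append({
            "event": name,
            "time": event.get("eventTime"),
            "actor": identity.get("principalName"),
            "source_ip": identity.get("ipAddress"),
            "route_table": data.get("resourceId"),
            "added": added,
            "removed": removed,
            # Worth a closer look: a newly added route to an Internet Gateway.
            "internet_route_added": any(is_internet_gateway_rule(r) for r in added),
        })
    return summaries


if __name__ == "__main__":
    for summary in summarize_route_table_changes(SAMPLE_EVENTS):
        print(json.dumps(summary, indent=2))
```

To run this against real data, replace SAMPLE_EVENTS with the `data` array from the JSON output of `oci audit event list` for the compartment and time range chosen in the console; the event envelope fields used here are the same ones the console shows under stateChange.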

In summary, OCI Audit logs provide a reliable and tamper-resistant mechanism to track route table changes, something the OCI Route Table UI itself does not natively provide.
