Autonomous Database with Private Endpoint
This topic applies only to Autonomous Databases with shared Exadata infrastructure.
Private endpoint refers to a network setup for your Autonomous Database with shared Exadata infrastructure where all network traffic moves through a private endpoint within a VCN in your tenancy. If your organization has strict security mandates that do not allow you to have a public endpoint for your database, this provides you with the necessary private endpoint. Additionally, this configuration uses no public subnets and allows you to keep all traffic to and from your Autonomous Database off the public internet.
Overview of Private Endpoint
Enabling a private endpoint for an Autonomous Database ensures that the only access path to the database is via a VCN inside your Oracle Cloud Infrastructure tenancy. This network configuration completely blocks access to the database from public endpoints. A private endpoint offers the following advantages over other methods of private network access:
- Does not require you to set up transit routing in your VCN and use a service gateway to connect.
- Can satisfy security requirements that forbid the use of a public endpoint.
The private endpoint option is available for both new and existing Autonomous Databases on shared Exadata infrastructure. See To create an Autonomous Database on shared Exadata infrastructure for instructions on creating a new Autonomous Database with a private endpoint. See To change the network access of an Autonomous Database on shared Exadata infrastructure from private endpoint to public endpoint for information on switching network access configuration of an existing database.
Networking Prerequisites Needed for Private Endpoint
To provision an Autonomous Database with a private endpoint, you must have the following resources already created:
- A VCN within the region that will contain your Autonomous Database with shared Exadata infrastructure. Cannot be changed after provisioning.
- A private subnet within your VCN configured with default DHCP options. Cannot be changed after provisioning.
- At least 1 network security group (NSG) within your VCN for the Autonomous Database. Can be changed or edited after provisioning.
NSGs create a virtual firewall for your Autonomous Database using security rules. You can specify up to five NSGs to control access to your Autonomous Database.
Your security rules for the NSG of your Autonomous Database need to be configured as follows:
- The private endpoint feature supports both stateful and stateless security rules within NSGs.
- Your rule covering ingress traffic must specify the IP Protocol "TCP", and your Destination Port Range must be 1522.
To use Oracle Application Express, Oracle SQL Developer Web, and Oracle REST Data Services, add port 443 to the NSG rule.
To connect another resource located inside Oracle Cloud Infrastructure (for example, a Compute instance) to your Autonomous Database, the second resource needs a security rule that allows all egress traffic to the NSG of the Autonomous Database. This means you specify the NSG of the Autonomous Database as the Destination for this security rule. The second resource's security rule can be part of an NSG or a security list. See Network Security Groups and To create an NSG for more information on working with NSGs.
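The prerequisites above are easy to get subtly wrong (a rule on UDP, a wider port range than 1522, an egress rule whose destination is a CIDR rather than the NSG). The following audit is an added example, not Oracle's code; it checks a list of rules in the shape of OCI's SecurityRule JSON (as returned by `oci network nsg rules list --nsg-id ...`) against exactly the requirements this section states. The sample rules and the OCID are constructed placeholders.

```python
import json

# Constructed samples shaped like OCI SecurityRule JSON (REST camelCase keys);
# `oci network nsg rules list` emits hyphenated keys, which _get() also accepts.
ADB_NSG_ID = "ocid1.networksecuritygroup.oc1..PLACEHOLDER_ADB_NSG"  # placeholder OCID
ADB_NSG_RULES = json.loads("""[
 {"direction":"INGRESS","protocol":"6","isStateless":false,"source":"10.0.0.0/16",
  "sourceType":"CIDR_BLOCK","tcpOptions":{"destinationPortRange":{"min":1522,"max":1522}}},
 {"direction":"INGRESS","protocol":"6","isStateless":false,"source":"10.0.0.0/16",
  "sourceType":"CIDR_BLOCK","tcpOptions":{"destinationPortRange":{"min":443,"max":443}}}
]""")
CLIENT_NSG_RULES = json.loads("""[
 {"direction":"EGRESS","protocol":"all","isStateless":false,
  "destinationType":"NETWORK_SECURITY_GROUP",
  "destination":"ocid1.networksecuritygroup.oc1..PLACEHOLDER_ADB_NSG"}
]""")

def _get(d, camel, hyphen):  # field name differs between REST (camelCase) and CLI (hyphen)
    return d.get(camel, d.get(hyphen))

def _port_range(rule):
    tcp = _get(rule, "tcpOptions", "tcp-options") or {}
    rng = _get(tcp, "destinationPortRange", "destination-port-range") or {}
    return rng.get("min"), rng.get("max")

def audit_adb_nsg(rules, want_web=False):
    """Findings for the ADB NSG: TCP/1522 ingress required, TCP/443 too for APEX, SQL Developer Web, ORDS."""
    findings, ports = [], set()
    for r in (x for x in rules if x.get("direction") == "INGRESS"):
        lo, hi = _port_range(r)
        if r.get("protocol") != "6" or lo is None:  # "6" is TCP in OCI security rules
            findings.append("ingress rule is not TCP with a port range: protocol=%s" % r.get("protocol"))
            continue
        ports.update(range(lo, hi + 1))
    if 1522 not in ports:
        findings.append("no TCP ingress rule for port 1522")
    if want_web and 443 not in ports:
        findings.append("no TCP ingress rule for port 443 (APEX, SQL Developer Web, ORDS)")
    if extra := sorted(ports - {1522, 443}):  # anything wider than documented is a finding
        findings.append("ingress opens ports beyond 1522/443: %s" % extra)
    return findings

def audit_client_egress(rules, adb_nsg_id):
    """Findings for the connecting resource: it needs an egress rule whose destination is the ADB NSG."""
    for r in rules:
        if (r.get("direction") == "EGRESS" and r.get("destination") == adb_nsg_id
                and _get(r, "destinationType", "destination-type") == "NETWORK_SECURITY_GROUP"):
            return []
    return ["no egress rule with destination NETWORK_SECURITY_GROUP %s" % adb_nsg_id]
```

An empty list from both functions means the NSGs match this section; run it against the real rule lists before provisioning, since the VCN and subnet cannot be changed afterwards.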
Connecting to an Autonomous Database with a Private Endpoint
You can connect to an Autonomous Database that uses a private endpoint from within Oracle Cloud Infrastructure resources, or from your data center. See To find the Fully Qualified Domain Name (FQDN) and IP address of your private endpoint for information on locating the IP address and URL of your endpoint.
Example 1: Connecting from Within Oracle Cloud Infrastructure
You can connect from a resource (like a Compute instance) within the same VCN as the private endpoint. Note that you can also connect from a resource located in a different VCN from the private endpoint by using local or remote VCN peering.
[Figure: Example network layout for connecting to an Autonomous Database with a private endpoint from within Oracle Cloud Infrastructure]
You set up:
- A VCN and a private subnet
- An NSG for the Autonomous Database that includes either stateful or stateless security rules, as described in Networking Prerequisites Needed for Private Endpoint
  [Figure: Example stateful security rule for the Autonomous Database NSG. Note that stateless rules are also supported.]
- An NSG security rule for the resource that will be allowed access to the Autonomous Database. This stateful egress security rule allows all egress traffic to the NSG of the Autonomous Database.
  [Figure: Example stateful egress security rule for the NSG of the resource connecting to the Autonomous Database]
Example 2: Connecting from an On-Premise Data Center
[Figure: Example network layout for connecting to an Autonomous Database with a private endpoint from an on-premises network]
You set up:
- A VCN and a private subnet
- An NSG for the Autonomous Database that includes one or more security rules, as described in Networking Prerequisites Needed for Private Endpoint, allowing traffic to a CIDR within your on-premises network
  [Figure: Example stateful security rule for the Autonomous Database NSG]
- An Oracle Cloud Infrastructure FastConnect dedicated private connection or a Site-to-Site VPN IPSec connection
- A dynamic routing gateway (DRG)
- A route table
When connecting from an on-premises network, Oracle recommends using a FastConnect connection. If you are using a Site-to-Site VPN IPSec connection, see the configuration tips in the Hanging Connection topic in the Networking service documentation to avoid connection problems.
Your database's private endpoint IP address is displayed on the Autonomous Database Details page in the Oracle Cloud Infrastructure Console.
- Open the navigation menu. Click Oracle Database. Under Autonomous Database, click Autonomous Data Warehouse, Autonomous JSON Database, or Autonomous Transaction Processing.
- Choose your Compartment.
- In the list of Autonomous Databases, click the display name of the database you want to connect to.
- On the Autonomous Database Details page, in the Network section, the Private Endpoint IP and Private Endpoint URL fields display the IP address and URL of the endpoint.
To resolve the Fully Qualified Domain Name (FQDN) of the Autonomous Database private endpoint, add an entry to the /etc/hosts file on your on-premises client. For example:
    # example /etc/hosts entry
    10.0.2.7 example.adb.us-phoenix-1.oraclecloud.com
To use Oracle Application Express, Oracle SQL Developer Web, and Oracle REST Data Services, add another entry with the same IP address. For example:
    # example /etc/hosts entry
    10.0.2.7 example.adb.ca-toronto-1.oraclecloudapps.com
You find the private endpoint IP and the FQDN as follows:
- The Private IP is shown on the Oracle Cloud Infrastructure Console Autonomous Database details page for the instance.
- The FQDN is shown in the tnsnames.ora file in the Autonomous Database client credential wallet.
Alternatively, you can set up a hybrid DNS in Oracle Cloud Infrastructure for DNS name resolution.
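Pairing the FQDN from the wallet's tnsnames.ora with the Private Endpoint IP from the Console by hand is error-prone (pasting the URL instead of the IP, or a wallet whose address uses a port the NSG does not admit). The following is an added example, not part of Oracle's documentation or tooling: it pulls every host from the ADDRESS entries of a tnsnames.ora file and emits the /etc/hosts lines described above. The tnsnames.ora excerpt is constructed with the example FQDN from this page and placeholder service names.

```python
import ipaddress
import re

# Constructed tnsnames.ora excerpt in the layout used by the ADB client credential wallet;
# the host is the example FQDN from the text above, the service names are placeholders.
TNSNAMES_SAMPLE = """
example_high = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=example.adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=PLACEHOLDER_high.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)))
example_low = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=example.adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=PLACEHOLDER_low.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)))
"""
ADDRESS_RE = re.compile(r"\(address=\s*(?P<body>(?:\([^()]*\))+)\s*\)", re.I)
PARAM_RE = re.compile(r"\((\w+)=\s*([^()]+)\)")

def wallet_endpoints(tnsnames_text):
    """Map each host named in an ADDRESS entry of tnsnames.ora to the set of ports it uses."""
    endpoints = {}
    for m in ADDRESS_RE.finditer(tnsnames_text):
        params = {k.lower(): v.strip() for k, v in PARAM_RE.findall(m.group("body"))}
        if "host" in params:
            endpoints.setdefault(params["host"], set()).add(int(params.get("port", 0)))
    return endpoints

def hosts_entries(tnsnames_text, private_ip, apps_fqdn=None):
    """Build /etc/hosts lines that map every wallet FQDN (plus, optionally, the
    oraclecloudapps.com FQDN used by APEX, SQL Developer Web and ORDS) to the
    private endpoint IP shown on the Autonomous Database Details page."""
    ipaddress.ip_address(private_ip)  # rejects a pasted URL or a malformed address
    lines = ["# Autonomous Database private endpoint (generated)"]
    for fqdn, ports in sorted(wallet_endpoints(tnsnames_text).items()):
        if ports != {1522}:  # the NSG ingress rule in this setup only admits TCP 1522
            raise ValueError("%s uses port(s) %s, not 1522" % (fqdn, sorted(ports)))
        lines.append("%s %s" % (private_ip, fqdn))
    if apps_fqdn:
        lines.append("%s %s" % (private_ip, apps_fqdn))
    return lines
```

Feed it the wallet's real tnsnames.ora and the Private Endpoint IP from the Console; the returned lines are what goes into the on-premises client's /etc/hosts.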
See To create an Autonomous Database on shared Exadata infrastructure for instructions on provisioning an Autonomous Database that uses a private endpoint.
See To update the network configuration of an Autonomous Database on shared Exadata infrastructure that uses a private endpoint for information on editing networking settings related to a private endpoint.
See Private Access in the Networking service documentation for an overview of the options for enabling private access to services within Oracle Cloud Infrastructure.
See Hanging Connection in the Networking service documentation for troubleshooting IPSec connection issues that can occur when connecting from your on-premises network.