Securing a Stream

This information describes securing a stream.

Streaming data is encrypted both at rest and in transit. Private endpoints within your virtual cloud network (VCN) can be used to restrict access to your streams so they cannot be accessed through the internet.

Both encryption and private access are configured at the stream pool level to make managing groups of streams easier. See Creating a Stream Pool and Updating the Master Encryption Key Assigned to a Stream Pool for more information. For security best practices, see Securing a Stream.


By default, all encryption-related matters are handled by Oracle, but you can manage your own encryption keys using OCI Vault. Vault allows you to bring your own Advanced Encryption Standard (AES) symmetric keys and manage, rotate, disable, and delete them as needed.

Because encryption keys are managed at the stream pool level, you can use a different encryption key for each logical stream grouping or virtual Kafka cluster.

To use your own encryption key:

For more information, see Overview of Vault and Managing Keys.

Private Endpoints

Private endpoints associate a private IP address within a VCN to the stream pool, allowing Streaming traffic to avoid traversing the internet.

To create a private endpoint for Streaming, you need access to a VCN with a private subnet when you create the stream pool. See About Private Endpoints and VCNs and Subnets for more information.

To use private endpoints:

Because streams using private endpoints are not accessible from the internet, you cannot use the Console to show their latest messages.