Configuring a Private Network

You can configure your data catalog to access data sources hosted in private networks.

By configuring data catalog to access a private network, you can:

  • Harvest Oracle Cloud Infrastructure data sources that are only accessible privately.
  • Harvest on-premises data sources that are connected to an Oracle Cloud Infrastructure Virtual Cloud Network (VCN) using the Site-to-Site VPN service or FastConnect.
Note

You can access and harvest on-premises or private data sources in Data Catalog using either their Fully Qualified Domain Name (FQDN) or their private IP address. The FQDN must have an A record in the configured DNS server, and it must not itself be an Oracle reserved public domain, such as oracle.com or adb.oracle.com; a host name under such a domain is acceptable. Valid FQDN examples: wxyz.adb.oracle.com and <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com.

To allow your data catalog to access a private network, you must:

  1. Create a private endpoint for your data catalog.
  2. Attach the private endpoint to your data catalog.
  3. Use the private endpoint while creating a data asset.

Required IAM Policies

You can create policies to define how you want your users to access data sources hosted in private networks.

View the private endpoints verb to permission mapping to decide which verb meets your access requirements. For example, INSPECT allows users to view the list of available private endpoints.

Create this policy to allow users to create, update, and delete private endpoints in the tenancy or in a specific compartment.
Allow group <group-name> to manage data-catalog-family in tenancy
Allow group <group-name> to manage data-catalog-family in compartment <compartment-name>
Create this policy to allow users to perform the network-related operations required to manage private endpoints. As written it grants manage on every virtual networking resource in the tenancy; where possible, scope it to the compartments that hold the private endpoint and the subnet, or limit it to the specific VNIC, network security group, and subnet permissions listed under Prerequisites.
Allow group <group-name> to manage virtual-network-family in tenancy
Create this policy to allow users to create, update, and delete private endpoints to be attached to catalog instances in the tenancy or a specific compartment.
Allow group <group-name> to manage data-catalog-private-endpoints in tenancy
Allow group <group-name> to manage data-catalog-private-endpoints in compartment <compartment-name>

Prerequisites

One of the ways Oracle Cloud Infrastructure lets you configure private access for your resources is using private endpoints.

Data Catalog uses private endpoints to access the private network where your data sources are hosted. You must have the required data catalog permissions to use the Data Catalog private endpoints.

Additionally, to create, update, or delete private endpoints in Oracle Cloud Infrastructure, you need to obtain certain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. The following table lists the required permissions for virtual networking resources in Oracle Cloud Infrastructure for the private endpoint operations.

Operation: Create a private endpoint
Required access on underlying resources:

  For the private endpoint compartment:
    • Create VNIC (VNIC_CREATE)
    • Delete VNIC (VNIC_DELETE)
    • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)
    • Associate a network security group (VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP)

  For the subnet compartment:
    • Attach subnet (SUBNET_ATTACH)
    • Detach subnet (SUBNET_DETACH)

Operation: Update a private endpoint
Required access on underlying resources:

  For the private endpoint compartment:
    • Update VNIC (VNIC_UPDATE)
    • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)
    • Associate a network security group (VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP)

Operation: Delete a private endpoint
Required access on underlying resources:

  For the private endpoint compartment:
    • Delete VNIC (VNIC_DELETE)
    • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)

  For the subnet compartment:
    • Detach subnet (SUBNET_DETACH)
Note

If you are managing the data catalog private endpoints resource, we recommend that you also have the manage work requests permission. This ensures that you are able to view the logs and error messages that are encountered while working with private endpoints.
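The following is an added example, not part of the original page and not an Oracle-supplied policy set. It combines the private endpoint policy from Required IAM Policies with the per-compartment permissions in the table above into a least-privilege alternative to "manage virtual-network-family in tenancy": the private endpoint lives in one compartment and the subnet in another, and the networking grant in each compartment is limited with a request.permission condition to exactly the permissions that compartment needs. The group name CatalogNetAdmins and the compartment names CatalogCompartment and NetworkCompartment are placeholders, and the resource-type name data-catalog-work-requests for the work request permission recommended in the note above is assumed.

```text
Allow group CatalogNetAdmins to manage data-catalog-private-endpoints in compartment CatalogCompartment
Allow group CatalogNetAdmins to manage data-catalog-work-requests in compartment CatalogCompartment
Allow group CatalogNetAdmins to manage virtual-network-family in compartment CatalogCompartment where any {request.permission='VNIC_CREATE', request.permission='VNIC_UPDATE', request.permission='VNIC_DELETE', request.permission='NETWORK_SECURITY_GROUP_UPDATE_MEMBERS', request.permission='VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP'}
Allow group CatalogNetAdmins to manage virtual-network-family in compartment NetworkCompartment where any {request.permission='SUBNET_ATTACH', request.permission='SUBNET_DETACH'}
```

The first statement is the compartment-scoped form of the private endpoint policy already shown on this page. The third statement covers the create, update, and delete rows of the table for the private endpoint compartment, and the fourth covers the subnet compartment; a member of the group can therefore attach the catalog's VNIC to a subnet in NetworkCompartment but cannot create, modify, or delete VCNs, subnets, route tables, or other networking resources anywhere in the tenancy. If the private endpoint and the subnet are in the same compartment, merge the two conditions into a single statement for that compartment.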