Manage Network Access Changes for an Autonomous Database on Shared Exadata Infrastructure

You can change the network access type for your Autonomous Database on Shared Exadata Infrastructure from Secure Access from Anywhere to Virtual cloud network, and vice versa. When making a network access change, you may need to perform tasks to maintain the database's registration with Oracle Data Safe.

Overview

In Oracle Cloud Infrastructure, you can change the network access type for an Autonomous Database on Shared Exadata Infrastructure from Secure Access from Anywhere (public endpoint) to Virtual cloud network (private endpoint), and vice versa. If you plan to change the network access type, you may need to perform tasks beforehand to maintain the database's registration with Oracle Data Safe.

Consider the following:

  • If you plan to switch from a public endpoint to a private endpoint: Prior to making the network access change, you need to create an Oracle Data Safe private endpoint on the same VCN and subnet as your database. See Workflow for Switching the Network Access to Virtual Cloud Network.
  • If you plan to switch from a private endpoint to a public endpoint: You do not need to do anything other than make the network switch. You do not need to deregister your Autonomous Database with Oracle Data Safe beforehand. Your database will have a public IP address after you make the change and you can view that IP address from the database's Console. You may want to delete the Oracle Data Safe private endpoint previously used because it is no longer needed.
Note

If your Autonomous Database on Shared Exadata Infrastructure is not yet registered with Oracle Data Safe, first make the network access change and then register your database. You can follow one of the following registration procedures:

When you switch the network access type for your Autonomous Database from Secure Access from Anywhere to Virtual cloud network, the database's private endpoint communicates with Oracle Data Safe's private endpoint. The two private endpoints allow Oracle Data Safe to communicate with your database. This scenario is illustrated in the diagram below.

Autonomous Database on Shared Exadata Infrastructure using a private VPN

If there is no Oracle Data Safe private endpoint available and you attempt to make the network access change, you will get the message "Data Safe service may be disrupted if you switch to using a private endpoint without first configuring a Data Safe private endpoint," as shown in the screenshot below. In this case, the switch will fail.

Confirm Network Access Type Update dialog box

Workflow for Switching the Network Access to Virtual Cloud Network

If your Autonomous Database on Shared Exadata Infrastructure is already registered with Oracle Data Safe and you want to switch the database's network access type from Secure Access from Anywhere to Virtual cloud network, then follow the steps listed in the table below to create an Oracle Data Safe private endpoint and make the network access change.

Step, description, and reference:

  1. Obtain the required permissions for managing virtual networking resources in Oracle Cloud Infrastructure.
    Reference: Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure
  2. Obtain the required permissions for creating an Oracle Data Safe private endpoint.
    Reference: Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints
  3. Create an Oracle Data Safe private endpoint in Oracle Cloud Infrastructure.
    Reference: Create an Oracle Data Safe Private Endpoint
  4. Switch the network access type to VCN for your Autonomous Database on Shared Exadata Infrastructure.
    Reference: Switch the Network Access Type to VCN for an Autonomous Database on Shared Exadata Infrastructure
  5. Update the security rules to allow communication between Oracle Data Safe and your Autonomous Database.
    Reference: Update the Security Rules to Allow Communication Between Oracle Data Safe and Your Database

Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure

Prior to creating an Oracle Data Safe private endpoint, you need to obtain permissions for managing virtual networking resources in Oracle Cloud Infrastructure. You require certain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. The following table lists the required permissions for virtual networking resources for each type of private endpoint operation.

Operation: Create a private endpoint
Required access on underlying resources:

  For the private endpoint compartment:
    • Create/Delete VNIC
    • Update members in a network security group
    • Associate a network security group

  For the subnet compartment:
    • Attach/detach subnet

Operation: Update a private endpoint
Required access on underlying resources:

  For the private endpoint compartment:
    • Update VNIC
    • Update members in a network security group
    • Associate a network security group

Operation: Delete a private endpoint
Required access on underlying resources:

  For the private endpoint compartment:
    • Delete VNIC
    • Update members in a network security group

  For the subnet compartment:
    • Detach subnet

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-30 Broad permission

In this example, the dbadmin group has broad permission to use all virtual networking resources in the compartment ADWcmp1.

allow group dbadmin to manage virtual-network-family in compartment ADWcmp1

Example 3-31 Specific permissions

In this example, the dbadmin group has specific permissions on network resources. The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint.

allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1

Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints

To create, update, or delete Oracle Data Safe private endpoints, you require permissions on Oracle Data Safe resources in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. There are two types of Oracle Data Safe resources on which you can grant permissions:

  • data-safe-family
  • data-safe-private-endpoints

The following table describes the different permissions for an Oracle Data Safe private endpoint.

Permission and what you can do with it:

  • inspect: List an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • read or use: Inspect and view properties for an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • manage: Inspect, read, create, update, delete, and move an Oracle Data Safe resource in Oracle Cloud Infrastructure

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-32 Broad permission

In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in the compartment ADWcmp1.

allow group dsadmins to manage data-safe-family in compartment ADWcmp1

Example 3-33 Specific permission

In this example, the ProjectA group has specific permission to manage the resource called data-safe-private-endpoints.

allow group ProjectA to manage data-safe-private-endpoints in compartment ADWcmp1

Create an Oracle Data Safe Private Endpoint

You can create an Oracle Data Safe private endpoint from the Oracle Data Safe service page in Oracle Cloud Infrastructure. You typically create the private endpoint in the same VCN as your database. The only exception is if you are using VCN peering; in that case, you can select another VCN for which VCN peering with your database's VCN is set up. The private IP address does not need to be on the same subnet as your database, although it does need to be on a subnet that can communicate with the database. You can create a maximum of one private endpoint per VCN.

Note

If a private endpoint already exists in the same VCN as your database, then you do not need to create a private endpoint.

When you create a private endpoint, you have the option to associate network security groups (NSGs) with it. You may need to do this to ensure the private endpoint can access your database. A network security group specifies egress and ingress security rules at the IP address level. You can create network security groups by using Oracle Cloud Infrastructure's networking service. See Access and Security in the Oracle Cloud Infrastructure documentation.

  1. Refer to the following table to obtain the network information for your database.
    Database type, and how to find network information for the database:
    DB system that has a private IP address
    1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Bare Metal, VM, and Exadata.
    2. Click the name of your DB system.
    3. On the DB System Information tab, under Network, make note of the VCN and subnet names.
    Autonomous Database on Dedicated Exadata Infrastructure that has a private IP address
    1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Autonomous Dedicated Infrastructure.
    2. Click Autonomous Exadata Infrastructure.
    3. On the right, in the Autonomous Exadata Infrastructure table, click the name of the infrastructure in which your database exists.
    4. Under Network, make note of the VCN and subnet names.
    Autonomous Database on Shared Exadata Infrastructure that has a private IP address
    1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Autonomous Data Warehouse or Autonomous Transaction Processing.
    2. From the Compartment drop-down list, select the compartment that contains your Autonomous Database.
    3. On the right, click the name of your Autonomous Database.
    4. Under Network on the Autonomous Database Information tab, make note of the VCN and subnet names.
    Oracle Database on a compute instance in Oracle Cloud Infrastructure
    1. From the navigation menu in Oracle Cloud Infrastructure, select Compute, and then Instances.
    2. Click the name of your compute instance.
    3. On the Instance Information tab, make note of the VCN and subnet names.
    Oracle Database on a compute instance in a non-Oracle cloud environment
    1. From the navigation menu in Oracle Cloud Infrastructure, select Networking, and then Site-to-Site VPN (IPSec) or FastConnect.
    2. Select the VCN and subnet in Oracle Cloud Infrastructure that has connectivity via FastConnect or VPN Connect to your database.
    3. If you do not have FastConnect or VPN Connect set up, Oracle recommends that you use an Oracle Data Safe on-premises connector instead. See Register On-Premises Oracle Databases by Using an Oracle Data Safe On-Premises Connector.
    On-Premises Oracle Database

    Obtain the name of the virtual cloud network and subnet on which your on-premises Oracle database can be accessed.

  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe.
    The Overview page is displayed.
  3. On the left, click Private Endpoints.
    The Private Endpoints page is displayed.
  4. Click Create Private Endpoint.
    The Create Private Endpoint page is displayed.
  5. In the NAME field, enter a name for your private endpoint.
  6. Select a compartment in which to store your private endpoint.
  7. Scroll down to the Private Endpoint Information section.
  8. From the VIRTUAL CLOUD NETWORK drop-down list, select the VCN on which your database can be accessed. If needed, click CHANGE COMPARTMENT and select the compartment that stores your VCN.
  9. From the SUBNET drop-down list, select a subnet within the selected VCN. If needed, click CHANGE COMPARTMENT and select the compartment that stores the subnet that you want to use.
    The subnet can be in a different compartment than the VCN. The subnet that you select needs to have access to the database's subnet.
  10. (Optional) In the PRIVATE IP field, specify a private IP address.
    If you do not specify a private IP address, Oracle Cloud Infrastructure automatically generates one for you in the selected subnet.
  11. (Optional) Select a network security group to which your database belongs.
  12. (Optional) To add another network security group, click + Another Network Security Group, and select another network security group.
  13. Click Create Private Endpoint.
    A private endpoint for Oracle Data Safe is provisioned in your database's VCN.
  14. To view details for your private endpoint, click its name. Take note of the Private IP address that was assigned to the Private Endpoint (or that you assigned to it). It is needed for configuring security rules.

Switch the Network Access Type to VCN for an Autonomous Database on Shared Exadata Infrastructure

Switch the network access type to virtual cloud network (VCN) for your Autonomous Database on Shared Exadata Infrastructure. Be sure that you have an Oracle Data Safe private endpoint created in the Oracle Data Safe service prior to making the switch. For detailed instructions on how to make the switch, see Change from Public to Private Endpoints with Autonomous Database in the Oracle Cloud Infrastructure documentation.

Update the Security Rules to Allow Communication Between Oracle Data Safe and Your Database

Update the ingress and egress security rules for the Network Security Groups (NSGs) on your private VCN in Oracle Cloud Infrastructure to allow traffic from Oracle Data Safe's private endpoint to your Autonomous Database's private endpoint. While both an NSG and a security list act as virtual firewalls for your database, Oracle recommends that you use NSGs. For more information, see Network Security Groups.

Example 3-34 Configure security rules for an Autonomous Database on Shared Exadata Infrastructure with private VCN access

Suppose you provision an Autonomous Database on Shared Exadata Infrastructure with private VCN access in Oracle Cloud Infrastructure. During provisioning, Oracle Cloud Infrastructure automatically creates a private endpoint for your database and you associate an NSG with your database.

To obtain the private IP address for your database's private endpoint and view the NSG name, you access the Autonomous Database Information tab in your database's Console in Oracle Cloud Infrastructure. As shown in the following screenshot, under Network, the private endpoint's IP address is 10.0.10.232 and the NSG name is test_nsg.

Autonomous Database Information tab for an Autonomous Database on Shared Exadata Infrastructure with private VCN access

To obtain the private IP address and NSG for Oracle Data Safe's private endpoint, you access the Private Endpoint Information tab on the Data Safe page in Oracle Cloud Infrastructure. As shown in the following screenshot, the IP address is 10.0.10.160 and the NSG name is nsg_not_allow_pdb_pe_ip.

Private Endpoint Information tab

Next, you create a security rule for each of the NSGs the following way:

  • Ingress rule for the database private endpoint NSG: The database's private endpoint IP address, 10.0.10.232 (on port 1522) can receive incoming traffic from Oracle Data Safe's private endpoint IP address, 10.0.0.6 (from any port).
  • Egress rule for the Oracle Data Safe private endpoint NSG: Oracle Data Safe's private endpoint IP address, 10.0.0.6 (from any port), can send requests to the database's private endpoint IP address, 10.0.10.232 (on port 1522).

The following diagram illustrates the security rules.
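The two NSG rules from Example 3-34, written out as an added example (not Oracle's own code or the Data Safe Console's output). It builds each rule in the JSON shape that the OCI network security group rules API uses, pins the source and destination to the /32 of the peer private endpoint on TCP port 1522, and checks that the Data Safe to database flow is allowed only when both NSGs carry their rule. The IP addresses 10.0.10.232 and 10.0.0.6 are the ones used in the rule bullets above; the protocol and field names follow the public OCI API shape, which is an assumption stated in the comments.

```python
import ipaddress

DB_PE_IP = "10.0.10.232"      # database private endpoint IP from Example 3-34
DATA_SAFE_PE_IP = "10.0.0.6"  # Data Safe private endpoint IP as used in the rule bullets
DB_PORT = 1522                # Autonomous Database listener port from the rule bullets

def ingress_rule_for_db_nsg(data_safe_ip=DATA_SAFE_PE_IP, port=DB_PORT):
    """Stateful ingress rule for the database's NSG. Field names follow the OCI
    NSG security-rule JSON (assumed here); protocol "6" is TCP."""
    return {
        "direction": "INGRESS",
        "protocol": "6",
        "sourceType": "CIDR_BLOCK",
        "source": f"{data_safe_ip}/32",   # only the Data Safe private endpoint, not the subnet
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        "description": "Oracle Data Safe private endpoint to database listener",
    }

def egress_rule_for_data_safe_nsg(db_ip=DB_PE_IP, port=DB_PORT):
    """Stateful egress rule for the Data Safe private endpoint's NSG."""
    return {
        "direction": "EGRESS",
        "protocol": "6",
        "destinationType": "CIDR_BLOCK",
        "destination": f"{db_ip}/32",     # only the database private endpoint
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        "description": "Data Safe private endpoint to database private endpoint",
    }

def rule_permits(rule, direction, peer_ip, dst_port):
    """True if one rule allows a TCP flow in `direction` whose remote side is
    `peer_ip` (the source for INGRESS, the destination for EGRESS) on `dst_port`."""
    if rule["direction"] != direction or rule["protocol"] not in ("6", "all"):
        return False
    cidr = rule["source"] if direction == "INGRESS" else rule["destination"]
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(cidr):
        return False
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    return rng is None or rng["min"] <= dst_port <= rng["max"]

def flow_allowed(db_nsg_rules, data_safe_nsg_rules, data_safe_ip=DATA_SAFE_PE_IP,
                 db_ip=DB_PE_IP, port=DB_PORT):
    """The connection works only if BOTH NSGs allow it: egress on the Data Safe
    side and ingress on the database side. A missing rule on either side fails."""
    egress_ok = any(rule_permits(r, "EGRESS", db_ip, port) for r in data_safe_nsg_rules)
    ingress_ok = any(rule_permits(r, "INGRESS", data_safe_ip, port) for r in db_nsg_rules)
    return egress_ok and ingress_ok
```

Each rule dictionary can be passed as one element of the security-rules list when adding rules to the respective NSG; the check function is a local model of the rule evaluation, not a query against the live NSG.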