Create a Database Management Private Endpoint for Autonomous AI Databases

You can create a Database Management private endpoint to configure network access between Database Management and an Autonomous AI Database.

Note

The information in this topic is only applicable for Autonomous AI Databases Serverless and Autonomous AI Databases on Dedicated Exadata Infrastructure, and not for Autonomous AI Databases on ExaDB-C@C.

The private endpoint is a representation of Database Management in the VCN in which the Autonomous AI Database can be accessed, and acts as a VNIC with private IP addresses in a subnet of your choice. The private endpoint created in a VCN can be used to enable Database Management Diagnostics & Management for the Autonomous AI Databases available in the same VCN and it cannot be used across multiple VCNs. The private endpoint does not have to be on the same subnet as the Autonomous AI Database, although it must be on a subnet that can communicate with the Autonomous AI Database.

In Database Management, you can create the following types of private endpoints:

  • Private endpoint for Autonomous AI Databases Serverless: You can create a maximum of seven Database Management private endpoints in your tenancy (per region) to connect to an Autonomous AI Database Serverless. There's no restriction on the number of Autonomous AI Databases Serverless for which you can enable Diagnostics & Management using a single private endpoint. The private endpoint for Autonomous AI Databases Serverless has only one private IP address.
  • Private endpoint for Autonomous AI Databases on Dedicated Exadata Infrastructure: You can create three Database Management private endpoints in your tenancy (per region) to connect to Autonomous AI Databases on Dedicated Exadata Infrastructure. The private endpoint for Autonomous AI Databases on Dedicated Exadata Infrastructure has two private IP addresses.

Note that you can create one private endpoint of each type in a VCN, which means that you can create one private endpoint for Autonomous AI Databases Serverless and one for Autonomous AI Databases on Dedicated Exadata Infrastructure. If you need more private endpoints than the default limit of seven private endpoints for Autonomous AI Databases Serverless and three private endpoints for Autonomous AI Databases on Dedicated Exadata Infrastructure in a tenancy, you can request for an increase to the private endpoint limit.

For information on private endpoints, see About Private Endpoints.

Before you create a Database Management private endpoint in the VCN, you must obtain the permissions required to work with virtual networking resources in Oracle Cloud Infrastructure and create a Database Management private endpoint. For information, see Permissions Required to Enable Diagnostics & Management for Autonomous AI Databases.

To create a Database Management private endpoint:

  1. Sign in to the Oracle Cloud Infrastructure console.
  2. Open the navigation menu, click Observability & Management. Under Database Management, click Administration.
  3. In the left pane, click Private Endpoints.
  4. On the Private endpoints page, click Create private endpoint.
  5. In the Create private endpoint panel:
    1. Provide the following details:
      1. Name: Enter a name for the private endpoint.
      2. Description: Optionally, enter a description for the private endpoint.
      3. Compartment: Select the compartment in which you want the private endpoint to reside. By default, the compartment selected on the Private endpoints page is displayed, however, you can select another compartment in the drop-down list.
      4. Use this private endpoint for Dedicated Autonomous AI Databases: Select this check box if you want to create a Database Management private endpoint for Autonomous AI Databases on Dedicated Exadata Infrastructure.
      5. Virtual cloud network: Select the virtual cloud network compartment, and then select the VCN in which the Autonomous AI Database can be accessed.
      6. Subnet: Select the subnet compartment, and then select a subnet within the selected VCN. Depending on whether the new Database Management private endpoint is for Autonomous AI Databases Serverless or Autonomous AI Databases on Dedicated Exadata Infrastructure, it will take up two or three private IP addresses respectively, in the selected subnet. Note that the subnet can be in a different compartment than the VCN, however, it must have access to the database subnet in the VCN.
      7. Network security group: Optionally, turn on Use network security groups to control traffic to select an NSG added to the Autonomous AI Database. You can also click + Another security group to select another NSG.
        Note

        The option to associate existing NSGs in the Autonomous AI Database with the Database Management private endpoint ensures that the private endpoint can access the database. Using the NSG you can add ingress and egress security rules to enable communication between the Database Management private endpoint and the Autonomous AI Database.
      8. Tags: Optionally, add free-form or defined tags to the Database Management private endpoint. If you have the permissions required to create a Database Management private endpoint, then you also have permissions to add free-form tags. To add a defined tag, you must have permissions to use the tag namespace.

        For information on:

      9. Security attributes: Optionally, add security attributes to the private endpoint. Click Add security attribute, and then specify the security attribute namespace, key, and value. For information on security attributes, see the Manage Security Attributes for Private Endpoints section below.
    2. Click Create.
A Database Management private endpoint is created in the VCN, using which you can enable Database Management for Autonomous AI Databases.

To view details of the Database Management private endpoint, click its name. On the Private endpoint details page, you can:

  • View details such as the associated VCN and subnet and the private IP addresses assigned to the Database Management private endpoint. Note that the private IP address information is required to configure security rules.
  • View the associated databases in the Databases section on the Details tab.
  • Monitor the work requests pertaining to the private endpoint on the Work requests tab. You can click a particular work request to view work request information, log messages, and error messages, if any.
  • Perform tag-related tasks on the Tags tab.

Manage Security Attributes for Private Endpoints

You can optionally add Zero Trust Packet Routing (ZPR) security attributes to private endpoints to control access through ZPR policies. ZPR evaluates these attributes together with existing network controls.

For more information on security attributes and ZPR, see Security Attributes and Overview of Zero Trust Packet Routing.

Note

If you add security attributes to a private endpoint, verify that the required ZPR policies are in place, otherwise, intended traffic can be blocked.

Setup

Before you add security attributes to a private endpoint, complete the required ZPR setup and verify that the network configuration allows the intended traffic.

  1. Ensure that the required IAM permissions, security attribute namespaces, security attributes, and ZPR policies are already configured. For more information, see Zero Trust Packet Routing IAM Policies, Security Attributes, and Zero Trust Packet Routing Policy.
  2. Decide which security attributes to add to the private endpoint so that the applicable ZPR policies allow the intended traffic.

Important Considerations

  • Administrators must set up security attribute namespaces and security attributes in the tenancy before users can apply security attributes to private endpoints.
  • When security attributes are used, access to the private endpoint is governed by ZPR policies together with existing network controls, such as security lists and NSGs.
  • A security attribute is effective only when appropriate ZPR policies are defined. If you add a security attribute without corresponding policies, access to the private endpoint is denied by default, even if NSGs or security lists would otherwise allow the traffic.
  • You can add up to three security attributes to a private endpoint. If you aren't sure which attributes to use, contact your network administrator.

Add Security Attributes

You can add security attributes when you create a private endpoint or from the Private endpoint details page after the private endpoint is created.

To add security attributes from the Private endpoint details page:

  1. Go to the Private endpoint details page for the private endpoint.
  2. On the Security tab, in the Security attributes section, click Add.
  3. Specify the security attribute namespace, key, and value.
  4. Click Add security attributes.

List Security Attributes

To view the security attributes added to a private endpoint, go to the Private endpoint details page for the private endpoint, and then click the Security tab. The Security attributes section lists the security attributes added to the private endpoint.