Networking Setup

This topic describes how to create and configure a Virtual Cloud Network for use with MySQL DB Systems.

Network Setup for MySQL DB Systems

MySQL Database DB System Endpoints are not public. To connect to a MySQL DB System, you must do one of the following:
  • Create a Compute instance from which to connect to your DB System. Compute instances, attached to public subnets, can use public IP addresses. This enables you to use SSH or RDP, depending on your platform, to connect to the Compute instance and, from there, to interact with your DB System.
  • Create a VPN connection, bridging your local network with your Oracle Cloud Infrastructure VCN.
DB Systems should always be attached to private subnets. It is strongly recommended to use Regional Subnets. For more information, see VCNs and Subnets

To configure a network to enable communication between VPN or Compute and DB System, you must configure your VCN's subnets with Security rules. These rules permit traffic from specific IP addresses and ports, or ranges of IP addresses and ports, between resources. For more information on Security Rules, see Network Security Rules.


The Networking service reserves three IP addresses in each subnet, and MySQL Database service requires two IP addresses per DB System in each subnet; one to attach to the DB System, the other for use in maintenance and upgrade operations of that DB System. Take this into account when defining the CIDR blocks of your subnets.

Configuring the Network

This task assumes there are no existing VCNs with a private and public regional subnet already present in your tenancy.
To create a VCN and subnets which enable you to connect to a Compute instance and interact with a MySQL Database Service DB System:
  1. In the navigation menu, open Networking and select Virtual Cloud Networks.
    The Virtual Cloud Networks page is displayed.
  2. Click Start VCN Wizard.
    The Start VCN Wizard dialog is displayed.
  3. Select VCN with Internet Connectivity and click Start VCN Wizard.
    The VCN wizard creates a VCN, Public and Private Regional Subnets, Internet, Service, and NAT gateways. For more information on these components, see Overview of Networking.
  4. Populate the fields as required and click Next. It is strongly recommended you accept the default values for this VCN.
  5. Review your settings and click Create to create your VCN.
    The VCN is created.
  6. Open the new VCN's Details page and select Security Lists from the Resources section.
  7. Select the security list for the private subnet.
    The Security list for the private subnet is displayed.
  8. Click Add Ingress Rules.
    The Add Ingress Rules dialog is displayed.
  9. Add the following information to the Ingress Rule:
    • Stateless: do not select.
    • Source Type: CIDR.
    • Source CIDR: The CIDR of the public subnet. You can narrow the range down to more specific IP addresses if it is required.
    • IP Protocol: TCP
    • Source Port Range: Leave blank.
    • Destination Port Range: the port the DB System will listen on. Default is 3306 for MySQL Classic and 33060 for MySQL X Protocol.

      To add multiple destination ports simultaneously, add them as a comma-separated list. For example, to add ingress rules for ports 3306 and 33060 simultaneously, enter 3306,33060 in this field.
    • Description: add required descriptive string.
The Ingress Rule is created and access is granted to port 3306 on the private subnet.

VPN Connections

This section describes the VPN options recommended for use with MySQL Database Service.

  • VPN Connect: enables you to create a site-to-site IPSec VPN between your on-premises network and your virtual cloud network (VCN) over a secure, encrypted connection. For more information on VPN Connect, see Oracle VPN Connect.
  • FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections. For more information on FastConnect, see FastConnect Overview
  • OpenVPN: available from the Oracle Cloud Infrastructure Marketplace, creates an OpenVPN Access Server, enabling your client devices to connect directly to Oracle cloud resources, such as MySQL DB Systems. It does not enable you to connect entire sites or networks to an Oracle VCN; for that scenario, Oracle's VPN Connect or FastConnect are recommended.

    Access Server is free to install and use for 2 simultaneous VPN connections. For more information on pricing, see OpenVPN Access Server Pricing.


To connect to Oracle cloud resources using an OpenVPN Access Server, do the following:

  • Create the OpenVPN stack. This consists of a Compute instance running the Access Server attached to the same VCN your MySQL DB System is attached to, and the network configuration required for external connections to the Access Server.
  • Configure the OpenVPN Access Server to route traffic to your DB System. This requires configuring static IP addresses, routing instead of NAT, and creating and configuring a VPN user.
  • Install and configure a VPN client to use with your OpenVPN Access Server and connect to your DB System.
  • Define route and ingress rules on the private subnet to allow communications from the OpenVPN Access Server to the MySQL DB System attached to the private subnet.
  • It is strongly recommended that you secure your OpenVPN connection with a shared secret key. For more information, see Hardening OpenVPN Security.

Creating the OpenVPN Stack

This task assumes the following:
To create a VPN connection using OpenVPN, do the following:
  1. In the navigation menu, open Marketplace, and select OpenVPN Access Server.
    The OpenVPN Access Server - BYOL page is displayed.
  2. Select the compartment you created the VCN in and click Launch Stack.
    The Create Stack dialog is displayed.
  3. Provide the following information:
    • Name: Provide a name for the Access Server. (Optional)
    • Description: Provide a description of the Access Server. (Optional)

    It is not possible to edit the Compartment or Terraform Version.
  4. Click Next.
    The Configure Variables dialog is displayed.
  5. Provide the following information:
    • OpenVPN Access Server Name: unique name for your server. This name must be unique on the configured VCN.
    • Compute Shape: the resourced shape of the Compute instance.
    • Administrator Username: the Administrator username for the Compute instance. Only alphanumeric characters and must start with a lowercase letter.

      Do not use openvpn for the Administrator's username. It is a reserved user.
    • Administrator Password: the Administrator user's password. At least 8 alphanumeric characters and no special characters.
    • Activation Key: a license key, purchased from OpenVPN, required if you intend to use more than two VPN connections with this Access Server Compute instance.
    • Network Strategy: select Use Existing VCN.
    • Existing Network: select the VCN to which your DB System is attached.
    • Existing Subnet: select the public subnet of your VCN.
    • Compartment: the compartment in which to create all the resources. This is set to the compartment you specified on the Marketplace page.
    • Public SSH Key String: required if you intend to access the Compute instance using SSH. This is optional because the majority of the configuration can be accomplished using the Access Server's administration page.
  6. Click Next to open the Review page. Confirm your settings and click Create.
The Resource Manager Job Details page is displayed. The Logs section lists the results of the stack creation process and the login details for the Access Server in the format:
Outputs:admin_password = ********
admin_username = username
instance_public_url =
where the IP address is the public IP of the Compute instance hosting the Access Server. Make note of these details, they are required by the subsequent tasks.

Creating an OpenVPN Connection

Create and configure the VPN connection and a VPN user.

This task assumes the following:
To create a VPN connection using OpenVPN, do the following:
  1. Load the OpenVPN Access Server Administration tool using the IP address and credentials provided at the end of the stack creation task. https://IPAddress/admin. The IPAddress is also the public IP address of the Compute instance created in the stack creation task.
    The Access Server Status Overview page is displayed.
  2. In the navigation menu, select Configuration, then select VPN Settings.
    The VPN Settings page is displayed.
  3. Specify a static IP in the Static IP Address Network field. A static IP is preferred because you must also configure Ingress Rules for this IP address on your VCN's subnets. If you used a dynamic address, you would have to update the ingress rules each time the address was reassigned.

    The Dynamic IP Address field is mandatory. Do not change the default value, similar to When specifying the value for your static network, use a similar value, such as
  4. In the Routing section, select Yes, using Routing and add the CIDR blocks of the private and public subnets to which the VPN clients require access. These are the CIDR blocks of the subnets attached to your VCN. For example: and
  5. Click Save Settings to save your changes.
  6. From the navigation menu, select User Management, then User Permissions
    The User Permissions dialog is displayed.
  7. Enter a username in the New Username field, and click the More Settings icon in the adjacent column.
    The New User Settings pane is displayed.
  8. Add the following:
    • Password: specify a password for the new user.
    • Select IP Addressing: select Use Static.
    • VPN Static IP Address: define the IP address to assign to this user. This IP address must be in the range defined in the Static IP Address Network field of the VPN Configuration.
    • Select addressing method: select Use Routing.
    • Allow access to these networks: enter the IP addresses of the public and private subnets, as described in the Routing section of the VPN configuration.
  9. Save the user. Log out, and log in using the new user's credentials. Download the profile, client.ovpn, using the Yourself (user-locked profile) link at the bottom of the page.
Import the profile to the OpenVPN client. See the OpenVPN documentation for more information. You must now configure your network to accept connections from the OpenVPN Access Server. For more information, see Configuring the VCN for OpenVPN Connections.

Configuring the VCN for OpenVPN Connections

Configure route and ingress rules for the VPN connections.

This task assumes the following:
To configure the VCN to accept connections from the OpenVPN Access Server, do the following:
  1. Navigate to your VCN and open the Route Table for the private subnet.
  2. Select Add Route Rules and add the following:
    • Target Type: select Private IP.
    • Destination Type: select CIDR Block.
    • Destination CIDR Block: enter the CIDR block you defined in the Static IP Address Network field of the OpenVPN Access Server's VPN Settings.
    • Target Selection: enter the private IP address of the OpenVPN Access Server's Compute instance.
  3. Save the changes and navigate to the Security List Details page of your private subnet.
  4. Add ingress rules for the VPNs Static IP addresses and the MySQL ports (3306 and 33060 are the defaults).