Connect to Private Resources

To connect to private resources that are in your virtual cloud network (VCN), use a private endpoint.

Overview

Outbound traffic, also called egress traffic, originates in your Oracle Integration instance and goes to your organization's network or a private cloud. All outbound traffic is routed through an adapter. When you use a private endpoint, the outbound traffic is routed on a private channel that is set up within Oracle Cloud Infrastructure. The traffic never goes through the public internet.

A private endpoint doesn't secure inbound traffic, also called ingress traffic, which originates outside Oracle Integration and goes to Oracle Integration. You restrict inbound traffic using access control lists (ACLs), also known as allowlists.

You can secure the following outbound traffic using a private endpoint:

  • Outbound traffic that connects to a private resource in your VCN.
  • Outbound traffic that connects to a public-facing endpoint with an access control list (ACL) that accepts requests from specific IP addresses.

    In such cases, you typically create a private NAT gateway, and the ACL accepts requests only from the IP address of the NAT gateway.

Note:

Because network topologies can vary greatly, Oracle Integration supports and documents only the first scenario. However, other scenarios, such as using a NAT gateway, are possible. Refer to Oracle Integration Blogs for additional use cases.
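The second scenario above depends on the target's allowlist admitting only the egress address that Oracle Integration's traffic leaves from. The following Python model, added here as an illustration and not part of Oracle's documentation, shows how such an allowlist is evaluated: entries are single addresses or CIDR blocks, every source address outside them is denied, and malformed addresses are denied rather than crashing the check. The NAT gateway address and the sample requests are constructed placeholder values, not real addresses from any deployment.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """A minimal inbound request as seen by the public-facing endpoint."""
    source_ip: str
    path: str

def build_allowlist(entries):
    """Parse ACL entries (single IPs or CIDR blocks, v4 or v6) into networks.

    strict=False lets an entry such as '10.0.0.5/24' be accepted as its
    containing network instead of raising, which mirrors how most ACL
    consoles normalise host bits.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]

def is_allowed(allowlist, source_ip):
    """Return True only if source_ip is inside at least one allowlisted network.

    A source string that is not a valid IP address is treated as denied:
    failing closed is the safe default for an access control check.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in network for network in allowlist)

def evaluate(allowlist, requests):
    """Map each request's source address to 'allow' or 'deny'."""
    return {req.source_ip: ("allow" if is_allowed(allowlist, req.source_ip) else "deny")
            for req in requests}

# Constructed placeholder: the fixed IP of a private NAT gateway that all
# egress from the integration instance would appear to come from.
# 203.0.113.0/24 is a documentation range and not a real gateway.
NAT_GATEWAY_IP = "203.0.113.10"

# The target's ACL: only the NAT gateway address, as a /32, is admitted.
TARGET_ACL = build_allowlist([f"{NAT_GATEWAY_IP}/32"])

# Constructed sample traffic: one request via the gateway, two that are not.
SAMPLE_REQUESTS = [
    Request(NAT_GATEWAY_IP, "/api/orders"),
    Request("198.51.100.7", "/api/orders"),   # unrelated public source
    Request("203.0.113.11", "/api/orders"),   # adjacent address, still denied
    Request("not-an-ip", "/api/orders"),      # malformed, fails closed
]

if __name__ == "__main__":
    for src, decision in evaluate(TARGET_ACL, SAMPLE_REQUESTS).items():
        print(f"{src:>15}  {decision}")
```

Because the allowlist is a single /32, widening the egress path (for example, letting traffic leave from a range of ephemeral addresses) would force the target's ACL to widen in step, which is the trade-off a fixed NAT gateway address avoids.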

Another option for connecting to resources on your on-premises network is the connectivity agent. Keep reading to learn when to use each option.

Differences between private endpoints and the connectivity agent

The table below compares the two options, area by area.

Area: Usage

  Private endpoint:

    • Use a private endpoint to connect to resources in a single subnet within a VCN.
    • The private endpoint can route traffic through a private NAT gateway, if your organization requires it.

      This scenario is not documented in this guide or supported by Oracle Integration. Refer to Oracle Integration Blogs for use cases such as this one.

  Connectivity agent:

    Use the connectivity agent to connect to resources on your on-premises network.

Area: Security

  Private endpoint:

    Oracle Integration routes traffic and packages through the private endpoint. All traffic stays on your private network without going over the public internet.

  Connectivity agent:

    Oracle Integration routes traffic over the public internet.

Area: Setup and maintenance

  Private endpoint:

    Before you can create a private endpoint, complete the prerequisite tasks. These tasks can take some time and require your organization's networking team. However, most of this work might already be complete. For example, if you have resources in your private Oracle Cloud Infrastructure tenancy, you already have a VCN and subnet, which are required.

    After completing all prerequisite tasks, configure the private endpoint. Configure only one private endpoint per Oracle Integration instance.

  Connectivity agent:

    Setup of the connectivity agent is fast. Create a virtual machine (VM) on your private network to host the connectivity agent, and then install the connectivity agent on the VM.

    The connectivity agent requires ongoing maintenance and management. For example, you must manage the VM and the upgrade cycles of the connectivity agent.

    See About the Connectivity Agent in Using Integrations in Oracle Integration 3.

Area: Adapter support

  Private endpoint:

    All outbound traffic from Oracle Integration goes through a connection that is based on an adapter. Therefore, although you create a private endpoint for an instance as a whole, securing outbound traffic with the private endpoint is available on an adapter-by-adapter basis.

    See Adapters that Support Connecting to Private Endpoints in Using Integrations in Oracle Integration 3.

  Connectivity agent:

    Similarly, outbound traffic for the connectivity agent goes through a connection that is based on an adapter. The connectivity agent works with a number of adapters.

    See About the Connectivity Agent.

How to use the private endpoint in a connection

To use the private endpoint to connect to a private resource, select the Private endpoint option in the Access type section of the Connections page when you create the connection. No other configuration is needed in the connection itself.

Within an integration, use different connection types as needed. For example, one connection can use the connectivity agent for a resource that's on your on-premises network, while another connection can use a private endpoint for a resource that's in your VCN.

See Create a Connection in Using Integrations in Oracle Integration 3.

Architecture diagram of private endpoints

The following diagram illustrates how you can connect to private resources using a private endpoint.

Your tenancy is in the Oracle Cloud. Your tenancy contains several resources, including your Oracle Integration instance and a VCN, which contains a private subnet. The Oracle Integration instance contains an integration that has a connection based on the Oracle ATP Adapter. Outbound traffic from the Oracle Integration instance flows over a secure connection through the private endpoint and connects to the Virtual Network Interface Card (VNIC), which is in the VCN. The VNIC allows for a connection to an Oracle Autonomous Database (ATP) in the subnet.