Configure an Access Control List with Autonomous Database

You can control and restrict access to your Autonomous Database by setting network access control lists (ACLs).

To add an ACL when you provision your Autonomous Database, under Choose network access select Configure access control rules, and then enter rules as described in Step 2, Step 3, and Step 4 below.

See Provision Autonomous Transaction Processing for information on provisioning your Autonomous Database.

To add or change ACLs for an Autonomous Database instance, do the following:

  • Sign in to your Oracle Cloud Account at cloud.oracle.com.

  • From the Oracle Cloud Infrastructure left navigation list click Autonomous Transaction Processing.

  • On the Autonomous Databases page select an Autonomous Transaction Processing instance from the links under the Name column.

  1. On the Details page, from the More Actions drop-down list, select Access Control List.
  2. On the Edit Access Control List page select from the choices:
    • IP Address:

      In the Values field, enter the IP address. An IP address in a network ACL entry is the public IP address of the client, as seen on the public internet, to which you want to grant access. For example, for an Oracle Cloud Infrastructure VM this is the address shown in the Public IP field on the Oracle Cloud Infrastructure console page for that VM.

    • CIDR Block:

      In the Values field, enter the CIDR block. The CIDR block is the public CIDR block, as seen on the public internet, of the clients to which you want to grant access.

    • Virtual Cloud Network:
      • In the Virtual Cloud Network field, select the VCN from which you want to grant access. If you do not have the privileges to see the VCNs in your tenancy, this list is empty; in that case use the Virtual Cloud Network (OCID) selection to specify the OCID of the VCN.
      • Optionally, in the IP Addresses or CIDRs field, enter private IP addresses or private CIDR blocks as a comma-separated list to allow only specific clients in the VCN.
    • Virtual Cloud Network (OCID):
      • In the Values field, enter the OCID of the VCN from which you want to grant access.
      • Optionally, in the IP Addresses or CIDRs field, enter private IP addresses or private CIDR blocks as a comma-separated list to allow only specific clients in the VCN.


  3. Click + Another Entry to add a new value to the access control list.
  4. Click x to remove an entry.
    You can also clear the value in the IP Addresses or CIDR Blocks field to remove an entry.
  5. Click Save Changes.

If the Lifecycle State is Available when you click Save Changes, the Lifecycle State changes to Updating until the ACL is set. The database stays up and accessible during the update; there is no downtime. When the update is complete, the Lifecycle State returns to Available and the network ACLs from the access control list are in effect.

Access Control List Notes:

  • If you want to allow only connections coming through a service gateway, you need to use the IP address of the service gateway in your ACL definition. To do this, add an ACL entry with the CIDR source type and the value 240.0.0.0/4. This is not recommended: that range covers service gateway traffic in general rather than a specific VCN, so it is much broader than it looks. Instead, specify individual VCNs in your ACL definition for the VCNs you want to allow access from.

    See Access to Oracle Services: Service Gateway for more information.

  • When you restore a database the existing ACLs are not overwritten by the restore.

  • The network ACLs apply to database connections and to Oracle Machine Learning notebooks. If an ACL is defined and you try to log in to Oracle Machine Learning from a client whose IP address is not in the ACL, you get the error "login rejected based on access control list set by the administrator".

  • Oracle Application Express (APEX), RESTful services, and SQL Developer Web are subject to ACLs. You can use Virtual Cloud Network, Virtual Cloud Network (OCID), IP address, or CIDR block ACLs to control access to these tools.

  • The Autonomous Transaction Processing Service console is not subject to ACLs.

  • If you have a private subnet in your VCN that is configured to access the public internet through a NAT Gateway, you need to enter the public IP address of the NAT Gateway in your ACL definition. Clients in the private subnet do not have public IP addresses, so the database sees their traffic as coming from the NAT Gateway's public address; entering the clients' private addresses in an IP Address or CIDR Block entry matches nothing. See NAT Gateway for more information.
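The following Python is an added example (not Oracle's code and not part of this page) that models the ACL entries from the procedure above together with the checks the notes imply: it builds the entry list, lints it for the mistakes the notes warn about (a 240.0.0.0/4 service gateway entry, private addresses in a public IP/CIDR entry, a catch-all block), and evaluates whether a given client would be admitted. The "<vcn-ocid>;<ip-or-cidr>" entry syntax, the OCID pattern, the assumption that an empty ACL means unrestricted access, and the sample addresses and OCID are all assumptions or constructed values, not taken from the page.

```python
"""Model Autonomous Database network ACL entries: build the list, lint it,
and check whether a client would be admitted. Added example, not Oracle's code.
Assumed, not from the page: the "<vcn-ocid>;<ip-or-cidr>" entry syntax, the
OCID pattern, and that an empty ACL leaves access unrestricted."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Range a service gateway entry uses (from the page); it is not specific to one VCN.
SERVICE_GATEWAY_CIDR = ipaddress.ip_network("240.0.0.0/4")
# RFC 1918 ranges: a client behind a NAT gateway never presents these to the database.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed shape of a VCN OCID (real OCIDs are opaque); this only catches obvious typos.
VCN_OCID_RE = re.compile(r"^ocid1\.vcn\.oc\d+\.[a-z0-9-]*\.[a-z0-9]+$")


def _fmt(net: Net) -> str:
    """Render a single host as a bare address and anything else as CIDR."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


@dataclass
class AclEntry:
    """One row of the Edit Access Control List page."""
    network: Optional[Net] = None              # IP Address / CIDR Block entry (public side)
    vcn_ocid: Optional[str] = None             # Virtual Cloud Network (OCID) entry
    vcn_sources: List[Net] = field(default_factory=list)  # optional private IPs/CIDRs in that VCN

    def to_api_values(self) -> List[str]:
        """Strings in the assumed API list format, one per VCN source."""
        if self.network is not None:
            return [_fmt(self.network)]
        if not self.vcn_sources:
            return [self.vcn_ocid]
        return [f"{self.vcn_ocid};{_fmt(s)}" for s in self.vcn_sources]


def parse_entry(value: str) -> AclEntry:
    """Parse '203.0.113.7', '198.51.100.0/24', '<ocid>' or '<ocid>;10.0.1.0/24,10.0.2.15'."""
    value = value.strip()
    if value.startswith("ocid1.vcn."):
        ocid, _, rest = value.partition(";")
        if not VCN_OCID_RE.match(ocid):
            raise ValueError(f"malformed VCN OCID: {ocid}")
        sources = [ipaddress.ip_network(s.strip(), strict=False) for s in rest.split(",") if s.strip()]
        return AclEntry(vcn_ocid=ocid, vcn_sources=sources)
    return AclEntry(network=ipaddress.ip_network(value, strict=False))


def lint(entries: List[AclEntry]) -> List[str]:
    """Warn about entries that are broader or narrower than the author probably intended."""
    warnings = []
    for e in entries:
        n = e.network
        if n is None:
            for s in e.vcn_sources:  # VCN sources are private addresses inside the VCN
                if not any(s.subnet_of(p) for p in RFC1918 if p.version == s.version):
                    warnings.append(f"{e.vcn_ocid};{_fmt(s)}: VCN sources should be private addresses in the VCN")
            continue
        if n.prefixlen == 0:
            warnings.append(f"{_fmt(n)}: admits every client; the ACL restricts nothing")
        elif n.version == 4 and n.subnet_of(SERVICE_GATEWAY_CIDR):
            warnings.append(f"{_fmt(n)}: service gateway range, not a specific VCN; prefer a VCN entry")
        elif any(n.subnet_of(p) for p in RFC1918 if p.version == n.version):
            warnings.append(f"{_fmt(n)}: private address in a public entry; use the client's public IP "
                            f"(e.g. the NAT gateway), otherwise this matches nobody")
    return warnings


def is_allowed(entries: List[AclEntry], *, public_ip: Optional[str] = None,
               vcn_ocid: Optional[str] = None, private_ip: Optional[str] = None) -> bool:
    """Internet clients are identified by public IP (the NAT gateway's for a private subnet);
    VCN clients by VCN OCID plus private IP. Empty ACL means unrestricted (assumption)."""
    if not entries:
        return True
    if public_ip is not None:
        ip = ipaddress.ip_address(public_ip)
        if any(e.network is not None and ip in e.network for e in entries):
            return True
    if vcn_ocid is not None:
        ip = ipaddress.ip_address(private_ip) if private_ip else None
        for e in entries:
            if e.vcn_ocid != vcn_ocid:
                continue
            if not e.vcn_sources or (ip is not None and any(ip in s for s in e.vcn_sources)):
                return True
    return False


def build_example_acl() -> List[AclEntry]:
    """Constructed sample: one office IP, one partner CIDR, one VCN narrowed to an app subnet."""
    return [parse_entry(v) for v in (
        "203.0.113.7",
        "198.51.100.0/24",
        "ocid1.vcn.oc1.iad.aaaaexamplevcn;10.0.1.0/24,10.0.2.15",
    )]


if __name__ == "__main__":
    acl = build_example_acl()
    print([v for e in acl for v in e.to_api_values()])
    print(lint(acl), lint([parse_entry("240.0.0.0/4"), parse_entry("10.0.0.5")]))
    print(is_allowed(acl, public_ip="203.0.113.7"),
          is_allowed(acl, vcn_ocid="ocid1.vcn.oc1.iad.aaaaexamplevcn", private_ip="10.0.3.1"))
```

The lint mirrors the notes above: a private address typed into an IP Address or CIDR Block entry can never match, because the database only ever sees the client's public address, and the 240.0.0.0/4 entry is flagged because the page recommends naming VCNs instead. The strings returned by `to_api_values` are in the form this example assumes the API's whitelisted-IP list takes; check them against the Console before relying on them.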