Private Endpoints Configuration Examples on Autonomous Database

Shows several Private Endpoint (VCN) configuration samples for Autonomous Database.

This section includes the following:

  • Sample 1: Connecting from Inside Oracle Cloud Infrastructure VCN

  • Sample 2: Connecting from Your Data Center to Autonomous Database

Sample 1: Connecting from Inside Oracle Cloud Infrastructure VCN

This example demonstrates an application running inside Oracle Cloud Infrastructure on a virtual machine (VM) in the same VCN that hosts the private endpoint of your Autonomous Database.

Figure: adb_private_endpoint1.png

There is an Autonomous Database instance which has a private endpoint in the VCN named "Your VCN". The VCN includes two subnets: "SUBNET B" (CIDR 10.0.1.0/24) and "SUBNET A" (CIDR 10.0.2.0/24).

The Network Security Group (NSG) associated with the Autonomous Database instance is shown as "NSG 1 - Security Rules". This Network Security Group defines security rules that allow incoming and outgoing traffic to and from the Autonomous Database instance. Define a rule for the Autonomous Database instance as follows:

  • A stateful ingress rule to allow connections from the source to the Autonomous Database instance; the source is set to the address range you want to allow to connect to your database, IP Protocol is set to TCP, and the Destination Port Range is set to 1522.

The following figure shows a sample stateful security rule to control traffic for the Autonomous Database instance:

Figure: adb_private_vcn_nsg_stateful1.png

The application connecting to the Autonomous Database is running on a VM in SUBNET B. You also add security rules for the VM (shown with the label "NSG 2 Security Rules"). Because the rule for the VM is stateful, a single egress rule in NSG 2 that allows traffic to the destination SUBNET A is enough; the stateful rule lets the return traffic through without a separate ingress rule.

The following figure shows sample security rules that control traffic for the VM:

Figure: adb_private_vcn_rules2.png

After you configure the security rules, your application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.

See Network Security Groups for information on configuring Network Security Groups.

Sample 2: Connecting from Your Data Center to Autonomous Database

This example demonstrates how to connect privately to an Autonomous Database from your on-premise data center. In this scenario, traffic never goes over the public internet.

Figure: adb_private_endpoint2.png

To connect from your data center, you connect the on-premise network to the VCN with FastConnect and then set up a Dynamic Routing Gateway (DRG). Because the Autonomous Database private endpoint is addressed by a Fully Qualified Domain Name (FQDN) that your on-premise DNS cannot resolve, you add an entry to the /etc/hosts file of the on-premise host that maps the FQDN to the private IP. For example:

/etc/hosts entry -> 10.0.2.7 example.adb.ca-toronto-1.oraclecloud.com

You find the private endpoint IP and the FQDN as follows:

  • The Private IP is shown on the Oracle Cloud Infrastructure console Autonomous Database details page for the instance.

  • The FQDN is shown in the tnsnames.ora file in the Autonomous Database client credential wallet.

Alternatively you can set up a hybrid DNS in Oracle Cloud Infrastructure for DNS name resolution.
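The /etc/hosts mapping above ties two values from different places together: the private IP from the console and the FQDN from the wallet's tnsnames.ora. The following added example (not Oracle's code; the tnsnames.ora text, the private IP 10.0.2.7 and the VCN subnets are constructed from the values in this section) extracts the host and port from each tnsnames.ora alias, checks that all aliases point at one host on the tcps/1522 listener and that the private IP actually lies inside the VCN, and only then emits the hosts line. The `hosts_entry` and `parse_tnsnames` names are this example's own.

```python
"""Derive the /etc/hosts line for an ADB private endpoint from tnsnames.ora.

Added example; it is not part of Oracle's documentation or tooling.  The
tnsnames.ora sample below is constructed in the one-entry-per-line style
that ADB wallets use, with the FQDN and subnets from this section.
"""
import ipaddress
import re

# Constructed sample: two aliases from a wallet, both pointing at the same private endpoint.
SAMPLE_TNSNAMES = """\
example_high = (description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=example.adb.ca-toronto-1.oraclecloud.com))(connect_data=(service_name=example_high.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)))

example_low = (description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=example.adb.ca-toronto-1.oraclecloud.com))(connect_data=(service_name=example_low.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)))
"""

# Subnets of "Your VCN" from Sample 1; the private IP must fall inside one of them.
VCN_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]
ADB_PORT = 1522  # destination port allowed by the NSG rule in the text

# One alias per logical line: "<alias> = (description=...)".
ENTRY_RE = re.compile(r"^(?P<alias>[\w.-]+)\s*=\s*(?P<desc>\(.*\))\s*$", re.M)


def parse_tnsnames(text):
    """Return {alias: {"host", "port", "protocol"}} for every address entry."""
    # Join continuation lines (lines starting with whitespace or "(") onto their alias line.
    flat = re.sub(r"\n(?=[\s(])", "", text)
    entries = {}
    for m in ENTRY_RE.finditer(flat):
        desc = m.group("desc")
        host = re.search(r"\(host\s*=\s*([^)\s]+)\)", desc, re.I)
        port = re.search(r"\(port\s*=\s*(\d+)\)", desc, re.I)
        proto = re.search(r"\(protocol\s*=\s*(\w+)\)", desc, re.I)
        if not (host and port):
            continue  # not an address entry (e.g. an alias with only connect_data)
        entries[m.group("alias")] = {
            "host": host.group(1),
            "port": int(port.group(1)),
            "protocol": proto.group(1).lower() if proto else None,
        }
    return entries


def hosts_entry(entries, private_ip, vcn_cidrs):
    """Build "<ip> <fqdn>" for /etc/hosts after checking the inputs agree.

    Raises ValueError when the wallet names more than one host, when an alias
    does not use tcps on the NSG-allowed port, or when the IP is outside the VCN.
    """
    hosts = {e["host"] for e in entries.values()}
    if len(hosts) != 1:
        raise ValueError(f"expected one private-endpoint host, found {sorted(hosts)}")
    ip = ipaddress.ip_address(private_ip)
    if not any(ip in ipaddress.ip_network(c) for c in vcn_cidrs):
        raise ValueError(f"{ip} is not inside the VCN subnets {vcn_cidrs}")
    for alias, e in entries.items():
        if e["protocol"] != "tcps" or e["port"] != ADB_PORT:
            raise ValueError(f"{alias}: expected tcps/{ADB_PORT}, got {e['protocol']}/{e['port']}")
    return f"{ip} {hosts.pop()}"


if __name__ == "__main__":
    parsed = parse_tnsnames(SAMPLE_TNSNAMES)
    print(hosts_entry(parsed, "10.0.2.7", VCN_SUBNETS))
```

The subnet check catches the common mistake of copying the public IP, or an IP from a different VCN, into /etc/hosts; the port check keeps the wallet and the NSG rule (TCP 1522) in agreement.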

In this example there is a Dynamic Routing Gateway (DRG) between the on-premise data center and "Your VCN". The VCN contains the Autonomous Database. The figure also shows a route table for the VCN subnet associated with the Autonomous Database, with a route rule that sends outgoing traffic destined for CIDR 172.16.0.0/16 through the DRG.

In addition to setting up the DRG, define a Network Security Group (NSG) rule to allow traffic to and from the Autonomous Database, by adding a rule for the data center CIDR range (172.16.0.0/16). In this example, define a security rule in "NSG 1" as follows:

  • Create a stateful rule to allow ingress traffic from the data center. This is a stateful ingress rule with the source set to the data center CIDR range (172.16.0.0/16), IP Protocol set to TCP, and the Destination Port Range set to 1522.
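Both samples end up with the same shape of NSG rule on the database side: stateful, TCP only, destination port 1522 only, and a source no wider than the client network (SUBNET B in Sample 1, the data center CIDR in Sample 2). The following added example (not Oracle's code) audits a list of rules against that design. The rule dictionaries use field names in the shape of OCI security rules (`direction`, `protocol`, `source`, `sourceType`, `isStateless`, `tcpOptions.destinationPortRange`); the sample rule sets are constructed, and `audit_adb_nsg` is this example's own name.

```python
"""Audit NSG ingress rules protecting an Autonomous Database private endpoint.

Added example, not Oracle tooling.  Rule dictionaries mimic the field names of
OCI security rules; the three rule sets below are constructed for Sample 1,
Sample 2, and a deliberately over-permissive NSG.
"""
import ipaddress

ADB_PORT = 1522  # listener port of the private endpoint, per the samples
TCP = "6"        # OCI stores the IP protocol number as a string; "6" is TCP


def _dest_ports(rule):
    """Return (min, max) of the TCP destination port range; all ports if unset."""
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if not rng:
        return 1, 65535
    return rng["min"], rng["max"]


def audit_adb_nsg(rules, allowed_sources):
    """Return (rule_index, message) findings; an empty list means the NSG matches the design.

    allowed_sources: CIDR strings that may reach the database (e.g. the VM's
    subnet or the data center range).  Index -1 marks a finding about the
    whole rule set rather than one rule.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    findings = []
    compliant = 0
    for i, rule in enumerate(rules):
        if rule.get("direction") != "INGRESS":
            continue  # return traffic is handled by statefulness, so egress is not audited here
        problems = []
        if rule.get("isStateless"):
            problems.append("rule is stateless; the samples use stateful ingress rules")
        if rule.get("protocol") != TCP:
            problems.append(f"protocol {rule.get('protocol')!r} is broader than TCP")
        lo, hi = _dest_ports(rule)
        if (lo, hi) != (ADB_PORT, ADB_PORT):
            problems.append(f"destination ports {lo}-{hi} instead of only {ADB_PORT}")
        if rule.get("sourceType") != "CIDR_BLOCK":
            problems.append(f"source type {rule.get('sourceType')!r} is not a CIDR block; review manually")
        else:
            src = ipaddress.ip_network(rule["source"])
            if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
                problems.append(f"source {src} is outside the allowed ranges {allowed_sources}")
        if problems:
            findings.extend((i, p) for p in problems)
        else:
            compliant += 1
    if compliant == 0:
        findings.append((-1, f"no stateful TCP/{ADB_PORT} ingress rule from an allowed source"))
    return findings


def _rule(direction, source, port=ADB_PORT, protocol=TCP, stateless=False):
    """Small constructor for the constructed sample rules below."""
    rule = {"direction": direction, "protocol": protocol, "sourceType": "CIDR_BLOCK",
            "source": source, "isStateless": stateless}
    if port is not None:
        rule["tcpOptions"] = {"destinationPortRange": {"min": port, "max": port}}
    return rule


# Sample 1: ingress from the VM's SUBNET B (10.0.1.0/24) to the database on TCP 1522.
SAMPLE1_RULES = [_rule("INGRESS", "10.0.1.0/24")]
# Sample 2: ingress from the data center range 172.16.0.0/16 via the DRG.
SAMPLE2_RULES = [_rule("INGRESS", "172.16.0.0/16")]
# Over-permissive NSG: stateless, all protocols and ports, from anywhere.
OPEN_RULES = [_rule("INGRESS", "0.0.0.0/0", port=None, protocol="all", stateless=True)]

if __name__ == "__main__":
    for name, rules, allowed in [("sample1", SAMPLE1_RULES, ["10.0.1.0/24"]),
                                 ("sample2", SAMPLE2_RULES, ["172.16.0.0/16"]),
                                 ("open", OPEN_RULES, ["10.0.1.0/24"])]:
        print(name, audit_adb_nsg(rules, allowed) or "OK")
```

Running the audit before (or on a schedule after) applying the rules gives an explicit check that the private endpoint is reachable only from the network the sample intends, rather than from the whole VCN or from every peer behind the DRG.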

The following figure shows the security rule that controls traffic for the Autonomous Database instance:

Figure: adb_private_vcn_nsg_stateful2.png

After you configure the security rule, your on-premise database application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.