Create Database Links from Autonomous Database to an Autonomous Database on a Private Endpoint

You can create database links from an Autonomous Database to a target Autonomous Database that is on a private endpoint.

Note:

Database links from an Autonomous Database to a target Autonomous Database that is on a private endpoint are only supported in commercial regions and US Government regions.

This feature is enabled by default in all commercial regions.

This feature is enabled by default in US Government regions for newly provisioned databases.

For existing US Government databases on a private endpoint, if you want to create database links from an Autonomous Database to a target in a US Government region, you can file a Service Request at Oracle Cloud Support and request to enable the private endpoint in government regions database linking feature.

US Government regions include the following:

• Oracle Cloud Infrastructure US Government Cloud with FedRAMP Authorization
• Oracle Cloud Infrastructure US Federal Cloud with DISA Impact Level 5 Authorization

Depending on configuration of the target Autonomous Database, you have these options:

• Create Database Links to a Target Autonomous Database on a Private Endpoint without a Wallet (TLS)

• Create Database Links to a Target Autonomous Database on a Private Endpoint with a Wallet (mTLS)

See How to Create a Database Link from Your Autonomous Database to a Database Cloud Service Instance for more information.

Topics

• Prerequisites for Database Links from Autonomous Database to a Target Autonomous Database on a Private Endpoint
  Lists the prerequisites to create database links to a target Autonomous Database that is on a private endpoint.
• Create Database Links to a Target Autonomous Database on a Private Endpoint without a Wallet (TLS)
  You can create database links from an Autonomous Database to a target Autonomous Database that is on a private endpoint and connect without a wallet (TLS).
• Create Database Links to a Target Autonomous Database on a Private Endpoint with a Wallet (mTLS)
  You can create database links from an Autonomous Database to a target Autonomous Database that is on a private endpoint (mTLS).

Prerequisites for Database Links from Autonomous Database to a Target Autonomous Database on a Private Endpoint

Lists the prerequisites to create database links to a target Autonomous Database that is on a private endpoint.

To create a database link to a target Autonomous Database on a private endpoint:

• The target database must be accessible from the source database's Oracle Cloud Infrastructure VCN. For example, you can connect to the target database when:

  • The target database is on a private endpoint.

  • Both the source database and the target database are in the same Oracle Cloud Infrastructure VCN.

  • The source database and the target database are in different Oracle Cloud Infrastructure VCNs that are paired.

  • The target database is connected to the source database's Oracle Cloud Infrastructure VCN using FastConnect or VPN.

• For a target on a private endpoint, DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK supports specifying a single hostname with the hostname parameter. On a private endpoint, using an IP address, SCAN IP, or a SCAN hostname is not supported (when the target is on a public endpoint, CREATE_DATABASE_LINK supports using an IP address, a SCAN IP, or a SCAN hostname).

• DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK does not support a value of localhost for the hostname parameter.

• The following ingress and egress rules must be defined for the private endpoint:

  • Define an egress rule in the source database's subnet security list or network security group such that the traffic over TCP is allowed to the target database's IP address and port number.

  • Define an ingress rule in the target database's subnet security list or network security group such that the traffic over TCP is allowed from the source database IP address to the destination port.

  See Configure Network Access with Private Endpoints for information on configuring private endpoints with ingress and egress rules.

Note:

When your Autonomous Database instance is configured with a private endpoint, set the ROUTE_OUTBOUND_CONNECTIONS database property to 'PRIVATE_ENDPOINT' to specify that all outgoing database links are subject to the Autonomous Database instance private endpoint VCN's egress rules. See Enhanced Security for Outbound Connections with Private Endpoints for more information.

Create Database Links to a Target Autonomous Database on a Private Endpoint without a Wallet (TLS)

You can create database links from an Autonomous Database to a target Autonomous Database that is on a private endpoint and connect without a wallet (TLS).

Perform the prerequisite steps, as required. See Prerequisites for Database Links from Autonomous Database to a Target Autonomous Database on a Private Endpoint for details.

To create a database link to a target Autonomous Database on a private endpoint without a wallet:

1. If you have not already done so, enable TLS connections on your Autonomous Database instance.

   See Update your Autonomous Database Instance to Allow both TLS and mTLS Authentication for details.

2. Create credentials to access the target Autonomous Database instance. The username and password you specify with DBMS_CLOUD.CREATE_CREDENTIAL are the credentials for the target database used within the database link, (where the target database is accessed through the VCN).

   For example:

   BEGIN
        DBMS_CLOUD.CREATE_CREDENTIAL(
            credential_name => 'PRIVATE_ENDPOINT_CRED',
            username => 'NICK',
            password => 'password'
            );
   END;
   /

   The characters in the username parameter must be all uppercase letters.

   Note:

   You can use a vault secret credential for the target database credential in a database link. See Use Vault Secret Credentials for more information.

   This operation stores the credentials in the database in an encrypted format. You can use any name for the credential name.

3. Create the database link to the target database using DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

   For example:

   BEGIN
        DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
            db_link_name => 'PRIVATE_ENDPOINT_LINK', 
            hostname => 'exampleHostname',
            port => '1521',
            service_name => 'example_high.adb.oraclecloud.com',
            credential_name => 'PRIVATE_ENDPOINT_CRED',
            directory_name => NULL,
            private_target => TRUE);
   END;
   /

   For a target on a private endpoint, DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK supports specifying a single hostname with the hostname parameter. On a private endpoint, using an IP address, SCAN IP, or a SCAN hostname is not supported (when the target is on a public endpoint, CREATE_DATABASE_LINK supports using an IP address, a SCAN IP, or a SCAN hostname).

   Users other than ADMIN require privileges to run DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

   As shown in the example, to create a database link with DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK to a target database on a private endpoint without a wallet, all of the following are required:

   • The directory_name parameter must be NULL.

   • The ssl_server_cert_dn parameter can either be omitted or if included, specify a NULL value.

   • The private_target parameter must be TRUE.

     Note:

     If you set ROUTE_OUTBOUND_CONNECTIONS to PRIVATE_ENDPOINT, setting the private_target parameter to TRUE is not required in this API. See Enhanced Security for Outbound Connections with Private Endpoints for more information.
4. Use the database link you created to access data in the target database.

   For example:

   SELECT * FROM employees@PRIVATE_ENDPOINT_LINK;
                 

Note:

For the credentials you create in Step 1, the Oracle Database credentials, if the password of the target user changes you can update the credential that contains the target user's credentials as follows:

BEGIN
     DBMS_CLOUD.UPDATE_CREDENTIAL (
         credential_name => 'DB_LINK_CRED',
         attribute => 'PASSWORD',
         value => 'password');
END;
/

Where password is the new password.

After this operation, the existing database links that use this credential continue to work without having to drop and recreate the database links.

See CREATE_DATABASE_LINK Procedure for additional information.

Create Database Links to a Target Autonomous Database on a Private Endpoint with a Wallet (mTLS)

You can create database links from an Autonomous Database to a target Autonomous Database that is on a private endpoint (mTLS).

Perform the prerequisite steps, as required. See Prerequisites for Database Links from Autonomous Database to a Target Autonomous Database on a Private Endpoint for details.

To create a database link to a target Autonomous Database on a private endpoint, with a wallet:

1. Copy your target database wallet, cwallet.sso, containing the certificates for the target database to Object Store.

   Note:

   The wallet file, along with the Database user ID and password provide access to data in the target Oracle database. Store wallet files in a secure location. Share wallet files only with authorized users.
2. Create credentials to access your Object Store where you store the cwallet.sso. See CREATE_CREDENTIAL Procedure for information about the username and password parameters for different object storage services.
3. Create a directory on Autonomous Database for the wallet file cwallet.sso.

   For example:

   CREATE DIRECTORY wallet_dir AS 'directory_path_of_your_choice';
                 

   See Create Directory in Autonomous Database for information on creating directories.

4. Use DBMS_CLOUD.GET_OBJECT to upload the target database wallet to the directory you created in the previous step, WALLET_DIR.

   For example:

   BEGIN 
       DBMS_CLOUD.GET_OBJECT(
           credential_name => 'DEF_CRED_NAME',
           object_uri => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/cwallet.sso',
           directory_name => 'WALLET_DIR'); 
   END;
   /

   In this example, namespace-string is the Oracle Cloud Infrastructure object storage namespace and bucketname is the bucket name. See Understanding Object Storage Namespaces for more information.

   Note:

   The credential_name you use in this step is the credentials for the Object Store. In the next step you create the credentials to access the target database.
5. On Autonomous Database create credentials to access the target database. The username and password you specify with DBMS_CLOUD.CREATE_CREDENTIAL are the credentials for the target database used within the database link, (where the target database is accessed through the VCN).

   Note:

   Supplying the credential_name parameter is required.

   For example:

   BEGIN
       DBMS_CLOUD.CREATE_CREDENTIAL(
          credential_name => 'DB_LINK_CRED',
          username => 'NICK',
          password => 'password');
   END;
   /

   The characters in the username parameter must be all uppercase letters.

   Note:

   You can use a vault secret credential for the target database credential in a database link. See Use Vault Secret Credentials for more information.

   This operation stores the credentials in the database in an encrypted format. You can use any name for the credential name.

6. Create the database link to the target database using DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

   For example:

   BEGIN
       DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
           db_link_name => 'PEDBLINK1', 
           hostname => 'example1.adb.ap-osaka-1.oraclecloud.com',
           port => '1522',
           service_name => 'example_high.adb.oraclecloud.com',
           ssl_server_cert_dn => 'ssl_server_cert_dn',
           credential_name => 'DB_LINK_CRED',
           directory_name => 'WALLET_DIR',
           private_target => TRUE);
   END;
   /

   Note:

   If you set ROUTE_OUTBOUND_CONNECTIONS to PRIVATE_ENDPOINT, setting the private_target parameter to TRUE is not required in this API. See Enhanced Security for Outbound Connections with Private Endpoints for more information.

   For a target on a private endpoint, DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK supports specifying a single hostname with the hostname parameter. On a private endpoint, using an IP address, SCAN IP, or a SCAN hostname is not supported (when the target is on a public endpoint, CREATE_DATABASE_LINK supports using an IP address, a SCAN IP, or a SCAN hostname).

   DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK does not support a value of localhost for the hostname parameter.

   Users other than ADMIN require privileges to run DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

7. Use the database link you created to access data in the target database.

   For example:

   SELECT * FROM employees@PEDBLINK1;
                 

Note:

For the credentials you create in Step 5, the Oracle Database credentials, if the password of the target user changes you can update the credential that contains the target user's credentials as follows:

BEGIN
    DBMS_CLOUD.UPDATE_CREDENTIAL (
        credential_name => 'DB_LINK_CRED',
        attribute => 'PASSWORD',
        value => 'password');
END;
/

Where password is the new password.

After this operation, the existing database links that use this credential continue to work without having to drop and recreate the database links.

See CREATE_DATABASE_LINK Procedure for additional information.