Configure Access Control Lists When You Provision or Clone an Instance

When you provision or clone Autonomous Database with the Secure access from allowed IPs and VCNs only option, you restrict network access by defining an Access Control List (ACL): only clients whose public IP address, CIDR block, or VCN matches an ACL entry can reach the database's public endpoint.

See Provision Autonomous Database for information on provisioning your Autonomous Database.

Configure one or more access control rules (the entries of the ACL), as follows:

  1. In the Choose network access area, select Secure access from allowed IPs and VCNs only.

    With Secure access from allowed IPs and VCNs only selected, the console shows the fields and options to specify ACLs:

    Illustration: adb_network_access_acl_provision.png (the Choose network access area with the ACL fields displayed)
  2. In the Choose network access area, specify the access control rules by selecting an IP notation type and entering Values appropriate for the type you select:
    • IP Address:

      In the Values field, enter the IP address. An IP address in a network ACL entry is the public IP address of the client as it is seen from the public internet, that is, the address from which you want to grant access. For example, for an Oracle Cloud Infrastructure VM, this is the address shown in the Public IP field on the Oracle Cloud Infrastructure console for that VM, not the VM's private address.

      Note:

      Optionally, click Add My IP Address to add the public IP address that your browser currently presents to the console. If you are behind a NAT gateway, proxy, or VPN, confirm that this is also the address from which your database clients reach the internet; if it is not, their connections are refused by the ACL.
    • CIDR Block:

      In the Values field, enter the CIDR block. The CIDR block is the public CIDR block, as seen from the public internet, of the clients that you want to grant access from. Keep the block as small as the clients require; a short prefix grants access to every address in the range.

    • Virtual Cloud Network:

      Use this option to specify the VCN for use with an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

      • In the Virtual Cloud Network field, select the VCN that you want to grant access from. If you do not have the privileges to see the VCNs in your tenancy, this list is empty. In this case, use the Virtual Cloud Network (OCID) selection to specify the OCID of the VCN.
      • Optionally, in the IP Addresses or CIDRs field, enter private IP addresses or private CIDR blocks as a comma-separated list to allow only specific clients in the VCN. If you leave this field empty, every client in the VCN is allowed.
    • Virtual Cloud Network (OCID):

      Use this option to specify the VCN (OCID) for use with an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

      • In the Values field, enter the OCID of the VCN you want to grant access from.
      • Optionally, in the IP Addresses or CIDRs field, enter private IP addresses or private CIDR blocks as a comma-separated list to allow only specific clients in the VCN. If you leave this field empty, every client in the VCN is allowed.

    If you want to specify multiple IP addresses or CIDR ranges within the same VCN, do not create multiple ACL entries. Use one ACL entry with the values for the multiple IP addresses or CIDR ranges separated by commas.

  3. Click + Access Control Rule to add a new value to the access control list.
  4. Click x to remove an entry.
    You can also clear the value in the IP Addresses or CIDR Blocks field to remove an entry.
  5. Require mutual TLS (mTLS) authentication.

    This option is selected by default. Once you have entered at least one ACL entry (an IP notation type and a value), you can deselect it. The settings are:

    • When Require mutual TLS (mTLS) authentication is selected, only mTLS connections are accepted; a connection that uses TLS without a client certificate is rejected. This is the default configuration.

    • You can deselect Require mutual TLS (mTLS) authentication only when your network access has ACLs defined or when your network access is through a Private Endpoint. Otherwise, you cannot change this setting.

      Both TLS and mTLS connections are accepted when Require mutual TLS (mTLS) authentication is deselected. Because a TLS-only client no longer needs the wallet that holds the client certificate, the ACL (or the private endpoint) is then the only network-level control in front of the database login, so keep the allowed addresses as narrow as possible.

    See Update Network Options to Allow TLS or Require Only Mutual TLS (mTLS) Authentication on Autonomous Database for more information.

  6. Complete the remaining provisioning or cloning steps, as specified in Provision Autonomous Database, Clone an Autonomous Database Instance, or Clone Autonomous Database from a Backup.
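The entry rules in the steps above (public addresses for IP and CIDR entries, private addresses only under a VCN entry, a single entry per VCN) are easy to get wrong when an ACL is assembled in a script rather than in the console. The following Python is an added example, not Oracle code and not part of this page: it validates a list of prospective entries with the standard library ipaddress module, rejects a private address used where a public one belongs (and the reverse under a VCN entry), refuses to silently merge a whole-VCN entry with a narrower entry for the same VCN, merges repeated VCN entries into one, and emits strings in the form the OCI API documents for the whitelistedIps field (a VCN OCID optionally followed by ';'-separated private IPs or CIDRs). The OCID, the addresses, and the build_acl, check_public and check_private names are constructed for illustration.

```python
"""Build and sanity-check an Autonomous Database public-endpoint ACL.

Added example, not Oracle's code. Entry strings follow the shape the OCI API
documents for whitelistedIps: a public IP, a public CIDR, or a VCN OCID
optionally followed by ';'-separated private IPs/CIDRs of clients in that VCN.
"""
import ipaddress
import re

# Prefix/shape check only; the unique-id part of a real OCID is longer.
VCN_OCID_RE = re.compile(r"^ocid1\.vcn\.oc\d+\.[a-z0-9-]*\.[a-z0-9]+$")


def _network(text):
    """Parse an IP or CIDR into an ip_network (a bare IP becomes a /32 or /128)."""
    try:
        return ipaddress.ip_network(text.strip(), strict=False)
    except ValueError as exc:
        raise ValueError(f"not an IP address or CIDR block: {text!r}") from exc


def _normalise(net):
    """Render a host network as a bare address and anything else as CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def check_public(text):
    """IP/CIDR ACL entries must be the client's public address as seen from the internet."""
    net = _network(text)
    if not net.is_global:  # RFC1918, loopback, link-local, CGNAT, doc ranges, ...
        raise ValueError(
            f"{text!r} is not a public address; use the address the client presents "
            "on the internet (for an OCI VM, its Public IP), not its private address"
        )
    return _normalise(net)


def check_private(text):
    """Addresses listed under a VCN entry are private VCN addresses, not public ones."""
    net = _network(text)
    if net.is_global:
        raise ValueError(f"{text!r} is public; a VCN entry takes private IPs/CIDRs of the VCN")
    return _normalise(net)


def build_acl(entries):
    """Normalise ACL entries and merge repeated VCN OCIDs into one entry.

    entries: iterable of (kind, value); kind is 'ip', 'cidr' or 'vcn'.
    For 'vcn', value is (ocid, [private ips/cidrs]); an empty list means the whole VCN.
    Returns the list of ACL strings, public entries first, in input order.
    """
    public = []
    vcns = {}  # ocid -> None (whole VCN) or list of private IPs/CIDRs
    for kind, value in entries:
        if kind in ("ip", "cidr"):
            public.append(check_public(value))
        elif kind == "vcn":
            ocid, extras = value
            if not VCN_OCID_RE.match(ocid):
                raise ValueError(f"malformed VCN OCID: {ocid!r}")
            conflict = ValueError(
                f"{ocid} appears both as a whole-VCN entry and with specific addresses; pick one"
            )
            if not extras:
                if vcns.get(ocid):  # a non-empty list of specific addresses already exists
                    raise conflict
                vcns[ocid] = None
            else:
                if ocid in vcns and vcns[ocid] is None:
                    raise conflict
                bucket = vcns.setdefault(ocid, [])
                for extra in extras:
                    norm = check_private(extra)
                    if norm not in bucket:
                        bucket.append(norm)
        else:
            raise ValueError(f"unknown entry kind: {kind!r}")
    acl = list(dict.fromkeys(public))  # drop duplicates, keep order
    for ocid, extras in vcns.items():
        acl.append(";".join([ocid] + (extras or [])))
    return acl


# Constructed sample: placeholder OCID and made-up addresses, not real resources.
SAMPLE = [
    ("ip", "11.22.33.44"),
    ("cidr", "11.22.0.0/16"),
    ("vcn", ("ocid1.vcn.oc1.phx.exampleuniqueid", ["10.0.1.5"])),
    # Same VCN again: merged into the previous entry rather than added as a second one.
    ("vcn", ("ocid1.vcn.oc1.phx.exampleuniqueid", ["10.0.2.0/24"])),
]

if __name__ == "__main__":
    for line in build_acl(SAMPLE):
        print(line)
    try:  # a private client address mistakenly used as a public entry
        build_acl([("ip", "10.0.0.7")])
    except ValueError as exc:
        print("rejected:", exc)
```

Run directly, the script prints the three resulting entries and then the rejection of 10.0.0.7. Note that Python's ipaddress module classifies the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, so IP and CIDR entries have to be real public addresses for check_public to accept them.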

After provisioning completes, you can update public endpoint ACLs or you can change the Autonomous Database configuration to use a private endpoint.

See Configure Access Control Lists for an Existing Autonomous Database Instance for information on updating ACLs.

See Change from Public to Private Endpoints with Autonomous Database for information on changing to a private endpoint.