Change from Public to Private Endpoints with Autonomous Database

If your Autonomous Database instance is configured to use a public endpoint, you can change the configuration to a private endpoint.

  1. On the Details page, from the More Actions drop-down list, select Update Network Access.

    To change an instance from a public to a private endpoint, the Autonomous Database instance must be in the Available state (Lifecycle State: Available).

  2. In the Update Network Access dialog, select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.

    Note:

    If you select Private endpoint access only, connections are allowed only from the specified private network (VCN), from peered VCNs, and from on-prem networks connected to your VCN. Thus, you can configure an Autonomous Database instance on a private endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.

  3. Select a Virtual cloud network in your compartment or, if the VCN is in a different compartment, click Change Compartment, select the compartment that contains the VCN, and then select a virtual cloud network.

    See VCNs and Subnets for more information.

  4. Select the Subnet in your compartment to attach the Autonomous Database to or, if the Subnet is in a different compartment, click Change Compartment, select the compartment that contains the Subnet, and then select a subnet.

    See VCNs and Subnets for more information.

  5. (Optional) Enter a Hostname prefix.

    This specifies a hostname prefix for the Autonomous Database and associates a DNS name with the database instance, in the following form:

    hostname_prefix.adb.region.oraclecloud.com

    If you do not specify a hostname prefix, a system-generated hostname prefix is supplied.

  6. (Optional) Add Network security groups (NSGs).

    Add one or more NSGs to allow connections to the Autonomous Database instance, and define security rules for the NSGs; this creates a virtual firewall for your Autonomous Database.

    1. Select a Network Security Group in your compartment to attach the Autonomous Database to, or if the Network Security Group is in a different compartment, click Change Compartment and select a different compartment and then select a Network Security Group in that compartment.
    2. Click + Another Network Security Group to add another Network Security Group.
    3. Click x to remove a Network Security Group entry.

    For the NSG you select for the private endpoint, define a security rule as follows:

    • For mutual TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522. See About Mutual TLS (mTLS) Authentication for more information.

    • For TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.

    • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

    Note:

    Incoming and outgoing connections are limited by the combination of ingress and egress rules defined in NSGs and the Security Lists defined with the VCN. When there are no NSGs, ingress and egress rules defined in the Security Lists for the VCN still apply. See Security Lists for more information on working with Security Lists.

    See Private Endpoints Configuration Examples on Autonomous Database for examples.

    See Network Security Groups for more information.

  7. Click Update.
  8. In the Confirm dialog, type the Autonomous Database name to confirm the change.
  9. In the Confirm dialog, click Update.

The Lifecycle State changes to Updating until the operation completes.
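
The NSG rules from step 6 can be checked before you rely on them. The following is an added example, not Oracle's code: it audits a rule list for stateful TCP ingress on the ports this page names and flags rules that are wider than the page describes. It assumes rules are exported as dictionaries using OCI's security-rule field names (direction, protocol, isStateless, source, sourceType, tcpOptions.destinationPortRange); the sample rules are constructed.

```python
import ipaddress

# Ports this page names for the private endpoint's NSG.
PAGE_PORTS = {1522: "mTLS", 1521: "TLS", 443: "APEX, Database Actions, ORDS"}

def port_range(rule):
    """Destination port range of a rule, or None when the rule sets no TCP port limit."""
    return (rule.get("tcpOptions") or {}).get("destinationPortRange")

def covers(rule, port):
    """True if rule is a stateful TCP ingress rule that admits `port`."""
    rng = port_range(rule)
    return (rule.get("direction") == "INGRESS" and rule.get("protocol") == "6"  # "6" = TCP
            and not rule.get("isStateless", False)
            and (rng is None or rng["min"] <= port <= rng["max"]))

def audit(rules, needed_ports):
    """Return (missing_ports, findings); findings are (rule_index, message) pairs."""
    missing = [p for p in needed_ports if not any(covers(r, p) for r in rules)]
    findings = []
    for i, r in enumerate(rules):
        if r.get("direction") != "INGRESS":
            continue
        rng = port_range(r)
        if r.get("isStateless"):
            findings.append((i, "stateless; the page calls for a stateful ingress rule"))
        if (r.get("protocol") != "6" or rng is None
                or any(p not in PAGE_PORTS for p in range(rng["min"], rng["max"] + 1))):
            findings.append((i, "admits traffic other than TCP 1521/1522/443"))
        if (r.get("sourceType") == "CIDR_BLOCK"
                and ipaddress.ip_network(r["source"]).prefixlen == 0):
            findings.append((i, "source is any address, not a chosen range"))
    return missing, findings

# Constructed sample: one rule as described for mTLS, one misconfigured rule for 443.
SAMPLE_RULES = [
    {"direction": "INGRESS", "protocol": "6", "isStateless": False,
     "sourceType": "CIDR_BLOCK", "source": "10.0.1.0/24",
     "tcpOptions": {"destinationPortRange": {"min": 1522, "max": 1522}}},
    {"direction": "INGRESS", "protocol": "6", "isStateless": True,
     "sourceType": "CIDR_BLOCK", "source": "0.0.0.0/0",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 8443}}},
]

if __name__ == "__main__":
    missing, findings = audit(SAMPLE_RULES, [1522, 443])
    print("ports without a stateful TCP ingress rule:", missing)
    for idx, msg in findings:
        print(f"rule {idx}: {msg}")
```

Because Security Lists on the VCN also apply, a clean result for the NSG alone does not describe everything that can reach the subnet.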

Notes for changing from public to private network access:

  • After updating the network access type, all database users must obtain a new wallet and use the new wallet to access the database. See Download Client Credentials (Wallets) for more information.

  • If you had ACLs defined for the public endpoint, the ACLs do not apply for the private endpoint.

  • After you update the network access to use a private endpoint, the URL for the Database Tools differs from the URL used with a public endpoint. You can find the updated URLs on the console after changing from a public endpoint to a private endpoint.