Enhanced Security for Outbound Connections with Private Endpoints

When you define a private endpoint for your Autonomous Database instance, you can provide enhanced security by setting a database property that enforces that all outgoing connections to a target host are subject to, and limited by, the private endpoint's egress rules. You define egress rules in the Virtual Cloud Network (VCN) security list or in the Network Security Group (NSG) associated with the Autonomous Database instance private endpoint.

Before you set this database property, configure your Autonomous Database instance to use a private endpoint. See Configure Private Endpoints for more information.

Set the ROUTE_OUTBOUND_CONNECTIONS database property to PRIVATE_ENDPOINT to specify that all outgoing connections are subject to the Autonomous Database instance private endpoint VCN's egress rules. With the value PRIVATE_ENDPOINT the database restricts outgoing connections to locations specified by the private endpoint's egress rules.

Note:

When ROUTE_OUTBOUND_CONNECTIONS is not set to PRIVATE_ENDPOINT, all outgoing connections to the public internet pass through the Network Address Translation (NAT) Gateway of the service VCN. In this case, if the target host is on a public endpoint, the outgoing connections are not subject to the Autonomous Database instance private endpoint VCN or NSG egress rules.

When you configure a private endpoint for your Autonomous Database instance and set ROUTE_OUTBOUND_CONNECTIONS to PRIVATE_ENDPOINT, this setting changes the handling of outbound connections for the following:

  • Database links

  • APEX_LDAP, APEX_MAIL, and APEX_WEB_SERVICE

  • UTL_HTTP, UTL_SMTP, and UTL_TCP

  • DBMS_LDAP

To set ROUTE_OUTBOUND_CONNECTIONS:

  1. Connect to your database.
  2. Set the database property ROUTE_OUTBOUND_CONNECTIONS.

    For example:

    ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = 'PRIVATE_ENDPOINT';

Notes for setting ROUTE_OUTBOUND_CONNECTIONS:

  • Use the following command to restore the default parameter value:

    ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = '';
  • Use the following command to query the current parameter value:

    SELECT * FROM DATABASE_PROPERTIES
            WHERE PROPERTY_NAME = 'ROUTE_OUTBOUND_CONNECTIONS';

    If the property is not set, the query returns no rows.

  • This property only applies for database links that you create after you set the property to the value PRIVATE_ENDPOINT. Thus, database links that you created prior to setting the property continue to use the NAT Gateway of the service VCN and are not subject to the Autonomous Database instance private endpoint's egress rules.

  • Only set ROUTE_OUTBOUND_CONNECTIONS to the value PRIVATE_ENDPOINT when you are using Autonomous Database with a private endpoint.

  • By default, when you are accessing other private endpoints, the connection is subject to your VCN's egress rules. Setting ROUTE_OUTBOUND_CONNECTIONS has no effect in this case. The ROUTE_OUTBOUND_CONNECTIONS property applies when you want outgoing connections to follow the private endpoint egress rules even when accessing public endpoints.
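As an added example (not part of this Oracle documentation), the following SQL combines the documented query with the checks a practitioner typically wants before relying on this setting: a reading of the property that is visible even when it is unset, an inventory of existing database links by creation time (older links stay on the NAT Gateway route and must be recreated), and a PL/SQL guard that stops a deployment script when the property is not PRIVATE_ENDPOINT. It assumes a SQL*Plus or SQLcl session with access to DATABASE_PROPERTIES and ALL_DB_LINKS; the error number -20001 and the message text are chosen here.

```sql
-- Added example, not from the Oracle documentation: pre-deployment checks
-- for an Autonomous Database instance that uses a private endpoint.

-- 1. Report the property even when it is unset. The documented query
--    returns no rows in that case; MAX() over an empty set yields NULL,
--    which NVL maps to a readable marker.
SELECT NVL(MAX(PROPERTY_VALUE), '<not set: NAT Gateway route>') AS route_outbound_connections
  FROM DATABASE_PROPERTIES
 WHERE PROPERTY_NAME = 'ROUTE_OUTBOUND_CONNECTIONS';

-- 2. Inventory database links visible to this user with their creation
--    time. Links created before the property was set keep using the
--    service VCN NAT Gateway, so any link older than the change must be
--    dropped and recreated to fall under the private endpoint egress rules.
SELECT OWNER, DB_LINK, HOST, CREATED
  FROM ALL_DB_LINKS
 ORDER BY CREATED;

-- 3. Guard block: fail fast if the property is not PRIVATE_ENDPOINT, so a
--    deployment script does not create links that bypass the egress rules.
--    Error number -20001 and the message are assumptions of this example.
DECLARE
  l_value DATABASE_PROPERTIES.PROPERTY_VALUE%TYPE;
BEGIN
  SELECT MAX(PROPERTY_VALUE)
    INTO l_value
    FROM DATABASE_PROPERTIES
   WHERE PROPERTY_NAME = 'ROUTE_OUTBOUND_CONNECTIONS';

  IF l_value IS NULL OR l_value <> 'PRIVATE_ENDPOINT' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'ROUTE_OUTBOUND_CONNECTIONS is ' || NVL(l_value, '<not set>') ||
      '; set it to PRIVATE_ENDPOINT before creating database links.');
  END IF;
END;
/
```

Run the guard block at the top of any script that creates database links or configures UTL_HTTP, UTL_SMTP, UTL_TCP, DBMS_LDAP, or APEX outbound calls; the link inventory gives you the list of links whose creation time predates the property change and therefore need to be recreated.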

See NAT Gateway for more information on Network Address Translation (NAT) gateway.