Configure Private Endpoints When You Provision or Clone an Instance

You can configure a private endpoint when you provision or clone an Autonomous Database instance.

These steps assume you are provisioning or cloning an instance and you have completed the prerequisite steps, and you are at the Choose network access step of the provisioning or cloning steps:

  1. Select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.

    Note:

    If you select Private endpoint access only, this only allows connections from the specified private network (VCN), from peered VCNs, and from on-prem networks connected to your VCN. You can configure an Autonomous Database instance on a private endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.

    If you want to allow connections from public IP addresses, then you need to select either Secure access from everywhere or Secure access from allowed IPs and VCNs only when you provision or clone your Autonomous Database.

  2. Select a Virtual cloud network in your compartment. If the VCN is in a different compartment, click Change Compartment, select the compartment that contains the VCN, and then select a virtual cloud network.

    See VCNs and Subnets for more information.

  3. Select the Subnet in your compartment to attach the Autonomous Database to. If the subnet is in a different compartment, click Change Compartment, select the compartment that contains the subnet, and then select a subnet.

    See VCNs and Subnets for more information.

  4. (Optional) Click Show advanced options to configure additional private endpoint options.
    1. Optionally enter a Private IP address.

      Use this field to enter a custom private IP address. The private IP address you enter must be within the selected subnet's CIDR range.

      If you do not provide a custom private IP address the IP address is automatically assigned.

    2. Optionally enter a Hostname prefix.

      This specifies a hostname prefix for the Autonomous Database and associates a DNS name with the database instance, in the following form:

      hostname_prefix.adb.region.oraclecloud.com

      If you do not specify a hostname prefix, a system generated hostname prefix is supplied.

    3. Optionally add Network security groups (NSGs).

      To allow connections to the Autonomous Database instance, define security rules in an NSG; the NSG acts as a virtual firewall for your Autonomous Database.

      • Select a Network Security Group in your compartment to attach the Autonomous Database to. If the Network Security Group is in a different compartment, click Change Compartment, select that compartment, and then select a Network Security Group in it.
      • Click + Another Network Security Group to add another Network Security Group.
      • Click x to remove a Network Security Group entry.

      For the NSG you select for the private endpoint, define security rules as follows:

      • For mutual TLS (mTLS) authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522. See About Mutual TLS (mTLS) Authentication for more information.

      • For TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.

      • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add a stateful ingress rule for Destination Port Range 443 to the NSG as well.

      Note:

      Incoming and outgoing connections are limited by the combination of ingress and egress rules defined in NSGs and the Security Lists defined with the VCN. When there are no NSGs, ingress and egress rules defined in the Security Lists for the VCN still apply. See Security Lists for more information on working with Security Lists.

      See Private Endpoints Configuration Examples on Autonomous Database for examples.

      See Network Security Groups for more information.

  5. Require mutual TLS (mTLS) authentication.

    The Require mutual TLS (mTLS) authentication options are:

    • When Require mutual TLS (mTLS) authentication is deselected, TLS and mTLS connections are allowed. This is the default configuration.

    • When Require mutual TLS (mTLS) authentication is selected, only mTLS connections are allowed (TLS authentication is not allowed).

    See Update Network Options to Allow TLS or Require Only Mutual TLS (mTLS) Authentication on Autonomous Database for more information.
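The following is an added example, not part of the Oracle documentation, that puts the checks from steps 4 and 5 into code: it validates a custom private IP address against the subnet CIDR (step 4.1) and builds the stateful TCP ingress rules for the private endpoint's NSG (step 4.3) in the JSON shape the OCI CLI accepts for `oci network nsg rules add --security-rules`. The `require_mtls` flag mirrors the Require mutual TLS (mTLS) authentication option from step 5: when mTLS is required, only port 1522 is opened, so the NSG does not expose port 1521 for a connection type the database will refuse anyway. Beyond what the page states, the IP check also rejects the first two and the last address of the subnet, which OCI reserves. All subnet, IP and source ranges are constructed sample values.

```python
import ipaddress
import json

# Ports named on the page: 1522 for mTLS, 1521 for TLS, 443 for APEX/Database Actions/ORDS.
PORT_MTLS = 1522
PORT_TLS = 1521
PORT_HTTPS = 443


def validate_private_ip(ip: str, subnet_cidr: str) -> bool:
    """Return True if ip is a usable custom private address inside subnet_cidr.

    The page requires the address to lie within the subnet's CIDR range; this
    check additionally rejects the first two and the last address of the subnet,
    which OCI reserves (network address, default gateway, broadcast).
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return False
    reserved = {net.network_address, net.network_address + 1, net.broadcast_address}
    return addr not in reserved


def ingress_rule(source_cidr: str, port: int, description: str) -> dict:
    """One stateful TCP ingress rule in the JSON shape accepted by
    `oci network nsg rules add --security-rules`. Protocol "6" is TCP."""
    ipaddress.ip_network(source_cidr, strict=True)  # fail fast on a malformed source range
    return {
        "direction": "INGRESS",
        "isStateless": False,
        "protocol": "6",
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        "description": description,
    }


def build_nsg_rules(source_cidr: str, require_mtls: bool, web_tools: bool) -> list:
    """Build the ingress rules for the NSG attached to the private endpoint.

    require_mtls mirrors the 'Require mutual TLS (mTLS) authentication' option:
    when it is selected only mTLS (1522) is reachable, so 1521 is not opened.
    web_tools adds 443 for Oracle APEX, Database Actions and ORDS.
    """
    rules = [ingress_rule(source_cidr, PORT_MTLS, "Autonomous Database mTLS")]
    if not require_mtls:
        rules.append(ingress_rule(source_cidr, PORT_TLS, "Autonomous Database TLS"))
    if web_tools:
        rules.append(ingress_rule(source_cidr, PORT_HTTPS, "APEX / Database Actions / ORDS"))
    return rules


def allowed_ports(rules: list) -> set:
    """Destination ports opened by a rule list, for a quick least-privilege review."""
    return {r["tcpOptions"]["destinationPortRange"]["min"] for r in rules}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenancy.
    subnet = "10.0.1.0/24"          # subnet chosen in step 3
    custom_ip = "10.0.1.25"         # custom private IP from step 4.1
    on_prem = "192.168.10.0/24"     # address range allowed to connect
    print("private IP ok:", validate_private_ip(custom_ip, subnet))
    rules = build_nsg_rules(on_prem, require_mtls=True, web_tools=True)
    print(json.dumps(rules, indent=2))
```

Write the printed rule list to a file and apply it with `oci network nsg rules add --nsg-id <nsg-ocid placeholder> --security-rules file://rules.json`; the egress side, and any Security List rules on the VCN, still apply in combination with these rules as the note in step 4.3 describes.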

  6. Complete the remaining provisioning or cloning steps, as specified in Provision Autonomous Database, Clone an Autonomous Database Instance, or Clone an Autonomous Database from a Backup.

See Private Endpoints Notes for more information.