Configure Private Endpoints When You Provision or Clone an Instance

You can configure a private endpoint when you provision or clone an Autonomous Database instance.

These steps assume you are provisioning or cloning an instance and you have completed the prerequisite steps, and you are at the Choose network access step of the provisioning or cloning steps:

  1. Select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.

    Note:

    If you configure a private endpoint, this only allows connections from the specified private network (VCN). If you want to allow connections from public IP addresses, then you need to select either Secure access from everywhere or Secure access from allowed IPs and VCNs only when you provision or clone your Autonomous Database.
  2. Select a Virtual cloud network in your compartment. If the VCN is in a different compartment, click Change Compartment, select the compartment that contains the VCN, and then select a virtual cloud network.

    See VCNs and Subnets for more information.

  3. Select the Subnet in your compartment to attach the Autonomous Database to. If the subnet is in a different compartment, click Change Compartment, select the compartment that contains the subnet, and then select a subnet.

    See VCNs and Subnets for more information.

  4. (Optional) Enter a Hostname prefix.

    This specifies a hostname prefix for the Autonomous Database and associates a DNS name with the database instance, in the following form:

    hostname_prefix.adb.region.oraclecloud.com

    If you do not specify a hostname prefix, a system generated hostname prefix is supplied.

  5. Add Network security groups (NSGs).

    To allow connections to the Autonomous Database instance, you need to define security rules in an NSG; this creates a virtual firewall for your Autonomous Database.

    1. Select a Network Security Group in your compartment to attach the Autonomous Database to. If the Network Security Group is in a different compartment, click Change Compartment, select that compartment, and then select a Network Security Group in it.
    2. Click + Another Network Security Group to add another Network Security Group.
    3. Click x to remove a Network Security Group entry.

    For the NSG you select for the private endpoint, define a security rule as follows:

    • For mutual TLS (mTLS) authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522. See About Mutual TLS (mTLS) Authentication for more information.

    • For TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.

    • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

    See Private Endpoints Configuration Examples on Autonomous Database for examples.

    See Network Security Groups for more information.

  6. Require mutual TLS (mTLS) authentication.

    The Require mutual TLS (mTLS) authentication options are:

    • When Require mutual TLS (mTLS) authentication is selected, only mTLS connections are allowed (TLS authentication is not allowed). This is the default configuration.

    • You can deselect Require mutual TLS (mTLS) authentication when your network access is through a Private Endpoint or when ACLs are defined. Otherwise, you cannot change this setting.

      TLS and mTLS connections are allowed when Require mutual TLS (mTLS) authentication is deselected.

    See Update Network Options to Allow TLS or Require Only Mutual TLS (mTLS) Authentication on Autonomous Database for more information.

  7. Complete the remaining provisioning or cloning steps, as specified in Provision Autonomous Database, Clone an Autonomous Database Instance, or Clone Autonomous Database from a Backup.
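The NSG rules from step 5, generated as a rule file for the OCI CLI, with the 1521 rule tied to the Require mutual TLS (mTLS) authentication choice in step 6. This is an added example, not Oracle's code; the NSG OCID, the allowed CIDR and the output file name are placeholders you replace with your own values.

```python
"""Build the stateful ingress rules the page calls for and emit the CLI call."""
import ipaddress
import json

# Port assignments stated on the page.
PORT_MTLS = 1522   # mutual TLS client connections
PORT_TLS = 1521    # TLS client connections (only when mTLS is not required)
PORT_HTTPS = 443   # Oracle APEX, Database Actions, ORDS
TCP = "6"          # OCI security rules name TCP by IANA protocol number


def ingress_rule(source_cidr, port, description):
    """One stateful ingress rule allowing a single TCP port from source_cidr."""
    # Reject malformed ranges early; a bad CIDR would fail only at apply time.
    source = str(ipaddress.ip_network(source_cidr))
    return {
        "direction": "INGRESS",
        "isStateless": False,           # stateful, as the page requires
        "protocol": TCP,
        "source": source,
        "sourceType": "CIDR_BLOCK",
        "description": description,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }


def private_endpoint_rules(source_cidr, allow_tls=False, web_tools=False):
    """Smallest rule set for the endpoint: mTLS always; 1521 only if the
    instance has Require mutual TLS deselected; 443 only if APEX/ORDS used."""
    rules = [ingress_rule(source_cidr, PORT_MTLS, "mTLS client connections")]
    if allow_tls:
        rules.append(ingress_rule(source_cidr, PORT_TLS, "TLS client connections"))
    if web_tools:
        rules.append(ingress_rule(source_cidr, PORT_HTTPS, "APEX / Database Actions / ORDS"))
    return rules


def cli_command(nsg_ocid, rules_path):
    """The 'oci network nsg rules add' invocation that loads the rule file."""
    return (f"oci network nsg rules add --nsg-id {nsg_ocid} "
            f"--security-rules file://{rules_path}")


if __name__ == "__main__":
    # Constructed sample: one client subnet, mTLS required, web tools in use.
    rules = private_endpoint_rules("10.0.1.0/24", allow_tls=False, web_tools=True)
    with open("nsg-rules.json", "w") as fh:
        json.dump(rules, fh, indent=2)
    print(cli_command("ocid1.networksecuritygroup.oc1..<placeholder>", "nsg-rules.json"))
```

Keep the source range as narrow as the clients you actually expect; the rule set above only opens the ports the selected authentication and tooling options need.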

See Private Endpoints Notes for more information.