Add Security Rules

If you plan to connect to your target database with an Oracle Data Safe private endpoint, prior to registering your target database, you need to add security rules to your virtual cloud network (VCN) to allow communication between your target database and Oracle Data Safe.

Overview

You can add the necessary security rules to your virtual cloud network's (VCN's) security lists or network security groups (NSGs). Both stateful and stateless security rules are allowed. In general, the security rules need to 1) allow your target database to receive incoming traffic from Oracle Data Safe, and 2) allow Oracle Data Safe to send requests to the target database.

There are two approaches that you can take when creating the security rules. The first approach is to allow communication between Oracle Data Safe and all IP addresses within the same subnet (0.0.0.0/0). With this configuration, Oracle Data Safe can connect to all of your target databases in the subnet.

The other approach is to be more specific by configuring separate ingress and egress rules as follows:
  • In the NSG or security list for your target database, add an ingress rule that allows your target database's private endpoint IP address on the target database's port to receive incoming traffic from Oracle Data Safe's private endpoint IP address from all ports.
  • In the NSG or security list for your Oracle Data Safe private endpoint, add an egress rule that allows Oracle Data Safe's private endpoint IP address on all ports to send requests to the target database's private endpoint IP address on the target database's port. If the target database has multiple IP addresses, you need to configure an egress rule for each IP address. In the case of an Oracle On-Premises Database, you only need to configure an egress rule, and not an ingress rule.
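The rule pair described above, as an added example that is not part of the Oracle documentation or of the Oracle Data Safe service: a short Python script that builds the ingress and egress rules in the JSON shape used by the OCI network security group rule API (direction, protocol, source or destination CIDR, tcpOptions, isStateless) and then checks that the generated rule set actually admits the Data Safe to database flow. It goes beyond the single two-rule case: it emits one egress rule per database address, which is what the later sections require for floating IPs, VIPs and SCAN addresses, and it produces the egress-only variant for an Oracle On-Premises Database. The JSON field names are those of the OCI security rule API; the function names, the flow_allowed checker (a simplified model: TCP only, stateful rules, no security-list evaluation) and the sample addresses (the page's 10.0.0.79, 10.0.0.112, 10.0.0.2 and the Exadata Cloud@Customer example addresses) are constructed for this example.

```python
"""Build and check Oracle Data Safe private-endpoint security rules.

Added example, not Oracle's own code. Emits rules in the JSON shape accepted
by the OCI NSG "add security rules" API and checks that a generated rule set
permits the Data Safe -> target database TCP flow. All addresses are
constructed sample values taken from the documentation page.
"""
import ipaddress
import json

TCP = "6"  # OCI rules carry the IANA protocol number as a string; "all" means any protocol


def _cidr(ip_or_cidr):
    """Turn a bare address into a host route (/32 or /128); pass CIDRs through."""
    return str(ipaddress.ip_network(ip_or_cidr, strict=False))


def _tcp_port(port):
    """tcpOptions restricting the destination port to a single listener port."""
    return {"destinationPortRange": {"min": port, "max": port}}


def ingress_rule(data_safe_pe_ip, db_port):
    """Rule for the target database's NSG or security list: accept TCP on the
    listener port from the Data Safe private endpoint (any source port)."""
    return {
        "direction": "INGRESS",
        "protocol": TCP,
        "isStateless": False,
        "sourceType": "CIDR_BLOCK",
        "source": _cidr(data_safe_pe_ip),
        "tcpOptions": _tcp_port(db_port),
        "description": "Oracle Data Safe private endpoint -> database listener",
    }


def egress_rule(db_ip, db_port):
    """Rule for the Data Safe private endpoint's NSG or security list: send TCP
    from any port to one database address on the listener port."""
    return {
        "direction": "EGRESS",
        "protocol": TCP,
        "isStateless": False,
        "destinationType": "CIDR_BLOCK",
        "destination": _cidr(db_ip),
        "tcpOptions": _tcp_port(db_port),
        "description": "Oracle Data Safe private endpoint -> database listener",
    }


def data_safe_rules(data_safe_pe_ip, db_ips, db_port, needs_ingress=True):
    """Return (rules for the database side, rules for the Data Safe side).

    One egress rule per database address covers targets with several addresses
    (floating IPs, VIPs, SCAN). needs_ingress=False gives the on-premises case,
    where only the egress rule exists.
    """
    db_side = [ingress_rule(data_safe_pe_ip, db_port)] if needs_ingress else []
    ds_side = [egress_rule(ip, db_port) for ip in db_ips]
    return db_side, ds_side


def _matches(rule, direction, peer_key, peer_ip, dst_port):
    """Does one rule cover a TCP flow whose peer (source or destination) is peer_ip?"""
    if rule["direction"] != direction or rule["protocol"] not in (TCP, "all"):
        return False
    if peer_ip not in ipaddress.ip_network(rule[peer_key]):
        return False
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    return rng is None or rng["min"] <= dst_port <= rng["max"]


def flow_allowed(db_rules, ds_rules, src_ip, dst_ip, dst_port, needs_ingress=True):
    """True when an egress rule on the Data Safe side and, unless the target is
    on-premises, an ingress rule on the database side both admit src -> dst:port.
    Stateful rules carry the reply implicitly, so only the request direction is modelled."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    egress_ok = any(_matches(r, "EGRESS", "destination", dst, dst_port) for r in ds_rules)
    if not needs_ingress:
        return egress_ok
    ingress_ok = any(_matches(r, "INGRESS", "source", src, dst_port) for r in db_rules)
    return egress_ok and ingress_ok


def to_cli_json(rules):
    """Payload for: oci network nsg rules add --nsg-id <ocid> --security-rules file://rules.json"""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    # Constructed sample using the page's addresses: Data Safe PE 10.0.0.79, ADB listener 10.0.0.112:1522
    db_rules, ds_rules = data_safe_rules("10.0.0.79", ["10.0.0.112"], 1522)
    print(to_cli_json(ds_rules))
    print("ADB flow allowed:", flow_allowed(db_rules, ds_rules, "10.0.0.79", "10.0.0.112", 1522))
    # Exadata Cloud@Customer: two database server VIPs and three SCAN addresses on 1521
    exacc_ips = ["1.1.1.3", "1.1.1.5", "1.1.1.6", "1.1.1.7", "1.1.1.8"]
    _, exacc_egress = data_safe_rules("10.0.0.79", exacc_ips, 1521, needs_ingress=False)
    print("ExaCC addresses reachable:",
          all(flow_allowed([], exacc_egress, "10.0.0.79", ip, 1521, needs_ingress=False) for ip in exacc_ips))
```

The checker is deliberately strict in the direction the page describes: a missing ingress rule on the database side, a destination outside the /32, or a port other than the listener port all make flow_allowed return False, which is exactly the misconfiguration that shows up later as a failed target registration. Passing "0.0.0.0/0" as the database address reproduces the broad first approach from the Overview, and the same `to_cli_json` output can be handed to `oci network nsg rules add --security-rules file://rules.json` for the NSG in question.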

For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

Add Security Rules for an Oracle Autonomous Database Serverless with Private VCN Access

For an Oracle Autonomous Database Serverless with Private VCN Access, you need to create an ingress rule and an egress rule in the target database's virtual cloud network (VCN) in Oracle Cloud Infrastructure.

  1. Obtain the private IP address and NSG or security list for your target database.
    You can find the network information on the Autonomous Database Information tab under Network in your database's Console in Oracle Cloud Infrastructure. For example, suppose your target database's private endpoint's IP address is 10.0.0.112 and the NSG name is nsg-atp.
  2. Obtain the private IP address and NSG or security list for your Oracle Data Safe private endpoint.
    You can find the network information for your Oracle Data Safe private endpoint on the Private Endpoint Information page in the Oracle Data Safe service in Oracle Cloud Infrastructure.
  3. Open the VCN for your target database.
  4. In your target database's NSG or security list, create an ingress rule that allows your target database's private endpoint IP address (for example, 10.0.0.112/32) on the target database's port (for example, 1522) to receive incoming traffic from Oracle Data Safe's private endpoint IP address (for example, 10.0.0.79/32) from all ports.
    Ingress rule for NSG
  5. In your Oracle Data Safe private endpoint's NSG or security list, create an egress rule that allows Oracle Data Safe's private endpoint IP address (for example, 10.0.0.79/32) on all ports to send requests to the target database's private endpoint IP address (for example, 10.0.0.112/32) on the target database's port (for example, port 1522).
    Egress security rule for NSG

Add Security Rules for an Autonomous Database on Dedicated Exadata Infrastructure

For an Autonomous Database on Dedicated Exadata Infrastructure, you need to create an ingress rule and an egress rule in the target database's virtual cloud network (VCN) in Oracle Cloud Infrastructure.
  1. Obtain the subnet (or floating IP addresses if known) and the name of the NSG or security list for your target database.
    An Autonomous Database on Dedicated Exadata Infrastructure can have up to 8 floating IP addresses for the database nodes.
  2. Obtain the private IP address and the name of the NSG or security list for your Oracle Data Safe private endpoint.
    You can find this information on the Private Endpoint Information page in the Oracle Data Safe service in Oracle Cloud Infrastructure.
  3. Open the VCN for your target database.
  4. In your target database's NSG or security list, create an ingress rule that allows your target database's private endpoint on port 2484 to receive incoming traffic from Oracle Data Safe's private endpoint IP address (from all ports).
  5. In your Oracle Data Safe private endpoint's NSG or security list, do one of the following:
    • Create an egress rule that allows the Oracle Data Safe private endpoint (from all ports) to send requests to all IP addresses on the target database's subnet on port 2484.
    • For each floating IP address, create an egress rule that allows the Oracle Data Safe private endpoint (from all ports) to send requests to the floating IP address on port 2484.

Add Security Rules for an Oracle Cloud Database

For an Oracle Cloud Database, you need to create an ingress rule and an egress rule in the target database's virtual cloud network (VCN) in Oracle Cloud Infrastructure.

  1. Obtain the IP address(es) and NSG name for your target database's private endpoint.
    • You can find your target database information in your target database's Console in Oracle Cloud Infrastructure.
    • A bare metal or virtual machine DB system has one private IP address.
    • An Exadata Cloud Service database can have multiple floating IP addresses for the database nodes. It can also have scan IP addresses for the database system. Oracle recommends that you use one of the scan IP addresses. You can find a scan IP address under Network on the DB System Information tab in Oracle Cloud Infrastructure. Alternatively, you can enter the private floating IP address of any one of the database nodes.
  2. Obtain the private IP address and NSG name for the Oracle Data Safe private endpoint.
    You can find the Oracle Data Safe private endpoint information on the Private Endpoint Information page in the Oracle Data Safe service in Oracle Cloud Infrastructure.
  3. Open the VCN for your target database.
  4. In your target database's NSG, create an ingress rule that allows your target database's private endpoint IP address (for example, 10.0.0.112/32) on the target database's port (for example, 1521) to receive incoming traffic from Oracle Data Safe's private endpoint IP address (for example, 10.0.0.79/32) from all ports.
  5. In your Oracle Data Safe private endpoint's NSG, create an egress rule that allows Oracle Data Safe's private endpoint IP address (for example, 10.0.0.79/32) on all ports to send requests to the target database's private endpoint IP address (for example, 10.0.0.112/32) on the target database's port (for example, port 1521).

    For an Exadata Cloud Database, create an egress rule for one of the scan IP addresses. Alternatively, you can use the private floating IP address of any one of the database nodes. The database port number is 1521.

Add Security Rules for an Oracle Database on Compute

If you plan to connect to your Oracle Database on Compute by using an Oracle Data Safe private endpoint, create an ingress rule and an egress rule on the target database's virtual cloud network (VCN) in Oracle Cloud Infrastructure. If the target database is in a non-Oracle cloud environment, configure the ingress rule in the non-Oracle Cloud environment.

  1. Obtain the IP address and the name of the NSG or security list for your target database's private endpoint. You can find your target database information in your target database's Console in Oracle Cloud Infrastructure.
  2. Obtain the IP address and the name of the NSG or security list for the Oracle Data Safe private endpoint. You can find the Oracle Data Safe private endpoint information on the Private Endpoint Information page in the Oracle Data Safe service in Oracle Cloud Infrastructure.
  3. Open the VCN for your target database, either in Oracle Cloud Infrastructure or in a non-Oracle cloud environment. In the target database's NSG or security list, create an ingress rule that allows your target database's private endpoint IP address (for example, 10.0.0.112/32) on the target database's port (for example, 1521) to receive incoming traffic from Oracle Data Safe's private endpoint IP address (for example, 10.0.0.79/32) from all ports.
  4. In Oracle Cloud Infrastructure, open the VCN for your Oracle Data Safe private endpoint. In the Oracle Data Safe private endpoint's NSG or security list, create an egress rule that allows Oracle Data Safe's private endpoint IP address (for example, 10.0.0.79/32) on all ports to send requests to the target database's private endpoint IP address (for example, 10.0.0.112/32) on the target database's port (for example, port 1521).

Add Security Rules for an Oracle On-Premises Database

For an Oracle On-Premises Database, you need to create an egress rule in the virtual cloud network (VCN) for your Oracle Data Safe private endpoint. You do not need to create an ingress rule.

  1. Obtain the private IP address of your target database. The IP address is where the listener is running. For example, suppose the Oracle database listener is running on 10.0.0.2.

    For a Real Application Cluster (RAC) database, you need to specify the IP addresses for the RAC database nodes and not the SCAN IP addresses. Whether you specify all the nodes in your RAC database depends on how you configured your pluggable databases (PDBs).

  2. Obtain the private IP address and the name of the NSG or security list for your Oracle Data Safe private endpoint.
    You can find the Oracle Data Safe private endpoint information on the Private Endpoint Information page in the Oracle Data Safe service in Oracle Cloud Infrastructure.
  3. Open the VCN for your Oracle Data Safe private endpoint. In your Oracle Data Safe private endpoint's NSG or security list, create an egress rule that allows Oracle Data Safe's private endpoint IP address (for example, 10.0.0.79/32) on all ports to send requests to the target database's private IP address (for example, 10.0.0.2/32) on the target database's port (for example, port 1521).
    Egress rule for an Oracle On-Premises Database

Add Security Rules for an Exadata Cloud@Customer Database

Update the security list for your virtual cloud network (VCN) in Oracle Cloud Infrastructure, and if implemented, the network security group for your database subnet, to allow traffic from the Oracle Data Safe private endpoint to your database. This step allows Oracle Data Safe to access your database. A security list acts as a virtual firewall for your database and consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. Both stateful and stateless security rules in the security list are allowed. For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

By default, every database deployment on Oracle Database Exadata Cloud@Customer is associated with a Single Client Access Name (SCAN), and the SCAN is associated with 3 IP addresses. Each Oracle Exadata Cloud@Customer system configuration contains compute nodes (database servers). In the Exadata Cloud@Customer infrastructure, there is one database server VIP address per compute node in the VM cluster.

When you use an Oracle Data Safe private endpoint to connect your Exadata Cloud@Customer database to Oracle Data Safe, you need to create an egress security rule for the Oracle Data Safe private endpoint. Configure the rule to allow communication between the Oracle Data Safe private endpoint (from any port) and all database server VIPs and SCAN addresses (all three).

Example 3-3 Configure a stateful security rule for an Exadata Cloud@Customer database and an Oracle Data Safe private endpoint

This example shows a stateful security rule for an Exadata Cloud@Customer database and an Oracle Data Safe private endpoint. The egress security rule on the virtual cloud network (VCN) in Oracle Cloud Infrastructure allows the private endpoint (from any port) to send requests to two database server VIPs (1.1.1.3 and 1.1.1.5) and three SCAN addresses (1.1.1.6, 1.1.1.7, and 1.1.1.8) on port 1521. Always include the database server VIPs in the egress security rule.

The following diagram illustrates the Oracle Data Safe private endpoint, the Exadata Cloud@Customer database, and the egress security rule.

Illustration: exacc-egress-rule.png (egress security rule between the Oracle Data Safe private endpoint and the Exadata Cloud@Customer database)

The following screenshot shows you the Exadata Cloud@Customer network configuration for the VM cluster in Oracle Cloud Infrastructure, where you can find the SCAN addresses and database server VIPs.

Illustration: exacc-network-configuration.png (Exadata Cloud@Customer VM cluster network configuration showing the SCAN addresses and database server VIPs)