Connectivity Options for Target Databases

Oracle Data Safe can connect to Oracle databases that have public or private IP addresses. To connect to databases with private IP addresses, you can use either an Oracle Data Safe private endpoint or an Oracle Data Safe on-premises connector. Oracle Data Safe supports TLS and TCP protocols.

This article has the following topics:

Public Versus Private Endpoints

If your database's IP address is public, the IP address is referred to as a public endpoint, and the IP address is accessible from the internet through an internet gateway. If your database's IP address is private (within a private subnet), the IP address is referred to as a private endpoint, and internet traffic cannot access the database.

Oracle Data Safe can connect to target databases with public or private IP addresses. For Autonomous Databases and Oracle Cloud Databases that have public IP addresses, you can configure a direct connection to them without using any special resources. For databases with private IP addresses, databases on compute instances, and databases outside of Oracle Cloud Infrastructure, you need to connect to them via an Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector.

Public Endpoint Example

The following diagram shows network connections between Oracle Data Safe and target databases with public IP addresses.

In the diagram, Oracle Data Safe has its own virtual cloud network (VCN) and the customer has two VCNs - one for the DB systems and another for the Autonomous Databases. There is one internet gateway per customer VCN.

Traffic from Oracle Data Safe to a DB system (VM or BM) with a public IP address is encrypted and flows through the Internet and gateways on the Oracle Cloud Infrastructure network. From Oracle Data Safe, traffic first goes to a network address translation (NAT) gateway on the Oracle Data Safe VCN. Next, the traffic travels on the Internet to an internet gateway in the customer VCN in Oracle Cloud Infrastructure. Lastly, the traffic travels to the database.

Traffic from Oracle Data Safe to an Autonomous Database with a public IP address flows entirely on the Oracle Cloud Infrastructure network. From Oracle Data Safe, traffic first goes to a service gateway on the Oracle Data Safe VCN. From there, it flows to an internet gateway on the customer VCN. Lastly, the traffic flows to the database.

Oracle Data Safe Private Endpoints

You can create Oracle Data Safe private endpoints in your virtual cloud network (VCN) in Oracle Cloud Infrastructure to connect Oracle Data Safe to target databases with private IP addresses, target databases outside of Oracle Cloud Infrastructure, and target databases on compute instances. The private endpoint essentially represents the Oracle Data Safe service in your VCN and manifests as a VNIC with a private IP address in a subnet of your choice.

You typically create a private endpoint in the same virtual cloud network (VCN) as your target database. The only exception is if you are using VCN peering. In that case, you can select another VCN for which VCN peering with your database's VCN is set up. The private IP address does not need to be on the same subnet as your database, although, it does need to be on a subnet that can communicate with the database. You can create a maximum of one private endpoint per VCN. If a private endpoint already exists in the same VCN as your database, then you do not need to create a private endpoint.

A security list and/or network security group for your database VCN is required when you set up a private endpoint. Both specify egress and ingress security rules at the IP address level. You can configure these in the target registration wizards. For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

You can use a private endpoint with the following Oracle databases:

  • Autonomous Database on Shared Exadata Infrastructure (with a private IP address)
  • Autononomous Database on Dedicated Exadata Infrastructure
  • DB System (with a private IP address)
  • Oracle Database on a compute instance (with a private IP address) - Oracle recommends you use a private endpoint when the compute instance runs in the Oracle Cloud, as opposed to a non-Oracle cloud.
  • On-premises Oracle Database (with a private IP address) - Requires FastConnect or VPN Connect
  • Exadata Cloud@Customer - Requires FastConnect or VPN Connect

To use a private endpoint with a target database on your network outside of Oracle Cloud Infrastructure, you need to have FastConnect or VPN Connect set up between your outside network and a virtual cloud network (VCN) in Oracle Cloud Infrastructure. FastConnect in Oracle Cloud Infrastructure is a secure connection between your outside network and Oracle Cloud Infrastructure over a private network. VPN Connect in Oracle Cloud Infrastructure is a site-to-site IPSec virtual private network that securely connects your outside network to Oracle Cloud Infrastructure, using your existing internet connection.

The following diagram shows an example of a private endpoint configured with an on-premises Oracle database. The private endpoint communicates with the database over a private connection via FastConnect or VPN Connect in Oracle Cloud Infrastructure. The private endpoint also communicates with the Oracle Data Safe service over the Oracle Cloud Infrastructure network.

Example of using an on-premises connector with an on-premises Oracle database

Oracle Data Safe On-Premises Connectors

You can create an Oracle Data Safe on-premises connector in your Oracle Data Safe service in Oracle Cloud Infrastructure to connect target databases to Oracle Data Safe. Oracle recommends you use an on-premises connector to connect to target databases that run outside of Oracle Cloud Infrastructure. You can use a private endpoint, however, to do so you need an existing FastConnect or VPN Connect set up between Oracle Cloud Infrastructure and your non-Oracle cloud environment. The private endpoint then needs to be created in the VCN in Oracle Cloud Infrastructure that has access to your database. Without this setup, Oracle recommends that you use an on-premises connector instead.

The on-premises connector is supported with the following Oracle databases:

  • Oracle Database on a compute instance in Oracle Cloud Infrastructure (recommended for target databases with public IP addresses)
  • Oracle Database on a compute instance in a non-Oracle cloud environment, for example, in Amazon Web Services or Azure.
  • On-premises Oracle Database
  • Exadata Cloud@Customer Database

To use an on-premises connector, you first need to create the connector in Oracle Data Safe, either manually or in a target registration wizard. Next, you download an install bundle and then install an on-premises connector on a host machine on the same network as your target database. The on-premises connector establishes an encrypted TLS tunnel over the Internet to cloud Connection Managers in the Oracle Data Safe service tenancy. You can create one on-premises connector in your Oracle Data Safe service in Oracle Cloud Infrastructure to connect to multiple Oracle databases.

The target registration wizards include the option to select or create an on-premises connector when applicable. If you defer the installation of the on-premises connector while working in the wizard, the wizard still registers the target database. In such case, the target database is placed in an inactive state and the on-premises connector is placed in "needs attention" mode until you install the on-premises connector. If you are manually registering a target database, then you need to complete the on-premises connector installation prior to registering the target database.

The following diagram shows an example of an on-premises connector with an Oracle database on a compute instance in a non-Oracle cloud network. The target database communicates with Connection Manager of the on-premises connector on the non-Oracle Cloud network. Connection Manager communicates with the cloud Connection Managers in Oracle Cloud Infrastructure through an encrypted TLS tunnel.

TLS and TCP Connection Protocols

During target database registration, you can configure a Transmission Control Protocol (TCP) or Transport Layer Security (TLS) connection between Oracle Data Safe and the database. Oracle Data Safe is considered a client of the target database. A TLS connection is a TCPS connection that uses TLS cryptographic protocol. Oracle Data Safe supports version 1.2 of the TLS protocol, but not the Secure Sockets Layer (SSL) cryptographic protocol.

Autonomous Databases, by default, have TLS encryption enabled with client authentication. During registration, Oracle Cloud Infrastructure automatically creates a TLS connection between the Autonomous Database and Oracle Data Safe and takes care of the registration details for you.

For non-Autonomous Databases, you can choose a TCP or TLS connection. If your target database has TLS configured on it, then you should choose TLS over TCP. A TLS connection to a target database provides privacy and data integrity, plus the identity of the communicating parties can be authenticated by using public key cryptography. Although authentication can be optional, the server typically requires it.

To establish a TCP connection between a non-Autonomous Database and Oracle Data Safe, the target database must have both the network encryption and data integrity features enabled. Network encryption is usually enabled by default. The supported encryption algorithm is AES256. Supported cryptographic hash functions for checksum are SHA1, SHA256, SHA384, and SHA512. Non-encrypted TCP connections are not supported.