Oracle Data Safe supports an Oracle AI Database running on a compute instance in Oracle Cloud Infrastructure (OCI) or in a non-Oracle cloud environment. Oracle Data Safe sits on its own Virtual Cloud Network (VCN) within your working region on the OCI network. Before you can register a target database with Data Safe, your administrator must grant you the appropriate permissions through OCI Identity and Access Management (IAM): permission to register a target database with Oracle Data Safe, and permission to use or create either an Oracle Data Safe on-premises connector or a private endpoint.

Registration of Active Data Guard-associated databases is supported for databases on compute: the primary database and its standby databases are audited as a single target with multiple unified audit trails.

When you register an Oracle AI Database running on a compute instance, there are two connectivity options: a Data Safe private endpoint or an on-premises connector. Oracle recommends a private endpoint for a database on an OCI compute instance and an on-premises connector for a database on a non-Oracle cloud compute instance, but either option is valid in both environments. If you intend to connect a database on a non-Oracle cloud compute instance through a private endpoint, a network peering connection, such as FastConnect or VPN Connect, must already exist between your OCI tenancy and the non-Oracle cloud environment before you register the target database.

Private Endpoint 

Registering a target database through a private endpoint requires the private endpoint to sit within a private subnet on your VCN. During target registration you can either select an existing private endpoint (one private endpoint can be used to register multiple target databases) or create a new one; there can be only one private endpoint per VCN.

The connection between the private endpoint and your Oracle AI Database on a compute instance can be either a TCP or a TLS connection. If you choose TLS and client authentication is enabled on the target database, you must upload your truststore and keystore files and provide the wallet password during target registration; if client authentication is not enabled, you only need to upload the truststore file. The wallet or certificate must be created before you start target database registration. A plain TCP connection carries the Data Safe traffic without TLS protection in transit, so prefer TLS wherever the path to the database leaves your VCN, for example over a peering connection to a non-Oracle cloud.

If your Oracle AI Database is on a non-Oracle cloud compute instance, traffic from the private endpoint is routed through a Dynamic Routing Gateway (DRG) on your VCN and then travels to the database over the pre-established network peering connection, such as FastConnect or VPN Connect. If the database is on an OCI compute instance, traffic from the Data Safe private endpoint is routed directly to the database over the TCP or TLS connection you configured.

Security rules are required to allow communication between the private endpoint and the target database. You can configure them in network security groups (NSGs), which is recommended, or in security lists (SLs). The egress rule, configured in the private endpoint's NSG or SL, allows the private endpoint (from any source port) to send requests to the target database's IP address on the database port. The ingress rule, configured in the target database's NSG or SL, allows the database to receive traffic on its port from the private IP address of the private endpoint (from any source port). Scope both rules to the single host address (a /32) and the single listener port rather than to a whole subnet or port range. If the target database is on a compute instance in a non-Oracle cloud environment, the ingress rule is configured in the firewall of that compute instance instead. For security rules within OCI, you can let the database on compute registration wizard configure the rules for you, or you can configure them manually.
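The following is an added example, not Oracle's code or the registration wizard's, showing what the manual configuration of the two rules above looks like: it builds the egress rule for the private endpoint's NSG and the matching ingress rule for the target database's NSG in the JSON shape that `oci network nsg rules add --nsg-id <nsg-ocid> --security-rules file://rules.json` accepts, checks that the pair is consistent and scoped to one host and one port, and prints the equivalent firewalld rich rule for the non-Oracle cloud case where the ingress rule lives on the compute instance itself. The private endpoint address (10.0.1.20), database address (10.0.2.15) and port (1521) are constructed sample values, as are the function names.

```python
# Added example (not Oracle's own code): NSG rule pair for a Data Safe private
# endpoint registration, plus a consistency check and the firewalld equivalent.
# Addresses and port are constructed sample values, not values from the page.
import ipaddress
import json

TCP = "6"  # OCI security rules name protocols by IANA number; 6 is TCP

# Constructed sample topology (assumptions for this example)
PE_PRIVATE_IP = "10.0.1.20"   # Data Safe private endpoint in a private subnet of the VCN
DB_PRIVATE_IP = "10.0.2.15"   # target database on a compute instance
DB_PORT = 1521                # listener port


def _port_range(port: int) -> dict:
    return {"destinationPortRange": {"min": port, "max": port}}


def egress_rule(pe_ip: str, db_ip: str, db_port: int) -> dict:
    """Rule for the private endpoint's NSG: any source port -> db_ip:db_port."""
    return {
        "direction": "EGRESS",
        "protocol": TCP,
        "isStateless": False,  # stateful: replies need no separate reverse rule
        "destinationType": "CIDR_BLOCK",
        "destination": f"{ipaddress.ip_address(db_ip)}/32",
        "tcpOptions": _port_range(db_port),
        "description": f"Data Safe PE {pe_ip} to target database",
    }


def ingress_rule(pe_ip: str, db_ip: str, db_port: int) -> dict:
    """Rule for the target database's NSG: db_port reachable only from pe_ip."""
    return {
        "direction": "INGRESS",
        "protocol": TCP,
        "isStateless": False,
        "sourceType": "CIDR_BLOCK",
        "source": f"{ipaddress.ip_address(pe_ip)}/32",
        "tcpOptions": _port_range(db_port),
        "description": f"Target database {db_ip} from Data Safe PE",
    }


def check_rule_pair(egress: dict, ingress: dict) -> list:
    """Return a list of problems; an empty list means the pair is consistent:
    same TCP listener port on both sides, each scoped to a single host, both stateful."""
    problems = []
    if egress.get("direction") != "EGRESS" or ingress.get("direction") != "INGRESS":
        problems.append("rules are not one EGRESS and one INGRESS rule")
    if egress.get("protocol") != TCP or ingress.get("protocol") != TCP:
        problems.append("both rules must be TCP (protocol 6)")
    for label, rule, key in (("egress destination", egress, "destination"),
                             ("ingress source", ingress, "source")):
        net = ipaddress.ip_network(rule.get(key, "0.0.0.0/0"), strict=False)
        if net.num_addresses != 1:
            problems.append(f"{label} {net} is wider than a single host")
    e_ports = egress.get("tcpOptions", {}).get("destinationPortRange")
    i_ports = ingress.get("tcpOptions", {}).get("destinationPortRange")
    if not e_ports or not i_ports:
        problems.append("a rule has no destination port range (would allow all ports)")
    elif e_ports != i_ports:
        problems.append(f"port ranges differ: egress {e_ports}, ingress {i_ports}")
    elif e_ports["min"] != e_ports["max"]:
        problems.append("port range covers more than the listener port")
    if egress.get("isStateless") or ingress.get("isStateless"):
        problems.append("stateless rules would also need reverse rules for replies")
    return problems


def cli_payload(*rules: dict) -> str:
    """JSON array to save as rules.json for `oci network nsg rules add --security-rules`."""
    return json.dumps(list(rules), indent=2)


def firewalld_rich_rule(pe_ip: str, db_port: int) -> str:
    """Host-firewall equivalent of the ingress rule for a database on a non-Oracle
    cloud compute instance: firewall-cmd --permanent --add-rich-rule='<returned string>'"""
    return (f'rule family="ipv4" source address="{ipaddress.ip_address(pe_ip)}/32" '
            f'port port="{db_port}" protocol="tcp" accept')


if __name__ == "__main__":
    egress = egress_rule(PE_PRIVATE_IP, DB_PRIVATE_IP, DB_PORT)
    ingress = ingress_rule(PE_PRIVATE_IP, DB_PRIVATE_IP, DB_PORT)
    print("problems:", check_rule_pair(egress, ingress) or "none")
    print("private endpoint NSG rules.json:\n" + cli_payload(egress))
    print("database NSG rules.json:\n" + cli_payload(ingress))
    print("non-OCI host firewall:", firewalld_rich_rule(PE_PRIVATE_IP, DB_PORT))
```

Save each payload to its own file and add it to the corresponding NSG (the private endpoint's NSG gets the egress rule, the database's NSG the ingress rule). The check deliberately rejects a subnet-wide CIDR or an open port range, which is the usual way a hand-written rule ends up broader than the single host-to-host path Data Safe needs.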

On-Premises Connector

When you register a target database through an on-premises connector, Oracle recommends installing the connector on a different host than the target database, although you can install it on the same host if needed. After registration, download the on-premises connector install bundle from Data Safe and run it on the host where the connector is to run. In a production environment, Oracle recommends installing the same on-premises connector on two Linux hosts for high availability: if one host goes down because of a system failure or maintenance, Oracle Data Safe connections fail over automatically to the connector on the other host, and in-progress Data Safe operations are not affected.

Once the on-premises connector is installed and connected to the Oracle AI Database, Oracle Data Safe sends requests to the database by routing them through the Cloud Connections Manager on the Data Safe VCN. The connection between the Cloud Connections Manager and the on-premises connector is an encrypted TLS tunnel initiated by the on-premises connector, so the connector host needs outbound connectivity to Data Safe but does not have to accept inbound connections from it.

During target registration with an on-premises connector, you can either select an existing connector (one connector can support multiple target databases) or create a new one.

The connection between the on-premises connector and your Oracle AI Database on a compute instance can be either a TCP or a TLS connection. Make sure the firewall of the compute instance allows ingress traffic on the database port from the host, or hosts, running the on-premises connector.