When registering a target database with Oracle Data Safe, a common connection is through an Oracle Data Safe private endpoint.
Databases that support connection through a private endpoint are listed below; those for which Oracle recommends the private endpoint are marked (Recommended).
- Oracle Base Database
- Oracle Exadata Database Service on Dedicated Infrastructure
- Oracle Exadata Database Service on Exascale Infrastructure
- Oracle Exadata Database Cloud@Customer
- Oracle Autonomous Database on Cloud@Customer
- Oracle on-premises database
- Oracle Database on a compute instance in a non-Oracle environment
- Amazon RDS for Oracle
- Oracle Database@Azure
- Oracle Database on Oracle Cloud Infrastructure Compute (Recommended)
- Oracle Autonomous Database Serverless with private endpoint access only (Recommended)
- Oracle Autonomous Database on Dedicated Exadata Infrastructure (Recommended)
The private endpoint essentially represents the Oracle Data Safe service in your virtual cloud network (VCN) and manifests as a virtual network interface card (VNIC) with a private IP address in a subnet of your choice. Oracle Data Safe sends requests to your target database through the private endpoint, which connects to your target database over a TCP or TLS connection. If the target database is within your Oracle Cloud VCN, the request is sent directly to your target database, assuming that the appropriate security rules are granted. It is also possible to connect the private endpoint to a target database in a secondary VCN in the same region if network peering is established between the two VCNs. If the target database is outside of your Oracle Cloud VCN, such as databases on Exadata Cloud@Customer, on-premises, or on compute instances in non-Oracle cloud environments, the request is sent through a Dynamic Routing Gateway (DRG) on your Oracle Cloud VCN and travels via a pre-established network peering connection, again assuming that the appropriate security rules are granted.
Security rules are required to allow communication between a private endpoint and a target database. You can configure the rules in network security groups (NSGs), which is recommended, or security lists (SLs). In general, the purpose of the egress rule is to allow the private endpoint (from any port) to send requests to the target database IP address(es) on its port. The purpose of the ingress rule is to allow the target database to receive incoming traffic on its port from the private IP address of the private endpoint (from any port). The ingress rule is created either in Oracle Cloud Infrastructure or on the customer network, depending on the location of the Oracle database.
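The egress/ingress pair described above, as an added example (not Oracle's own code or documentation): it builds the two NSG rules in the JSON field layout that the OCI network security group rule API accepts (field names assumed from that schema), pins each rule to a single host and the listener port, and audits any rule for being broader than the Data Safe path needs. The IPs, port and the /24 threshold are constructed sample values.

```python
"""Build and audit the NSG rule pair that lets an Oracle Data Safe private
endpoint reach a target database listener. Sample values are constructed."""
import ipaddress

TCP = "6"  # OCI expresses the protocol as the IANA number, as a string


def _host_cidr(ip: str) -> str:
    """Pin a rule to one host (/32) instead of a whole subnet."""
    return f"{ipaddress.ip_address(ip)}/32"


def data_safe_rules(pe_ip: str, db_ip: str, db_port: int = 1521) -> dict:
    """Egress rule for the private endpoint's NSG and ingress rule for the
    target database's NSG. The private endpoint may use any source port;
    only the database listener port is fixed as the destination."""
    port = {"destinationPortRange": {"min": db_port, "max": db_port}}
    egress = {
        "direction": "EGRESS", "protocol": TCP,
        "destination": _host_cidr(db_ip), "destinationType": "CIDR_BLOCK",
        "tcpOptions": port,
        "description": "Data Safe private endpoint -> target DB listener",
    }
    ingress = {
        "direction": "INGRESS", "protocol": TCP,
        "source": _host_cidr(pe_ip), "sourceType": "CIDR_BLOCK",
        "tcpOptions": port,
        "description": "target DB listener <- Data Safe private endpoint",
    }
    return {"private_endpoint_nsg": [egress], "target_db_nsg": [ingress]}


def audit_rule(rule: dict) -> list:
    """Return findings for a rule wider than the Data Safe path requires:
    non-TCP protocol, a peer CIDR wider than /24, or an unpinned port."""
    findings = []
    if rule["direction"] == "INGRESS":
        peer, peer_type = rule.get("source"), rule.get("sourceType")
    else:
        peer, peer_type = rule.get("destination"), rule.get("destinationType")
    if rule.get("protocol") != TCP:
        findings.append("protocol is not TCP-only")
    if peer_type == "CIDR_BLOCK" and peer is not None:
        if ipaddress.ip_network(peer, strict=False).prefixlen < 24:
            findings.append(f"peer {peer} is wider than a /24")
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    if rng is None or rng["max"] != rng["min"]:
        findings.append("destination port is not pinned to the listener port")
    return findings
```

Feed the generated dictionaries to the OCI CLI or SDK when creating the NSG rules, and run `audit_rule` over existing rules to catch any that open more than the single endpoint-to-listener path.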
There is a limit of one Oracle Data Safe private endpoint per VCN; however, one private endpoint can support multiple target databases. There is an additional limit of 100 Oracle Data Safe private endpoints per tenancy and region, provided the number of unused private endpoints (those with no registered target databases) is below five. You can submit a service request to have this limit increased.