Register Autonomous Databases on Shared Exadata Infrastructure with Private VCN Access

You can register an Autonomous Database on Shared Exadata Infrastructure with private virtual cloud network (VCN) access in Oracle Cloud Infrastructure.

Overview

When you configured your Autonomous Database on Shared Exadata Infrastructure to use private virtual cloud network (VCN) access, Oracle Cloud Infrastructure created a private endpoint for your database in your VCN. For Oracle Data Safe to communicate with your database, you need to create an Oracle Data Safe private endpoint on the same VCN as your database's private endpoint. You can use any subnet, however, Oracle recommends that you use the same subnet as your database. In this scenario, as illustrated in the diagram below, the two private endpoints communicate with each other, allowing Oracle Data Safe to communicate with your database.

Autonomous Database on Shared Exadata Infrastructure with Private VCN Access

Workflow

The following table outlines the steps for registering an Autonomous Database on Shared Exadata Infrastructure with private VCN access. If an Oracle Data Safe private endpoint already exists in the same VCN as your database, then you can skip steps 2, 3, and 4.

  1. Obtain the required permissions in Oracle Cloud Infrastructure and Oracle Data Safe to register your Autonomous Database. See Obtain the Required Permissions for Registering Your Autonomous Database.
  2. Obtain the required permissions for managing virtual networking resources in Oracle Cloud Infrastructure. See Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure.
  3. Obtain the required permissions for creating an Oracle Data Safe private endpoint. See Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints.
  4. Create an Oracle Data Safe private endpoint in Oracle Cloud Infrastructure. See Create an Oracle Data Safe Private Endpoint.
  5. Update the security rules to allow communication between Oracle Data Safe and your Autonomous Database. See Update the Security Rules to Allow Communication Between Oracle Data Safe and Your Database.
  6. Register your Autonomous Database from its Console in Oracle Cloud Infrastructure. See Register an Autonomous Database on Shared Exadata Infrastructure with Private VCN Access.
  7. Grant roles to, or revoke roles from, the Oracle Data Safe service account. See Grant Roles to the Oracle Data Safe Service Account on Your Autonomous Database.

Obtain the Required Permissions for Registering Your Autonomous Database

To register an Autonomous Database with Oracle Data Safe, you require permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), on the database, and in Oracle Data Safe.

  • Permission in IAM to access the database. The user group to which you belong requires at least the use permission on the autonomous-database resource type. For example, to grant the Data-Safe-Admins group the use permission on all Autonomous Databases in the Finance compartment, a tenancy administrator could write the following policy statement:
    allow group Data-Safe-Admins to use autonomous-database in compartment Finance
  • Permission to log in to the database as an administrator. You need to be able to log in as a PDB administrator (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL package in order to grant additional roles to the DS$ADMIN service account for Oracle Data Safe.
  • Permission to manage at least one feature in Oracle Data Safe. The user group to which you belong needs to be granted the manage privilege on at least one feature in Oracle Data Safe (Assessment, Activity Auditing, or Discovery and Masking) so that you can register, update, and delete target databases for that feature.

Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure

Prior to creating an Oracle Data Safe private endpoint, you need to obtain permissions for managing virtual networking resources in Oracle Cloud Infrastructure. You require certain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. The following table lists the required permissions for virtual networking resources for each type of private endpoint operation.

Create a private endpoint:

  • Private endpoint compartment: create/delete VNIC, update members in a network security group, associate a network security group
  • Subnet compartment: attach/detach subnet

Update a private endpoint:

  • Private endpoint compartment: update VNIC, update members in a network security group, associate a network security group

Delete a private endpoint:

  • Private endpoint compartment: delete VNIC, update members in a network security group
  • Subnet compartment: detach subnet

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-1 Broad permission

In this example, the dbadmin group has broad permission to manage all virtual networking resources in the compartment ADWcmp1.

allow group dbadmin to manage virtual-network-family in compartment ADWcmp1

Example 3-2 Specific permissions

In this example, the dbadmin group has specific permissions on network resources. The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint.

allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1 

Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints

To create, update, or delete Oracle Data Safe private endpoints, you require permissions on Oracle Data Safe resources in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. There are two types of Oracle Data Safe resources on which you can grant permissions:

  • data-safe-family
  • data-safe-private-endpoints

The following list describes the permissions that apply to an Oracle Data Safe private endpoint:

  • inspect: list an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • read or use: inspect and view the properties of an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • manage: inspect, read, create, update, delete, and move an Oracle Data Safe resource in Oracle Cloud Infrastructure

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-3 Broad permission

In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in the compartment ADWcmp1.

allow group dsadmins to manage data-safe-family in compartment ADWcmp1

Example 3-4 Specific permission

In this example, the ProjectA group has specific permission to manage only the data-safe-private-endpoints resource type.

allow group ProjectA to manage data-safe-private-endpoints in compartment ADWcmp1

Create an Oracle Data Safe Private Endpoint

You can create private endpoints on the Data Safe page in Oracle Cloud Infrastructure. You typically create the private endpoint in the same VCN as your database. The only exception is when you use VCN peering: in that case, you can select another VCN that is peered with your database's VCN. The private IP address does not need to be on the same subnet as your database, but it does need to be on a subnet that can route to the database's subnet. You can create a maximum of one private endpoint per VCN.

Note:

If a private endpoint already exists in the same VCN as your database, then you do not need to create a private endpoint.

When you create a private endpoint, you have the option to associate network security groups (NSGs) with it. You may need to do this to ensure the private endpoint can reach your target database. A network security group is a set of ingress and egress security rules that applies to the VNICs you add to it, so you can scope traffic down to individual IP addresses and ports. You create network security groups by using Oracle Cloud Infrastructure's Networking service. See Access and Security in the Oracle Cloud Infrastructure documentation.

  1. Obtain the network information for your database:
    • For a DB system that has a private IP address:

      From the navigation menu in Oracle Cloud Infrastructure, select Bare Metal, VM, and Exadata. Click the name of your DB system. On the DB System Information tab, under Network, make note of the VCN and subnet names.

    • For an Autonomous Database on Dedicated Exadata Infrastructure that has a private IP address:

      From the navigation menu in Oracle Cloud Infrastructure, select Autonomous Data Warehouse or Autonomous Transaction Processing. On the left, under Dedicated Infrastructure, click Autonomous Exadata Infrastructure. On the right, in the Autonomous Exadata Infrastructure table, click the name of the infrastructure in which your database exists. Under Network, make note of the VCN and subnet names.

    • For an Autonomous Database on Shared Exadata Infrastructure that has a private IP address:

      From the navigation menu in Oracle Cloud Infrastructure, select Autonomous Data Warehouse or Autonomous Transaction Processing. From the Compartment drop-down list, select the compartment that contains your Autonomous Database. On the right, click the name of your Autonomous Database. Under Network on the Autonomous Database Information tab, make note of the VCN and subnet names.

    • For an Oracle Database on a Compute instance:

      From the navigation menu in Oracle Cloud Infrastructure, select Compute. Click the name of your compute instance. On the Instance Information tab, make note of the VCN and subnet names.

  2. From the navigation menu in Oracle Cloud Infrastructure, select Data Safe.
    The Data Safe page is displayed.
  3. On the left, click Private Endpoints.
    The Private Endpoints page is displayed.
  4. Click Create Private Endpoint.
    The Create Private Endpoint page is displayed.
  5. In the NAME field, enter a name for your private endpoint.
  6. Select a compartment in which to store your private endpoint.
  7. Scroll down to the Private Endpoint Information section.
  8. From the VIRTUAL CLOUD NETWORK drop-down list, select your database's VCN. If needed, click CHANGE COMPARTMENT and select the compartment that stores your VCN.
    You can select a different VCN than your database's VCN if VCN peering is set up between your database's VCN and the VCN that you select here.
  9. From the SUBNET drop-down list, select a subnet within the selected VCN. If needed, click CHANGE COMPARTMENT and select the compartment that stores the subnet that you want to use.
    The subnet can be in a different compartment than the VCN. The subnet that you select needs to have access to the database's subnet.
  10. (Optional) In the PRIVATE IP field, specify a private IP address.
    If you do not specify a private IP address, Oracle Cloud Infrastructure automatically generates one for you in the selected subnet.
  11. (Optional) Select a network security group.
  12. (Optional) To add another network security group, click + Another Network Security Group, and select another network security group.


  13. Click Create Private Endpoint.
    A private endpoint is provisioned in the customer VCN (the VCN that you selected) and is listed on the Private Endpoints page.
  14. To view details for your private endpoint, click its name. Make a note of the private IP address that was assigned to the private endpoint (or the one you specified); you need it when you configure the security rules in the next step.

Update the Security Rules to Allow Communication Between Oracle Data Safe and Your Database

Update the ingress and egress security rules for the Network Security Groups (NSGs) on your private VCN in Oracle Cloud Infrastructure to allow traffic from Oracle Data Safe's private endpoint to your Autonomous Database's private endpoint. While both an NSG and a security list act as virtual firewalls for your database, Oracle recommends that you use NSGs. For more information, see Network Security Groups.

Example 3-5 Configure security rules for an Autonomous Database on Shared Exadata Infrastructure with private VCN access

Suppose you provision an Autonomous Database on Shared Exadata Infrastructure with private VCN access in Oracle Cloud Infrastructure. During provisioning, Oracle Cloud Infrastructure automatically creates a private endpoint for your database and you associate an NSG with your database.

To obtain the private IP address for your database's private endpoint and view the NSG name, you access the Autonomous Database Information tab in your database's Console in Oracle Cloud Infrastructure. As shown in the following screenshot, under Network, the private endpoint's IP address is 10.0.10.232 and the NSG name is test_nsg.

Autonomous Database Information tab for an Autonomous Database on Shared Exadata Infrastructure with private VCN access

To obtain the private IP address and NSG for Oracle Data Safe's private endpoint, you access the Private Endpoint Information tab on the Data Safe page in Oracle Cloud Infrastructure. As shown in the following screenshot, the IP address is 10.0.10.160 and the NSG name is nsg_not_allow_pdb_pe_ip.

Private Endpoint Information tab

Next, you create one security rule in each NSG:

  • Ingress rule in the database private endpoint's NSG (test_nsg): allow TCP traffic to the database's private endpoint IP address, 10.0.10.232/32, on destination port 1522 from Oracle Data Safe's private endpoint IP address, 10.0.10.160/32 (any source port).
  • Egress rule in the Oracle Data Safe private endpoint's NSG (nsg_not_allow_pdb_pe_ip): allow TCP traffic from Oracle Data Safe's private endpoint IP address, 10.0.10.160/32 (any source port), to the database's private endpoint IP address, 10.0.10.232/32, on destination port 1522.

Scoping both rules to a /32 address and to port 1522 limits the path to exactly these two endpoints. NSG rules are stateful by default, so the reply traffic from the database back to Oracle Data Safe needs no additional rule.

The following diagram illustrates the security rules.
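The pair of NSG rules described above, as an added example that is not part of the original article or Oracle's code: the Python below builds the two rules in the JSON shape that the OCI Networking API and `oci network nsg rules add --security-rules` accept, and then evaluates the pair against a concrete TCP flow, which is the check worth running before you click Register. The addresses are the database private endpoint 10.0.10.232 and the Data Safe private endpoint 10.0.10.160 noted above; the checker models CIDR-scoped rules only (rules that reference another NSG or a service are outside what it handles) and assumes the default stateful rules, so no return-path rule is generated.

```python
"""Build and sanity-check the NSG rules for Data Safe -> Autonomous Database.

Added example, not Oracle's code. Payload shape follows the OCI SecurityRule
schema (direction, protocol, source/destination CIDR, tcpOptions); only
CIDR_BLOCK rules are evaluated, not NSG or service references.
"""
import json
from ipaddress import ip_address, ip_network

TCP = "6"        # OCI identifies TCP by its IANA protocol number
DB_PORT = 1522   # listener port of the Autonomous Database private endpoint


def make_rule(direction, peer_cidr, port, description):
    """One stateful TCP rule; INGRESS names a source, EGRESS a destination."""
    rule = {
        "direction": direction,
        "protocol": TCP,
        "isStateless": False,   # stateful: the reply path needs no second rule
        "description": description,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }
    if direction == "INGRESS":
        rule["source"], rule["sourceType"] = peer_cidr, "CIDR_BLOCK"
    else:
        rule["destination"], rule["destinationType"] = peer_cidr, "CIDR_BLOCK"
    return rule


def data_safe_rules(db_pe_ip, ds_pe_ip, port=DB_PORT):
    """One /32 rule per NSG: ingress on the database NSG, egress on the Data Safe NSG."""
    label = "Oracle Data Safe private endpoint -> Autonomous Database"
    return {
        "db_nsg": [make_rule("INGRESS", f"{ds_pe_ip}/32", port, label)],
        "ds_nsg": [make_rule("EGRESS", f"{db_pe_ip}/32", port, label)],
    }


def rule_matches(rule, direction, src_ip, dst_ip, dst_port):
    """Does one rule permit the TCP flow src_ip -> dst_ip:dst_port in this direction?"""
    if rule["direction"] != direction or rule["protocol"] not in ("all", TCP):
        return False
    if direction == "INGRESS":
        kind, cidr, ip = rule.get("sourceType"), rule.get("source"), src_ip
    else:
        kind, cidr, ip = rule.get("destinationType"), rule.get("destination"), dst_ip
    if kind != "CIDR_BLOCK" or ip_address(ip) not in ip_network(cidr):
        return False
    ports = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return ports is None or ports["min"] <= dst_port <= ports["max"]


def path_open(db_nsg_rules, ds_nsg_rules, ds_pe_ip, db_pe_ip, port=DB_PORT):
    """True only if BOTH NSGs allow the flow: egress out of Data Safe, ingress into the database."""
    egress = any(rule_matches(r, "EGRESS", ds_pe_ip, db_pe_ip, port) for r in ds_nsg_rules)
    ingress = any(rule_matches(r, "INGRESS", ds_pe_ip, db_pe_ip, port) for r in db_nsg_rules)
    return egress and ingress


def cli_payload(rules):
    """JSON array for: oci network nsg rules add --nsg-id <ocid> --security-rules '<json>'"""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    rules = data_safe_rules("10.0.10.232", "10.0.10.160")
    print(cli_payload(rules["db_nsg"]))
    print(cli_payload(rules["ds_nsg"]))
    print("path open:", path_open(rules["db_nsg"], rules["ds_nsg"], "10.0.10.160", "10.0.10.232"))
```

Run the `path_open` check with the wrong port (1521 instead of 1522) or with a Data Safe address from a different subnet and it returns False, which is exactly the failure mode behind most "registration hangs" reports: one side of the pair is present and the other is missing or mis-scoped.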

Register an Autonomous Database on Shared Exadata Infrastructure with Private VCN Access

You can register an Autonomous Database on Shared Exadata Infrastructure with private VCN access from the database's Console in Oracle Cloud Infrastructure. Prior to registration, be sure to create an Oracle Data Safe private endpoint in your database's VCN or registration will fail.

  1. Sign in to your tenancy in Oracle Cloud Infrastructure.
  2. In the upper right corner, select the region in which your Autonomous Database resides.
  3. From the navigation menu, select Autonomous Data Warehouse or Autonomous Transaction Processing.
  4. From the Compartment drop-down list, select the compartment that contains your Autonomous Database.
  5. Click the name of your Autonomous Database.
    The Autonomous Database Information tab on the Autonomous Database Details page is displayed.
  6. Under Data Safe, click Register.
    If you did not create an Oracle Data Safe private endpoint prior to clicking Register, you are prompted to do so. Otherwise, a Confirm dialog box asks if you are sure you want to register the database with Oracle Data Safe.
  7. Click Confirm.
  8. Wait for registration to finish.
    The registration process is started and a work request is created. The registration process automatically searches for and uses the Oracle Data Safe private endpoint on your database's VCN. When registration is completed, the Status reads Registered. A resource group is created in the Oracle Data Safe Console with the same name as the compartment that contains the database in Oracle Cloud Infrastructure.
  9. (Optional) Click View Console to navigate to the Oracle Data Safe Console for the database.
    Because you are coming from the database's Console, the Oracle Data Safe dashboard is automatically filtered to show data only for your database. The filter is displayed in the upper right corner of the dashboard. You can remove it, if needed.

Grant Roles to the Oracle Data Safe Service Account on Your Autonomous Database

By default, your Autonomous Database comes with a database account specifically created for Oracle Data Safe named DS$ADMIN. The roles that you grant to this account determine the Oracle Data Safe features that you can use with your Autonomous Database.

For an Autonomous Database on Shared Exadata Infrastructure, all roles are already granted by default, except for DS$DATA_MASKING_ROLE.

For an Autonomous Database on Dedicated Exadata Infrastructure, only DS$ASSESSMENT_ROLE and DS$AUDIT_COLLECTION_ROLE are granted by default. You need to grant the other roles.

Note:

If Database Vault is enabled on your Autonomous Database, be aware that there are specific steps to take in the procedure below to get Oracle Data Safe to work with Database Vault.

The following list describes the available roles for Autonomous Databases:

  • DS$ASSESSMENT_ROLE: privileges required for the User Assessment and Security Assessment features
  • DS$AUDIT_COLLECTION_ROLE: privileges required for accessing audit trails for the target database
  • DS$DATA_DISCOVERY_ROLE: privileges required for the Data Discovery feature (discovering sensitive data in the target database)
  • DS$DATA_MASKING_ROLE: privileges required for the Data Masking feature (masking sensitive data in the target database)
  • DS$AUDIT_SETTING_ROLE: privileges required for updating target database audit policies

To grant roles to, or revoke roles from, the Oracle Data Safe service account on an Autonomous Database, run the GRANT_ROLE and REVOKE_ROLE procedures of the DS_TARGET_UTIL PL/SQL package on the Autonomous Database. You need to run them as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.

You can grant or revoke roles as often as needed.

  1. If Database Vault is enabled on your database and you want to use the User Assessment or Security Assessment features in Oracle Data Safe, connect to your database as a user with the DV_OWNER role and grant the DV_SECANALYST role to the DS$ADMIN user.
  2. To grant or revoke a role from the Oracle Data Safe service account, do the following:
    1. Using a tool like SQL*Plus or SQL Developer, log in to your Autonomous Database as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.
    2. Run one of the following commands:
      EXECUTE DS_TARGET_UTIL.GRANT_ROLE('role_name');

      or

      EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('role_name');

      where role_name is the name of an Oracle Data Safe role. role_name must be in quotation marks.

      Note:

      If Database Vault is enabled on your database and you grant the DS$DATA_MASKING_ROLE role, expect an ORA-20001 error and proceed to step 3.
  3. If Database Vault is enabled on your database and you want to use the Data Masking feature in Oracle Data Safe, do the following:
    1. Connect to the database as a user with the DV_OWNER role and authorize the ADMIN user to the Oracle System Privilege and Role Management Realm.
    2. Connect to the database as the ADMIN user and grant UNLIMITED TABLESPACE to the DS$ADMIN user.
    You can now use the Data Masking feature.
  4. (Optional) If Database Vault is enabled on your database and you want to revoke the User Assessment or Security Assessment feature: Connect to the database as a user with the DV_OWNER role and revoke the DV_SECANALYST role from the DS$ADMIN user.
    The Assessment features are no longer available for the database.
  5. (Optional) If Database Vault is enabled on your database and you want to revoke the Data Masking feature:
    1. Connect to the database as the ADMIN user and revoke UNLIMITED TABLESPACE from the DS$ADMIN user.
    2. Connect to the database as a user with the DV_OWNER role and unauthorize the ADMIN user from the Oracle System Privilege and Role Management Realm.
    The Data Masking feature is no longer available for the database.
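The grant and revoke procedure above, including the Database Vault extras, as an added example that is not Oracle's code: the Python below reads what DS$ADMIN currently holds, reports which Data Safe features are usable, and produces the ordered list of DS_TARGET_UTIL calls (plus the DV_OWNER and ADMIN steps) needed to end up with exactly the features you want, revoking the DS$ roles for the rest. On Shared Exadata Infrastructure every role except DS$DATA_MASKING_ROLE is granted by default, so the revoke half is where least privilege is actually applied. It assumes a DB-API cursor such as python-oracledb connected as ADMIN (or another user that can read DBA_ROLE_PRIVS and DBA_SYS_PRIVS); whether Database Vault is enabled is passed in as a flag rather than queried. SampleCursor is a constructed stand-in representing a Shared Exadata database with its default grants.

```python
"""Audit the DS$ADMIN service account and plan the DS_TARGET_UTIL calls.

Added example, not Oracle's code. Assumes a DB-API cursor (for example
python-oracledb) connected as ADMIN or another user that can read
DBA_ROLE_PRIVS and DBA_SYS_PRIVS. Whether Database Vault is enabled is an
input from the caller, not something this code detects.
"""

SERVICE_ACCOUNT = "DS$ADMIN"

# Feature -> DS$ role it needs (from the role list above).
FEATURE_ROLE = {
    "Assessment": "DS$ASSESSMENT_ROLE",
    "Audit Collection": "DS$AUDIT_COLLECTION_ROLE",
    "Audit Settings": "DS$AUDIT_SETTING_ROLE",
    "Data Discovery": "DS$DATA_DISCOVERY_ROLE",
    "Data Masking": "DS$DATA_MASKING_ROLE",
}

# Extra grants needed only when Database Vault is enabled (steps 1 and 3
# above) and who must issue them; DS_TARGET_UTIL cannot do these for you.
DV_EXTRA = {
    "Assessment": ("DV_SECANALYST",
                   "-- as a DV_OWNER user:\nGRANT DV_SECANALYST TO DS$ADMIN;"),
    "Data Masking": ("UNLIMITED TABLESPACE",
                     "-- as a DV_OWNER user: authorize ADMIN to the Oracle System "
                     "Privilege and Role Management Realm, then as ADMIN:\n"
                     "GRANT UNLIMITED TABLESPACE TO DS$ADMIN;"),
}

ROLE_SQL = "SELECT granted_role FROM dba_role_privs WHERE grantee = :grantee"
PRIV_SQL = "SELECT privilege FROM dba_sys_privs WHERE grantee = :grantee"


def current_grants(cursor):
    """Roles and system privileges DS$ADMIN holds right now."""
    grants = set()
    for sql in (ROLE_SQL, PRIV_SQL):
        cursor.execute(sql, {"grantee": SERVICE_ACCOUNT})
        grants.update(row[0] for row in cursor.fetchall())
    return grants


def required_grants(feature, dv_enabled):
    """Everything DS$ADMIN must hold for one feature to work."""
    need = {FEATURE_ROLE[feature]}
    if dv_enabled and feature in DV_EXTRA:
        need.add(DV_EXTRA[feature][0])
    return need


def audit(grants, dv_enabled):
    """Feature -> set of grants still missing (empty set means usable)."""
    return {f: required_grants(f, dv_enabled) - grants for f in FEATURE_ROLE}


def plan(grants, wanted, dv_enabled):
    """Ordered statements to reach exactly `wanted`: grant what is missing,
    revoke the DS$ roles of features you do not use (least privilege)."""
    steps = []
    for feature, role in FEATURE_ROLE.items():
        if feature in wanted:
            if role not in grants:
                # With Database Vault on, granting DS$DATA_MASKING_ROLE raises
                # ORA-20001; the article says to expect it and carry on with
                # the DV steps that follow.
                steps.append(f"EXECUTE DS_TARGET_UTIL.GRANT_ROLE('{role}');")
            if dv_enabled and feature in DV_EXTRA:
                extra, statement = DV_EXTRA[feature]
                if extra not in grants:
                    steps.append(statement)
        elif role in grants:
            steps.append(f"EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('{role}');")
    return steps


class SampleCursor:
    """Constructed stand-in for a DB-API cursor: a Shared Exadata database
    with its default grants (every DS$ role except DS$DATA_MASKING_ROLE)."""

    ROWS = {
        ROLE_SQL: [("DS$ASSESSMENT_ROLE",), ("DS$AUDIT_COLLECTION_ROLE",),
                   ("DS$AUDIT_SETTING_ROLE",), ("DS$DATA_DISCOVERY_ROLE",)],
        PRIV_SQL: [],
    }

    def execute(self, sql, params=None):
        self._rows = self.ROWS[sql]

    def fetchall(self):
        return self._rows


if __name__ == "__main__":
    held = current_grants(SampleCursor())
    for feature, missing in audit(held, dv_enabled=False).items():
        state = "usable" if not missing else "missing " + ", ".join(sorted(missing))
        print(f"{feature}: {state}")
    print("\n".join(plan(held, {"Assessment", "Data Masking"}, dv_enabled=False)))
```

The plan is only a list of statements to review and run as the users named in each one; it deliberately does not execute anything, because the DV_OWNER steps and the DS_TARGET_UTIL calls must be issued from different sessions.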