Network Access

This topic does not apply to Oracle Cloud Infrastructure.

This section provides information about network access to a newly created Oracle Database Cloud Service database deployment that uses Oracle Data Guard.

When a Database Cloud Service database deployment is created, compute node network access is limited to Secure Shell (SSH) connections on port 22 by default. This access restriction ensures that the deployment is secure by default. To access other ports, you can create an SSH tunnel to the port or you can enable access to the port using the Oracle Database Cloud Service console. For more information, see:

Additionally, the NAT prerouting rules are configured to redirect TCP and UDP on port 80 to port 8080 so that Oracle REST Data Services (ORDS) can service HTTP communication.

To provide network access to the compute node, the following Oracle Compute Cloud Service networking resources are created:

  • A permanent IP reservation named ipreservation is created and associated with the Compute Cloud Service instance (VM).

  • A security list named ora_db is created and associated with the compute node. This security list is used in security rules to enable access to specific security applications (port specifications) on the compute node. It is configured with its inbound policy set to DENY and its outbound policy set to PERMIT.

  • The following security applications (port specifications) are created so that they can be used in security rules to enable access to specific ports on the compute node:

    • ora_dbconsole provides TCP access using port 1158

    • ora_dbexpress provides TCP access using port 5500

    • ora_dblistener provides TCP access using the listener port that you specified when you created the database deployment

    • ora_http provides TCP access using port 80

    • ora_httpssl provides TCP access using port 443

  • The following security rules are created to enable access to specific ports on the compute node. With the exception of ora_p2_ssh, all these security rules are disabled by default to ensure network security of a newly created deployment. For information about enabling one of these security rules, see Enabling Access to a Compute Node Port.

    • ora_p2_dbconsole controls access from the public internet to the ora_db security list on the ora_dbconsole security application (port 1158 TCP).

    • ora_p2_dbexpress controls access from the public internet to the ora_db security list on the ora_dbexpress security application (port 5500 TCP).

    • ora_p2_dblistener controls access from the public internet to the ora_db security list on the ora_dblistener security application.

    • ora_p2_http controls access from the public internet to the ora_db security list on the ora_http security application (port 80 TCP).

    • ora_p2_httpssl controls access from the public internet to the ora_db security list on the ora_httpssl security application (port 443 TCP).

    • ora_p2_ssh controls access from the public internet to the ora_db security list on the ssh security application (port 22 TCP).

  • In addition to the SSH key at the Oracle Database Cloud Service service level, which is referred to or uploaded during the database deployment creation process, a second key is created to permit access to the deployment by Oracle Cloud tools. This key has a name of the form:

    domain-name.dbaas.deployment-name.db.tresources.sshkey.ora_tools
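
The defaults listed above (the ora_db security list with inbound DENY and outbound PERMIT, and only ora_p2_ssh enabled) give a baseline that a deployment can be checked against for drift. The following is an added example, not Oracle code: the export format, the audit function and the sample rule adhoc_vnc are assumptions constructed for illustration.

```python
"""Added example: compare exported security settings with the documented defaults."""

# Defaults stated on this page for a newly created deployment.
BASELINE_POLICY = {"inbound": "DENY", "outbound": "PERMIT"}
DEFAULT_RULES = {  # rule name -> (security application, enabled by default)
    "ora_p2_dbconsole": ("ora_dbconsole", False),
    "ora_p2_dbexpress": ("ora_dbexpress", False),
    "ora_p2_dblistener": ("ora_dblistener", False),
    "ora_p2_http": ("ora_http", False),
    "ora_p2_httpssl": ("ora_httpssl", False),
    "ora_p2_ssh": ("ssh", True),
}

def audit(seclist, rules):
    """Return findings where the ora_db settings depart from the defaults."""
    findings = []
    for direction, expected in BASELINE_POLICY.items():
        actual = str(seclist.get(direction, "")).upper()
        if actual != expected:
            findings.append(f"policy: {direction} is {actual or 'unset'}, default is {expected}")
    seen = set()
    for rule in rules:
        name, app, enabled = rule["name"], rule["application"], rule["enabled"]
        seen.add(name)
        if name not in DEFAULT_RULES:
            # Rules outside the documented set are reported only when active.
            if enabled:
                findings.append(f"rule: {name} is enabled and is not a default rule")
            continue
        default_app, default_enabled = DEFAULT_RULES[name]
        if app != default_app:
            findings.append(f"rule: {name} uses {app}, default is {default_app}")
        if enabled and not default_enabled:
            findings.append(f"rule: {name} is enabled, opening {app} to the public internet")
    for name in sorted(set(DEFAULT_RULES) - seen):
        findings.append(f"rule: {name} is missing")
    return findings

# Constructed sample data in a hypothetical export format (not the service's own output).
SAMPLE_SECLIST = {"name": "ora_db", "inbound": "DENY", "outbound": "PERMIT"}
SAMPLE_RULES = [
    {"name": "ora_p2_ssh", "application": "ssh", "enabled": True},
    {"name": "ora_p2_dblistener", "application": "ora_dblistener", "enabled": True},
    {"name": "ora_p2_http", "application": "ora_http", "enabled": False},
    {"name": "adhoc_vnc", "application": "vnc", "enabled": True},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SECLIST, SAMPLE_RULES):
        print(finding)
```

An enabled ora_p2_dblistener rule is not necessarily wrong, since the page describes enabling rules as a supported way to open a port; the finding marks it as a deliberate departure from the default that should be traceable to a change record.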