Network Access

This topic does not apply to Oracle Cloud Infrastructure or to Oracle Cloud at Customer.

This section provides information about network access to a newly created Oracle Database Cloud Service deployment that uses Oracle Real Application Clusters (Oracle RAC) and Oracle Data Guard.

By default, compute node network access is limited to Secure Shell (SSH) connections by the opc user on port 22. This access restriction ensures that the deployment is secure by default. To access other ports, you can create an SSH tunnel to the port or you can enable access to the port using the Oracle Database Cloud Service console. To provide SSH access to the oracle and grid users, you can add the public key to the user’s $HOME/.ssh/authorized_keys file.
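The step above, adding a public key to the oracle or grid user's $HOME/.ssh/authorized_keys file, is easy to get subtly wrong: sshd ignores the file if its permissions are too open, and repeated runs leave duplicate entries. The following helper is an added example, not Oracle's tooling and not code from this page; it validates the OpenSSH one-line key format, appends the key only if the same key material is not already present, and enforces 0700 on the .ssh directory and 0600 on the file. The sample key it uses is constructed (an all-zero ed25519 key) purely so the demo runs offline.

```python
"""Idempotent authorized_keys management for a target user's home directory.
Added example for the step described on the page; not Oracle's own tooling."""
import base64
import binascii
import os
import stat
import tempfile
from pathlib import Path

# Key types accepted in the one-line OpenSSH public key format
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def validate_public_key(line: str) -> bool:
    """Return True if line is '<type> <base64 blob> [comment]' and the blob
    starts with a length-prefixed copy of the same key type (OpenSSH wire format)."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n] == parts[0].encode()


def add_authorized_key(home: str, pubkey: str) -> bool:
    """Append pubkey to <home>/.ssh/authorized_keys unless the same key material
    is already listed. Returns True if added, False if already present.
    Raises ValueError for a malformed key. Enforces the modes sshd expects."""
    if not validate_public_key(pubkey):
        raise ValueError("not a valid OpenSSH public key line")
    key = pubkey.strip()
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to umask; set it explicitly
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text().splitlines() if ak.exists() else []
    # Compare on (type, blob) only, so a changed comment does not duplicate a key
    key_id = tuple(key.split()[:2])
    present = any(tuple(l.split()[:2]) == key_id
                  for l in existing if l.strip() and not l.startswith("#"))
    if not present:
        with open(ak, "a") as f:
            f.write(key + "\n")
    os.chmod(ak, 0o600)
    return not present


def constructed_sample_key(comment: str = "oracle@example") -> str:
    """Constructed sample: a syntactically valid ed25519 public key whose 32 bytes
    of key material are all zeros. Not a real key; for the offline demo only."""
    ktype = b"ssh-ed25519"
    blob = (len(ktype).to_bytes(4, "big") + ktype
            + (32).to_bytes(4, "big") + bytes(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def run_demo() -> dict:
    """Exercise the helper in a throwaway home directory and report the outcome."""
    home = tempfile.mkdtemp()
    key = constructed_sample_key("oracle@example")
    first = add_authorized_key(home, key)
    again = add_authorized_key(home, key)  # exact duplicate
    recommented = add_authorized_key(home, constructed_sample_key("grid@example"))  # same blob
    ak = Path(home) / ".ssh" / "authorized_keys"
    return {
        "added_first": first,
        "added_again": again,
        "added_recommented": recommented,
        "lines": len(ak.read_text().splitlines()),
        "dir_mode": stat.S_IMODE((Path(home) / ".ssh").stat().st_mode),
        "file_mode": stat.S_IMODE(ak.stat().st_mode),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real compute node you would run this as root (or as the target user) with `home` set to the oracle or grid user's home directory and `pubkey` read from the administrator's .pub file; the key-material comparison is what keeps repeated provisioning runs from growing the file.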

To provide network access to the compute nodes, the following Oracle Compute Cloud Service networking resources are created:

  • A permanent IP reservation named ipreservation is created and associated with each Compute Cloud Service instance (VM).

  • A security list named ora_db is created and associated with all the compute nodes. This security list permits the compute nodes to communicate with each other inside the Oracle Cloud, and it is used in security rules to enable access to specific security applications (port specifications) on the compute nodes. It is configured with its inbound policy set to DENY and its outbound policy set to PERMIT.

  • The following security applications (port specifications) are created so that they can be used in security rules to enable access to specific ports on the compute nodes:

    • ora_dbconsole provides TCP access using port 1158

    • ora_dbexpress provides TCP access using port 5500

    • ora_dblistener provides TCP access using the listener port that you specified when you created the database deployment

  • The following security rules are created to enable access to specific ports on the compute nodes. With the exception of ora_p2_ssh, all these security rules are disabled by default to ensure network security of a newly created deployment. For information about enabling one of these security rules, see Enabling Access to a Compute Node Port.

    • ora_p2_dbconsole controls access from the public internet to the ora_db security list on the ora_dbconsole security application (port 1158 TCP).

    • ora_p2_dbexpress controls access from the public internet to the ora_db security list on the ora_dbexpress security application (port 5500 TCP).

    • ora_p2_dblistener controls access from the public internet to the ora_db security list on the ora_dblistener security application.

    • ora_p2_ssh controls access from the public internet to the ora_db security list on the ssh security application (port 22 TCP).

  • In addition to the SSH key maintained at the Oracle Database Cloud Service service level, which you reference or upload when you create the database deployment, a second key is created to permit access to the deployment by Oracle Cloud tools. This key has a name of the form:

    domain-name.dbaas.deployment-name.db.tresources.sshkey.ora_tools
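The list above documents an expected exposure: with the ora_db inbound policy at DENY and only ora_p2_ssh enabled, a fresh deployment should answer on port 22 and nothing else from the public internet. The following script is an added example, not Oracle tooling and not from this page; it probes the documented ports from a client machine and reports any drift from that expectation (a port open that should be closed, or one closed that should be open after you enable its rule). The listener port is deployment-specific, so 1521 is an assumption here; the self-test substitutes loopback sockets for a real compute node so it runs offline.

```python
"""Audit which documented ports are reachable on a compute node and compare the
result with the expected default-deny posture. Added example, not Oracle's code."""
import socket
from typing import Dict, Iterable, Set

# Port roles taken from the documented security applications; the listener port
# is whatever was chosen at deployment time, 1521 is assumed for this example.
DOCUMENTED_PORTS: Dict[int, str] = {
    22: "ssh (ora_p2_ssh, enabled by default)",
    1158: "ora_dbconsole (ora_p2_dbconsole, disabled by default)",
    5500: "ora_dbexpress (ora_p2_dbexpress, disabled by default)",
    1521: "ora_dblistener (ora_p2_dblistener, disabled by default; port assumed)",
}
DEFAULT_EXPECTED_OPEN: Set[int] = {22}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host: str, ports: Iterable[int], expected_open: Set[int],
                   timeout: float = 2.0) -> dict:
    """Probe each port and split the result into what matches and what drifts."""
    state = {p: tcp_port_open(host, p, timeout) for p in ports}
    unexpected = sorted(p for p, is_open in state.items()
                        if is_open and p not in expected_open)
    missing = sorted(p for p in expected_open if p in state and not state[p])
    return {"open": state, "unexpected_open": unexpected,
            "expected_but_closed": missing}


def run_local_demo() -> dict:
    """Offline self-test: a listening loopback socket stands in for port 22 and a
    freshly released ephemeral port stands in for a database port that is denied."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        # Posture as documented: the "ssh" stand-in is expected open, the other closed
        posture = audit_exposure("127.0.0.1", [open_port, closed_port],
                                 expected_open={open_port}, timeout=1.0)
        # Drift: the same open port when nothing is expected to be reachable
        drift = audit_exposure("127.0.0.1", [open_port, closed_port],
                               expected_open=set(), timeout=1.0)
        return {"posture": posture, "drift": drift,
                "open_port": open_port, "closed_port": closed_port}
    finally:
        srv.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    if host:  # real run against a compute node's public IP, from outside the cloud
        for port, is_open in audit_exposure(host, DOCUMENTED_PORTS,
                                            DEFAULT_EXPECTED_OPEN)["open"].items():
            print(f"{port:5d} {'open  ' if is_open else 'closed'} {DOCUMENTED_PORTS[port]}")
    else:
        print(run_local_demo())
```

Run it from outside the Oracle Cloud with the node's public IP as the argument; after you enable a rule such as ora_p2_dbexpress, move that port into the expected set so the audit reflects the intended change rather than flagging it.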