Controlling Network Access to Exadata Cloud Service

You can control network access to your Oracle Database Exadata Cloud Service by listing the network addresses that are either invited to connect or excluded from connecting. Two mechanisms are available:

  • You can define a list of clients that are allowed access through the firewall surrounding your Exadata Cloud Service environment. See Enabling Network Access to a Compute Node. After the list is defined, the firewall rejects all network traffic that does not conform. This mechanism applies to all network protocols.

  • You can use Oracle Net Services valid node checking to define a list of nodes from which Oracle Net Services allows or rejects connections. You enable and control valid node checking by setting parameters in the sqlnet.ora file, which is typically located at $ORACLE_HOME/network/admin/dbname/sqlnet.ora. Oracle Net Services valid node checking only controls Oracle Net Services connections. Connections by other means, such as SSH, are not arbitrated by Oracle Net Services valid node checking.

    To enable Oracle Net Services valid node checking, set TCP.VALIDNODE_CHECKING = yes in the sqlnet.ora file. To control Oracle Net Services valid node checking, use the following parameters:

    • TCP.EXCLUDED_NODES specifies clients that are denied access to the database. The parameter can be set to a list of host names or addresses and the list may include wildcards for IPv4 addresses and CIDR (Classless Inter-Domain Routing) notation for IPv4 and IPv6 addresses. For example:

      TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.168.2.25, 172.30.*, 2001:DB8:200C:417A/32)

    • TCP.INVITED_NODES specifies clients that are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present. The parameter can be set to a list of host names or addresses and the list may include wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses. For example:

      TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.168.*, 2001:DB8:200C:433B/32)

      Note:

      Regardless of whether you enable Oracle Net Services valid node checking, to enable any Oracle Net Services connections you must enable access to the Oracle Net Listener port (typically port 1521) on your Exadata Cloud Service compute nodes. See Connecting Remotely to the Database by Using Oracle Net Services.