Enabling IPSec VPN Access to Exadata Cloud Service

Oracle Cloud can provide add-on VPN services, which are available for an additional subscription fee. Using these services, you can create a secure virtual private network (VPN) tunnel over the Internet that connects your corporate network to Oracle Cloud services, such as Oracle Database Exadata Cloud Service. Oracle Cloud VPN services use IPsec, which is a suite of protocols designed to authenticate and encrypt all IP traffic between two locations.

To use this facility, you must have a VPN gateway device that uses current IPSec standards to establish a secure tunnel between your network and Oracle Cloud. Specifically, the device must support:

  • IPv4 traffic with support for ICMP, TCP and UDP. Multicast traffic is not supported.

  • Tunnel mode sessions: Tunnel mode encapsulates each complete IP packet, original headers included, inside a new packet addressed between the two gateways, so the internal source and destination addresses travel inside the encrypted payload. It is used to create a virtual private network between your network and Oracle Cloud, rather than between a specific set of hosts, and it protects all communications between both networks.

  • Pre-shared key authentication: The supported authentication method for enabling IPSec VPN access to Exadata Cloud Service uses pre-shared keys. With pre-shared keys, the same secret is configured on each IPSec VPN gateway device, so it should be long and randomly generated, and it must be exchanged out of band rather than over the link it is meant to protect.

  • Dynamic rekeying: IPsec uses dynamic rekeying to limit how much traffic, and for how long, any single key protects. Each security association is negotiated with a lifetime expressed as a time limit, a byte count, or both; before that lifetime expires, IKE negotiates fresh keys, so the traffic stream is secured by a sequence of keys rather than one key for the life of the tunnel.

Note:

For information on IPSec standards, see the Internet Engineering Task Force (IETF) Request for Comments (RFC) 6071: IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap.
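A gateway configuration that meets the four requirements above, written for strongSwan's swanctl.conf, as an added example (this is not Oracle's configuration and the parameters are not Oracle's). The peer address, destination subnet, identities, cipher proposals and lifetimes are assumptions chosen for illustration; the real values come from the Oracle Cloud Network VPN Form. Addresses are taken from the RFC 5737 documentation blocks.

```conf
# Added example for a strongSwan gateway. All addresses and proposals are
# placeholders; substitute the values supplied on the Oracle VPN form.
connections {
    oracle-exadata {
        # IKEv2. Avoid IKEv1 aggressive mode, which sends a hash of the
        # pre-shared key that can be attacked offline.
        version = 2
        local_addrs  = 203.0.113.10      # assumed: this gateway's public address
        remote_addrs = 198.51.100.5      # assumed: Oracle's VPN gateway address
        local {
            auth = psk                   # pre-shared key authentication, both sides
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.5
        }
        proposals = aes256-sha256-modp2048   # IKE SA proposal (assumed)
        rekey_time = 4h                      # dynamic rekeying of the IKE SA
        dpd_delay = 30s                      # dead-peer detection keeps a stale SA from lingering
        children {
            exadata {
                mode = tunnel                # tunnel mode: network-to-network, not host-to-host
                local_ts  = 203.0.113.0/24   # assumed: non-RFC 1918 range your hosts are masked as
                remote_ts = 192.0.2.0/24     # assumed: Oracle's registered, non-advertised destination subnet
                esp_proposals = aes256gcm16-modp2048   # ESP with PFS (assumed)
                rekey_time  = 1h             # soft limit: negotiate a new key after an hour...
                life_time   = 66m            # ...hard limit shortly after, leaving a window to rekey
                rekey_bytes = 1g             # ...or after 1 GiB of traffic, whichever comes first
                start_action = start         # bring the tunnel up at daemon start
            }
        }
    }
}

secrets {
    ike-oracle {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.5
        # Replace with the long random key agreed with Oracle, exchanged out of band.
        secret = "replace-with-a-long-random-key"
    }
}
```

The soft/hard lifetime pair is the point of dynamic rekeying in practice: the child SA is renegotiated at `rekey_time` while the old one remains valid until `life_time`, so traffic is never interrupted and no key protects more than the configured time or byte budget. Only IPv4 unicast is carried, matching the first requirement; nothing here tries to forward multicast.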

To avoid any IP address conflict with your client network, Oracle Cloud uses a registered public address block as the destination subnet for the tunnel. The block is owned by Oracle but is not advertised on the Internet, so it cannot collide with anything your network already routes and is reachable only through the VPN, which gives your clients a unique routing target. Additionally, Oracle requires that you mask (NAT) your internal systems behind a public, non-RFC 1918 address range, so that the addresses at both ends of the tunnel are globally unique and an IP address conflict in the end-to-end network is practically impossible.
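As an added example that is not part of the Oracle page, the following Python script checks a proposed address plan against the rules in this paragraph before the VPN form is submitted, and shows the 1:1 NAT mapping that "masking" an internal host implies. The Oracle destination subnet, the NAT range and the internal range are constructed placeholders from the RFC 5737 documentation blocks; substitute the values on your form. The RFC 1918 ranges are listed explicitly because Python's `is_private` also flags the documentation blocks, which would produce false positives here.

```python
"""Address-plan check for an IPsec VPN to Exadata Cloud Service.

Added example, not Oracle code. Oracle's real destination subnet is given on
the VPN form; the addresses used below are constructed placeholders.
"""
import ipaddress
from typing import List

# RFC 1918 private ranges, listed explicitly: ip_network.is_private would
# also match RFC 5737 documentation space and other reserved blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_address_plan(oracle_subnet: str, nat_ranges: List[str],
                       internal_ranges: List[str]) -> List[str]:
    """Return the list of problems found; an empty list means the plan is acceptable.

    oracle_subnet   : destination subnet Oracle assigns for the tunnel (from the VPN form)
    nat_ranges      : non-RFC 1918 ranges your internal hosts are masked as
    internal_ranges : real internal ranges (typically RFC 1918) behind the NAT
    """
    problems: List[str] = []
    oracle = ipaddress.ip_network(oracle_subnet, strict=True)
    nats = [ipaddress.ip_network(n, strict=True) for n in nat_ranges]
    internals = [ipaddress.ip_network(n, strict=True) for n in internal_ranges]

    # Only IPv4 unicast is carried over the tunnel.
    if oracle.version != 4 or oracle.is_multicast:
        problems.append(f"{oracle}: destination subnet must be IPv4 unicast")

    for n in nats:
        if n.version != 4:
            problems.append(f"{n}: NAT range must be IPv4")
            continue
        for p in RFC1918:
            if n.overlaps(p):
                problems.append(f"{n}: NAT range overlaps RFC 1918 space {p}; "
                                "a public, non-RFC 1918 range is required")
        if n.overlaps(oracle):
            problems.append(f"{n}: NAT range overlaps Oracle destination subnet {oracle}")

    # Internal ranges must not collide with the destination subnet either,
    # or hosts could route Oracle traffic onto the local LAN.
    for i in internals:
        if i.overlaps(oracle):
            problems.append(f"{i}: internal range overlaps Oracle destination subnet {oracle}")

    # NAT ranges must not overlap each other, or the mapping is ambiguous.
    for idx, a in enumerate(nats):
        for b in nats[idx + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} and {b}: NAT ranges overlap each other")
    return problems


def translate(host: str, internal_net: str, nat_net: str) -> str:
    """Map an internal host to its masked address under 1:1 (static) NAT.

    The two networks must be the same size; the host keeps its offset
    within the network, so 192.168.10.25 in 192.168.10.0/24 masked as
    203.0.113.0/24 appears to Oracle as 203.0.113.25.
    """
    inet = ipaddress.ip_network(internal_net, strict=True)
    nnet = ipaddress.ip_network(nat_net, strict=True)
    if inet.prefixlen != nnet.prefixlen:
        raise ValueError("1:1 NAT needs equally sized networks")
    addr = ipaddress.ip_address(host)
    if addr not in inet:
        raise ValueError(f"{addr} is not in {inet}")
    offset = int(addr) - int(inet.network_address)
    return str(nnet.network_address + offset)


if __name__ == "__main__":
    # Constructed placeholders: 192.0.2.0/24 stands in for Oracle's subnet,
    # 203.0.113.0/24 for the public range internal hosts are masked as.
    plan = check_address_plan("192.0.2.0/24", ["203.0.113.0/24"], ["192.168.10.0/24"])
    print("acceptable plan:", plan)
    bad = check_address_plan("192.0.2.0/24", ["10.1.0.0/24"], ["192.168.10.0/24"])
    print("rejected plan:", bad)
    print("192.168.10.25 is seen by Oracle as",
          translate("192.168.10.25", "192.168.10.0/24", "203.0.113.0/24"))
```

Run the check against the exact values you intend to enter on the VPN form; a plan that passes it still has to match whatever Oracle's engineers confirm during provisioning, since the destination subnet is assigned by Oracle, not chosen by you.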

The VPN provisioning process is a collaborative effort between Oracle Cloud network engineers and your corporate network administrators. Key steps in the provisioning process include:

  1. An order for Oracle Cloud VPN services is placed. This can be a separate order, or it can be in conjunction with an order for Exadata Cloud Service.

  2. You are sent an Oracle Cloud Network VPN Form. This is a pre-filled form based on the service type and hosting location of your Oracle Cloud services. The form requests information required to provision the VPN connection.

  3. Oracle receives the completed form and checks that all the prerequisites are met.

  4. Oracle provisions the VPN service in conjunction with your network engineers during an agreed maintenance window.

  5. Oracle runs through a post-configuration checklist with you to ensure that the VPN is working and that the setup is completed.

See How to Request Service Configuration for Oracle Database Exadata Cloud Service.