Deploy Oracle Fusion Data Intelligence with a Private Endpoint

When you set up an Oracle Fusion Data Intelligence instance, you have the option to restrict access through a private endpoint.

A private endpoint is reachable only through private network traffic; direct access from the public internet is prohibited. When you deploy Oracle Fusion Data Intelligence with a private endpoint, Oracle Autonomous Data Warehouse and Oracle Analytics Cloud use private endpoints in your private subnet. You can provide access to Oracle Fusion Data Intelligence from an Oracle Cloud Infrastructure VCN in any region or tenancy, and from on-premises networks as well.

About Private Endpoints

Private endpoint refers to a network setup for your Oracle Fusion Data Intelligence instance where all network traffic moves through a private endpoint within a virtual cloud network in your tenancy.

Using a private endpoint for Oracle Fusion Data Intelligence meets an organization's security requirement that restricts the use of public endpoints. A private endpoint configuration doesn't use public subnets and keeps all traffic to and from your Oracle Fusion Data Intelligence instance off the public internet.

See About Private Endpoints in Private Access.

Prerequisites for a Private Endpoint

To provision an Oracle Fusion Data Intelligence instance with a private endpoint, you must have the following resources already created:

  1. A virtual cloud network (VCN) in the region where you plan to deploy Oracle Fusion Data Intelligence, and a private subnet in that VCN with at least a /28 CIDR block (14 IP addresses) available. You can change this after provisioning.
  2. Ensure that you (or whoever plans to create the Oracle Fusion Data Intelligence instance) have the required policies to access the VCN.

    Choose the most appropriate level for you from these options:

    Limited Resource Access Policy

    • Allow any-user to use vnics in tenancy where request.principal.type = 'fawservice'
    • Allow any-user to read vcns in tenancy where request.principal.type = 'fawservice'
    • Allow any-user to use network-security-groups in tenancy where request.principal.type = 'fawservice'
    • Allow any-user to use private-ips in tenancy where request.principal.type = 'fawservice'
    • Allow any-user to use subnets in tenancy where request.principal.type = 'fawservice'

    If you want to view and manage your virtual network family from the Oracle Cloud Infrastructure Console, then you may want to create these policies:

    • Allow group FAWAdmin.grp to read virtual-network-family <in compartment your-compartment or in tenancy>
    • Allow group FAWAdmin.grp to manage vnics <in compartment your-compartment or in tenancy>
    • Allow group FAWAdmin.grp to use subnets <in compartment your-compartment or in tenancy>
    • Allow group FAWAdmin.grp to use private-ips <in compartment your-compartment or in tenancy>

    Broad Resource Access Policy

    • Allow any-user to manage virtual-network-family in tenancy where request.principal.type = 'fawservice'

    If you want to view and manage your virtual network family from the Oracle Cloud Infrastructure Console, then you may want to create this policy:

    • Allow group FAWAdmin.grp to manage virtual-network-family <in compartment compartment-name or in tenancy>

    Apart from these, you must create the following general service policies:

    • Allow group FAWAdmin.grp to manage analytics-warehouse <in compartment your-compartment or in tenancy>
    • Allow group FAWAdmin.grp to read analytics-warehouse-work-requests <in compartment your-compartment or in tenancy>
    • Allow group FAWAdmin.grp to manage autonomous-database-family <in compartment your-compartment or in tenancy>
    • Allow group FAWAdmin.grp to manage analytics-instances <in compartment your-compartment or in tenancy>
    • Allow group FAWAdmin.grp to read analytics-instance-work-requests <in compartment your-compartment or in tenancy>
  3. Optional: If you plan to restrict traffic (ingress and egress) using network security group rules, then you must do so when you create your Oracle Fusion Data Intelligence instance. You can specify up to 5 network security groups to meet your business requirements. Ensure that the network security groups exist in the same VCN as your Oracle Fusion Data Intelligence instance and that you have this required policy to use network security groups:

    • Allow group FAWAdmin.grp to use network-security-groups <in compartment your-compartment or in tenancy>

    See “To create an NSG” in Network Security Groups.

  4. Inbound traffic allowed on port 1522 for Oracle Autonomous Data Warehouse and on port 443 for Oracle Analytics Cloud when you enter the security rule information for the network security group or VCN. Ensure that the rules allow ingress and egress for the VCN/subnet CIDR block on ports 443 and 1522.

    Note:

    Both of these ports are required for an Oracle Fusion Data Intelligence instance with a private endpoint to function.
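The subnet-size and port prerequisites above are easy to get subtly wrong (a /29 subnet, an NSG that opens 443 but not 1522, or an ingress rule with no matching egress). The following pre-flight check is an added example, not Oracle's code: it builds the least-privilege ingress/egress rule set for TCP 443 and TCP 1522 scoped to the private subnet, and verifies that a proposed rule list actually covers both ports in both directions for that subnet. The rule dictionaries follow the field names of the OCI SecurityRule resource (direction, protocol, source/sourceType, tcpOptions.destinationPortRange) as assumed here, so the generated list can be passed to `oci network nsg rules add --security-rules`; all CIDRs are constructed sample values.

```python
"""Pre-flight check for the private-endpoint network prerequisites.

Added example (not part of the Oracle documentation). Assumes the OCI
SecurityRule JSON shape; every CIDR below is a constructed sample value.
"""
import ipaddress
import json

# Ports the page requires, with the service each one serves.
REQUIRED_PORTS = {443: "Oracle Analytics Cloud", 1522: "Oracle Autonomous Data Warehouse"}
TCP = "6"  # OCI encodes the IP protocol number as a string; "all" means any protocol


def subnet_meets_minimum(cidr: str, max_prefixlen: int = 28) -> bool:
    """True if the private subnet is a /28 or larger IPv4 block, the page's minimum."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and net.prefixlen <= max_prefixlen


def build_rules(subnet_cidr: str) -> list:
    """Least-privilege NSG rules: only TCP 443 and 1522, only from/to the private subnet."""
    rules = []
    for port, service in REQUIRED_PORTS.items():
        port_range = {"destinationPortRange": {"min": port, "max": port}}
        rules.append({
            "direction": "INGRESS", "protocol": TCP, "isStateless": False,
            "source": subnet_cidr, "sourceType": "CIDR_BLOCK",
            "tcpOptions": port_range,
            "description": f"{service} from private subnet",
        })
        rules.append({
            "direction": "EGRESS", "protocol": TCP, "isStateless": False,
            "destination": subnet_cidr, "destinationType": "CIDR_BLOCK",
            "tcpOptions": port_range,
            "description": f"{service} to private subnet",
        })
    return rules


def _rule_covers(rule: dict, direction: str, port: int, type_key: str, subnet) -> bool:
    """Does one rule allow TCP <port> in <direction> for every address in <subnet>?"""
    if rule.get("direction") != direction or rule.get("protocol") not in (TCP, "all"):
        return False
    peer = rule.get("source" if direction == "INGRESS" else "destination")
    if rule.get(type_key) != "CIDR_BLOCK" or peer is None:
        return False  # service- or NSG-scoped peers are out of scope for this check
    peer_net = ipaddress.ip_network(peer, strict=False)
    if subnet.version != peer_net.version or not subnet.subnet_of(peer_net):
        return False
    port_range = rule.get("tcpOptions", {}).get("destinationPortRange")
    if port_range is None:
        return True  # no port restriction means all ports of the protocol
    return port_range["min"] <= port <= port_range["max"]


def missing_rules(rules: list, subnet_cidr: str) -> list:
    """Return the (direction, port) pairs that no rule in the list allows for the subnet."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    missing = []
    for direction, type_key in (("INGRESS", "sourceType"), ("EGRESS", "destinationType")):
        for port in REQUIRED_PORTS:
            if not any(_rule_covers(r, direction, port, type_key, subnet) for r in rules):
                missing.append((direction, port))
    return missing


if __name__ == "__main__":
    sample_subnet = "10.0.1.0/28"  # constructed sample private subnet
    print("subnet large enough:", subnet_meets_minimum(sample_subnet))
    proposed = build_rules(sample_subnet)
    print("missing after build_rules:", missing_rules(proposed, sample_subnet))
    print(json.dumps(proposed, indent=2))  # feed to: oci network nsg rules add --security-rules file://rules.json
```

Run `missing_rules` against the output of `oci network nsg rules list` for an existing NSG before creating the instance; an empty list means both ports are reachable in both directions for the subnet, and any returned pair names exactly which rule is absent.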

Create an Oracle Fusion Data Intelligence Private Instance

After your Oracle Fusion Data Intelligence private access service has been provisioned by Oracle, create an Oracle Fusion Data Intelligence private instance.

If you've provisioned Oracle Fusion Data Intelligence with single sign-on, then sign in using the federated Oracle Identity Cloud Service stripe that corresponds to the environment (Test, Production). See Set Up Provisioning with Single Sign-On. Oracle sends an email to the designated email address when your service is ready. When the status changes from Creating to Active, the service is ready to use.

You must ensure that the prerequisites are in place. See Prerequisites for a Private Endpoint.

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  3. Click Analytics & AI. Under Analytics, click Data Intelligence.
  4. On the Instances page, in Compartment, select a compartment if you want to place the service instance in a compartment other than the default root compartment that Oracle created for you.

    Note:

    Ensure that you have created a compartment before you select it here. See Managing Compartments.
  5. On the Instances page, click Create Instance.

    Note:

    If you haven't purchased a subscription, then the Create Instance button isn't active.
  6. Enter a Display Name for the service using alphanumeric and special characters.
  7. Enter a Name for the instance that's unique in your tenancy, using only alphanumeric characters without spaces, or reuse the name of a deleted instance.
  8. Optional: Enter a Description for the service using up to 255 alphanumeric and special characters.
  9. Select Development/Test as your first instance.
  10. Under Offerings, enable Subscription Configuration.
    Oracle Fusion Data Intelligence automatically configures the offerings based on your subscription details. For example, if you've subscribed for 20 ERP users, then you see the number of users for the instance automatically configured to 20 ERP users.
  11. In Fusion Application Connection, provide the URL of your Oracle Fusion Cloud Applications instance.
  12. In Authentication, select the type of authentication you want to use: JWT Based (recommended by Oracle) or Password Based.
    • If you choose JWT Based (JSON web token), then upload or copy and paste the private key and public certificate files. Select Keys have been uploaded to Fusion Source to enable Test Connection.

      Note:

      See Configure JWT Authentication Provider.

      Ensure that the generated RSA encryption private key contains at least 2048 characters and that you wait at least 15 minutes for the uploaded public certificate to become effective in your Oracle Fusion Cloud Applications instance.

    • If you choose Password Based, then enter and confirm the password of the default FAWService user from your Oracle Fusion Cloud Applications instance.

      The FAWService user is a predefined user provisioned in Oracle Fusion Cloud Applications and is used by the data pipeline functionality in Oracle Fusion Data Intelligence. This user account has the appropriate data security privileges granted on the Oracle Fusion Cloud Applications view objects to bulk extract data from Oracle Fusion Cloud Applications into the data warehouse.

      Note:

      Ensure that you assign the BIACM_ADMIN and BICC_UCM_CONTENT_ADMIN roles to the FAWService user using the Security Console of Oracle Fusion Cloud Applications. See Overview of Access Provisioning.

      Ensure that you have reset the password for the FAWService user in Oracle Fusion Cloud Applications prior to entering the new password. See Reset Passwords.

  13. Click Test Connection to check the connection to the Oracle Fusion Cloud Applications instance and confirm whether the credentials are valid.
  14. In Autonomous Data Warehouse Administrator Credentials, provide an administrator password for the Oracle Autonomous Data Warehouse that's provisioned in your tenancy to store the transformed data.
  15. In Network Access, click Private.

    Private network access option

  16. Select the Virtual Cloud Network, Subnet, and Network Security Group that you had set up and want to use to access Oracle Fusion Data Intelligence.
  17. The email address for notification is pre-populated from the user name. If the user name isn't an email address, then provide a valid email address for notifications.
    You receive an email notification, for example, when your Oracle Fusion Cloud Applications password is invalid.
  18. Optional: Add tags to your instance.
  19. Click Create Instance.

Navigate to the Details page for the new service to access the Oracle Fusion Data Intelligence URL and the associated Oracle Autonomous Data Warehouse. From here, you can also view or modify details such as the password for your Oracle Fusion Cloud Applications instance and the administrator password for the Oracle Autonomous Data Warehouse. You can also delete a service instance that's no longer required.

If you had set up provisioning of Oracle Fusion Data Intelligence with single sign-on, then your service is associated with the federated Oracle Identity Cloud Service instance. If you hadn’t set up single sign-on for Oracle Fusion Data Intelligence, then your service is associated with the default Oracle Identity Cloud Service instance that you received with your Oracle Cloud account.