2 Customer Responsibilities
Once a Private Endpoint (PE) is set up in Oracle Cloud Infrastructure (OCI), customers are responsible for configuring their network to ensure connectivity. This includes both on-premises network configuration and OCI-side configuration within the VCN hosting the private endpoint.
The customer responsibilities include, but are not limited to, the following.
On-Premises Network Configuration
The customer’s network team must do the following:
- Routing
Ensure that routing rules allow traffic to and from the private endpoint over VPN or FastConnect using the Dynamic Routing Gateway (DRG).
- Firewall Rules
Configure firewall rules to permit necessary traffic between on-premises systems and OCI services through the private endpoint.
- DNS Resolution
Validate that Fully Qualified Domain Names (FQDNs) such as those for Autonomous Data Warehouse (ADW) and other AIFCS components resolve to private endpoint IP addresses. This may involve forwarding DNS queries from on-premises DNS servers to the OCI VCN DNS Resolver or Oracle-hosted CNE DNS, depending on the service.
OCI Network Configuration
The customer must also configure networking within OCI:
- Security Lists and NSGs
Update the subnet’s security lists and/or Network Security Groups (NSGs) to allow inbound and outbound traffic between the private endpoint and other OCI resources.
- Route Tables
Ensure that the VCN’s route tables are updated to direct traffic correctly to and from the private endpoint, and if applicable, the DRG.
- Subnet Association
Verify that the subnet containing the private endpoint is correctly associated with the DRG, and that the subnet has sufficient address space to accommodate Oracle-managed VNICs.
- Reverse Connectivity for Oracle-Initiated Connections
Some Oracle services (such as Credential Exchange Service) initiate connections back to designated resources within the customer VCN. Ensure that the subnet allows inbound traffic from Oracle over the reverse connection path and that DNS resolution supports these services.
Testing and Validation
Before considering the setup complete:
- Connectivity Testing
Confirm access to the private endpoint from on-premises systems. Use tools such as traceroute, telnet, and nslookup to validate routing, port accessibility, and DNS resolution.
- OCI Diagnostics
Use OCI diagnostics tools such as VCN Flow Logs to verify traffic flow and troubleshoot issues.
- Coordinate with Oracle Support
If connectivity issues persist and the OCI-side configurations appear to be correct, contact Oracle Support for assistance.
Testing both the forward and reverse paths is essential to ensure full functionality.
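The three forward-path checks above (DNS resolution, port accessibility, routing) combined into one script. This is an added example, not code from the Oracle documentation: PE_FQDN and PE_PORT are placeholder values, nc -z stands in for an interactive telnet test, and the DNS step is made stricter than a bare nslookup by requiring every answer to be an RFC 1918 address, since a private-endpoint FQDN that resolves to a public address means the client is not using the private endpoint at all.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): forward-path checks for
# a private endpoint. PE_FQDN and PE_PORT below are placeholders.
PE_FQDN="${PE_FQDN:-adw.example.invalid}"   # placeholder private endpoint FQDN
PE_PORT="${PE_PORT:-1522}"                  # placeholder service port

# is_private_ip IP: succeed when IP is an IPv4 address in an RFC 1918 range
# (10/8, 172.16/12, 192.168/16). A private endpoint FQDN that resolves outside
# these ranges usually means the on-premises DNS forwarding rule to the VCN
# resolver is missing, so traffic would not take the private path.
is_private_ip() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only dotted decimal is accepted
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# answer_addresses: read nslookup output on stdin and print only the answer
# addresses (the "Address:" lines after "Name:"). The first "Address:" line
# in nslookup output names the resolver itself and is skipped.
answer_addresses() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address:/ { print $2 }'
}

# all_answers_private: read nslookup output on stdin; succeed only if there
# is at least one answer and every answer address is private.
all_answers_private() {
    count=0
    for addr in $(answer_addresses); do
        count=$((count + 1))
        is_private_ip "$addr" || return 1
    done
    [ "$count" -gt 0 ]
}

# check_endpoint: run the live checks. Needs nslookup, nc (netcat) and
# traceroute on the PATH; this part is not exercised offline.
check_endpoint() {
    echo "== DNS: $PE_FQDN"
    if nslookup "$PE_FQDN" | all_answers_private; then
        echo "OK: resolves to private address(es)"
    else
        echo "FAIL: no private answer; check DNS forwarding to the VCN resolver"
        return 1
    fi
    echo "== TCP port $PE_PORT (nc -z replaces an interactive telnet test)"
    if nc -z -w 5 "$PE_FQDN" "$PE_PORT"; then
        echo "OK: port reachable"
    else
        echo "FAIL: port blocked; check security lists/NSGs and the on-premises firewall"
        return 1
    fi
    echo "== route (expect the DRG hop before the private IP)"
    traceroute -n "$PE_FQDN"
}

if [ "${1:-}" = "--run" ]; then
    check_endpoint
fi
```

Run it with --run from an on-premises host to exercise the live checks; the parsing functions can also be fed saved nslookup output through a pipe, which is useful when comparing what the on-premises resolver and the VCN resolver return for the same name.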
Additional Notes
- Reverse Path Awareness
Services such as the Credential Exchange Server rely on Oracle-initiated traffic into the customer’s VCN. Failure to allow reverse traffic may not affect initial setup, but will result in operational failures later.
- High Availability
For production workloads, Oracle recommends redundant VPN tunnels or FastConnect circuits. Customers should verify that both paths are configured, operational, and tested.
- Subnet Ownership
While Oracle provisions the VNICs used for private endpoints, the subnet is owned and maintained by the customer. Customers must ensure subnet health and configuration, including availability of private IP addresses and security policies.
For detailed guidance on OCI networking best practices, refer to the Oracle Cloud Infrastructure Networking Documentation.