1 Introduction
The Oracle Retail AI Foundation Cloud Service (AIFCS) database is accessible through Innovation Workbench, including the APEX and Notebook development environments. Private endpoints extend access to AIFCS within the Virtual Cloud Network (VCN) on Oracle Cloud Infrastructure or to other networks peered to the VCN, such as your corporate network. You can access AIFCS data from hosts within the VCN or from the on-premises network.
Prerequisites
To implement private endpoint access to Oracle Retail AI Foundation Cloud Service, your organization must have:
- A paid Oracle Cloud Infrastructure (OCI) tenancy with appropriate service limits.
- An OCI Virtual Cloud Network (VCN) with at least one subnet in the same region as the AIFCS deployment.
- Networking expertise or access to experienced resources familiar with OCI networking, including VPN or FastConnect setup and DNS configuration.
What is a Private Endpoint?
With a private endpoint, traffic does not go over the internet. A private endpoint is a private IP address within your VCN that you can use to access a given service within Oracle Cloud Infrastructure. The service sets up the private endpoint in a subnet of your choice within the VCN. You can think of the private endpoint as just another Virtual Network Interface Card (VNIC) in your VCN. You control access to it as you would for any other VNIC by using security rules. When you set up a private endpoint for AIFCS, however, the VNIC is set up for you, and its availability is maintained on your behalf. Your only responsibility is to maintain the subnet and the security rules.
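Because the subnet's security rules are the customer's responsibility, it is worth checking them for rules that expose the endpoint more widely than intended. The following is an added example, not Oracle's code: it assumes ingress rules in the kebab-case shape of OCI CLI security-list JSON with CIDR sources, and the rules, trusted CIDRs, and port 1522 are constructed sample values.

```python
import ipaddress

# Assumption: rules use the kebab-case shape of OCI CLI security-list JSON.
# Every CIDR and the port number below are constructed sample values.
SAMPLE_INGRESS = [
    {"source": "10.0.0.0/16", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 1522, "max": 1522}}},
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 1522, "max": 1522}}},
    {"source": "192.168.0.0/16", "protocol": "all"},
    {"source": "172.16.5.0/24", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 1, "max": 65535}}},
    {"source": "10.0.9.0/24", "protocol": "6", "tcp-options": None},
]

def port_range(rule):
    """Destination port range of a TCP rule, or None when no range is set."""
    return (rule.get("tcp-options") or {}).get("destination-port-range")

def covers_port(rule, port):
    """True if the rule admits TCP traffic to `port`."""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != "6":  # protocol number 6 = TCP
        return False
    rng = port_range(rule)
    return rng is None or rng["min"] <= port <= rng["max"]  # no range = all ports

def audit_ingress(rules, trusted_cidrs, port):
    """Return (index, reason) findings for rules that over-expose the endpoint."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for i, rule in enumerate(rules):
        if not covers_port(rule, port):
            continue  # rule cannot reach the endpoint port at all
        src = ipaddress.ip_network(rule["source"])
        rng = port_range(rule)
        if not any(src.subnet_of(t) for t in trusted):
            findings.append((i, f"source {src} is outside the trusted ranges"))
        elif rule["protocol"] == "all":
            findings.append((i, "all protocols allowed, not just TCP"))
        elif rng is None or (rng["min"], rng["max"]) != (port, port):
            findings.append((i, "port range is wider than the endpoint port"))
    return findings

if __name__ == "__main__":
    trusted = ["10.0.0.0/16", "192.168.0.0/16"]  # constructed VCN / corporate CIDRs
    for idx, reason in audit_ingress(SAMPLE_INGRESS, trusted, 1522):
        print(f"rule {idx}: {reason}")
```

Only the first sample rule passes cleanly: it restricts both the source and the port to what the endpoint needs.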
Forward and Reverse Access
As shown in Figure 1-1, private endpoints and reverse connections enable secure, non-internet communication between your network and AIFCS.
Figure 1-1 AIFCS Access through a Private Endpoint

The diagram shows how AIFCS is accessed using a private endpoint deployed in the customer’s VCN. Forward connections allow customer systems or services to access AIFCS and related SaaS services. Reverse connections (such as for Credential Exchange Service) enable Oracle-hosted services to securely reach designated targets within the customer’s network.
Table 1-1 Acronyms
Acronym | Name | Description |
---|---|---|
PE | Private Endpoint | A private IP address in your VCN used to access Oracle services without going over the internet. |
DRG | Dynamic Routing Gateway | Network gateway that connects your on-premises network to your OCI VCN using VPN or FastConnect. |
VPN | Virtual Private Network | A secure encrypted tunnel between the customer on-premises systems and OCI. |
FastConnect | OCI FastConnect | Dedicated, private network connection between the customer on-premises data center and OCI. |
CPE | Customer-Premises Equipment | Device on the customer’s side that connects to the VPN or FastConnect. |
ADW | Autonomous Data Warehouse | Oracle’s cloud-native data warehouse service. |
CNE DNS | Cloud Native Environment DNS | Internal DNS resolver used by Oracle-hosted Kubernetes clusters and services. |
VCN | Virtual Cloud Network | A customizable private network in OCI, similar to a traditional data center network. |
VCN DNS Resolver | VCN DNS Resolver | DNS resolution service for resources within a VCN. |
Networking Expertise Required
Effectively using a private endpoint requires substantial networking expertise. For additional information, consult the Oracle documentation on OCI networking, OCI private access, FastConnect, and site-to-site VPN.
Private Endpoint Setup Timeline
When you request a private endpoint for AIFCS, you receive an endpoint for each of your environments: production, stage, and so on. You also receive a second private endpoint that gives you access to a Credential Exchange Service (see Access Setup for the Credential Exchange Service). Establishing a private endpoint requires some lead time and a short outage on each environment (two to eight hours, depending on environment size). The outage on each environment precedes the availability of the endpoint by several days. In short, the time between your request for private endpoint access and its availability is measured in days, not hours or minutes. Oracle support will contact you to schedule environment outages.