3 Requesting a Private Endpoint

This chapter describes the steps required to request a Private Endpoint for AIFCS in OCI. It outlines the prerequisites, guided console workflows, and required information you must provide when submitting your request.

You begin by identifying your tenancy and creating a dedicated subcompartment and VCN. You then create a private subnet that AIFCS will use for private endpoint access. In single Availability Domain (AD) regions, you also configure a matching standby environment.

You are responsible for creating the required IAM policies that grant the ORACLE_INDUSTRY_SAAS service permission to manage networking resources in your compartment. Once all components are in place, you collect and submit a list of OCIDs to Oracle Support to complete the private endpoint provisioning process.

Optional guidance is provided for customers who want to receive credential rotation notifications through a private HTTP or HTTPS endpoint. This chapter concludes with a reference to disaster recovery instructions for single AD regions.

Obtain your Tenancy OCID

  1. Sign in to the OCI Console for your tenancy. Ensure you are in the same region as the AIFCS deployment.
  2. Click the navigation menu in the upper left corner of the OCI Console, and then select Governance & Administration > Tenancy Details.
  3. Copy and retain your tenancy OCID in the Tenancy Information panel.

Create a Dedicated Sub-Compartment

  1. Sign in to the OCI Console for your tenancy. Ensure you are in the same region as the AIFCS deployment.
  2. Click the navigation menu in the upper left corner of the OCI Console, and then select Identity & Security > Compartments.
  3. Locate and click the name of your parent compartment (that is, your tenancy root or project compartment).
  4. Click Create Compartment.
  5. In the Create Compartment dialog:
    1. Name: Enter a name for your subcompartment (for example, aif-vcn-compartment).
    2. Description: (Optional) Enter a description to help identify its purpose.
    3. Parent Compartment: Confirm it is the intended parent.
    4. Leave tags as is unless your tenancy uses them.
  6. Click Create Compartment.
  7. Retain the name of your PE sub-compartment. Copy and retain the OCID for your sub-compartment.

Create a Private Subnet

  1. Sign in to the OCI Console for your tenancy. Ensure you are in the same region as the AIFCS deployment.
  2. Click the navigation menu in the upper left corner of the OCI Console, and then select Networking > Virtual Cloud Networks.
  3. At the top of the VCN list page, click Start VCN Wizard in the Actions menu.
  4. Select Create VCN with Internet Connectivity for the Connection Type. Click Start VCN Wizard.
  5. In the Create VCN with Internet Connectivity panel:
    1. Name: Enter a name for your VCN (for example, aif-pe-vcn).
    2. Compartment: Select your dedicated private endpoint compartment.
    3. CIDR Block: Accept the default (10.0.0.0/16) or define a custom IPv4 CIDR block.
    4. IPv6 in this VCN: Leave disabled.
    5. DNS resolution: Leave enabled.
    6. Accept the default configurations for both public and private subnets.
  6. Click Next.
  7. Click Create.
  8. To view your VCN, click View VCN.
  9. Copy and retain your VCN OCID.
  10. Click the Subnets tab.
  11. At the end of the row for your private subnet, click the three-dot menu (...), and then select Copy OCID from the drop-down menu. Retain the OCID for your private subnet.

Additional Requirements for Single AD Regions

If you are in a single AD region, you need to:

  • Create a dedicated private endpoint subcompartment in the standby region.
  • Create a private subnet in the standby region.

Use the same process already described. Copy and retain the Tenancy OCID, Compartment Name, Compartment OCID, VCN OCID, and Private Subnet details for your standby region.

Create Compartment Policies

  1. Sign in to the OCI Console for your tenancy. Use the identity domain where AIFCS is deployed.
  2. Click the navigation menu in the upper left corner of the OCI Console, and then select Identity & Security > Policies.
  3. In Applied Filters, select the compartment for your Private Endpoint.
  4. Click Create Policy.
  5. In the Create Policy panel:
    1. Name: Enter a name for the policy (for example, aif-vcn-vnic-access).
    2. Description: (Optional) Provide a description (for example, Allows AIFCS to manage VNICs in this compartment).
    3. Compartment: Select the compartment for your private endpoint.
  6. Under Policy Builder, do the following:
    1. Select Show manual editor.
    2. Paste the following policy statements with the appropriate compartment name. These policies grant the ORACLE_INDUSTRY_SAAS service access only within the specified compartment. Be sure to replace <Your PE Compartment Name> with the exact name of your compartment.

      Allow service ORACLE_INDUSTRY_SAAS to manage vnics in compartment <Your PE Compartment Name>
      Allow service ORACLE_INDUSTRY_SAAS to use subnets in compartment <Your PE Compartment Name>
      Allow service ORACLE_INDUSTRY_SAAS to use network-security-groups in compartment <Your PE Compartment Name>
      Allow service ORACLE_INDUSTRY_SAAS to inspect work-requests in compartment <Your PE Compartment Name>

Submit your Private Endpoint Request

Submit your request for a private endpoint with the following information, which you gathered during the compartment and private subnet setup process:

  • Tenancy OCID
  • Compartment Name
  • Compartment OCID
  • VCN OCID
  • Private Subnet OCID
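A pre-submission check covering both the policy statements above and the list of values to submit, as an added example that is not Oracle's code: it confirms that each collected OCID has the documented layout and the expected resource type, that the VCN and private subnet sit in the AIFCS deployment region, and renders the four policy statements for your PE compartment name. The OCID pattern is an assumption based on the documented OCID format, and the sample OCIDs are constructed.

```python
import re

# Added example, not Oracle's code. Documented OCID layout is
# ocid1.<type>.<realm>.[region].<unique id>; the optional "future use" segment is ignored.
OCID_RE = re.compile(
    r"^ocid1\.(?P<type>[a-z0-9]+)\.(?P<realm>[a-z0-9]+)\.(?P<region>[a-z0-9-]*)\.(?P<id>[a-z0-9]+)$")

# Request field -> OCID resource type it must carry (the submission list above).
EXPECTED_TYPES = {"tenancy_ocid": "tenancy", "compartment_ocid": "compartment",
                  "vcn_ocid": "vcn", "private_subnet_ocid": "subnet"}

# The four statements from "Create Compartment Policies"; {name} is the PE compartment name.
POLICY_TEMPLATES = (
    "Allow service ORACLE_INDUSTRY_SAAS to manage vnics in compartment {name}",
    "Allow service ORACLE_INDUSTRY_SAAS to use subnets in compartment {name}",
    "Allow service ORACLE_INDUSTRY_SAAS to use network-security-groups in compartment {name}",
    "Allow service ORACLE_INDUSTRY_SAAS to inspect work-requests in compartment {name}",
)

def check_request(req, expected_region):
    """Return the problems found in the collected values (an empty list means ready to submit)."""
    problems, parsed = [], {}
    if not req.get("compartment_name", "").strip():
        problems.append("compartment_name is missing")
    for field, want in EXPECTED_TYPES.items():
        m = OCID_RE.match(req.get(field) or "")
        if not m:
            problems.append(f"{field}: not a well-formed OCID: {req.get(field)!r}")
            continue
        parsed[field] = m.groupdict()
        if parsed[field]["type"] != want:
            problems.append(f"{field}: OCID type is {parsed[field]['type']!r}, expected {want!r}")
    # VCN and subnet OCIDs are regional; both must sit in the AIFCS deployment region.
    for field in ("vcn_ocid", "private_subnet_ocid"):
        if field in parsed and parsed[field]["region"] != expected_region:
            problems.append(f"{field}: region {parsed[field]['region']!r} is not {expected_region!r}")
    return problems

def policy_statements(compartment_name):
    """Render the policy statements with the PE compartment name substituted."""
    return [t.format(name=compartment_name) for t in POLICY_TEMPLATES]

# Constructed sample values for one request; these are not real OCIDs.
SAMPLE_REQUEST = {
    "tenancy_ocid": "ocid1.tenancy.oc1..aaaaaaaasampletenancy0001",
    "compartment_name": "aif-vcn-compartment",
    "compartment_ocid": "ocid1.compartment.oc1..aaaaaaaasamplecompartment01",
    "vcn_ocid": "ocid1.vcn.oc1.phx.aaaaaaaasamplevcn0001",
    "private_subnet_ocid": "ocid1.subnet.oc1.phx.aaaaaaaasamplesubnet0001",
}
```

In a single AD region, run check_request a second time over the standby values with the standby region as expected_region.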

Submit Standby Information for Single AD Regions

When you submit your request, also provide the Tenancy OCID, Compartment Name, Compartment OCID, VCN OCID, and Private Subnet OCID for your standby region.

Notification Support

Oracle uses the Credential Exchange Service to notify you of database credential rotation and securely deliver database credentials to your environment. You may choose one of the following notification methods:

  • Email: Oracle sends a notification to a specified email address.
  • HTTP or HTTPS Endpoint: Oracle sends notification to a private service endpoint.
  • None: No notification is sent. Your system fetches the credentials when needed.

If you choose HTTP or HTTPS, you must complete additional setup steps. Oracle will use the Credential Exchange Service to initiate connections to your private endpoint, which must be reachable through the Oracle network.

Additional Requirements for HTTP/HTTPS Notification

This section is required only if you choose HTTP or HTTPS notification. If you choose email or no notification, you may skip this section.

If using an HTTP or HTTPS endpoint, you must:

  1. Create a dedicated private subnet in a separate compartment specifically for the notification endpoint.
  2. Repeat the subnet setup process described earlier in this chapter:
    1. Create a subcompartment.
    2. Create a VCN and a private subnet, and retain the associated OCIDs.
  3. If necessary, add an ingress rule to the subnet’s network security group or security list to allow traffic from the Credential Exchange Service to your notification endpoint.

Include the Following in Your Request

When submitting your private endpoint request, state that you wish to receive credential rotation notifications through an HTTP or HTTPS endpoint. Provide the following details about your notification subnet:

  • VCN OCID
  • Private Subnet OCID
  • Private Subnet CIDR
  • Fully Qualified Domain Name (FQDN) of the notification endpoint

If you are unsure whether you will use HTTP or HTTPS notification or if the endpoint details are not yet available, you may choose to submit this information in a later request.

Single AD Region Disaster Recovery

In the event of a Disaster Recovery in a single AD region, the customer must perform a number of DNS updates. When the disaster is mitigated, the customer must reverse those updates. For detailed steps on DNS updates during failover and failback in single AD regions, see Oracle Retail Cloud Services Private Connection Setup Guidance on My Oracle Support at Doc ID 2991525.1.