1 Introduction
The Oracle Retail Data Store (RDS) is accessible through the APEX Developer Environment as well as through custom APEX applications and services developed by the customer. Private endpoints extend access to RDS within your virtual cloud network (VCN) on Oracle Cloud Infrastructure or to other networks peered to the VCN such as your corporate network. That is, you can access RDS from hosts within your virtual cloud network (VCN) or from your on-premises network.
Prerequisites
To implement Private Endpoint access to Oracle Retail Data Store, your organization must have:
-
A paid Oracle Cloud Infrastructure (OCI) tenancy with appropriate service limits.
-
An OCI Virtual Cloud Network (VCN) with at least one subnet in the same region as the RDS deployment.
-
Networking expertise or access to experienced resources familiar with OCI networking, including VPN or FastConnect setup and DNS configuration.
What Is a Private Endpoint?
With a private endpoint, traffic does not go over the internet. A private endpoint is a private IP address within your VCN that you can use to access a given service within Oracle Cloud Infrastructure. The service sets up the private endpoint in a subnet of your choice within the VCN. You can think of the private endpoint as just another Virtual Network Interface Card (VNIC) in your VCN. You control access to it as you would for any other VNIC by using security rules. When you set up a private endpoint for RDS, however, the VNIC is set up for you, and its availability is maintained on your behalf. Your only responsibility is to maintain the subnet and the security rules.
Forward and Reverse Access
As seen in Figure 1-1, private endpoints and reverse connections enable secure, non-internet communication between your network and Oracle Retail Data Store.
Figure 1-1 Overview
This diagram shows how Retail Data Store (RDS) is accessed through a private endpoint deployed in the customer’s VCN. Forward connections allow customer systems or services to access RDS and related SaaS services. Reverse connections (such as for the Credential Exchange Service) enable Oracle-hosted services to securely reach designated targets within the customer’s network.
Table 1-1 Figure 1-1 Acronyms
| RDS | Retail Data Store | Oracle Retail data warehouse offering accessed through APEX, REST, or SQL interfaces. |
| PE | Private Endpoint | A private IP address in your VCN used to access Oracle services without going over the internet. |
| DRG | Dynamic Routing Gateway | Network gateway that connects your on-premises network to your OCI VCN using VPN or FastConnect. |
| VPN | Virtual Private Network | A secure encrypted tunnel between customer on-premises systems and OCI. |
| FastConnect | OCI FastConnect | Dedicated, private network connection between customer on-premises data center and OCI. |
| CPE | Customer-Premises Equipment | Device on the customer’s side that connects to the VPN or FastConnect. |
| ADW | Autonomous Data Warehouse | Oracle’s cloud-native data warehouse service. |
| CNE DNS |
Cloud Native Environment DNS |
Internal DNS resolver used by Oracle-hosted Kubernetes clusters and services. |
| VCN | Virtual Cloud Network | A customizable private network in OCI, similar to a traditional data center network. |
|
VCN DNS Resolver |
VCN DNS Resolver | DNS resolution service for resources within a VCN. |
Networking Expertise Required
Effectively using a private endpoint requires substantial networking expertise. For additional information, consult Oracle documentation on OCI networking, OCI private access, FastConnect, and site-to-site VPN.
Private Endpoint Setup Timeline
When you request a private endpoint for RDS, you receive an endpoint for each of your environments: production, stage, and so on. You also receive a second private endpoint that gives you access to a Credential Exchange Service (discussed in more detail below). Establishing a private endpoint requires some lead time and a short outage on each environment (two to eight hours depending on environment size). The outage on each environment precedes the availability of the endpoint by several days. In short, the time between your request for private endpoint access and its availability is measured in days not hours or minutes. Oracle support will contact you to schedule environment outages.