Provide Security Rules for the Private Subnet

You must provide security rules to allow access to the remote data gateway (RDG), Oracle GoldenGate, and Autonomous Data Warehouse in the private subnet.

The remote data gateway (RDG) and Oracle GoldenGate use rules assigned to a security list. Autonomous Data Warehouse uses rules assigned to a network security group (NSG).

  • Security lists: Defines a set of security rules that applies to all the VNICs in an entire subnet. To use a given security list with a particular subnet, you associate the security list with the subnet either during subnet creation or later. Any VNICs that are created in that subnet are subject to the security lists associated with the subnet.
  • Network security groups (NSGs): Defines a set of security rules that applies to a group of VNICs (resources, such as Autonomous Data Warehouse) of your choice. To use a given NSG, you add the VNICs of interest to the group or assign the NSG when provisioning the service. Not all services support NSGs. Any VNICs added to that group are subject to that group's security rules.

Create a Security List

Security lists act as virtual firewalls using a set of ingress and egress security rules that apply to all the virtual network interface cards (VNICs) in any subnet that is associated with the security list.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click Create Security List.
  5. Enter the following:
    • Name: A descriptive name for the security list. For example: my-domain-sec-list. The name doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.
    • Create in Compartment: The compartment where you want to create the security list, if different from the compartment you're currently working in.
  6. Add ingress or egress security rules. You can also add, revise, and delete security rules after you create the security list.
  7. Click Create Security List.

Add Ingress Rules for the Remote Data Gateway

A security rule allows a particular type of traffic in or out of a virtual network interface card (VNIC).

The remote data gateway (RDG) requires port 22 for secure shell (SSH) access to Linux and port 8080 for HTTP access.

To add ingress rules to a security list to allow access to the remote data gateway:

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the security list you are interested in.
  5. To add a rule that allows public access using secure shell (SSH), for example to migrate on-premises data sources to a database in the cloud:
    1. Click Add Ingress Rule.
    2. Specify 0.0.0.0/0 as the source CIDR (0.0.0.0/0 indicates all IP addresses).
    3. Select SSH as the IP protocol.
    4. Specify 22 as the destination port range.
  6. To add a rule that allows TCP access from servers or applications in a different VCN:
    1. Click Add Ingress Rule.
    2. Specify the VCN CIDR block as the source CIDR.
    3. Select TCP as the IP protocol.
    4. Specify 8080 as the destination port range.

Add an Ingress Rule for Oracle GoldenGate

A security rule allows a particular type of traffic in or out of a virtual network interface card (VNIC).

Oracle GoldenGate requires port 443 for TCP access.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Security Lists.
  4. Click the security list you are interested in.
  5. To add a rule that allows TCP access to Oracle GoldenGate from servers or applications in a different VCN:
    1. Click Add Ingress Rule.
    2. Specify the VCN CIDR block as the source CIDR.
    3. Select TCP as the IP protocol.
    4. Specify 443 as the destination port range.

Add a Security List to a Private Subnet

You can add security lists to or remove security lists from an existing virtual cloud network (VCN) subnet.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click Subnets.
  3. Click the VCN you're interested in.
  4. Click Subnets.
  5. Click the private subnet you're interested in. Verify that it is a private subnet by checking the value listed under Subnet Access.
  6. Under Resources, click Security Lists.
  7. If you want to add a security list, click Add Security List, and select the security list you want the subnet to use.

    If you want to remove a security list, click the Actions icon (three dots), and then click Remove. Remember that a subnet must always have at least one security list associated with it.

    The changes take effect within a few seconds.

Create a Network Security Group (NSG) for Private Endpoint Access

Network security groups (NSGs) let you define a set of security rules that apply to a group of VNICs (or resources) of your choice.

When you provision the resource, such as Oracle Autonomous Data Warehouse, you can assign the network security group. Not all services support NSGs.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click Network Security Groups.
  4. Click Create Network Security Group.
  5. Enter the following:
    • Name: A descriptive name for the network security group. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Create in Compartment: The compartment where you want to create the network security group, if different from the compartment you're currently working in.
  6. Click Next.
  7. For the first security rule, enter the following items:
    • Stateless: Leave unselected. Connection tracking is used for traffic matching the rule.
    • Direction: Select Ingress (inbound traffic to the VNIC).
    • Source Type: Select CIDR.
    • Source CIDR: Specify the CIDR block for the private subnet that contains the service, such as Oracle Autonomous Data Warehouse.
    • IP Protocol: Select TCP.
    • Source port range: Specify 1522.
    • Destination port range: Leave blank (denotes all ports).
  8. When you're done, click Create.
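As an added example (not Oracle's code and not part of the original page), the three security-list ingress rules for the remote data gateway and Oracle GoldenGate, and the NSG rule from step 7 above, expressed as OCI REST API request bodies (the IngressSecurityRule and SecurityRule shapes), together with a small audit check that lists the ports a rule set leaves reachable from any IPv4 address. The VCN and subnet CIDRs are constructed sample values.

```python
TCP = "6"  # OCI security rules name IP protocols by IANA number; TCP is "6"

def tcp_ingress(source: str, dst_port: int, description: str) -> dict:
    """Stateful TCP ingress rule in the security-list IngressSecurityRule shape."""
    return {
        "description": description,
        "protocol": TCP,
        "source": source,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,  # stateful: return traffic is tracked automatically
        "tcpOptions": {"destinationPortRange": {"min": dst_port, "max": dst_port}},
    }

def rdg_and_goldengate_rules(vcn_cidr: str, ssh_source: str = "0.0.0.0/0") -> list:
    """The three ingress rules from this page in API body form. ssh_source
    defaults to the page's 0.0.0.0/0; pass an admin CIDR to narrow SSH exposure."""
    return [
        tcp_ingress(ssh_source, 22, "RDG: SSH"),
        tcp_ingress(vcn_cidr, 8080, "RDG: HTTP"),
        tcp_ingress(vcn_cidr, 443, "GoldenGate: TCP 443"),
    ]

def adw_nsg_rule(subnet_cidr: str) -> dict:
    """NSG SecurityRule exactly as step 7 above specifies it: source port 1522,
    destination port range left blank (all ports)."""
    return {
        "direction": "INGRESS",
        "protocol": TCP,
        "source": subnet_cidr,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "tcpOptions": {"sourcePortRange": {"min": 1522, "max": 1522}},
    }

def world_open_ports(rules: list) -> list:
    """Audit check: (port, description) for each rule reachable from any IPv4
    source. A rule without destinationPortRange covers all ports ('all')."""
    found = []
    for rule in rules:
        if rule.get("source") != "0.0.0.0/0":
            continue
        rng = rule.get("tcpOptions", {}).get("destinationPortRange")
        found.append((rng["min"] if rng else "all", rule.get("description", "")))
    return found

if __name__ == "__main__":
    rules = rdg_and_goldengate_rules("10.0.0.0/16")  # constructed sample VCN CIDR
    print("open to the world:", world_open_ports(rules))
```

Run against the page's rules, the audit reports only the SSH rule as world-reachable; passing an administrator CIDR as ssh_source empties that list.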