Learn About Options for Private Access to Oracle Services
Oracle services include customer favorites such as Object Storage and Autonomous Database, along with many other foundation services provided with Oracle Cloud Infrastructure. You can privately access services hosted in the Oracle Services Network from your on-premises network by using Oracle Cloud Infrastructure private access technologies, such as FastConnect private peering and VPN Connect. Access can be from hosts within your VCN or from your on-premises network.
About Service Private Endpoint
A service private endpoint is a private IP address within your VCN that you can use to access a given service within Oracle Cloud Infrastructure.
Each service has a private IP address (also known as an endpoint) in the consumer's VCN. Consumers need to create a service private endpoint for each Oracle service (or service instance) they want to use. Instances in the consumer's private network access the service by initiating a connection to that private IP address. Services can also initiate connections to other private IPs on the consumer's private network through the service private IP.
The service private endpoint gives hosts within your VCN and your on-premises network access to a single resource within the Oracle service of interest, for example, one Autonomous Database with shared Exadata infrastructure. If you created five Autonomous Databases for a given VCN, there would be five separate service private endpoints: one for each Autonomous Database, each with its own private IP address.
About Service Gateway
A service gateway lets resources in your VCN privately and securely access Oracle services such as Autonomous Data Warehouse in the Oracle Services Network, without exposing your data on the internet.
Each service in the Oracle Services Network is identified by its public IP addresses. The service gateway therefore offers a private connectivity model based on a virtual link between the consumer's private network and the service's public endpoint, which resides outside the consumer's private network. You add a service gateway as a resource in your VCN to access the service, and you select which services are reachable through it by label: either Object Storage alone or all services in the Oracle Services Network.
To use a service gateway from a particular subnet within your VCN, you set up a route rule in the subnet's route table, and specify the service gateway as the target of the rule. You also set up security rules to control access between hosts in the VCN and the services available through the service gateway. If you have more than one VCN in your tenancy, you can configure each with its own service gateway.
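As an added example (not from the Oracle page), the steps above expressed as Terraform for the OCI provider: a gateway limited to the Object Storage label, the subnet route rule targeting it, and an egress rule that allows only TCP/443 to that service CIDR. The variable names var.compartment_id and var.vcn_id, the display names and the service-name regex are assumptions; the provider is assumed to be configured already.

```hcl
# Regional "OCI <region> Object Storage" service label (assumed filter regex).
data "oci_core_services" "object_storage" {
  filter {
    name   = "name"
    values = ["OCI .* Object Storage"]
    regex  = true
  }
}

# Gateway scoped to the Object Storage label only. Attaching the
# "All ... Services in Oracle Services Network" label instead would make
# every service behind the gateway reachable from the subnet.
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "sgw-object-storage"
  services {
    service_id = data.oci_core_services.object_storage.services[0].id
  }
}

# Subnet route table: send the service CIDR label to the gateway.
resource "oci_core_route_table" "private_rt" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "rt-private-sgw"
  route_rules {
    destination       = data.oci_core_services.object_storage.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}

# Subnet security list: egress only to the service CIDR on TCP/443.
# Connections are consumer-initiated, so no ingress rule from the service is needed.
resource "oci_core_security_list" "private_sl" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "sl-private-sgw"
  egress_security_rules {
    destination      = data.oci_core_services.object_storage.services[0].cidr_block
    destination_type = "SERVICE_CIDR_BLOCK"
    protocol         = "6" # TCP
    tcp_options {
      min = 443
      max = 443
    }
  }
}
```

Attach private_rt and private_sl to the subnet that needs Object Storage access; a subnet with no route rule to the gateway cannot reach the service even though the gateway exists in the VCN.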
Service Private Endpoint vs. Service Gateway
Though both service gateway and service private endpoint enable private connectivity between private customer networks and Oracle Services, there are subtle differences in how they satisfy private access requirements.
Functionality | Service Private Endpoint | Service Gateway |
---|---|---|
Service endpoint representation | Represented using the private IP address inside the consumer network. | Represented as a gateway to enable private access. Service is represented using the public IP address outside the consumer network. |
Private connectivity direction | A service private endpoint supports connections in both directions. | The consumer can initiate a connection to the service, but the service cannot initiate a connection to the consumer's private network. |
Selective access | Single endpoint can give access to single service. | Single gateway can give access to multiple services. |
Supported services | Autonomous Database, Oracle Analytics Cloud, Oracle Data Safe, Streaming, and Data Catalog are the only services that can be accessed through a service private endpoint. | All services available in the Oracle Services Network can be accessed through a service gateway. |
Ease of access | Consumers cannot open access to multiple services with one service private endpoint. They need to create a service private endpoint for each service (or service instance) they need access to. | Consumers can choose to open access to individual services or to a category of services using a single service gateway. |
Limiting services | Traffic can be further limited using the security list or network security groups (NSGs) of the service VNIC. | Not possible to limit traffic at the service level. |
Specific address | Consumers need to know the specific private IP addresses of the service's private endpoints, which are inside the VCN's CIDR. | No need to know the specific CIDR blocks of the service's public endpoints. |