Configure Network Access with Private Endpoints

You can specify that Autonomous Database uses a private endpoint inside your Virtual Cloud Network (VCN) in your tenancy. You can configure a private endpoint during provisioning or cloning your Autonomous Database, or you can switch to using a private endpoint in an existing database that uses a public endpoint. This allows you to keep all traffic to and from your database off of the public internet.

Specifying the virtual cloud network configuration allows traffic only from the virtual cloud network you specify and blocks access to the database from all public IPs or VCNs. This allows you to define security rules with Security Lists or at the Network Security Group (NSG) level to specify ingress/egress for your Autonomous Database instance. Using a private endpoint and defining Security Lists or NSGs allows you to control traffic to and from your Autonomous Database instance.

Note:

If you configure your Autonomous Database instance to use a private endpoint and you also want to allow connections from specific public IP addresses or from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway, select the Allow public access option. This adds a public endpoint for a database that is configured with a private endpoint. See Use a Private Endpoint with Public Access Allowed for more information.

The Allow public access option is available only when the database uses the ECPU compute model.

Topics

Configure Private Endpoints

You can specify that Autonomous Database uses a private endpoint and configure a Virtual Cloud Network (VCN) in your tenancy to use with the private endpoint.

Prerequisite Steps to Configure Private Endpoints

Describes the prerequisite steps you need to perform before you configure a private endpoint for an Autonomous Database instance.

Perform the following prerequisite steps before configuring a private endpoint:

  • Set required policies for the resources you are working with. See IAM Policies Required to Manage Private Endpoints for more information.

  • Create a VCN within the region that will contain your Autonomous Database. See VCNs and Subnets for more information.

  • Configure a subnet within your VCN configured with default DHCP options. See DNS in Your Virtual Cloud Network for more information.

  • (Optional) Perform the following optional step before configuring a private endpoint:

    Specify a Network Security Group (NSG) within your VCN. The NSG specifies rules for connections to your Autonomous Database. See Network Security Groups for more information.

IAM Policies Required to Manage Private Endpoints

In addition to the policies required to provision and manage an Autonomous Database, some network policies are needed to use private endpoints.

The following table lists the IAM policies required for a cloud user to add a private endpoint. The listed policies are the minimum requirements to add a private endpoint. You can also use a policy rule that is broader. For example, if you set the policy rule:

Allow group MyGroupName to manage virtual-network-family in tenancy

This rule also works because it is a superset that contains all the required policies.

Operation Required IAM Policies

Configure a private endpoint

use vcns for the compartment which the VCN is in

use subnets for the compartment which the VCN is in

use network-security-groups for the compartment which the network security group is in

manage private-ips for the compartment which the VCN is in

manage vnics for the compartment which the VCN is in

manage vnics for the compartment which the database is provisioned or is to be provisioned in

Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the Console, REST API, CLI, SDK, or others).

The IAM service uses groups, compartments and policies to control which cloud users can access which resources. In particular, a policy defines what kind of access a group of users has to a particular kind of resource in a particular compartment. For more information, see Getting Started with Policies.

Configure Private Endpoints When You Provision or Clone an Instance

You can configure a private endpoint when you provision or clone an Autonomous Database instance.

These steps assume you are provisioning or cloning an instance and you have completed the prerequisite steps, and you are at the Choose network access step of the provisioning or cloning steps:

  1. Select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.



    If you select Private endpoint access only, this only allows connections from the specified private network (VCN), from peered VCNs, and from on-prem networks connected to your VCN. You can configure an Autonomous Database instance on a private endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.

    If you want to allow connections from public IP addresses or from allowed IPs and VCNs, you have the following options:

    • Select Secure access from everywhere.

    • Select Secure access from allowed IPs and VCNs only.

    • If you select Private endpoint access only, expand Show advanced options and select Allow public access. See Configure Private Endpoint Advanced Options for more information.

  2. Select a Virtual cloud network in your compartment or if the VCN is in a different compartment click Change Compartment and select the compartment that contains the VCN and then select a virtual cloud network.

    See VCNs and Subnets for more information.

  3. Select the Subnet in your compartment to attach the Autonomous Database to or if the Subnet is in a different compartment click Change Compartment and select the compartment that contains the Subnet and then select a subnet.

    See VCNs and Subnets for more information.

  4. (Optional) Click Show advanced options to show additional private endpoint options.

    See Configure Private Endpoint Advanced Options for details on the advanced options.

  5. Require mutual TLS (mTLS) authentication.

    The Require mutual TLS (mTLS) authentication options are:

    • When Require mutual TLS (mTLS) authentication is deselected, TLS and mTLS connections are allowed. This is the default configuration.

    • When Require mutual TLS (mTLS) authentication is selected, only mTLS connections are allowed (TLS authentication is not allowed).

    See Update Network Options to Allow TLS or Require Only Mutual TLS (mTLS) Authentication on Autonomous Database for more information.

  6. Complete the remaining provisioning or cloning steps, as specified in Provision an Autonomous Database Instance, Clone an Autonomous Database Instance, or Clone an Autonomous Database from a Backup.

See Private Endpoints Notes for more information.

Change from Public to Private Endpoints with Autonomous Database

If your Autonomous Database instance is configured to use a public endpoint you can change the configuration to a private endpoint.

  1. On the Details page, from the More actions drop-down list, select Update network access.

    To change an instance from a public to a private endpoint, the Autonomous Database instance must be in the Available state (Lifecycle State: Available).

  2. In the Update network access dialog, select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.

    Description of adb_network_private_update.png follows
    Description of the illustration adb_network_private_update.png

    If you select Private endpoint access only, this only allows connections from the specified private network (VCN), from peered VCNs, and from on-prem networks connected to your VCN. You can configure an Autonomous Database instance on a private endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.

    If you want to allow connections from public IP addresses or from allowed IPs and VCNs, you have the following options:

    • Select Secure access from everywhere.

    • Select Secure access from allowed IPs and VCNs only.

    • If you select Private endpoint access only, expand Show advanced options and select Allow public access. See Configure Private Endpoint Advanced Options for more information.

  3. Select a Virtual cloud network in your compartment or if the VCN is in a different compartment click Change Compartment and select the compartment that contains the VCN and then select a virtual cloud network.

    See VCNs and Subnets for more information.

  4. Select the Subnet in your compartment to attach the Autonomous Database to or if the Subnet is in a different compartment click Change Compartment and select the compartment that contains the Subnet and then select a subnet.

    See VCNs and Subnets for more information.

  5. (Optional) Click Show advanced options to see additional options.

    See Configure Private Endpoint Advanced Options for details on the advanced options.

  6. Click Update.
  7. In the Confirm dialog, type the Autonomous Database name to confirm the change.
  8. In the Confirm dialog, click Update.

The Lifecycle State changes to Updating until the operation completes.

Notes for changing from public to private network access:

  • After updating the network access type all database users must obtain a new wallet and use the new wallet to access the database. See Download Client Credentials (Wallets) for more information.

  • If you had ACLs defined for the public endpoint, the ACLs do not apply for the private endpoint.

  • After you update the network access to use a private endpoint, the URL for the Database Tools is different compared to using a public endpoint. You can find the updated URLs on the console, after changing from a public endpoint to a private endpoint.

Update the Configuration for a Private Endpoint

You can change some options in the configuration of a private endpoint on an existing Autonomous Database instance.

  1. On the Details page, from the More actions drop-down list, select Update network access.
  2. Select Private endpoint access only.

    If you want to allow connections from public IP addresses or from allowed IPs and VCNs, you have the following options:

    • Select Secure access from everywhere.

    • Select Secure access from allowed IPs and VCNs only.

    • When you select Private endpoint access only and Allow public access, the private endpoint database has both a private endpoint and a public endpoint.

    1. Optionally add Network security groups (NSGs).

      Optionally, to allow connections to the Autonomous Database instance define security rules in an NSG; this creates a virtual firewall for your Autonomous Database.

      • Select a Network Security Group in your compartment to attach the Autonomous Database to, or if the Network Security Group is in a different compartment, click Change Compartment and select a different compartment and then select a Network Security Group in that compartment.
      • Click + Another Network Security Group to add another Network Security Group.
      • Click x to remove a Network Security Group entry.

      For the NSG you select for the private endpoint define a security rule as follows:

      • For mutual TLS (mTLS) authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522. See About Mutual TLS (mTLS) Authentication for more information.

      • For TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.

      • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

      Note:

      Incoming and outgoing connections are limited by the combination of ingress and egress rules defined in NSGs and the Security Lists defined with the VCN. When there are no NSGs, ingress and egress rules defined in the Security Lists for the VCN still apply. See Security Lists for more information on working with Security Lists.

      See Private Endpoints Configuration Examples on Autonomous Database for examples.

      See Network Security Groups for more information.

    2. Optionally, select Allow public access or if this is already selected, you can configure access control rules to the public endpoint that is configured with the private endpoint database.

      The Allow public access option is available only when the database uses the ECPU compute model.

      When you select Allow public access, this shows the Configure access control options to enter the allowed IP addresses, CIDR blocks, or Virtual cloud networks that can connect to the database.

      Select one of:

      • IP address:

        In Values field enter values for the IP address. An IP address specified in a network ACL entry is the public IP address of the client that is visible on the public internet that you want to grant access. For example, for an Oracle Cloud Infrastructure VM, this is the IP address shown in the Public IP field on the Oracle Cloud Infrastructure console for that VM.

        Optionally click Add my IP address to add your current IP address to the ACL entry.

      • CIDR block:

        In Values field enter values for the CIDR block. The CIDR block specified is the public CIDR block of the clients that are visible on the public internet that you want to grant access.

      • Virtual cloud network:

        Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

        Use this option to specify the VCN for use with an Oracle Cloud Infrastructure Service Gateway:

        • In Virtual cloud network field select the VCN that you want to grant access from. If you do not have the privileges to see the VCNs in your tenancy this list is empty. In this case use the selection Virtual cloud network (OCID) to specify the OCID of the VCN.
        • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.
      • Virtual cloud network (OCID):

        Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

        • In the Values field enter the OCID of the VCN you want to grant access from.
        • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.

      If you want to specify multiple IP addresses or CIDR ranges within the same VCN, do not create multiple ACL entries. Use one ACL entry with the values for the multiple IP addresses or CIDR ranges separated by commas.

  3. Click Update.

If the Lifecycle State is Available when you click Update, the Lifecycle State changes to Updating until the changes are applied. The database is still up and accessible, there is no downtime. When the update is complete the Lifecycle State returns to Available.

See Private Endpoints Notes for more information.

Configure Private Endpoint Advanced Options

The private endpoint access advanced options allow you to enter a user specified private IP address and host name, select one or more network security groups, or specify details to allow public access to a private endpoint database.

These steps assume you are provisioning or cloning an Autonomous Database instance or changing from public access to private access for an existing Autonomous Database instance and you are at the Choose network access step.

  1. Select Private endpoint access only.

    This shows the Virtual cloud network private access configuration area.

  2. (Optional) Click Show advanced options to show additional private endpoint options.
    1. Optionally enter a Private IP address.

      Use this field to enter a custom private IP address. The private IP address you enter must be within the selected subnet's CIDR range.

      If you do not provide a custom private IP address the IP address is automatically assigned.

    2. Optionally enter a Hostname prefix.

      This specifies a hostname prefix for the Autonomous Database and associates a DNS name with the database instance, in the following form:

      hostname_prefix.adb.region.oraclecloud.com

      If you do not specify a hostname prefix, a system generated hostname prefix is supplied.

    3. Optionally add Network security groups (NSGs).

      Optionally, to allow connections to the Autonomous Database instance define security rules in an NSG; this creates a virtual firewall for your Autonomous Database.

      • Select a Network Security Group in your compartment to attach the Autonomous Database to, or if the Network Security Group is in a different compartment, click Change Compartment and select a different compartment and then select a Network Security Group in that compartment.
      • Click + Another Network Security Group to add another Network Security Group.
      • Click x to remove a Network Security Group entry.

      For the NSG you select for the private endpoint define a security rule as follows:

      • For mutual TLS (mTLS) authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522. See About Mutual TLS (mTLS) Authentication for more information.

      • For TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.

      • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

      Note:

      Incoming and outgoing connections are limited by the combination of ingress and egress rules defined in NSGs and the Security Lists defined with the VCN. When there are no NSGs, ingress and egress rules defined in the Security Lists for the VCN still apply. See Security Lists for more information on working with Security Lists.

      See Private Endpoints Configuration Examples on Autonomous Database for examples.

      See Network Security Groups for more information.

    4. Optionally, select Allow public access and configure access control rules to add a public endpoint for the private endpoint database.

      The Allow public access option is available only when the database uses the ECPU compute model.

      When you select Allow public access, this shows the Configure access control options to enter the allowed IP addresses, CIDR blocks, or Virtual cloud networks that can connect to the database.

      Select one of:

      • IP address:

        In Values field enter values for the IP address. An IP address specified in a network ACL entry is the public IP address of the client that is visible on the public internet that you want to grant access. For example, for an Oracle Cloud Infrastructure VM, this is the IP address shown in the Public IP field on the Oracle Cloud Infrastructure console for that VM.

        Optionally click Add my IP address to add your current IP address to the ACL entry.

      • CIDR block:

        In Values field enter values for the CIDR block. The CIDR block specified is the public CIDR block of the clients that are visible on the public internet that you want to grant access.

      • Virtual cloud network:

        Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

        Use this option to specify the VCN for use with an Oracle Cloud Infrastructure Service Gateway:

        • In Virtual cloud network field select the VCN that you want to grant access from. If you do not have the privileges to see the VCNs in your tenancy this list is empty. In this case use the selection Virtual cloud network (OCID) to specify the OCID of the VCN.
        • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.
      • Virtual cloud network (OCID):

        Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

        • In the Values field enter the OCID of the VCN you want to grant access from.
        • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.

      If you want to specify multiple IP addresses or CIDR ranges within the same VCN, do not create multiple ACL entries. Use one ACL entry with the values for the multiple IP addresses or CIDR ranges separated by commas.

  3. Complete the remaining private endpoint configuration steps.

Use a Private Endpoint with Public Access Allowed

Select the Allow public access option when you want to configure an Autonomous Database to use a private endpoint and you also want to allow connections from specific public IP addresses or from specific VCNs (if the VCNs are configured to privately connect to Autonomous Database using a Service Gateway).

This option adds a public endpoint for a database that is configured on a private endpoint. You configure a private endpoint for your Autonomous Database instance when you provision or clone the instance, or when you update the network configuration for an existing Autonomous Database. See the following for details on the steps to configure an Autonomous Database instance with a private endpoint:

When public access is enabled with Allow public access on a private endpoint database, the instance has both a private endpoint and a public endpoint:

  • The private hostname, endpoint URL, and private IP address allow you to connect to the database from the VCN where the database resides.

  • The public hostname allows you to connect to the database from specific public IP addresses or from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway.

Autonomous Database Connection String Additions for a Private Endpoint Database with Allow Public Access Enabled

When Allow public access is enabled for a private endpoint database, there are additional connection strings that allow you to connect to the database from the public endpoint:

  • The connection strings in tnsnames.ora in the Autonomous Database wallet zip include the public connection strings to use with connections coming from the public internet. The connection strings for the public endpoint use the following naming convention:

    dbname_public_consumerGroup

    For example:

    adbfinance_public_low

    See Download Client Credentials (Wallets) for more information.

  • You can view the connection strings for both the public endpoint and the private endpoint from the Oracle Cloud Infrastructure Console (or using the API).

    See View TNS Names and Connection Strings for an Autonomous Database Instance for more information.

Autonomous Database Tools Additions for a Private Endpoint Database with Allow Public Access Enabled

When Allow public access is enabled for a private endpoint database, the database tools allow you to connect from specific public IP addresses or from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway:

Enhanced Security for Outbound Connections with Private Endpoints

When you use a private endpoint with your Autonomous Database instance you can provide enhanced security by setting the ROUTE_OUTBOUND_CONNECTIONS database property to the value PRIVATE_ENDPOINT.

Setting the ROUTE_OUTBOUND_CONNECTIONS database property to the value PRIVATE_ENDPOINT enforces that all outgoing connections to a target host are subject to and limited by the private endpoint's egress rules. You define egress rules in the Virtual Cloud Network (VCN) security list or in the Network Security Group (NSG) associated with the Autonomous Database instance private endpoint.

Before you set the ROUTE_OUTBOUND_CONNECTIONS database property, configure your Autonomous Database instance to use a private endpoint. See Configure Private Endpoints for more information.

Set the ROUTE_OUTBOUND_CONNECTIONS database property to PRIVATE_ENDPOINT to specify that all outgoing connections are subject to the Autonomous Database instance private endpoint VCN's egress rules. With the value PRIVATE_ENDPOINT the database restricts outgoing connections to locations specified by the private endpoint's egress rules and also changes DNS resolution such that hostnames are resolved using your VCN's DNS resolver (not using a public DNS resolver).

Note:

With ROUTE_OUTBOUND_CONNECTIONS not set to PRIVATE_ENDPOINT, all outgoing connections to the public internet pass through the Network Address Translation (NAT) Gateway of the service VCN. In this case, if the target host is on a public endpoint the outgoing connections are not subject to the Autonomous Database instance private endpoint VCN or NSG egress rules.

When you configure a private endpoint for your Autonomous Database instance and set ROUTE_OUTBOUND_CONNECTIONS to PRIVATE_ENDPOINT, this setting changes the handling of outbound connections and DNS resolution for the following:

To set ROUTE_OUTBOUND_CONNECTIONS:

  1. Connect to your database.
  2. Set the database property ROUTE_OUTBOUND_CONNECTIONS.

    For example:

    ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = 'PRIVATE_ENDPOINT';

Notes for setting ROUTE_OUTBOUND_CONNECTIONS:

  • Use the following command to restore the default parameter value:

    ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = '';
  • Use the following command to query the current parameter value:

    SELECT * FROM DATABASE_PROPERTIES
            WHERE PROPERTY_NAME = 'ROUTE_OUTBOUND_CONNECTIONS';

    If the property is not set the query does not return results.

  • This property only applies for database links that you create after you set the property to the value PRIVATE_ENDPOINT. Thus, database links that you created prior to setting the property continue to use the NAT Gateway of the service VCN and are not subject to the Autonomous Database instance private endpoint's egress rules.

  • Only set ROUTE_OUTBOUND_CONNECTIONS to the value PRIVATE_ENDPOINT when you are using Autonomous Database with a private endpoint.

  • When your database is on a private endpoint and you want your outbound connections to be resolved by your VCN, you need to set the ROUTE_OUTBOUND_CONNECTIONS parameter to PRIVATE_ENDPOINT.

See NAT Gateway for more information on Network Address Translation (NAT) gateway.

Private Endpoints Notes

Describes restrictions and notes for private endpoints on Autonomous Database.

  • After you update the network access to use a private endpoint, or after the provisioning or cloning completes where you configure a private endpoint, you can view the network configuration on the Autonomous Database Details page under the Network section.

    The Network section shows the following information for a private endpoint:

    • Access type: Specifies the access type for the Autonomous Database configuration. Private endpoint configurations show the access type: Virtual cloud network.
    • Availability domain: Specifies the availability domain of your Autonomous Database instance.
    • Virtual cloud network: This includes a link for the VCN associated with the private endpoint.
    • Subnet: This includes a link for the subnet associated with the private endpoint.
    • Private endpoint IP: Shows the private endpoint IP for the private endpoint configuration.
    • Private endpoint URL: Shows the private endpoint URL for the private endpoint configuration.
    • Network security groups: This field includes links to the NSG(s) configured with the private endpoint.
    • Public access: This field indicates whether public access is enabled for the private endpoint. Click the Edit link to view or change the allowed ACLs or VCNs.
    • Public endpoint URL: This shows when Allow public access is enabled on the private endpoint. This is the public endpoint URL that you can use to connect from allowed IPs or VCNs on the public internet.

    For more details on the network information on the Oracle Cloud Infrastructure Console, see View Network Information on the OCI Console.

  • After provisioning or cloning completes, you can change the Autonomous Database configuration to use a public endpoint.

    See Change from Private to Public Endpoints with Autonomous Database for information on changing to a public endpoint.

  • You can specify up to five NSGs to control access to your Autonomous Database.

  • You can change the private endpoint Network Security Group (NSG) for the Autonomous Database.

    To change the NSG for a private endpoint, do the following:

    1. On the Autonomous Databases page select an Autonomous Database from the links under the Display name column.

    2. On the Autonomous Database Details page, under Network in the Network Security Groups field, click Edit.

  • You can connect your Oracle Analytics Cloud instance to your Autonomous Database that has a private endpoint using the Data Gateway like you do for an on-premises database. See Configure and Register Data Gateway for Data Visualization for more information.

  • The following Autonomous Database tools are supported in databases configured with a private endpoint:

    • Database Actions
    • Oracle APEX
    • Oracle Graph Studio
    • Oracle Machine Learning Notebooks
    • Oracle REST Data Services
    • Oracle Database API for MongoDB

    Additional configuration is required to access these Autonomous Database tools from on-premises environments. See Example: Connecting from Your Data Center to Autonomous Database to learn more.

    Accessing Oracle APEX, Database Actions, Oracle Graph Studio, or Oracle REST Data Services using a private endpoint from on-premises environments without completing the additional private endpoint configuration shows the error:

    404 Not Found
  • After you update the network access to use a private endpoint, the URL for the Database Tools is different compared to using a public endpoint. You can find the updated URLs on the console, after changing from a public endpoint to a private endpoint.

  • In addition to the default Oracle REST Data Services (ORDS) preconfigured with Autonomous Database, you can configure an alternative ORDS deployment that provides more configuration options and that can be used with private endpoints. See About Customer Managed Oracle REST Data Services on Autonomous Database to learn about an alternative ORDS deployment that can be used with private endpoints.

  • Modifying a private IP address is not allowed after you provision or clone an instance, whether the IP address is automatically assigned when you enter a value in the Private IP address field.

Private Endpoints Configuration Examples on Autonomous Database

Shows several Private Endpoint (VCN) configuration samples for Autonomous Database.

Example: Connecting from Inside Oracle Cloud Infrastructure VCN

Demonstrates an application running inside Oracle Cloud Infrastructure on a virtual machine (VM) in the same VCN which is configured with your Autonomous Database.

Description of adb_private_endpoint1.png follows
Description of the illustration adb_private_endpoint1.png

There is an Autonomous Database instance which has a private endpoint in the VCN named "Your VCN". The VCN includes two subnets: "SUBNET B" (CIDR 10.0.1.0/24) and "SUBNET A" (CIDR 10.0.2.0/24).

The Network Security Group (NSG) associated with the Autonomous Database instance is shown as "NSG 1 - Security Rules". This Network Security Group defines security rules that allow incoming and outgoing traffic to and from the Autonomous Database instance. Define a rule for the Autonomous Database instance as follows:

  • For Mutual TLS authentication, add a stateful ingress rule to allow connections from the source to the Autonomous Database instance; the source is set to the address range you want to allow to connect to your database, IP Protocol is set to TCP, and the Destination Port Range is set to 1522.

  • For TLS authentication, add a stateful ingress rule to allow connections from the source to the Autonomous Database instance; the source is set to the address range you want to allow to connect to your database, IP Protocol is set to TCP, and the Destination Port Range is set to 1521.

  • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

The following figure shows a sample stateful security rule to control traffic for the Autonomous Database instance:

Description of adb_private_vcn_nsg_stateful1.png follows
Description of the illustration adb_private_vcn_nsg_stateful1.png

The application connecting to the Autonomous Database is running on a VM in SUBNET B. You also add a security rule to allow traffic to and from the VM (as shown, with label "NSG 2 Security Rules"). You can use a stateful security rule for the VM, so simply add a rule for egress to NSG 2 Security Rules (this allows access to the destination subnet A).

The following figure shows sample security rules that control traffic for the VM:

Description of adb_private_vcn_rules2.png follows
Description of the illustration adb_private_vcn_rules2.png

After you configure the security rules, your application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.

See Network Security Groups for information on configuring Network Security Groups.

Example: Connecting from Your Data Center to Autonomous Database

Demonstrates how to connect privately to an Autonomous Database from your on-premise data center. In this scenario, traffic never goes over the public internet.

Description of adb_private_endpoint2.png follows
Description of the illustration adb_private_endpoint2.png

To connect from your data center, you connect the on-premise network to the VCN with FastConnect and then set up a Dynamic Routing Gateway (DRG). To resolve the Autonomous Database private endpoint, a Fully Qualified Domain Name (FQDN), requires that you add an entry in your on-premise client's hosts file. For example, /etc/hosts file for Linux machines. For example:

/etc/hosts entry -> 10.0.2.7 example.adb.ca-toronto-1.oraclecloud.com

To use Oracle APEX, Database Actions, and Oracle REST Data Services, add another entry with the same IP. For example:

/etc/hosts entry -> 10.0.2.7 example.adb.ca-toronto-1.oraclecloudapps.com

You find the private endpoint IP and the FQDN as follows:

  • The Private IP is shown on the Oracle Cloud Infrastructure console Autonomous Database details page for the instance.

  • The FQDN is shown in the tnsnames.ora file in the Autonomous Database client credential wallet.

Alternatively you can use Oracle Cloud Infrastructure private DNS to provide DNS name resolution. See Private DNS for more information.

In this example there is a Dynamic Routing Gateway (DRG) between the on-premise data center and "Your VCN". The VCN contains the Autonomous Database. This also shows a route table for the VCN associated with the Autonomous Database, for outgoing traffic to CIDR 172.16.0.0/16 through the DRG.

In addition to setting up the DRG, define a Network Security Group (NSG) rule to allow traffic to and from the Autonomous Database, by adding a rule for the data center CIDR range (172.16.0.0/16). In this example, define a security rule in "NSG 1" as follows:

  • For Mutual TLS authentication, create a stateful rule to allow ingress traffic from the data center. This is a stateful ingress rule with the source set to the address range you want to allow to connect to your database, protocol set to TCP, source port range set to CIDR range (172.16.0.0/16), and destination port set to 1522.

  • For TLS authentication, create a stateful rule to allow ingress traffic from the data center. This is a stateful ingress rule with the source set to the address range you want to allow to connect to your database, protocol set to TCP, source port range set to CIDR range (172.16.0.0/16), and destination port set to 1521.

  • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

The following figure shows the security rule that controls traffic for the Autonomous Database instance:

Description of adb_private_vcn_nsg_stateful2.png follows
Description of the illustration adb_private_vcn_nsg_stateful2.png

After you configure the security rule, your on-premise database application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.