Autonomous Database with Private Endpoint
This topic applies only to Autonomous Databases with shared Exadata infrastructure.
Private endpoint refers to a network setup for your Autonomous Database with shared Exadata infrastructure where all network traffic moves through a private endpoint within a VCN in your tenancy. If your organization has strict security mandates that do not allow you to have a public endpoint for your database, this provides you with the necessary private endpoint. Additionally, this configuration uses no public subnets and allows you to keep all traffic to and from your Autonomous Database off of the public internet.
Overview of Private Endpoint
Enabling a private endpoint for an Autonomous Database ensures that the only access path to the database is via a VCN inside your Oracle Cloud Infrastructure tenancy. This network configuration completely blocks access to the database from public endpoints. A private endpoint offers the following advantages over other methods of private network access:
- Does not require you to set up transit routing in your VCN and use a service gateway to connect.
- Can satisfy security requirements that forbid the use of a public endpoint.
The private endpoint option must be selected and configured during database creation. Once your database is provisioned, you cannot change the network access type on the original database. However, you can clone a database and select a different network access type for the clone. See To create an Autonomous Database on shared Exadata infrastructure for instructions on creating a new Autonomous Database. See To clone an Autonomous Database to shared Exadata infrastructure for instructions on cloning an existing Autonomous Database.
Networking Prerequisites Needed for Private Endpoint
To provision an Autonomous Database with a private endpoint, you must have the following resources already created:
- A VCN within the region that will contain your Autonomous Database with shared Exadata infrastructure. Cannot be changed after provisioning.
- A private subnet within your VCN configured with default DHCP options. Cannot be changed after provisioning.
- At least 1 network security group (NSG) within your VCN for the Autonomous Database. Can be changed or edited after provisioning.
NSGs create a virtual firewall for your Autonomous Database using security rules. You can specify up to five NSGs to control access to your Autonomous Database.
NSG security rule guidelines for private endpoint
Your security rules for the NSG of your Autonomous Database need to be configured as follows:
- The private endpoint feature supports both stateful and stateless security rules within NSGs.
- Your rule covering ingress traffic must specify the IP Protocol "TCP", and your Destination Port Range must be 1522.
To connect another resource located inside Oracle Cloud Infrastructure (for example, a Compute instance) to your Autonomous Database, the second resource needs a security rule that allows all egress traffic to the NSG of the Autonomous Database. This means you specify the NSG of the Autonomous Database as the Destination for this security rule. The second resource's security rule can be part of an NSG or a security list.
See Network Security Groups and To create an NSG for more information on working with NSGs.
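As an added example (not part of Oracle's documentation), the following Python check applies the two guidelines above to a set of rules: the database NSG must admit ingress only on TCP 1522, and the connecting resource must have an egress rule whose destination is the database NSG. The rules are constructed samples in the shape of the OCI SecurityRule JSON, and the NSG OCID is a placeholder.

```python
# Added example: check NSG rules against the private-endpoint guideline above.
# Rules are dicts in the shape of the OCI Networking SecurityRule JSON
# (direction, protocol, sourceType/source, destinationType/destination,
# isStateless, tcpOptions.destinationPortRange). OCIDs are placeholders.
ADB_PORT = 1522
TCP = "6"  # IANA protocol number that OCI security rules use for TCP

# Constructed sample: the NSG attached to the Autonomous Database.
ADB_NSG_ID = "ocid1.networksecuritygroup.oc1..PLACEHOLDER_ADB"
ADB_NSG_RULES = [
    {"direction": "INGRESS", "protocol": TCP, "isStateless": False,
     "sourceType": "CIDR_BLOCK", "source": "10.0.1.0/24",
     "tcpOptions": {"destinationPortRange": {"min": 1522, "max": 1522}}},
]
# Constructed sample: NSG of the Compute instance that connects to the database.
CLIENT_NSG_RULES = [
    {"direction": "EGRESS", "protocol": "all", "isStateless": False,
     "destinationType": "NETWORK_SECURITY_GROUP", "destination": ADB_NSG_ID},
]

def _port_range(rule):
    """Destination port range of a rule; no tcpOptions means all ports."""
    r = (rule.get("tcpOptions") or {}).get("destinationPortRange") or {}
    return r.get("min", 1), r.get("max", 65535)

def check_adb_nsg(rules):
    """Findings for the database NSG: ingress must be exactly TCP/1522."""
    findings = []
    ingress = [r for r in rules if r["direction"] == "INGRESS"]
    if not any(r["protocol"] == TCP and _port_range(r)[0] <= ADB_PORT <= _port_range(r)[1]
               for r in ingress):
        findings.append("no ingress rule allows TCP port 1522")
    for r in ingress:
        lo, hi = _port_range(r)
        if r["protocol"] != TCP or (lo, hi) != (ADB_PORT, ADB_PORT):
            findings.append(f"ingress rule broader than TCP/1522: {r['protocol']} {lo}-{hi}")
    return findings

def check_client_nsg(rules, adb_nsg_id):
    """Findings for the connecting resource: needs egress to the database NSG."""
    ok = any(r["direction"] == "EGRESS"
             and r.get("destinationType") == "NETWORK_SECURITY_GROUP"
             and r.get("destination") == adb_nsg_id for r in rules)
    return [] if ok else ["no egress rule with the database NSG as destination"]

if __name__ == "__main__":
    print(check_adb_nsg(ADB_NSG_RULES), check_client_nsg(CLIENT_NSG_RULES, ADB_NSG_ID))
```

An empty findings list from both checks means the rule set matches the guideline; anything else names the rule that needs attention.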
Connecting to an Autonomous Database with a Private Endpoint
You can connect to an Autonomous Database that uses a private endpoint from within Oracle Cloud Infrastructure resources, or from your data center.
Example 1: Connecting from Within Oracle Cloud Infrastructure
You can connect from a resource (like a Compute instance) within the same VCN as the private endpoint. Note that you can also connect from a resource located in a different VCN from the private endpoint by using local or remote VCN peering.
Example network layout for connecting to an Autonomous Database with a private endpoint from within Oracle Cloud Infrastructure
You set up:
- A VCN and a private subnet
- An NSG for the Autonomous Database that includes either stateful or stateless security rules, as described in Networking Prerequisites Needed for Private Endpoint
  Example stateful security rule for the Autonomous Database NSG. Note that stateless rules are also supported.
- An NSG security rule for the resource that will be allowed access to the Autonomous Database. This stateful egress security rule allows all egress traffic to the NSG of the Autonomous Database.
  Example stateful egress security rule for the NSG of the resource connecting to the Autonomous Database
Example 2: Connecting from an On-Premises Data Center
Example network layout for connecting to an Autonomous Database with a private endpoint from an on-premises network
You set up:
When connecting from an on-premises network, Oracle recommends using a FastConnect connection. If you are using an IPSec VPN connection, see the configuration tips in the Hanging Connection topic in the Networking service documentation to avoid connection problems.
To resolve the Autonomous Database private endpoint in your on-premises host's /etc/hosts file
The private endpoint is a Fully Qualified Domain Name (FQDN). To resolve it from an on-premises host, you must add an entry that maps the FQDN to the private IP in that host's /etc/hosts file. For example:
# example /etc/hosts entry
You find the private endpoint IP and the FQDN as follows:
- The Private IP is shown on the Oracle Cloud Infrastructure Console Autonomous Database details page for the instance.
- The FQDN is shown in the tnsnames.ora file in the Autonomous Database client credential wallet.
Alternatively you can set up a hybrid DNS in Oracle Cloud Infrastructure for DNS name resolution.
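As an added example (not from Oracle's documentation), the following Python code builds the /etc/hosts line described above: it reads the FQDN and port out of a wallet-style tnsnames.ora entry and pairs the FQDN with the Private IP from the details page. The alias, FQDN, service name and IP are constructed placeholders, and the port check against 1522 is an assumption tied to the NSG ingress rule in this topic.

```python
# Added example: build the /etc/hosts line for the private endpoint from the
# wallet's tnsnames.ora (FQDN) and the Private IP shown in the Console.
# The alias, FQDN and IP below are constructed placeholders.
import re

# Constructed sample in the shape of a wallet tnsnames.ora entry.
TNSNAMES_SAMPLE = """
mydb_high = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=adb.example-region.oraclecloud.com))
  (connect_data=(service_name=PLACEHOLDER_SERVICE_high.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
"""
PRIVATE_IP = "10.0.1.25"  # placeholder for the Private IP on the details page

def endpoints_from_tnsnames(text):
    """Return {alias: (host, port)} for every entry in a tnsnames.ora text."""
    result = {}
    # Each entry starts at column 0 as 'alias = (description=...'.
    for m in re.finditer(r"(?ms)^(\w+)\s*=\s*\((.*?)(?=^\w+\s*=|\Z)", text):
        alias, body = m.group(1), m.group(2)
        host = re.search(r"\(host\s*=\s*([^)\s]+)\)", body, re.I)
        port = re.search(r"\(port\s*=\s*(\d+)\)", body, re.I)
        if host and port:
            result[alias] = (host.group(1), int(port.group(1)))
    return result

def hosts_entry(private_ip, endpoints, expected_port=1522):
    """Return the '<ip> <fqdn>' line for /etc/hosts.
    Fails if the wallet names more than one host or a port other than the
    one the NSG ingress rule allows (1522 for a private endpoint)."""
    hosts = {h for h, _ in endpoints.values()}
    ports = {p for _, p in endpoints.values()}
    if len(hosts) != 1:
        raise ValueError(f"expected one FQDN, found {sorted(hosts)}")
    if ports != {expected_port}:
        raise ValueError(f"unexpected port(s) {sorted(ports)}; NSG allows {expected_port}")
    return f"{private_ip} {hosts.pop()}"

if __name__ == "__main__":
    print(hosts_entry(PRIVATE_IP, endpoints_from_tnsnames(TNSNAMES_SAMPLE)))
```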
See To create an Autonomous Database on shared Exadata infrastructure for instructions on provisioning an Autonomous Database that uses a private endpoint.
See To update the network configuration of an Autonomous Database that uses a private endpoint for information on editing networking settings related to a private endpoint.
See Private Access in the Networking service documentation for an overview of the options for enabling private access to services within Oracle Cloud Infrastructure.
See Hanging Connection in the Networking service documentation for troubleshooting IPSec VPN connection issues that can occur when connecting from your on-premises network.