Autonomous Database with Private Endpoint

Note

This topic applies only to Autonomous Databases with shared Exadata infrastructure.

Private endpoint refers to a network setup for your Autonomous Database with shared Exadata infrastructure where all network traffic moves through a private endpoint within a VCN in your tenancy. If your organization has strict security mandates that do not allow you to have a public endpoint for your database, this provides you with the necessary private endpoint. Additionally, this configuration uses no public subnets and allows you to keep all traffic to and from your Autonomous Database off of the public internet.

Overview of Private Endpoint

Enabling a private endpoint for an Autonomous Database ensures that the only access path to the database is via a VCN inside your Oracle Cloud Infrastructure tenancy. This network configuration completely blocks access to the database from public endpoints. A private endpoint offers the following advantages over other methods of private network access:

  • Does not require you to set up transit routing in your VCN and use a service gateway to connect.
  • Can satisfy security requirements that forbid the use of a public endpoint.

The private endpoint option must be selected and configured during database creation. Once your database is provisioned, you cannot change the network access type on the original database. However, you can clone a database and select a different network access type for the clone. See To create an Autonomous Database on shared Exadata infrastructure for instructions on creating a new Autonomous Database. See To clone an Autonomous Database to shared Exadata infrastructure for instructions on cloning an existing Autonomous Database.

Networking Prerequisites Needed for Private Endpoint

To provision an Autonomous Database with a private endpoint, you must have the following resources already created:

  • A VCN within the region that will contain your Autonomous Database with shared Exadata infrastructure. Cannot be changed after provisioning.
  • A private subnet within your VCN configured with default DHCP options. Cannot be changed after provisioning.
  • At least 1 network security group (NSG) within your VCN for the Autonomous Database. Can be changed or edited after provisioning.

NSGs create a virtual firewall for your Autonomous Database using security rules. You can specify up to five NSGs to control access to your Autonomous Database.

NSG security rule guidelines for private endpoint

Connecting to an Autonomous Database with a Private Endpoint

You can connect to an Autonomous Database that uses a private endpoint from within Oracle Cloud Infrastructure resources, or from your data center.

Example 1: Connecting from Within Oracle Cloud Infrastructure

You can connect from a resource (like a Compute instance) within the same VCN as the private endpoint. Note that you can also connect from a resource located in a different VCN from the private endpoint by using local or remote VCN peering.

This image shows the general concept of a private access point that allows network traffic to move between your Autonomous Database using shared Exadata infrastructure and other Oracle Cloud Infrastructure resources within your VCN.

Example network layout for connecting to an Autonomous Database with a private endpoint from within Oracle Cloud Infrastructure

You set up:

  • VCN and a private subnet
  • An NSG for the Autonomous Database that includes either stateful or stateless security rules, as described in Networking Prerequisites Needed for Private Endpoint

    This image shows the stateful Network Security Group security rule associated with an Autonomous Database private access point, allowing ingress and egress traffic between the endpoint and other resources within the same Oracle Cloud Infrastructure VCN.

    Example stateful security rule for the Autonomous Database NSG. Note that stateless rules are also supported.

  • An NSG security rule for the resource that will be allowed access to the Autonomous Database. This stateful egress security rule allows all egress traffic to the NSG of the Autonomous Database.

    This image shows the Network Security Group stateful security rule needed to allow traffic from a VM Compute instance to move to the private endpoint of an Autonomous Database.

    Example stateful egress security rule for the NSG of the resource connecting to the Autonomous Database
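As an added example (not code from the Oracle documentation, and not the Console rule shown in the images), the two rules above expressed as the JSON that `oci network nsg rules add --nsg-id <ocid> --security-rules file://rules.json` accepts, together with a small lint that flags the settings a reviewer would reject on a private-endpoint NSG: ingress open to 0.0.0.0/0, ingress with no protocol or port restriction, and a stateless rule with no counterpart for the return traffic. The NSG OCIDs and the listener port 1522 are assumptions; the page does not state a port. The egress rule is narrowed to that port, which is stricter than the all-egress rule in the page's image.

```python
"""Build and lint NSG security rules for an Autonomous Database private endpoint.

Added example, not Oracle's code. Rule dictionaries follow the camelCase
SecurityRule JSON that the OCI CLI reads from --security-rules.
"""
import json

# Placeholder identifiers (assumptions; substitute your own OCIDs).
ADB_NSG_OCID = "ocid1.networksecuritygroup.oc1.phx.exampleadbnsg"
CLIENT_NSG_OCID = "ocid1.networksecuritygroup.oc1.phx.exampleclientnsg"
ADB_PORT = 1522  # assumed listener port for the private endpoint; not stated on the page


def adb_ingress_rule(client_nsg_ocid: str, port: int = ADB_PORT) -> dict:
    """Stateful ingress rule for the Autonomous Database NSG.

    Only members of the client NSG may reach the listener port; because the
    rule is stateful, reply traffic leaves without an explicit egress rule.
    """
    return {
        "direction": "INGRESS",
        "protocol": "6",  # TCP
        "isStateless": False,
        "sourceType": "NETWORK_SECURITY_GROUP",
        "source": client_nsg_ocid,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        "description": "SQL*Net from application NSG to ADB private endpoint",
    }


def client_egress_rule(adb_nsg_ocid: str, port: int = ADB_PORT) -> dict:
    """Stateful egress rule for the connecting resource's NSG, scoped to the
    database NSG on the listener port rather than all egress."""
    return {
        "direction": "EGRESS",
        "protocol": "6",
        "isStateless": False,
        "destinationType": "NETWORK_SECURITY_GROUP",
        "destination": adb_nsg_ocid,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        "description": "Compute instance to ADB private endpoint",
    }


def _peer(rule: dict):
    """The remote side of a rule: source for ingress, destination for egress."""
    return rule.get("source") if rule["direction"] == "INGRESS" else rule.get("destination")


def lint_rules(rules: list) -> list:
    """Return human-readable findings for rules that weaken a private-endpoint NSG."""
    findings = []
    for i, r in enumerate(rules):
        tag = f"rule[{i}]"
        if r["direction"] == "INGRESS":
            if r.get("sourceType") == "CIDR_BLOCK" and r.get("source") == "0.0.0.0/0":
                findings.append(f"{tag}: ingress from 0.0.0.0/0 admits every peered VCN, "
                                "VPN and FastConnect network; scope the source to a client NSG or CIDR")
            if r["protocol"] == "all":
                findings.append(f"{tag}: ingress allows all protocols; restrict to TCP")
            elif r["protocol"] == "6" and "tcpOptions" not in r:
                findings.append(f"{tag}: TCP ingress with no destination port range; "
                                "restrict to the listener port")
        if r.get("isStateless"):
            # Stateless rules track no connection state, so the return path
            # needs its own stateless rule in the opposite direction.
            opposite = "EGRESS" if r["direction"] == "INGRESS" else "INGRESS"
            if not any(o.get("isStateless") and o["direction"] == opposite
                       and o["protocol"] == r["protocol"] and _peer(o) == _peer(r)
                       for o in rules):
                findings.append(f"{tag}: stateless rule has no stateless {opposite.lower()} "
                                "counterpart, so return traffic is dropped")
    return findings


def rules_json(rules: list) -> str:
    """Serialise rules for `oci network nsg rules add --security-rules file://rules.json`."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    adb_rules = [adb_ingress_rule(CLIENT_NSG_OCID)]
    client_rules = [client_egress_rule(ADB_NSG_OCID)]
    print(rules_json(adb_rules))
    print(rules_json(client_rules))
    print("findings:", lint_rules(adb_rules + client_rules) or "none")
```

Write each list to its own file and add it to the matching NSG; run `lint_rules` over the rules you export from an existing NSG (`oci network nsg rules list`) before trusting a private endpoint that was configured by hand.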

Example 2: Connecting from an On-Premises Data Center

This image shows the general concept of a private access point that allows network traffic to move between your Autonomous Database using shared Exadata infrastructure and your on-premises data center.

Example network layout for connecting to an Autonomous Database with a private endpoint from an on-premises network

You set up:

Tip

When connecting from an on-premises network, Oracle recommends using a FastConnect connection. If you are using an IPSec VPN connection, see the configuration tips in the Hanging Connection topic in the Networking service documentation to avoid connection problems.

To resolve the Autonomous Database private endpoint in your on-premises host's /etc/hosts file
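An on-premises host cannot use the VCN's DNS, so the private endpoint's hostname has to be mapped to its private IP in the local hosts file. As an added example (not a procedure from the Oracle documentation), the helper below does that idempotently (a stale line for the same hostname is replaced rather than duplicated, a common cause of "it worked yesterday" failures after the database was re-cloned) and refuses an address outside the private subnet, which catches a pasted public or wrong-VCN address before the connection attempt silently times out over the VPN or FastConnect link. The hostname, IP and subnet are placeholders; take the real values from the database's network details in the OCI Console.

```python
"""Idempotent hosts-file mapping for an Autonomous Database private endpoint.

Added example, not Oracle's code.
"""
import ipaddress
from pathlib import Path

# Placeholders (assumptions): substitute the private endpoint hostname and IP
# shown for your database in the OCI Console, and your private subnet CIDR.
ENDPOINT_HOST = "example-adb.adb.us-phoenix-1.oraclecloud.com"
ENDPOINT_IP = "10.0.1.5"
PRIVATE_SUBNET = "10.0.1.0/24"


def _hostnames(line: str) -> list:
    """Hostname fields of one hosts-file line, ignoring comments and blanks."""
    fields = line.split("#", 1)[0].split()
    return fields[1:] if len(fields) > 1 else []


def upsert_hosts_entry(hosts_path, ip: str, hostname: str, subnet_cidr: str) -> str:
    """Map hostname to ip in hosts_path, replacing any stale line; returns the written line.

    Raises ValueError if ip is not inside subnet_cidr, so a public or foreign
    address is rejected before it is written.
    """
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(subnet_cidr, strict=False):
        raise ValueError(f"{ip} is not inside the private subnet {subnet_cidr}")
    path = Path(hosts_path)
    existing = path.read_text().splitlines() if path.exists() else []
    kept = [ln for ln in existing if hostname not in _hostnames(ln)]
    entry = f"{addr}\t{hostname}"
    kept.append(entry)
    path.write_text("\n".join(kept) + "\n")
    return entry


def lookup_hosts_entry(hosts_path, hostname: str):
    """Return the IP that hosts_path maps hostname to, or None if absent."""
    path = Path(hosts_path)
    if not path.exists():
        return None
    for ln in path.read_text().splitlines():
        if hostname in _hostnames(ln):
            return ln.split()[0]
    return None


if __name__ == "__main__":
    import os
    import tempfile
    # Demo on a scratch file; for real use pass "/etc/hosts" and run as root.
    fd, scratch = tempfile.mkstemp()
    os.close(fd)
    Path(scratch).write_text(f"127.0.0.1\tlocalhost\n10.0.1.99\t{ENDPOINT_HOST}\n")
    print(upsert_hosts_entry(scratch, ENDPOINT_IP, ENDPOINT_HOST, PRIVATE_SUBNET))
    print(Path(scratch).read_text())
    os.remove(scratch)
```

After the entry is in place, confirm the mapping with `lookup_hosts_entry` (or `getent hosts <hostname>` on Linux) before testing the connection with the downloaded wallet, so that a DNS problem is not mistaken for an NSG or VPN problem.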

Additional Information

See To create an Autonomous Database on shared Exadata infrastructure for instructions on provisioning an Autonomous Database that uses a private endpoint.

See To update the network configuration of an Autonomous Database that uses a private endpoint for information on editing networking settings related to a private endpoint.

See Private Access in the Networking service documentation for an overview of the options for enabling private access to services within Oracle Cloud Infrastructure.

See Hanging Connection in the Networking service documentation for troubleshooting IPSec VPN connection issues that can occur when connecting from your on-premises network.