Autonomous Database with Private Endpoint

Note

This topic applies only to Autonomous Databases with shared Exadata infrastructure.

Private endpoint refers to a network setup for your Autonomous Database with shared Exadata infrastructure where all network traffic moves through a private endpoint within a VCN in your tenancy. If your organization has strict security mandates that do not allow you to have a public endpoint for your database, this provides you with the necessary private endpoint. Additionally, this configuration uses no public subnets and allows you to keep all traffic to and from your Autonomous Database off of the public internet.

Overview of Private Endpoint

Enabling a private endpoint for an Autonomous Database ensures that the only access path to the database is via a VCN inside your Oracle Cloud Infrastructure tenancy. This network configuration completely blocks access to the database from public endpoints. A private endpoint offers the following advantages over other methods of private network access:

  • Does not require you to set up transit routing in your VCN and use a service gateway to connect.
  • Can satisfy security requirements that forbid the use of a public endpoint.

The private endpoint option is available for both new and existing Autonomous Databases on shared Exadata infrastructure. See To create an Autonomous Database on shared Exadata infrastructure for instructions on creating a new Autonomous Database with a private endpoint. See To change the network access of an Autonomous Database on shared Exadata infrastructure from private endpoint to public endpoint for information on switching the network access configuration of an existing database. Note that your Oracle Database version must be 19c or higher to perform an in-place switch of the network access type after provisioning.

Networking Prerequisites Needed for Private Endpoint

To provision an Autonomous Database with a private endpoint, you must have the following resources already created:

  • A VCN within the region that will contain your Autonomous Database with shared Exadata infrastructure. Cannot be changed after provisioning.
  • A private subnet within your VCN configured with default DHCP options. Cannot be changed after provisioning.
  • At least 1 network security group (NSG) within your VCN for the Autonomous Database. Can be changed or edited after provisioning.

NSGs create a virtual firewall for your Autonomous Database using security rules. You can specify up to five NSGs to control access to your Autonomous Database.

NSG security rule guidelines for private endpoint

Your security rules for the NSG of your Autonomous Database need to be configured as follows:

  • The private endpoint feature supports both stateful and stateless security rules within NSGs.
  • Your rule covering ingress traffic must specify the IP Protocol "TCP", and your Destination Port Range must be 1522.

To connect another resource located inside Oracle Cloud Infrastructure (for example, a Compute instance) to your Autonomous Database, the second resource needs a security rule that allows all egress traffic to the NSG of the Autonomous Database. This means you specify the NSG of the Autonomous Database as the Destination for this security rule. The second resource's security rule can be part of an NSG or a security list.
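The two rules described above (TCP ingress to port 1522 on the database NSG, and egress from the client resource to that NSG) are easy to get slightly wrong, so the following added example audits them. It is not Oracle's code: it takes the rule list in the kebab-case JSON shape that `oci network nsg rules list` is assumed to print (protocol given as its IANA number, "6" for TCP), flags database-side ingress rules that open more than port 1522 or admit any source, and confirms the client NSG has an egress rule whose destination is the database NSG. The OCIDs and CIDRs are constructed placeholders.

```python
"""Audit NSG rules for an Autonomous Database private endpoint (added example)."""
import ipaddress
import json

TCP = "6"          # OCI security rules name protocols by IANA number
ADB_PORT = 1522    # the only port the private endpoint listens on

# Placeholder OCID of the database NSG (constructed, not a real resource).
ADB_NSG_ID = "ocid1.networksecuritygroup.oc1.phx.EXAMPLE-adb-nsg"

# Constructed sample for the database NSG: one rule matching the guideline
# and one that is far wider than the endpoint needs.
ADB_NSG_RULES = json.loads("""[
  {"direction": "INGRESS", "protocol": "6", "is-stateless": false,
   "source-type": "CIDR_BLOCK", "source": "10.0.1.0/24",
   "tcp-options": {"destination-port-range": {"min": 1522, "max": 1522}}},
  {"direction": "INGRESS", "protocol": "6", "is-stateless": false,
   "source-type": "CIDR_BLOCK", "source": "0.0.0.0/0",
   "tcp-options": {"destination-port-range": {"min": 1, "max": 65535}}}
]""")

# Constructed sample for the NSG of a Compute instance that must reach the
# database: all egress traffic to the database NSG, as the guideline says.
CLIENT_NSG_RULES = json.loads("""[
  {"direction": "EGRESS", "protocol": "all", "is-stateless": false,
   "destination-type": "NETWORK_SECURITY_GROUP",
   "destination": "ocid1.networksecuritygroup.oc1.phx.EXAMPLE-adb-nsg"}
]""")


def port_range(rule):
    """(min, max) of a TCP rule's destination ports; None means all ports."""
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    return (rng["min"], rng["max"]) if rng else None


def audit_adb_ingress(rules):
    """Return (compliant, findings) for the database-side NSG.

    Compliant: at least one ingress rule is TCP to exactly port 1522.
    Findings: every ingress rule that is wider than that, plus any rule
    whose source CIDR admits every address.
    """
    compliant, findings = False, []
    for i, rule in enumerate(rules):
        if rule.get("direction") != "INGRESS":
            continue
        if rule.get("protocol") != TCP:
            findings.append(f"rule {i}: ingress protocol {rule.get('protocol')!r} is not TCP")
            continue
        rng = port_range(rule)
        if rng == (ADB_PORT, ADB_PORT):
            compliant = True
        else:
            findings.append(f"rule {i}: destination ports {rng or 'all'} instead of {ADB_PORT} only")
        if rule.get("source-type") == "CIDR_BLOCK":
            net = ipaddress.ip_network(rule["source"], strict=False)
            if net.prefixlen == 0:
                findings.append(f"rule {i}: source {net} admits any address; use the client subnet or NSG")
    return compliant, findings


def client_can_reach_adb(rules, adb_nsg_id):
    """True if the client NSG has egress to the database NSG.

    The guideline asks for all egress to that NSG (protocol "all"); a TCP
    rule that covers port 1522 is accepted too, as that is the listener port.
    """
    for rule in rules:
        if (rule.get("direction") != "EGRESS"
                or rule.get("destination-type") != "NETWORK_SECURITY_GROUP"
                or rule.get("destination") != adb_nsg_id):
            continue
        if rule.get("protocol") == "all":
            return True
        if rule.get("protocol") == TCP:
            rng = port_range(rule)
            if rng is None or rng[0] <= ADB_PORT <= rng[1]:
                return True
    return False


if __name__ == "__main__":
    ok, notes = audit_adb_ingress(ADB_NSG_RULES)
    print("database NSG compliant:", ok)
    for note in notes:
        print("  -", note)
    print("client NSG reaches database NSG:", client_can_reach_adb(CLIENT_NSG_RULES, ADB_NSG_ID))
```

Run against the sample, the database NSG is reported compliant because of its first rule, while the second rule produces two findings (wide port range, any-address source); the client NSG passes. Feed it the output of `oci network nsg rules list --nsg-id <id>` for each NSG to check a real deployment.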

See Network Security Groups and To create an NSG for more information on working with NSGs.

Connecting to an Autonomous Database with a Private Endpoint

You can connect to an Autonomous Database that uses a private endpoint from within Oracle Cloud Infrastructure resources, or from your data center. See To find the Fully Qualified Domain Name (FQDN) and IP address of your private endpoint for information on locating the IP address and URL of your endpoint.

Example 1: Connecting from Within Oracle Cloud Infrastructure

You can connect from a resource (like a Compute instance) within the same VCN as the private endpoint. Note that you can also connect from a resource located in a different VCN from the private endpoint by using local or remote VCN peering.

This image shows the general concept of a private access point that allows network traffic to move between your Autonomous Database using shared Exadata infrastructure and other Oracle Cloud Infrastructure resources within your VCN.

Example network layout for connecting to an Autonomous Database with a private endpoint from within Oracle Cloud Infrastructure

You set up:

  • VCN and a private subnet
  • An NSG for the Autonomous Database that includes either stateful or stateless security rules, as described in Networking Prerequisites Needed for Private Endpoint

    This image shows the stateful Network Security Group security rule associated with an Autonomous Database private access point, allowing ingress and egress traffic between the endpoint and other resources within the same Oracle Cloud Infrastructure VCN.

    Example stateful security rule for the Autonomous Database NSG. Note that stateless rules are also supported.

  • An NSG security rule for the resource that will be allowed access to the Autonomous Database. This stateful egress security rule allows all egress traffic to the NSG of the Autonomous Database.

    This image shows the Network Security Group stateful security rule needed to allow traffic from a VM Compute instance to move to the private endpoint of an Autonomous Database.

    Example stateful egress security rule for the NSG of the resource connecting to the Autonomous Database

Example 2: Connecting from an On-Premises Data Center

This image shows the general concept of a private access point that allows network traffic to move between your Autonomous Database using shared Exadata infrastructure and your on-premises data center.

Example network layout for connecting to an Autonomous Database with a private endpoint from an on-premises network

You set up:

Tip

When connecting from an on-premises network, Oracle recommends using a FastConnect connection. If you are using an IPSec VPN connection, see the configuration tips in the Hanging Connection topic in the Networking service documentation to avoid connection problems.

To find the Fully Qualified Domain Name (FQDN) and IP address of your private endpoint

Your database's private endpoint IP address is displayed on the Autonomous Database Details page in the Oracle Cloud Infrastructure Console.

  1. Open the navigation menu. Under Database, click Autonomous Transaction Processing or Autonomous Data Warehouse.
  2. Choose your Compartment.
  3. In the list of Autonomous Databases, click the display name of the database you want to connect to.
  4. On the Autonomous Database Details page, in the Network section, the Private Endpoint IP and Private Endpoint URL fields display the IP address and URL of the endpoint.

To resolve the Autonomous Database private endpoint in your on-premises host's /etc/hosts file

To resolve the Fully Qualified Domain Name (FQDN) of the Autonomous Database private endpoint from an on-premises host, add an entry to that host's /etc/hosts file. For example:

# example /etc/hosts entry
10.0.2.7 example.adb.us-phoenix-1.oraclecloud.com

You find the private endpoint IP and the FQDN as follows:

  • The Private IP is shown on the Oracle Cloud Infrastructure Console Autonomous Database details page for the instance.
  • The FQDN is shown in the tnsnames.ora file in the Autonomous Database client credential wallet.

Alternatively you can set up a hybrid DNS in Oracle Cloud Infrastructure for DNS name resolution.
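The two lookups above (private IP from the Console, FQDN from tnsnames.ora in the wallet) can be tied together with a small script. The following is an added example, not Oracle's code: it pulls the host and port out of every address entry in a tnsnames.ora file, checks that the IP you took from the Console is an RFC 1918 address (a private endpoint never resolves to a public one, so anything else points at a copy-and-paste mistake), and produces updated /etc/hosts content with exactly one line for the FQDN, replacing any stale entry left from an earlier endpoint. The tnsnames.ora text, the existing /etc/hosts content and the IP addresses are constructed samples; the FQDN is the one used in the entry above.

```python
"""Build the /etc/hosts entry for an Autonomous Database private endpoint (added example)."""
import ipaddress
import re

# Constructed sample of the tnsnames.ora shipped in an Autonomous Database
# client credential wallet; service names are placeholders.
TNSNAMES_SAMPLE = """
example_high = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=example.adb.us-phoenix-1.oraclecloud.com))
  (connect_data=(service_name=EXAMPLE_high.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
example_low = (description=(retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=example.adb.us-phoenix-1.oraclecloud.com))
  (connect_data=(service_name=EXAMPLE_low.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
"""

# Constructed sample of an on-premises /etc/hosts holding a stale mapping.
EXISTING_HOSTS = """127.0.0.1 localhost
10.0.2.9 example.adb.us-phoenix-1.oraclecloud.com   # stale entry, old endpoint
"""

# One (address=...) block is a run of flat (key=value) pairs.
ADDRESS_RE = re.compile(r"\(address=((?:\([^()]*\))+)\)", re.IGNORECASE)
KV_RE = re.compile(r"\((\w+)=([^()]*)\)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def endpoint_addresses(tnsnames_text):
    """Sorted unique (host, port) pairs from every address entry in tnsnames.ora."""
    found = set()
    for match in ADDRESS_RE.finditer(tnsnames_text):
        kv = {k.lower(): v.strip() for k, v in KV_RE.findall(match.group(1))}
        if "host" in kv:
            found.add((kv["host"], int(kv["port"]) if "port" in kv else None))
    return sorted(found)


def is_private_endpoint_ip(ip):
    """True if ip lies in an RFC 1918 range, as a VCN private subnet address must."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def hosts_line(private_ip, fqdn):
    """The /etc/hosts line for the endpoint; refuses a non-private address."""
    if not is_private_endpoint_ip(private_ip):
        raise ValueError(f"{private_ip} is not an RFC 1918 address; check the Private Endpoint IP field")
    return f"{private_ip} {fqdn}"


def merge_hosts(existing, private_ip, fqdn):
    """Return /etc/hosts content with exactly one line mapping fqdn to private_ip.

    Any existing line that names the FQDN (aliases included) is dropped so a
    stale address cannot shadow the new one; everything else is kept as is.
    """
    kept = []
    for line in existing.splitlines():
        names = line.split("#", 1)[0].split()
        if len(names) > 1 and fqdn in names[1:]:
            continue
        kept.append(line)
    kept.append(hosts_line(private_ip, fqdn))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for host, port in endpoint_addresses(TNSNAMES_SAMPLE):
        print(f"wallet points at {host}:{port}")
        print(merge_hosts(EXISTING_HOSTS, "10.0.2.7", host), end="")
```

The port reported from tnsnames.ora should be 1522, matching the NSG ingress rule for the endpoint; a different port means the wallet does not belong to this private endpoint database. Write the returned content to /etc/hosts yourself after reviewing it; the script only builds it.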

Additional Information

See To create an Autonomous Database on shared Exadata infrastructure for instructions on provisioning an Autonomous Database that uses a private endpoint.

See To update the network configuration of an Autonomous Database on shared Exadata infrastructure that uses a private endpoint for information on editing networking settings related to a private endpoint.

See Private Access in the Networking service documentation for an overview of the options for enabling private access to services within Oracle Cloud Infrastructure.

See Hanging Connection in the Networking service documentation for troubleshooting IPSec VPN connection issues that can occur when connecting from your on-premises network.