Security Zone Integration

This topic describes the Database service's support of OCI security zones.

A security zone is associated with one or more compartments in your tenancy, and created with a set of security policies called a security recipe. While you can create custom security recipes for particular use cases, OCI offers an Oracle-managed Maximum Security Recipe which provides the highest level of protection for your Database resources. The policies of a particular security recipe are enforced on any resource that is provisioned or moved into a security zone that uses the recipe. Thus, the only way to apply security zone policies is to control the compartment assignments of your Oracle Cloud Infrastructure resources.

For a complete overview of security zones, including instructions for creating security zones and security recipes, see the Security Zones section of the Oracle Cloud Infrastructure user guide.

Restrictions on Database Service Resources Located in Maximum Security Recipe Compartments

The Maximum Security Recipe includes all available security zone policies. For example, restrictions placed on databases in a security zone that uses the Maximum Security Recipe include:

  • The database cannot allow public network access
  • The database must have automatic backups enabled
  • The database cannot have Data Guard associations that aren't in compartments within the same security zone

For a complete list of the Database restrictions implemented by the Maximum Security Recipe, see Security Zone Policies.
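Because the recipe is enforced through compartment membership, a practitioner typically wants a pre-flight check that evaluates a database against these three restrictions before provisioning it into, or moving it into, a zoned compartment. The following is an added example written for this page, not Oracle's tooling or the OCI SDK: the record fields, compartment ids and the compartment-to-zone mapping are constructed assumptions, and the check logic mirrors only the three restrictions listed above.

```python
"""Pre-flight check of Database resources against the three Maximum Security
Recipe restrictions listed on this page. Added illustration only: the field
names, compartment ids and zone mapping below are constructed assumptions,
not the OCI SDK's models or API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DatabaseResource:
    """Minimal, hypothetical description of a DB system or Autonomous Database."""
    name: str
    compartment_id: str
    public_access: bool            # assumption: True if reachable from the public internet
    auto_backup_enabled: bool
    # assumption: compartment ids of the peer databases in Data Guard associations
    data_guard_peer_compartments: List[str] = field(default_factory=list)


def zone_of(compartment_id: str, zone_by_compartment: Dict[str, str]) -> Optional[str]:
    """Security zone assigned to a compartment, or None if it is in no zone.

    Policies are applied through compartment membership, so this lookup is
    the foundation of every check below."""
    return zone_by_compartment.get(compartment_id)


def check_maximum_security_recipe(db: DatabaseResource,
                                  zone_by_compartment: Dict[str, str]) -> List[str]:
    """Return the Maximum Security Recipe violations for one resource.

    An empty list means the resource would satisfy the three restrictions
    when provisioned into, or moved into, its compartment's security zone."""
    zone = zone_of(db.compartment_id, zone_by_compartment)
    if zone is None:
        # Not in a security zone: no recipe applies, nothing to enforce.
        return []
    violations = []
    if db.public_access:
        violations.append("public network access is not allowed")
    if not db.auto_backup_enabled:
        violations.append("automatic backups must be enabled")
    for peer in db.data_guard_peer_compartments:
        # Peers must sit in a compartment that belongs to the *same* zone.
        if zone_of(peer, zone_by_compartment) != zone:
            violations.append(
                f"Data Guard peer in compartment {peer} is outside security zone {zone}")
    return violations


def audit(resources: List[DatabaseResource],
          zone_by_compartment: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each resource name to its violations; compliant resources are omitted."""
    report: Dict[str, List[str]] = {}
    for db in resources:
        problems = check_maximum_security_recipe(db, zone_by_compartment)
        if problems:
            report[db.name] = problems
    return report


# Constructed sample data (not real OCIDs or zone names).
ZONE_BY_COMPARTMENT = {
    "ocid1.compartment.oc1..prod-a": "zone-prod",
    "ocid1.compartment.oc1..prod-b": "zone-prod",
    "ocid1.compartment.oc1..dev": "zone-dev",
}

SAMPLE_RESOURCES = [
    # Private, backed up, Data Guard peer in another compartment of the same zone.
    DatabaseResource("fin-db", "ocid1.compartment.oc1..prod-a", False, True,
                     ["ocid1.compartment.oc1..prod-b"]),
    # Public, no backups, Data Guard peer in a compartment of a different zone.
    DatabaseResource("hr-db", "ocid1.compartment.oc1..prod-a", True, False,
                     ["ocid1.compartment.oc1..dev"]),
    # Compartment not assigned to any zone: no recipe applies.
    DatabaseResource("sandbox-db", "ocid1.compartment.oc1..none", True, False),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RESOURCES, ZONE_BY_COMPARTMENT).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Running the script reports only `hr-db`, with one line per violated restriction; `fin-db` passes because its Data Guard peer is in a different compartment that still belongs to the same zone, and `sandbox-db` is skipped because its compartment is outside every zone. The same pattern extends to a custom recipe by adding or removing checks.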

You can also create custom recipes that do not include all possible security restrictions for Database service resources, and assign a custom recipe to a security zone. See Managing Recipes.

Supported Database Service Resources

The following Database service resources can be provisioned and managed in security zones that use the Maximum Security Recipe:

  • Autonomous Database: databases on dedicated Exadata infrastructure, and databases on shared Exadata infrastructure with private endpoint access
  • Bare metal and virtual machine DB systems
  • Exadata Cloud DB systems

Always Free Autonomous Databases, Autonomous Databases configured with public endpoints, and the Exadata Database Service on Cloud@Customer service are not compatible with Maximum Security Recipe compartments.