Oracle Cloud Infrastructure Documentation

Connecting to a DB System

This topic explains how to connect to an active DB system. How you connect depends on the client tool or protocol you use, the purpose of the connection, and how your cloud network is set up. You can find information on various networking scenarios in Overview of Networking, but for specific recommendations on how you should connect to a database in the cloud, contact your network security administrator.


This section describes prerequisites you'll need to perform various tasks in this topic.

  • To use the Console or the API to get the default administration service connection strings, you must be given the required type of access in a policy  written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in. See Authentication and Authorization for more information on user authorizations for the Oracle Cloud Infrastructure Database service.
  • To connect to the database, you'll need the public or private IP address of the DB system. Use the private IP address to connect to the DB system from your on-premises network, or from within the virtual cloud network (VCN). This includes connecting from a host located on-premises connecting through a VPN or FastConnect to your VCN, or from another host in the same VCN. Use the DB System's public IP address to connect to the system from outside the cloud (with no VPN). You can find the IP addresses in the Oracle Cloud Infrastructure Console on the DB System Details page by clicking Nodes under the Resources list. The values are displayed in the Public IP Address and Private IP Address & DNS Name columns of the Nodes table.
  • For Secure Shell (SSH) access to the DB system, you'll need the full path to the file that contains the private key associated with the public key used when the DB system was launched.

If you have problems connecting, see Troubleshooting Connection Issues.

Database Services and Connection Strings

Database services allow you to control client access to a database instance depending on the functionality needed. For example, you might need to access the database for administration purposes only or you might need to connect an application to the database. Connection strings are specific to a database service.

When you provision a DB system, a default database administration service is automatically created. For 12c and later Oracle Databases, this service is for administrating the database at the CDB level. Because this service provides limited functionality, it is not suitable for connecting an application. Oracle recommends that you create a default application service for the initial database after you create your DB system. For 12c and later Oracle Databases, application services connect at the PDB level. Here are some important functions an application service can provide:

  • Workload identification
  • Load balancing
  • Application continuity and Transaction Guard
  • Fast Application Notification
  • Resource assignment based on the service name

For details about these and other High Availability capabilities, see Client Failover Best Practices for Highly Available Oracle Databases.

Creating an Application Service

You use the srvctl utility to create an application service. Before you can connect to the service, you must start it.

To create an application service for a PDB or an 11g Oracle database

For more information about services for a PDB, see Managing Services for PDBs.

Database Connection Strings

You must use the appropriate connection string to access a database administration or application service. You can use the Console or the API to get the string for connecting to the default administration service from within a VCN. For 12c and later Oracle Databases, this service is for administrating the database at the CDB level. The string is provided in both the Easy Connect and in the full connect descriptor (long) format. Use the long format for the connection if hostname resolution is not available. You can also use the long format to create an alias in the tnsnames.ora file.

For accessing a database service within the VCN, the connection string for a Real Application Cluster (RAC) DB system uses the Single Client Access Name (SCAN) while the connection string for single instance DB system uses the hostname instead.

The private SCAN name is a Round Robin DNS entry created when you launch a 2-node RAC DB system. The private SCAN name is resolvable only within the VCN. If the client and the database are in the same VCN, the connection mechanism is the same as an on-premises RAC database; all the features provided by VIPs and SCAN VIPs, such as server side load balancing and VIP failover, are available.


If you manually change the DB_UNIQUE_NAME, DB_DOMAIN, or listener port on the DB system, the connection strings you see in the Console or API will not reflect your changes. Ensure that you use the actual values of these parameters when you make a connection.

To get the connection strings for the default administration service

You can derive the connection strings for other database services by replacing part of the default application service connection string with the applicable values.

To derive the connection string for a PDB administration service or an application service

Connecting to a Database Service by Using SQL*Net

This section describes how to connect to a database service from a computer that has a SQL*Net client installed. Port 1521 must be open to support the SQL*Net protocol.

Connecting from Within the VCN

For security reasons, Oracle recommends that you connect to your database services from within the VCN. You can use this method whether you are connecting to an administration service or to an application service.

To connect using SQL*Plus, you run the following command using the applicable connection string:

sqlplus system/<password>@<connection_string>

Consider the following:

  • If your system is not using the VCN Resolver, ensure that the DB system's hostname (for single-node systems) or SCAN name (for multi-node systems) can be resolved. See DNS in Your Virtual Cloud Network for information about DNS name resolution.
  • For connecting to the administration service of a PDB, ensure that the PDB is open or the service will not be available.
  • For connecting to an application service, ensure that the service is started. For Fast Application Notification to work, ensure that port 6200 can be reached. See Client Failover Best Practices for Highly Available Oracle Databases for information about Fast Application Notification.

Connecting from the Internet

Although Oracle does not recommend connecting to your database from the Internet, you can connect to a database service by using a public IP address if port 1521 is open to the public for ingress.

To use this method, you run the following command using the public IP address instead of the hostname or SCAN in the connection string:

sqlplus system/<password>@<public_IP>:1521/<service_name>.<DB_domain>

Consider the following:

  • SCANs and hostnames are not resolvable on the Internet, therefore load balancing and failover for multi-node DB systems, which rely on these names, cannot work.
  • For multi-node DB systems, which normally use SCANs, you must specify the IP address of one of the RAC hosts to access the database.

Do not use this method to connect to the database from within the VCN. Doing so negatively impacts performance because traffic to the database is routed out of the VCN and back in through the public IP address.

Example: Connecting in SQL Developer Using SQL*Net


  • Ensure that port 1521 is open for the Oracle default listener. (You can do this by checking the DB system's security list.)
  • If port 1521 is open only to hosts in the VCN, then you must run your SQL Developer client from a machine that has direct access to the VCN. If you are connecting to the database from the Internet instead, then the public IP address of your computer must be granted access to port 1521 in the security list. (Alternatively, the security list can grant full access to port 1521, however, this is not recommended for security reasons.) You must use the public IP address of the host because connecting from the Internet does not support SCAN name resolution.
To connect from within the VCN
To connect from The Internet by using public IP addresses

Connecting to a Database with a Public IP by Using SSH Tunneling

You can access the services of DB system databases with public IP addresses by using SSH tunneling. The main advantage of this method is that port 1521 does not need to be opened to the public internet. However, just like accessing the database with a public IP using a SQL*Net client, load balancing and failover for multi-node DB systems cannot work because they rely on SCANs and hostnames.

Oracle SQL Developer and Oracle SQLcL and are two tools that facilitate the use of tunneling for Oracle Database access.

To open a tunnel, and then connect to a database service by using SQLcL, you run commands like the following:

SQL> sshtunnel opc@<public_IP> -i <private_key> -L <local_port>:<private_IP>:1521
Using port:22
SSH Tunnel connected
SQL> connect system/<password>@localhost:<local_port>/<service_name>.<DB_domain>

See Oracle SQL Developer and Oracle SQLcL for information about these tools.

Connecting to a Database by Using SSH and the Bequeath Protocol

This method allows you to connect to the database without using the network listener. It should be used to connect only for administration purposes.

When connecting to a multi-node DB system, you'll SSH to each individual node in the cluster.

To connect from a UNIX-style system
To connect from a Windows system
To access a database after you connect

Serial Console Access for Troubleshooting and Managing a Bare Metal or VM System

You can create and delete serial console connections to your bare metal or virtual machine DB system in the Oracle Cloud Infrastructure Console. This allows you to manage and troubleshoot your system in single-user mode using an SSH connection. See the following topics for more information:

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the GetDatabase API operation to get the default administration service connection strings.

Troubleshooting Connection Issues

The following issues might occur when connecting to a DB system or database.

ORA-28365: Wallet is Not Open Error

For a 1-node DB system or 2-node RAC DB system, regardless of how you connect to the DB system, before you use OS authentication to connect to a database (for example, sqlplus / as sysdba) be sure to set the ORACLE_UNQNAME variable. Otherwise, commands that require the TDE wallet will result in the error ORA-28365: wallet is not open.

Note that this is not an issue when using a TNS connection because ORACLE_UNQNAME is automatically set in the database CRS resource.

SSH Access Stops Working

If the DB system’s root volume becomes full, you might lose the ability to SSH to the system (the SSH command will fail with permission denied errors). Before you copy a large amount of data to the root volume, for example, to migrate a database, use the dbcli create-dbstorage command to set up storage on the system’s NVMe drives and then copy the database files to that storage. For more information, see Setting Up Storage on the DB System.

What Next?

Before you begin updating your DB system, review the information in Updating a DB System.

For information about setting up an Enterprise Manager console to monitor your databases, see Monitoring a Database.