Configuring Network Access with Private Endpoints

You can specify that Autonomous Database uses a private endpoint inside your Virtual Cloud Network (VCN) in your tenancy. You can configure a private endpoint during provisioning or cloning your Autonomous Database, or you can switch to using a private endpoint in an existing database that uses a public endpoint. This allows you to keep all traffic to and from your database off of the public internet.

Specifying the virtual cloud network configuration allows traffic only from the virtual cloud network you specify and blocks access to the database from all public IPs or VCNs. This allows you to define security rules with Security Lists or at the Network Security Group (NSG) level to specify ingress/egress for your Autonomous Database instance. Using a private endpoint and defining Security Lists or NSGs allows you to control traffic to and from your Autonomous Database instance.

Configure Private Endpoints

You can specify that Autonomous Database uses a private endpoint and configure a Virtual Cloud Network (VCN) in your tenancy to use with the private endpoint.

Perform the following prerequisite steps before configuring a private endpoint:

You can configure the private endpoint for an existing Autonomous Database instance or when you provision or clone a new instance:

Prerequisite: IAM Policies Required to Manage Private Endpoints

Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the Console, REST API, CLI, SDK, or others).

The IAM service uses groups, compartments and policies to control which cloud users can access which resources. In particular, a policy defines what kind of access a group of users has to a particular kind of resource in a particular compartment. For more information, see Getting Started with Policies.

In addition to the policies required to provision and manage an Autonomous Database, some network policies are needed to use private endpoints. The following table lists the IAM policies required for a cloud user to add a private endpoint.

Note

The listed policies are the minimum requirements to add a private endpoint. You can also use a policy rule that is broader. For example, if you set the policy rule:
Allow group MyGroupName to manage virtual-network-family in tenancy

This rule also works because it is a superset that contains all the required policies.

Operation Required IAM Policies

Configure a private endpoint

use vcns for the compartment which the VCN is in

use subnets for the compartment which the VCN is in

use network-security-groups for the compartment which the network security group is in

manage private-ips for the compartment which the VCN is in

manage vnics for the compartment which the VCN is in

manage vnics for the compartment which the database is provisioned or is to be provisioned in

See Common Policies for more information.

Configure Private Endpoints When You Provision or Clone an Instance

You can configure a private endpoint when you provision or clone an Autonomous Database instance.

These steps assume you are provisioning or cloning an instance and you have completed the prerequisite steps, and you are at the Choose network access step of the provisioning or cloning steps:

  1. Select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.


    Description of adb_private_vcn.png follows

    Note

    If you select Private endpoint access only, this only allows connections from the specified private network (VCN), from peered VCNs, and from on-prem networks connected to your VCN. You can configure an Autonomous Database instance on a private endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.

    If you want to allow connections from public IP addresses, then you need to select either Secure access from everywhere or Secure access from allowed IPs and VCNs only when you provision or clone your Autonomous Database.

  2. Select a Virtual cloud network in your compartment or if the VCN is in a different compartment click Change Compartment and select the compartment that contains the VCN and then select a virtual cloud network.

    See VCNs and Subnets for more information.

  3. Select the Subnet in your compartment to attach the Autonomous Database to or if the Subnet is in a different compartment click Change Compartment and select the compartment that contains the Subnet and then select a subnet.

    See VCNs and Subnets for more information.

  4. (Optional) Click Show advanced options to configure additional private endpoint options.
    1. Optionally enter a Private IP address.

      Use this field to enter a custom private IP address. The private IP address you enter must be within the selected subnet's CIDR range.

      If you do not provide a custom private IP address the IP address is automatically assigned.

    2. Optionally enter a Hostname prefix.

      This specifies a hostname prefix for the Autonomous Database and associates a DNS name with the database instance, in the following form:

      hostname_prefix.adb.region.oraclecloud.com

      If you do not specify a hostname prefix, a system generated hostname prefix is supplied.

    3. Optionally add Network security groups (NSGs).

      Optionally, to allow connections to the Autonomous Database instance define security rules in an NSG; this creates a virtual firewall for your Autonomous Database.

      • Select a Network Security Group in your compartment to attach the Autonomous Database to, or if the Network Security Group is in a different compartment, click Change Compartment and select a different compartment and then select a Network Security Group in that compartment.
      • Click + Another Network Security Group to add another Network Security Group.
      • Click x to remove a Network Security Group entry.

      For the NSG you select for the private endpoint define a security rule as follows:

      • For mutual TLS (mTLS) authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522. See About Mutual TLS (mTLS) Authentication for more information.

      • For TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.

      • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

      Note

      Incoming and outgoing connections are limited by the combination of ingress and egress rules defined in NSGs and the Security Lists defined with the VCN. When there are no NSGs, ingress and egress rules defined in the Security Lists for the VCN still apply. See Security Lists for more information on working with Security Lists.

      See Private Endpoints Configuration Examples on Autonomous Database for examples.

      See Network Security Groups for more information.

  5. Require mutual TLS (mTLS) authentication.

    The Require mutual TLS (mTLS) authentication options are:

    • When Require mutual TLS (mTLS) authentication is deselected, TLS and mTLS connections are allowed. This is the default configuration.

    • When Require mutual TLS (mTLS) authentication is selected, only mTLS connections are allowed (TLS authentication is not allowed).

    See Update Network Options to Allow TLS or Require Only Mutual TLS (mTLS) Authentication on Autonomous Database for more information.

  6. Complete the remaining provisioning or cloning steps, as specified in Provision Autonomous Database, Clone an Autonomous Database Instance, or Clone an Autonomous Database from a Backup.

See Private Endpoints Notes for more information.

Change from Public to Private Endpoints with Autonomous Database

If your Autonomous Database instance is configured to use a public endpoint you can change the configuration to a private endpoint.

  1. On the Details page, from the More actions drop-down list, select Update network access.

    To change an instance from a public to a private endpoint, the Autonomous Database instance must be in the Available state (Lifecycle State: Available).

  2. In the Update network access dialog, select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.

    Description of adb_network_private_update.png follows
    Note

    If you select Private endpoint access only, this only allows connections from the specified private network (VCN), from peered VCNs, and from on-prem networks connected to your VCN. Thus, you can configure an Autonomous Database instance on a private endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.
  3. (Optional) Click Show advanced options for additional options.
    1. Optionally enter a Private IP address.

      Use this field to enter a custom private IP address. The private IP address you enter must be within the selected subnet's CIDR range.

      If you do not provide a custom private IP address the IP address is automatically assigned.

    2. Optionally enter a Hostname prefix.

      This specifies a hostname prefix for the Autonomous Database and associates a DNS name with the database instance, in the following form:

      hostname_prefix.adb.region.oraclecloud.com

      If you do not specify a hostname prefix, a system generated hostname prefix is supplied.

    3. Optionally add Network security groups (NSGs).

      Optionally, to allow connections to the Autonomous Database instance define security rules in an NSG; this creates a virtual firewall for your Autonomous Database.

      • Select a Network Security Group in your compartment to attach the Autonomous Database to, or if the Network Security Group is in a different compartment, click Change Compartment and select a different compartment and then select a Network Security Group in that compartment.
      • Click + Another Network Security Group to add another Network Security Group.
      • Click x to remove a Network Security Group entry.

      For the NSG you select for the private endpoint define a security rule as follows:

      • For mutual TLS (mTLS) authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522. See About Mutual TLS (mTLS) Authentication for more information.

      • For TLS authentication, add a stateful ingress rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.

      • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

      Note

      Incoming and outgoing connections are limited by the combination of ingress and egress rules defined in NSGs and the Security Lists defined with the VCN. When there are no NSGs, ingress and egress rules defined in the Security Lists for the VCN still apply. See Security Lists for more information on working with Security Lists.

      See Private Endpoints Configuration Examples on Autonomous Database for examples.

      See Network Security Groups for more information.

  4. Click Update.
  5. In the Confirm dialog, type the Autonomous Database name to confirm the change.
  6. In the Confirm dialog, click Update.

The Lifecycle State changes to Updating until the operation completes.

Notes for changing from public to private network access:

  • After updating the network access type all database users must obtain a new wallet and use the new wallet to access the database. See Download Client Credentials (Wallets) for more information.

  • If you had ACLs defined for the public endpoint, the ACLs do not apply for the private endpoint.

  • After you update the network access to use a private endpoint, the URL for the Database Tools is different compared to using a public endpoint. You can find the updated URLs on the console, after changing from a public endpoint to a private endpoint.

Enhanced Security for Outbound Connections with Private Endpoints

When you define a private endpoint for your Autonomous Database instance you can provide enhanced security by setting a database property to enforce that all outgoing connections to a target host are subject to and limited by the private endpoint's egress rules. You define egress rules in the Virtual Cloud Network (VCN) security list or in the Network Security Group (NSG) associated with the Autonomous Database instance private endpoint.

Before you set this database property configure your Autonomous Database instance to use a private endpoint. See Configure Private Endpoints for more information.

Set the ROUTE_OUTBOUND_CONNECTIONS database property to PRIVATE_ENDPOINT to specify that all outgoing connections are subject to the Autonomous Database instance private endpoint VCN's egress rules. With the value PRIVATE_ENDPOINT the database restricts outgoing connections to locations specified by the private endpoint's egress rules.

Note

With ROUTE_OUTBOUND_CONNECTIONS not set to PRIVATE_ENDPOINT, all outgoing connections to the public internet pass through the Network Address Translation (NAT) Gateway of the service VCN. In this case, if the target host is on a public endpoint the outgoing connections are not subject to the Autonomous Database instance private endpoint VCN or NSG egress rules.

When you configure a private endpoint for your Autonomous Database instance and set ROUTE_OUTBOUND_CONNECTIONS to PRIVATE_ENDPOINT, this setting changes the handling of outbound connections for the following:

To set ROUTE_OUTBOUND_CONNECTIONS:

  1. Connect to your database.
  2. Set the database property ROUTE_OUTBOUND_CONNECTIONS.

    For example:

    ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = 'PRIVATE_ENDPOINT';

Notes for setting ROUTE_OUTBOUND_CONNECTIONS:

  • Use the following command to restore the default parameter value:

    ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = '';
  • Use the following command to query the current parameter value:

    SELECT * FROM DATABASE_PROPERTIES
            WHERE PROPERTY_NAME = 'ROUTE_OUTBOUND_CONNECTIONS';

    If the property is not set the query does not return results.

  • This property only applies for database links that you create after you set the property to the value PRIVATE_ENDPOINT. Thus, database links that you created prior to setting the property continue to use the NAT Gateway of the service VCN and are not subject to the Autonomous Database instance private endpoint's egress rules.

  • Only set ROUTE_OUTBOUND_CONNECTIONS to the value PRIVATE_ENDPOINT when you are using Autonomous Database with a private endpoint.

  • By default, when you are accessing other private endpoints the connection is subject to your VCN's egress rules. Setting ROUTE_OUTBOUND_CONNECTIONS has no effect in this case. The ROUTE_OUTBOUND_CONNECTIONS property applies when you want outgoing connections to follow the private endpoint egress rules even when accessing public endpoints.

See NAT Gateway for more information on Network Address Translation (NAT) gateway.

Private Endpoints Notes

Describes restrictions and notes for private endpoints on Autonomous Database.

  • After you update the network access to use a private endpoint, or after the provisioning or cloning completes where you configure a private endpoint, you can view the network configuration on the Autonomous Database Details page under the Network section.

    The Network section shows the following information for a private endpoint:

    • Access Type: Specifies the access type for the Autonomous Database configuration. Private endpoint configurations show the access type: Virtual Cloud Network.
    • Virtual Cloud Network: This includes a link for the VCN associated with the private endpoint.
    • Subnet: This includes a link for the subnet associated with the private endpoint.
    • Private IP: Shows the private IP for the private endpoint configuration.
    • Network Security Groups: This field includes links to the NSG(s) configured with the private endpoint.
  • After provisioning or cloning completes, you can change the Autonomous Database configuration to use a public endpoint.

    See Change from Private to Public Endpoints with Autonomous Database for information on changing to a public endpoint.

  • You can specify up to five NSGs to control access to your Autonomous Database.

  • You can change the private endpoint Network Security Group (NSG) for the Autonomous Database.

    To change the NSG for a private endpoint, do the following:

    1. On the Autonomous Databases page select an Autonomous Database from the links under the Display name column.

    2. On the Autonomous Database Details page, under Network in the Network Security Groups field, click Edit.

  • You can connect your Oracle Analytics Cloud instance to your Autonomous Database that has a private endpoint using the Data Gateway like you do for an on-premises database. See Configure and Register Data Gateway for Data Visualization for more information.

  • The following Autonomous Database tools are supported in databases configured with a private endpoint:

    • Database Actions
    • Oracle APEX
    • Oracle Graph Studio
    • Oracle Machine Learning Notebooks
    • Oracle REST Data Services
    • Oracle Database API for MongoDB

    Additional configuration is required to access these Autonomous Database tools from on-premises environments. See Example: Connecting from Your Data Center to Autonomous Database to learn more.

    Accessing Oracle APEX, Database Actions, Oracle Graph Studio, or Oracle REST Data Services using a private endpoint from on-premises environments without completing the additional private endpoint configuration shows the error:

    404 Not Found
  • After you update the network access to use a private endpoint, the URL for the Database Tools is different compared to using a public endpoint. You can find the updated URLs on the console, after changing from a public endpoint to a private endpoint.

  • In addition to the default Oracle REST Data Services (ORDS) preconfigured with Autonomous Database, you can configure an alternative ORDS deployment that provides more configuration options and that can be used with private endpoints. See About Customer Managed Oracle REST Data Services on Autonomous Database to learn about an alternative ORDS deployment that can be used with private endpoints.

  • Modifying a private IP address is not allowed after you provision or clone an instance, whether the IP address is automatically assigned when you enter a value in the Private IP address field.

Private Endpoints Configuration Examples on Autonomous Database

Shows several Private Endpoint (VCN) configuration samples for Autonomous Database.

Example: Connecting from Inside Oracle Cloud Infrastructure VCN

Demonstrates an application running inside Oracle Cloud Infrastructure on a virtual machine (VM) in the same VCN which is configured with your Autonomous Database.

Description of adb_private_endpoint1.png follows

There is an Autonomous Database instance which has a private endpoint in the VCN named "Your VCN". The VCN includes two subnets: "SUBNET B" (CIDR 10.0.1.0/24) and "SUBNET A" (CIDR 10.0.2.0/24).

The Network Security Group (NSG) associated with the Autonomous Database instance is shown as "NSG 1 - Security Rules". This Network Security Group defines security rules that allow incoming and outgoing traffic to and from the Autonomous Database instance. Define a rule for the Autonomous Database instance as follows:

  • For Mutual TLS authentication, add a stateful ingress rule to allow connections from the source to the Autonomous Database instance; the source is set to the address range you want to allow to connect to your database, IP Protocol is set to TCP, and the Destination Port Range is set to 1522.

  • For TLS authentication, add a stateful ingress rule to allow connections from the source to the Autonomous Database instance; the source is set to the address range you want to allow to connect to your database, IP Protocol is set to TCP, and the Destination Port Range is set to 1521.

  • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

The following figure shows a sample stateful security rule to control traffic for the Autonomous Database instance:

Description of adb_private_vcn_nsg_stateful1.png follows

The application connecting to the Autonomous Database is running on a VM in SUBNET B. You also add a security rule to allow traffic to and from the VM (as shown, with label "NSG 2 Security Rules"). You can use a stateful security rule for the VM, so simply add a rule for egress to NSG 2 Security Rules (this allows access to the destination subnet A).

The following figure shows sample security rules that control traffic for the VM:

Description of adb_private_vcn_rules2.png follows

After you configure the security rules, your application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.

See Network Security Groups for information on configuring Network Security Groups.

Example: Connecting from Your Data Center to Autonomous Database

Demonstrates how to connect privately to an Autonomous Database from your on-premise data center. In this scenario, traffic never goes over the public internet.

Description of adb_private_endpoint2.png follows

To connect from your data center, you connect the on-premise network to the VCN with FastConnect and then set up a Dynamic Routing Gateway (DRG). To resolve the Autonomous Database private endpoint, a Fully Qualified Domain Name (FQDN), requires that you add an entry in your on-premise client's hosts file. For example, /etc/hosts file for Linux machines. For example:

/etc/hosts entry -> 10.0.2.7 example.adb.ca-toronto-1.oraclecloud.com

To use Oracle APEX, Database Actions, and Oracle REST Data Services, add another entry with the same IP. For example:

/etc/hosts entry -> 10.0.2.7 example.adb.ca-toronto-1.oraclecloudapps.com

You find the private endpoint IP and the FQDN as follows:

  • The Private IP is shown on the Oracle Cloud Infrastructure console Autonomous Database details page for the instance.

  • The FQDN is shown in the tnsnames.ora file in the Autonomous Database client credential wallet.

Alternatively you can use Oracle Cloud Infrastructure private DNS to provide DNS name resolution. See Private DNS for more information.

In this example there is a Dynamic Routing Gateway (DRG) between the on-premise data center and "Your VCN". The VCN contains the Autonomous Database. This also shows a route table for the VCN associated with the Autonomous Database, for outgoing traffic to CIDR 172.16.0.0/16 through the DRG.

In addition to setting up the DRG, define a Network Security Group (NSG) rule to allow traffic to and from the Autonomous Database, by adding a rule for the data center CIDR range (172.16.0.0/16). In this example, define a security rule in "NSG 1" as follows:

  • For Mutual TLS authentication, create a stateful rule to allow ingress traffic from the data center. This is a stateful ingress rule with the source set to the address range you want to allow to connect to your database, protocol set to TCP, source port range set to CIDR range (172.16.0.0/16), and destination port set to 1522.

  • For TLS authentication, create a stateful rule to allow ingress traffic from the data center. This is a stateful ingress rule with the source set to the address range you want to allow to connect to your database, protocol set to TCP, source port range set to CIDR range (172.16.0.0/16), and destination port set to 1521.

  • To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.

The following figure shows the security rule that controls traffic for the Autonomous Database instance:

Description of adb_private_vcn_nsg_stateful2.png follows

After you configure the security rule, your on-premise database application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.