Connect to Private Resources
To connect to private resources that are in your virtual cloud network (VCN), use a private endpoint.
Overview
Outbound traffic, also called egress traffic, originates in your Oracle Integration instance and goes to your organization's network or a private cloud. All outbound traffic is routed through an adapter. When you use a private endpoint, the outbound traffic is routed on a private channel that is set up within Oracle Cloud Infrastructure. The traffic never goes through the public internet.
A private endpoint doesn't secure inbound traffic, also called ingress traffic, which originates outside Oracle Integration and goes to Oracle Integration. You restrict inbound traffic using access control lists (ACLs), also known as allowlists.
You can secure the following outbound traffic using a private endpoint:
- Outbound traffic that connects to a private resource in your VCN.
- Outbound traffic that connects to a public-facing endpoint with an access control list (ACL) that accepts requests from specific IP addresses.
  In such cases, you typically create a private NAT gateway, and the ACL accepts requests only from the IP address of the NAT gateway.
- Because network topologies can vary greatly, Oracle Integration supports and documents only the first scenario. However, other scenarios, such as using a NAT gateway, are possible.
- You cannot use a private endpoint to connect to resources deployed on a non-Oracle Cloud Infrastructure cloud (for example, Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP)). Instead, use the connectivity agent for this type of connection (discussed below).
Another option for connecting to resources on your on-premises network is the connectivity agent. Keep reading to learn when to use each option.
Differences between private endpoints and the connectivity agent
Area | Private endpoint | Connectivity agent |
---|---|---|
Usage | Use a private endpoint to: | Use the connectivity agent to connect to resources on your on-premises network. |
Security | Oracle Integration routes traffic and packages through the private endpoint. All traffic stays on your private network without going over the public internet. | Oracle Integration routes traffic over the public internet. |
Setup and maintenance | Before you can create a private endpoint, complete the prerequisite tasks. These tasks can take some time and require your organization's networking team. However, most of this work might already be complete. For example, if you have resources in your private Oracle Cloud Infrastructure tenancy, you already have a VCN and subnet, which are required. After completing all prerequisite tasks, configure the private endpoint. Configure only one private endpoint per Oracle Integration instance. | Setup of the connectivity agent is fast. Create a virtual machine (VM) on your private network to host the connectivity agent, and then install the connectivity agent on the VM. The connectivity agent requires ongoing maintenance and management. For example, you must manage the VM and the upgrade cycles of the connectivity agent. See About the Connectivity Agent in Using Integrations in Oracle Integration 3. |
Adapter support | All outbound traffic from Oracle Integration goes through a connection that is based on an adapter. Therefore, while you create a private endpoint for an instance, securing outbound traffic with the private endpoint is available on an adapter-by-adapter basis. See Adapters that Support Connecting to Private Endpoints in Using Integrations in Oracle Integration 3. | Similarly, outbound traffic for the connectivity agent goes through a connection that is based on an adapter. The connectivity agent works with a number of adapters. |
How to use the private endpoint in a connection
To use the private endpoint to connect to a private resource, create a connection based on an adapter that supports private endpoints, and select Private endpoint as the Access type.
Within an integration, use different connection types as needed. For example, one connection can use the connectivity agent for a resource that's on your on-premises network, while another connection can use a private endpoint for a resource that's in your VCN.
See Create a Connection in Using Integrations in Oracle Integration 3.
Architecture diagram of private endpoints
The following diagram illustrates how you can connect to private resources using a private endpoint.