Configure Network Access with Private Endpoints
You can specify that Autonomous Database uses a private endpoint inside your Virtual Cloud Network (VCN) in your tenancy. You can configure a private endpoint during provisioning or cloning your Autonomous Database, or you can switch to using a private endpoint in an existing database that uses a public endpoint. This allows you to keep all traffic to and from your database off of the public internet.
Specifying the virtual cloud network configuration allows traffic only from the virtual cloud network you specify and blocks access to the database from all public IPs or VCNs. This allows you to define security rules with Security Lists or at the Network Security Group (NSG) level to specify ingress/egress for your Autonomous Database instance. Using a private endpoint and defining Security Lists or NSGs allows you to control traffic to and from your Autonomous Database instance.
If you configure your Autonomous Database instance to use a private endpoint and you also want to allow connections from specific public IP addresses or from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway, select the Allow public access option. This adds a public endpoint for a database that is configured with a private endpoint. See Use a Private Endpoint with Public Access Allowed for more information.
The Allow public access option is available only when the database uses the ECPU compute model.
Topics
- Configure Private Endpoints
You can specify that Autonomous Database uses a private endpoint and configure a Virtual Cloud Network (VCN) in your tenancy to use with the private endpoint. - Enhanced Security for Outbound Connections with Private Endpoints
When you use a private endpoint with your Autonomous Database instance you can provide enhanced security by setting theROUTE_OUTBOUND_CONNECTIONS
database property to the valuePRIVATE_ENDPOINT
. - Private Endpoints Notes
Describes restrictions and notes for private endpoints on Autonomous Database. - Private Endpoints Configuration Examples on Autonomous Database
Shows several Private Endpoint (VCN) configuration samples for Autonomous Database.
Configure Private Endpoints
You can specify that Autonomous Database uses a private endpoint and configure a Virtual Cloud Network (VCN) in your tenancy to use with the private endpoint.
- Prerequisite Steps to Configure Private Endpoints
Describes the prerequisite steps you need to perform before you configure a private endpoint for an Autonomous Database instance. - IAM Policies Required to Manage Private Endpoints
In addition to the policies required to provision and manage an Autonomous Database, some network policies are needed to use private endpoints. - Configure Private Endpoints When You Provision or Clone an Instance
You can configure a private endpoint when you provision or clone an Autonomous Database instance. - Change from Public to Private Endpoints with Autonomous Database
If your Autonomous Database instance is configured to use a public endpoint you can change the configuration to a private endpoint. - Update the Configuration for a Private Endpoint
You can change some options in the configuration of a private endpoint on an existing Autonomous Database instance. - Configure Private Endpoint Advanced Options
The private endpoint access advanced options allow you to enter a user specified private IP address and host name, select one or more network security groups, or specify details to allow public access to a private endpoint database. - Use a Private Endpoint with Public Access Allowed
Select the Allow public access option when you want to configure an Autonomous Database to use a private endpoint and you also want to allow connections from specific public IP addresses or from specific VCNs (if the VCNs are configured to privately connect to Autonomous Database using a Service Gateway).
Parent topic: Configure Network Access with Private Endpoints
Prerequisite Steps to Configure Private Endpoints
Describes the prerequisite steps you need to perform before you configure a private endpoint for an Autonomous Database instance.
Perform the following prerequisite steps before configuring a private endpoint:
-
Set required policies for the resources you are working with. See IAM Policies Required to Manage Private Endpoints for more information.
-
Create a VCN within the region that will contain your Autonomous Database. See VCNs and Subnets for more information.
-
Configure a subnet within your VCN configured with default DHCP options. See DNS in Your Virtual Cloud Network for more information.
-
(Optional) Perform the following optional step before configuring a private endpoint:
Specify a Network Security Group (NSG) within your VCN. The NSG specifies rules for connections to your Autonomous Database. See Network Security Groups for more information.
Parent topic: Configure Private Endpoints
IAM Policies Required to Manage Private Endpoints
In addition to the policies required to provision and manage an Autonomous Database, some network policies are needed to use private endpoints.
The following table lists the IAM policies required for a cloud user to add a private endpoint. The listed policies are the minimum requirements to add a private endpoint. You can also use a policy rule that is broader. For example, if you set the policy rule:
Allow group MyGroupName to manage virtual-network-family in tenancy
This rule also works because it is a superset that contains all the required policies.
Operation | Required IAM Policies |
---|---|
Configure a private endpoint |
|
Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the Console, REST API, CLI, SDK, or others).
The IAM service uses groups, compartments and policies to control which cloud users can access which resources. In particular, a policy defines what kind of access a group of users has to a particular kind of resource in a particular compartment. For more information, see Getting Started with Policies.
Parent topic: Configure Private Endpoints
Configure Private Endpoints When You Provision or Clone an Instance
You can configure a private endpoint when you provision or clone an Autonomous Database instance.
These steps assume you are provisioning or cloning an instance and you have completed the prerequisite steps, and you are at the Choose network access step of the provisioning or cloning steps:
See Private Endpoints Notes for more information.
Parent topic: Configure Private Endpoints
Change from Public to Private Endpoints with Autonomous Database
If your Autonomous Database instance is configured to use a public endpoint you can change the configuration to a private endpoint.
The Lifecycle State changes to Updating until the operation completes.
Notes for changing from public to private network access:
-
After updating the network access type all database users must obtain a new wallet and use the new wallet to access the database. See Download Client Credentials (Wallets) for more information.
-
If you had ACLs defined for the public endpoint, the ACLs do not apply for the private endpoint.
-
After you update the network access to use a private endpoint, the URL for the Database Tools is different compared to using a public endpoint. You can find the updated URLs on the console, after changing from a public endpoint to a private endpoint.
Parent topic: Configure Private Endpoints
Update the Configuration for a Private Endpoint
You can change some options in the configuration of a private endpoint on an existing Autonomous Database instance.
If the Lifecycle State is Available when you click Update, the Lifecycle State changes to Updating until the changes are applied. The database is still up and accessible, there is no downtime. When the update is complete the Lifecycle State returns to Available.
See Private Endpoints Notes for more information.
Parent topic: Configure Private Endpoints
Configure Private Endpoint Advanced Options
The private endpoint access advanced options allow you to enter a user specified private IP address and host name, select one or more network security groups, or specify details to allow public access to a private endpoint database.
These steps assume you are provisioning or cloning an Autonomous Database instance or changing from public access to private access for an existing Autonomous Database instance and you are at the Choose network access step.
Parent topic: Configure Private Endpoints
Use a Private Endpoint with Public Access Allowed
Select the Allow public access option when you want to configure an Autonomous Database to use a private endpoint and you also want to allow connections from specific public IP addresses or from specific VCNs (if the VCNs are configured to privately connect to Autonomous Database using a Service Gateway).
This option adds a public endpoint for a database that is configured on a private endpoint. You configure a private endpoint for your Autonomous Database instance when you provision or clone the instance, or when you update the network configuration for an existing Autonomous Database. See the following for details on the steps to configure an Autonomous Database instance with a private endpoint:
-
Configure Private Endpoints When You Provision or Clone an Instance
-
Change from Public to Private Endpoints with Autonomous Database
When public access is enabled with Allow public access on a private endpoint database, the instance has both a private endpoint and a public endpoint:
-
The private hostname, endpoint URL, and private IP address allow you to connect to the database from the VCN where the database resides.
-
The public hostname allows you to connect to the database from specific public IP addresses or from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway.
Autonomous Database Connection String Additions for a Private Endpoint Database with Allow Public Access Enabled
When Allow public access is enabled for a private endpoint database, there are additional connection strings that allow you to connect to the database from the public endpoint:
-
The connection strings in
tnsnames.ora
in the Autonomous Database wallet zip include the public connection strings to use with connections coming from the public internet. The connection strings for the public endpoint use the following naming convention:dbname_public_consumerGroup
For example:
adbfinance_public_low
See Download Client Credentials (Wallets) for more information.
-
You can view the connection strings for both the public endpoint and the private endpoint from the Oracle Cloud Infrastructure Console (or using the API).
See View TNS Names and Connection Strings for an Autonomous Database Instance for more information.
Autonomous Database Tools Additions for a Private Endpoint Database with Allow Public Access Enabled
When Allow public access is enabled for a private endpoint database, the database tools allow you to connect from specific public IP addresses or from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway:
-
Each tool has a private access URL and a public access URL displayed in the Tool configuration table. Use the public access URL to access the tool from specific public IP addresses or from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway.
For example:
See View Autonomous Database Built-in Tools Status for more information.
-
The
README
file in the wallet zip file provides both an Access Link for the private endpoint for each database tool and a Public Access Link.See Wallet README File for more information.
Parent topic: Configure Private Endpoints
Enhanced Security for Outbound Connections with Private Endpoints
When you
use a private endpoint with your Autonomous Database instance you can provide enhanced security by setting the
ROUTE_OUTBOUND_CONNECTIONS
database property to the value
PRIVATE_ENDPOINT
.
Setting the ROUTE_OUTBOUND_CONNECTIONS
database property
to the value PRIVATE_ENDPOINT
enforces that all
outgoing connections to a target host are subject to and limited by
the private endpoint's egress rules. You define egress rules in the
Virtual Cloud Network (VCN) security list or in the Network Security
Group (NSG) associated with the Autonomous Database instance private endpoint.
Before you set the
ROUTE_OUTBOUND_CONNECTIONS
database
property, configure your Autonomous Database instance to use a private
endpoint. See Configure Private Endpoints for more information.
Set the ROUTE_OUTBOUND_CONNECTIONS
database
property to PRIVATE_ENDPOINT
to specify that all
outgoing connections are subject to the Autonomous Database
instance private endpoint VCN's egress rules. With the value
PRIVATE_ENDPOINT
the database restricts
outgoing connections to locations specified by the private
endpoint's egress rules and also changes DNS resolution such that
hostnames are resolved using your VCN's DNS resolver (not using a
public DNS resolver).
With
ROUTE_OUTBOUND_CONNECTIONS
not set to
PRIVATE_ENDPOINT
, all outgoing connections
to the public internet pass through the Network Address Translation
(NAT) Gateway of the service VCN. In this case, if the target host
is on a public endpoint the outgoing connections are not subject to
the Autonomous Database
instance private endpoint VCN or NSG egress rules.
When you configure a private endpoint for your Autonomous Database
instance and set ROUTE_OUTBOUND_CONNECTIONS
to
PRIVATE_ENDPOINT
, this setting changes the
handling of outbound connections and DNS resolution for the
following:
-
Database links
-
APEX_LDAP, APEX_MAIL, and APEX_WEB_SERVICE
-
UTL_HTTP, UTL_SMTP, and UTL_TCP
-
DBMS_LDAP
-
CMU with Microsoft Active Directory
See Use Microsoft Active Directory with Autonomous Database for more information.
To set ROUTE_OUTBOUND_CONNECTIONS
:
Notes for setting
ROUTE_OUTBOUND_CONNECTIONS
:
-
Use the following command to restore the default parameter value:
ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = '';
-
Use the following command to query the current parameter value:
SELECT * FROM DATABASE_PROPERTIES WHERE PROPERTY_NAME = 'ROUTE_OUTBOUND_CONNECTIONS';
If the property is not set the query does not return results.
-
This property only applies for database links that you create after you set the property to the value
PRIVATE_ENDPOINT
. Thus, database links that you created prior to setting the property continue to use the NAT Gateway of the service VCN and are not subject to the Autonomous Database instance private endpoint's egress rules. -
Only set
ROUTE_OUTBOUND_CONNECTIONS
to the valuePRIVATE_ENDPOINT
when you are using Autonomous Database with a private endpoint. -
When your database is on a private endpoint and you want your outbound connections to be resolved by your VCN, you need to set the
ROUTE_OUTBOUND_CONNECTIONS
parameter toPRIVATE_ENDPOINT
.
See NAT Gateway for more information on Network Address Translation (NAT) gateway.
Parent topic: Configure Network Access with Private Endpoints
Private Endpoints Notes
Describes restrictions and notes for private endpoints on Autonomous Database.
-
After you update the network access to use a private endpoint, or after the provisioning or cloning completes where you configure a private endpoint, you can view the network configuration on the Autonomous Database Details page under the Network section.
The Network section shows the following information for a private endpoint:
- Access type: Specifies the access type for the Autonomous Database configuration. Private endpoint configurations show the access type: Virtual cloud network.
- Availability domain: Specifies the availability domain of your Autonomous Database instance.
- Virtual cloud network: This includes a link for the VCN associated with the private endpoint.
- Subnet: This includes a link for the subnet associated with the private endpoint.
- Private endpoint IP: Shows the private endpoint IP for the private endpoint configuration.
- Private endpoint URL: Shows the private endpoint URL for the private endpoint configuration.
- Network security groups: This field includes links to the NSG(s) configured with the private endpoint.
- Public access: This field indicates whether public
access is enabled for the private endpoint. Click the
Edit
link to view or change the allowed ACLs or VCNs. - Public endpoint URL: This shows when Allow public access is enabled on the private endpoint. This is the public endpoint URL that you can use to connect from allowed IPs or VCNs on the public internet.
For more details on the network information on the Oracle Cloud Infrastructure Console, see View Network Information on the OCI Console.
-
After provisioning or cloning completes, you can change the Autonomous Database configuration to use a public endpoint.
See Change from Private to Public Endpoints with Autonomous Database for information on changing to a public endpoint.
-
You can specify up to five NSGs to control access to your Autonomous Database.
-
You can change the private endpoint Network Security Group (NSG) for the Autonomous Database.
To change the NSG for a private endpoint, do the following:
-
On the Autonomous Databases page select an Autonomous Database from the links under the Display name column.
-
On the Autonomous Database Details page, under Network in the Network Security Groups field, click Edit.
-
-
You can connect your Oracle Analytics Cloud instance to your Autonomous Database that has a private endpoint using the Data Gateway like you do for an on-premises database. See Configure and Register Data Gateway for Data Visualization for more information.
-
The following Autonomous Database tools are supported in databases configured with a private endpoint:
- Database Actions
- Oracle APEX
- Oracle Graph Studio
- Oracle Machine Learning Notebooks
- Oracle REST Data Services
- Oracle Database API for MongoDB
Additional configuration is required to access these Autonomous Database tools from on-premises environments. See Example: Connecting from Your Data Center to Autonomous Database to learn more.
Accessing Oracle APEX, Database Actions, Oracle Graph Studio, or Oracle REST Data Services using a private endpoint from on-premises environments without completing the additional private endpoint configuration shows the error:
404 Not Found
-
After you update the network access to use a private endpoint, the URL for the Database Tools is different compared to using a public endpoint. You can find the updated URLs on the console, after changing from a public endpoint to a private endpoint.
-
In addition to the default Oracle REST Data Services (ORDS) preconfigured with Autonomous Database, you can configure an alternative ORDS deployment that provides more configuration options and that can be used with private endpoints. See About Customer Managed Oracle REST Data Services on Autonomous Database to learn about an alternative ORDS deployment that can be used with private endpoints.
-
Modifying a private IP address is not allowed after you provision or clone an instance, whether the IP address is automatically assigned when you enter a value in the Private IP address field.
Parent topic: Configure Network Access with Private Endpoints
Private Endpoints Configuration Examples on Autonomous Database
Shows several Private Endpoint (VCN) configuration samples for Autonomous Database.
- Example: Connecting from Inside Oracle Cloud Infrastructure VCN
Demonstrates an application running inside Oracle Cloud Infrastructure on a virtual machine (VM) in the same VCN which is configured with your Autonomous Database. - Example: Connecting from Your Data Center to Autonomous Database
Demonstrates how to connect privately to an Autonomous Database from your on-premise data center. In this scenario, traffic never goes over the public internet.
Parent topic: Configure Network Access with Private Endpoints
Example: Connecting from Inside Oracle Cloud Infrastructure VCN
Demonstrates an application running inside Oracle Cloud Infrastructure on a virtual machine (VM) in the same VCN which is configured with your Autonomous Database.
There is an Autonomous Database instance which has a private endpoint in the VCN named "Your VCN". The VCN includes two subnets: "SUBNET B" (CIDR 10.0.1.0/24) and "SUBNET A" (CIDR 10.0.2.0/24).
The Network Security Group (NSG) associated with the Autonomous Database instance is shown as "NSG 1 - Security Rules". This Network Security Group defines security rules that allow incoming and outgoing traffic to and from the Autonomous Database instance. Define a rule for the Autonomous Database instance as follows:
-
For Mutual TLS authentication, add a stateful ingress rule to allow connections from the source to the Autonomous Database instance; the source is set to the address range you want to allow to connect to your database, IP Protocol is set to TCP, and the Destination Port Range is set to 1522.
-
For TLS authentication, add a stateful ingress rule to allow connections from the source to the Autonomous Database instance; the source is set to the address range you want to allow to connect to your database, IP Protocol is set to TCP, and the Destination Port Range is set to 1521.
-
To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.
The following figure shows a sample stateful security rule to control traffic for the Autonomous Database instance:
The application connecting to the Autonomous Database is running on a VM in SUBNET B. You also add a security rule to allow traffic to and from the VM (as shown, with label "NSG 2 Security Rules"). You can use a stateful security rule for the VM, so simply add a rule for egress to NSG 2 Security Rules (this allows access to the destination subnet A).
The following figure shows sample security rules that control traffic for the VM:
After you configure the security rules, your application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.
See Network Security Groups for information on configuring Network Security Groups.
Example: Connecting from Your Data Center to Autonomous Database
Demonstrates how to connect privately to an Autonomous Database from your on-premise data center. In this scenario, traffic never goes over the public internet.
To connect from your data center, you connect the on-premise network to the
VCN with FastConnect and then set up a
Dynamic Routing Gateway (DRG). To resolve the Autonomous Database private endpoint, a Fully Qualified Domain Name (FQDN),
requires that you add an entry in your on-premise client's hosts file. For example,
/etc/hosts
file for Linux machines. For example:
/etc/hosts entry -> 10.0.2.7 example.adb.ca-toronto-1.oraclecloud.com
To use Oracle APEX, Database Actions, and Oracle REST Data Services, add another entry with the same IP. For example:
/etc/hosts entry -> 10.0.2.7 example.adb.ca-toronto-1.oraclecloudapps.com
You find the private endpoint IP and the FQDN as follows:
-
The Private IP is shown on the Oracle Cloud Infrastructure console Autonomous Database details page for the instance.
-
The FQDN is shown in the
tnsnames.ora
file in the Autonomous Database client credential wallet.
Alternatively you can use Oracle Cloud Infrastructure private DNS to provide DNS name resolution. See Private DNS for more information.
In this example there is a Dynamic Routing Gateway (DRG) between the on-premise data center and "Your VCN". The VCN contains the Autonomous Database. This also shows a route table for the VCN associated with the Autonomous Database, for outgoing traffic to CIDR 172.16.0.0/16 through the DRG.
In addition to setting up the DRG, define a Network Security Group (NSG) rule to allow traffic to and from the Autonomous Database, by adding a rule for the data center CIDR range (172.16.0.0/16). In this example, define a security rule in "NSG 1" as follows:
-
For Mutual TLS authentication, create a stateful rule to allow ingress traffic from the data center. This is a stateful ingress rule with the source set to the address range you want to allow to connect to your database, protocol set to TCP, source port range set to CIDR range (172.16.0.0/16), and destination port set to 1522.
-
For TLS authentication, create a stateful rule to allow ingress traffic from the data center. This is a stateful ingress rule with the source set to the address range you want to allow to connect to your database, protocol set to TCP, source port range set to CIDR range (172.16.0.0/16), and destination port set to 1521.
-
To use Oracle APEX, Database Actions, and Oracle REST Data Services, add port 443 to the NSG rule.
The following figure shows the security rule that controls traffic for the Autonomous Database instance:
After you configure the security rule, your on-premise database application can connect to the Autonomous Database instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.