Enable Communication Between Database Management and Oracle Cloud Databases
You must enable communication between Database Management and the Oracle Cloud Database by adding the ingress and egress security rules to an NSG or a Security List in the VCN in which the Oracle Cloud Database can be accessed.
The information in this topic is only applicable for Oracle Cloud Databases in the Base Database Service and ExaDB-D and not for Oracle Cloud Databases in ExaDB-C@C.
Before you enable communication between Database Management and the Oracle Cloud Database, you must:
- Ensure that you're familiar with security rules. For information, see Security Rules.
- Depending on whether you want to use NSGs or Security Lists to add the
ingress and egress rules, you must have the required permissions and be familiar
with how to add security rules.
Note
- An NSG must be available to create a Database Management private endpoint. For more information, see Network Security Groups.
- A security list rule that allows access over the database port <number> is applied to the NSG for access within the VCN or subnet CIDR block. For more information, see Security Lists.
- Make a note of the Oracle Cloud Database private IP addresses and port
details and the Database Management private IP addresses.
These are details that you may have to enter when you add security rules, and here's
information on where you can find them:
- For Oracle Cloud Database port details, see the DB system information section on the Database System Details page for Oracle Cloud Databases in the Base Database Service. For Oracle Cloud Databases in ExaDB-D, see Network details on the Exadata VM Cluster Details page.
- For Oracle Cloud Database private IP addresses, see the Nodes section on the Database System Details page for single instance databases in the Base Database Service. For RAC databases, use the Scan IP address, which is available on the DB System Details page for Virtual Machine DB systems in the Base Database Service and on the Exadata VM Cluster Details page for ExaDB-D.
For information on how to obtain the Database Management private IP addresses, see Create a Database Management Private Endpoint for Oracle Cloud Databases. Note that a Database Management private endpoint for single instance Oracle Cloud Databases in the Base Database Service has only one private IP address and a Database Management private endpoint for RAC Oracle Cloud Databases in the Base Database Service and ExaDB-D has two private IP addresses.
For Database Management to communicate with the Oracle Cloud Database, you must add ingress and egress security rules using either NSGs or Security Lists. Here are a couple of examples that illustrate how to enable communication between a Database Management private endpoint and the Oracle Cloud Databases in a Virtual Machine DB system in the Base Database Service, using NSGs and Security Lists.
Create an NSG to enable communication between the Database Management private endpoint and a Virtual Machine DB system
In the following example, an NSG is created and added to:
- A Virtual Machine DB system
- A Database Management private endpoint for single instance Oracle Cloud Databases (which is already created)
On completing the tasks listed in this example, the Database Management private endpoint will have access to all the single instance databases in the Virtual Machine DB system's VCN without impacting the VCN's subnet architecture.
For information on how to create an NSG in the Virtual Machine DB system's VCN, see To create an NSG.
When creating the NSG, add the following stateful security rules. These security rules will then be added to the Virtual Machine DB system's VCN:
- Ingress rule for the Virtual Machine DB system's VCN: The Virtual Machine DB system's VCN (on port 1521) can receive incoming traffic from the Database Management private endpoint's subnet (10.0.0.0/24) from any port.
- Egress rule for the Database Management private endpoint: The Database Management private endpoint's subnet (from any port) can send requests to the Virtual Machine DB system's VCN (10.0.0.0/16) on port 1521.
After you create the NSG, you must add it to the Virtual Machine DB system and the Database Management private endpoint.
For information on how to add the NSG to the Virtual Machine DB system, see Manage Network Security Groups for a DB System.
To add the NSG to the Database Management private endpoint, go to the Database Management Private endpoints page and click the private endpoint. On the Private endpoint details page, click the link adjacent to Network security groups and add the newly created NSG. For information on how to go to the Database Management Private endpoints page, see Create a Database Management Private Endpoint for Oracle Cloud Databases.
Add security rules to a Security List to enable communication between a Database Management private endpoint and a Virtual Machine DB system
In the following example, stateful security rules are added to an existing Security List in the Virtual Machine DB system's VCN to enable communication between a Database Management private endpoint for single instance Oracle Cloud Databases and all the subnets in the VCN. This ensures that the Database Management private endpoint can access all the single instance databases in the VCN.
For information on how to update an existing Security List, see To update rules in an existing security list.
Add the following stateful security rules to the Security List:
- Ingress rule for the Virtual Machine DB system's VCN: The Virtual Machine DB system's VCN (on port 1521) can receive incoming traffic from the Database Management private IP address (10.0.0.6/32) from any port.
- Egress rule for the Database Management private endpoint: The Database Management private IP address (from any port) can send requests to the Virtual Machine DB system's VCN (10.0.0.0/16) on port 1521.