Create a Private Endpoint

A private endpoint is a private IP address within your Virtual Cloud Network (VCN) that you can use to access a given service within Oracle Cloud Infrastructure.

Ops Insights communicates with Oracle Cloud Databases via private endpoints defined within a Virtual Cloud Network (VCN). For more information about private access and endpoints to OCI services, see Private Endpoints.

Private endpoints must be created in each service; private endpoints created in other services will not appear in the Ops Insights private endpoint list page. However, Database Management endpoints can be converted to Ops Insights endpoints.

Note

Before you create a private endpoint in Ops Insights, you must have the following details:
  • The name of the VCN used to access your database.
  • The name of the subnet in the VCN.
  • The name of the network security group (optional).

The private endpoint is a representation of Ops Insights in the VCN in which the Oracle Cloud Database can be accessed, and acts as a Virtual Network Interface Card (VNIC) with private IP addresses in a subnet of your choice. The private endpoint does not have to be on the same subnet as the Oracle Cloud Database, but it must be on a subnet that can communicate with the Oracle Cloud Database.

Ops Insights lets you create a private endpoint for Oracle Cloud Databases. You can create a maximum of five Ops Insights private endpoints in your tenancy (per region) to connect to Oracle Base Databases, Exadata Database Service on Dedicated Infrastructure, and Autonomous AI Databases. There is no set limit or restriction on the number of databases for which you can enable Ops Insights using a single private endpoint. The private endpoint requires one private IP in the subnet.
Note

In the past, a private endpoint for Cloud Oracle Base Databases was available and required for RAC Oracle Cloud Databases and Exadata Database Service on Dedicated Infrastructure. Starting December 2023, these are no longer required for Ops Insights to connect to these types of Oracle Cloud Databases.

If you set up a private endpoint for RAC Oracle Cloud Databases prior to December 2023, it will continue to function.

Dedicated Autonomous AI Databases still require a special DNS proxy enabled private endpoint.

Creating a Private Endpoint

To create a private endpoint:

  1. Open the navigation menu, click Observability & Management, and then click Ops Insights.
  2. In the left pane, click Administration, and then click Private endpoints.

    The Private Endpoints page displays. If endpoints for the compartment were previously defined, they will appear in the table where you can perform administrative functions.

  3. Click Create private endpoint. The Create private endpoint panel displays.
  4. Enter the required parameters to define the endpoint:
    • Name: An easily identifiable name for the endpoint.
    • Description: Optional
    • Compartment: Select a compartment in which to create the private endpoint from the drop-down list. By default, the compartment that was selected prior to clicking Create private endpoint is selected. Note that this does not have to match the database compartment.

    Configuration

    The private endpoint will be created in the VCN and subnet selected here. Select a subnet that has connectivity to the subnet that contains the database that will be added to Ops Insights.
    Note

    Dedicated Autonomous AI Databases require a special DNS proxy enabled private endpoint. To enable it, select Use this private endpoint for Dedicated Autonomous AI Databases. Select this option if at least one Dedicated Autonomous AI Database will be connected to the private endpoint.
    • Virtual Cloud Network in <compartment>: Select the VCN within the current compartment that will be used to access the Cloud database. If desired, use the drop-down list to choose another VCN in that compartment.
    • Subnet in <compartment>: Select a subnet within the chosen VCN. By default, the first subnet in the drop-down list is selected.

    Network Security Groups (optional)

    A network security group provides additional, fine-grained security access for resources that use the private endpoint. A network security group acts as a virtual firewall and lets you separate your VCN's subnet architecture from your security requirements.

    To add a network security group to the private endpoint:

    1. Turn on Use network security groups to control traffic.
    2. Select the compartment and network security group.
    3. To add another network security group, click + Another network security group.

    Tags

    Optionally, add free-form or defined tags to the private endpoint. If you have the permissions required to create a private endpoint, then you also have permissions to add free-form tags. To add a defined tag, you must have permissions to use the tag namespace.

    For information on:

    Security attributes

    Optionally, add security attributes to the private endpoint. Click Add security attribute, and then specify the security attribute namespace, key, and value. For more information, see Manage Security Attributes for Private Endpoints.

  5. Click Create. The Private endpoint details page displays where you can view private endpoint information including direct links to the details pages for the endpoint’s VCN, subnet, and network security groups.

For more information about security groups, see Network Security Groups.

From the Private endpoint details page, you can perform the following operations:

  • Edit the private endpoint (name, description, add/delete network security groups)
  • Move the private endpoint to a different compartment
  • Delete the private endpoint
  • View existing or define new resource tags
  • View the associated databases.
  • View work requests associated with the private endpoint. For more information about work requests, see Work Resources.

Some of these operations can also be performed from the Private Endpoints page by clicking the Actions menu for a private endpoint.

Deleting a Private Endpoint

You can delete a private endpoint from the Private Endpoints page. Important: All databases accessing the private endpoint must first be disabled.

Manage Security Attributes for Private Endpoints

You can optionally add Zero Trust Packet Routing (ZPR) security attributes to private endpoints to control access through ZPR policies. ZPR evaluates these attributes together with existing network controls.

For more information on security attributes and ZPR, see Security Attributes and Overview of Zero Trust Packet Routing.

Note

If you add security attributes to a private endpoint, verify that the required ZPR policies are in place; otherwise, intended traffic can be blocked.

Setup

Before you add security attributes to a private endpoint, complete the required ZPR setup and verify that the network configuration allows the intended traffic.

  1. Ensure that the required IAM permissions, security attribute namespaces, security attributes, and ZPR policies are already configured. For more information, see Zero Trust Packet Routing IAM Policies, Security Attributes, and Zero Trust Packet Routing Policy.
  2. Decide which security attributes to add to the private endpoint so that the applicable ZPR policies allow the intended traffic.

Important Considerations

  • Administrators must set up security attribute namespaces and security attributes in the tenancy before users can apply security attributes to private endpoints.
  • When security attributes are used, access to the private endpoint is governed by ZPR policies together with existing network controls, such as security lists and NSGs.
  • A security attribute is effective only when appropriate ZPR policies are defined. If you add a security attribute without corresponding policies, access to the private endpoint is denied by default, even if NSGs or security lists would otherwise allow the traffic.
  • You can add up to three security attributes to a private endpoint. If you aren't sure which attributes to use, contact your network administrator.
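As an added example (not part of this documentation or of the Ops Insights service), the following Python checks a planned private endpoint request against the constraints described in the creation procedure and the ZPR considerations above before anything is submitted through the OCI CLI or SDK. The request shape, the OCIDs, and the set of attributes referenced by ZPR policies are constructed assumptions.

```python
"""Pre-flight checks for an Ops Insights private endpoint request (added example)."""
from dataclasses import dataclass, field

MAX_ENDPOINTS_PER_REGION = 5   # limit per tenancy and region stated in the documentation
MAX_SECURITY_ATTRIBUTES = 3    # ZPR security attribute limit per private endpoint

# Constructed sample OCIDs, not real resources.
VCN_A = "ocid1.vcn.oc1..EXAMPLE-vcn-a"
SUBNET_A1 = "ocid1.subnet.oc1..EXAMPLE-subnet-a1"
SAMPLE_SUBNET_TO_VCN = {SUBNET_A1: VCN_A}

@dataclass
class EndpointRequest:          # assumed shape of what a script assembles before calling OCI
    name: str
    compartment_id: str
    vcn_id: str
    subnet_id: str
    nsg_ids: list = field(default_factory=list)
    dedicated_adb: bool = False  # at least one Dedicated Autonomous AI Database will connect
    dns_proxy: bool = False      # the "Use this private endpoint for Dedicated ..." option
    security_attributes: dict = field(default_factory=dict)  # "namespace.key" -> value

def preflight(req, existing_count, subnet_to_vcn, zpr_policy_attrs):
    """Return the problems found; an empty list means the request is safe to submit.
    existing_count:   Ops Insights private endpoints already present in this region
    subnet_to_vcn:    subnet OCID -> VCN OCID, as obtained from the Networking service
    zpr_policy_attrs: "namespace.key" names referenced by existing ZPR policies
    """
    problems = []
    if existing_count >= MAX_ENDPOINTS_PER_REGION:
        problems.append(f"{existing_count} endpoints already exist in this region (limit {MAX_ENDPOINTS_PER_REGION})")
    if subnet_to_vcn.get(req.subnet_id) != req.vcn_id:
        problems.append(f"subnet {req.subnet_id} does not belong to VCN {req.vcn_id}")
    if req.dedicated_adb and not req.dns_proxy:
        problems.append("Dedicated Autonomous AI Databases need the DNS proxy enabled endpoint option")
    if len(req.security_attributes) > MAX_SECURITY_ATTRIBUTES:
        problems.append(f"{len(req.security_attributes)} security attributes exceed the limit of {MAX_SECURITY_ATTRIBUTES}")
    # An attribute with no ZPR policy referencing it denies access by default,
    # even when NSGs and security lists would otherwise allow the traffic.
    for attr in req.security_attributes:
        if attr not in zpr_policy_attrs:
            problems.append(f"security attribute {attr} is not referenced by any ZPR policy; traffic would be denied")
    return problems

def sample_request(**overrides):
    """A valid constructed request; pass fields to override for negative cases."""
    base = dict(name="opsi-pe-prod", compartment_id="ocid1.compartment.oc1..EXAMPLE",
                vcn_id=VCN_A, subnet_id=SUBNET_A1, security_attributes={"ops.tier": "db"})
    base.update(overrides)
    return EndpointRequest(**base)
```

Feed it the real endpoint count, subnet-to-VCN map, and ZPR policy attribute names from your tenancy; the check is advisory and does not replace the service-side validation.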

Add Security Attributes

You can add security attributes when you create a private endpoint or from the Private endpoint details page after the private endpoint is created.

To add security attributes from the Private endpoint details page:

  1. Go to the Private endpoint details page for the private endpoint.
  2. On the Security tab, in the Security attributes section, click Add.
  3. Specify the security attribute namespace, key, and value.
  4. Click Add security attributes.

List Security Attributes

To view the security attributes added to a private endpoint, go to the Private endpoint details page for the private endpoint, and then click the Security tab. The Security attributes section lists the security attributes added to the private endpoint.