Create an Instance as a Private Endpoint

When creating a Visual Builder instance, you can specify that Visual Builder uses a private endpoint inside your Virtual Cloud Network (VCN) in your tenancy. If you want to use a private endpoint, you need to specify this as part of the provisioning process.

Configuring your instance to use a private endpoint instead of a public endpoint keeps all traffic to and from your instance off the public internet. Specifying the VCN configuration allows traffic only from the virtual cloud network you specify, and blocks access to the instance from all public IP addresses and from other VCNs.

This diagram shows an example of a network setup for a Visual Builder instance on Oracle Cloud Infrastructure when the instance has a private endpoint enabled.

If you wish, you can allow access to a private endpoint from outside the VCN by placing a load balancer in front of the endpoint. This way you can allow public access to the instance while the instance itself stays within the private VCN, where it can access your ATP database.

Prerequisite Steps for Configuring a Private Endpoint

You need to perform some steps before you can configure a private endpoint for a Visual Builder instance.

Note

You can use the Oracle Cloud Infrastructure Resource Manager to help you create the VCN, private subnet and load balancer. See Create Visual Builder Resources Using Oracle Cloud Infrastructure Resource Manager.

Perform the following prerequisite steps before configuring a private endpoint:

  • Set required policies for the resources you are working with. See IAM Policies Required to Manage Private Endpoints for more information.

  • Create a VCN within the region that will contain your private endpoint instance. See VCNs and Subnets for more information. The VCN and the IDCS instance for your identity domain must be in the same region.

  • Configure a private subnet within your VCN configured with default DHCP options. See DNS in Your Virtual Cloud Network for more information.

  • Configure your subnet to add a NAT Gateway to allow access from the subnet to the public internet. The minimum requirement is to allow access to the content delivery network (CDN) at static.oracle.com on the public internet. The CDN provides resources that are required by the Visual Builder runtime when you stage, publish or use your apps.

  • Configure your subnet with a "Service Gateway" to allow connections from the subnet to your Oracle Services (IDCS) instance. For example, you might want to add a Service Gateway to the subnet route table, and set the "Destination" value of the Service Gateway to "All SJC Services In Oracle Services Network". In this case, the subnet security list rules should also allow egress to IDCS using "All SJC Services In Oracle Services Network".

  • (Optional) Specify a Network Security Group (NSG) within your VCN. The NSG specifies rules for connections to your instance. See Network Security Groups for more information.

IAM Policies Required to Manage Private Endpoints

In addition to the policies required to provision and manage your instance, some network policies are needed to use private endpoints.

The following table lists the IAM policies required for a cloud user to add a private endpoint. The listed policies are the minimum requirements to add a private endpoint. You can also use a policy rule that is broader. For example, you could set the policy rule like this:

Allow group MyGroupName to manage virtual-network-family in compartment <compartmentName1>
Allow group MyGroupName to manage virtual-network-family in compartment <compartmentName2>

In this policy, <compartmentName1> is the compartment where the VCN and subnet exist, and <compartmentName2> is the compartment where the Visual Builder instance will be created.

This broader rule also works because it is a superset of all the required policies.

Operation: Configure a private endpoint

Required IAM policies:

  • use vcns for the compartment that contains the VCN

  • use subnets for the compartment that contains the VCN

  • use network-security-groups for the compartment that contains the network security group

  • manage private-ips for the compartment that contains the VCN

  • manage vnics for the compartment that contains the VCN

  • manage vnics for the compartment in which the Visual Builder instance is provisioned or is to be provisioned

Visual Builder relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the Console, REST API, CLI, SDK, or others).

The IAM service uses groups, compartments and policies to control which cloud users can access which resources. In particular, a policy defines what kind of access a group of users has to a particular kind of resource in a particular compartment. For more information, see Getting Started with Policies.
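The minimum policies from the table above, written as an OCI Terraform policy resource. This is an added example, not code from the Visual Builder documentation; it assumes the two compartment OCIDs are supplied as variables, that the NSG lives in the same compartment as the VCN, reuses the page's MyGroupName group, and attaches the policy at the tenancy root so one policy can reference both compartments.

```hcl
# Added example: minimum IAM policy for adding a private endpoint to a
# Visual Builder instance. All OCIDs are assumed inputs (placeholders).
variable "tenancy_ocid" {}
variable "network_compartment_id" {} # compartment that contains the VCN, subnet and NSG
variable "vb_compartment_id" {}      # compartment where the Visual Builder instance is created
variable "group_name" { default = "MyGroupName" }

locals {
  net = "compartment id ${var.network_compartment_id}"
  vb  = "compartment id ${var.vb_compartment_id}"
}

# Attached at the tenancy root: a policy can only grant access to compartments
# beneath it, so this works even when the two compartments are siblings.
resource "oci_identity_policy" "vb_private_endpoint" {
  compartment_id = var.tenancy_ocid
  name           = "vb-private-endpoint-policy"
  description    = "Least-privilege network access for Visual Builder private endpoints"

  statements = [
    "Allow group ${var.group_name} to use vcns in ${local.net}",
    "Allow group ${var.group_name} to use subnets in ${local.net}",
    "Allow group ${var.group_name} to use network-security-groups in ${local.net}",
    "Allow group ${var.group_name} to manage private-ips in ${local.net}",
    "Allow group ${var.group_name} to manage vnics in ${local.net}",
    "Allow group ${var.group_name} to manage vnics in ${local.vb}",
  ]
  # The broader "manage virtual-network-family" rule from the text is a superset
  # of these statements; the narrow set above is the least privilege that works.
}
```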

Create Visual Builder Resources Using Oracle Cloud Infrastructure Resource Manager

You can use the Visual Builder Private Endpoint Quick Start on GitHub and the Oracle Cloud Infrastructure (OCI) Resource Manager to help you create the VCN, private subnet, and load balancer.

The Quick Start on GitHub hosts the zip archive used by the OCI Resource Manager to create the prerequisite infrastructure for a private endpoint-enabled Visual Builder instance. With a single click you can create and deploy the infrastructure for your Visual Builder private endpoint that includes a VCN, private subnet, and load balancer.

To create the infrastructure using OCI Resource Manager:

  1. Click this button to open the OCI Resource Manager:
    Deploy to Oracle Cloud

    If the button doesn't work, click this link: Deploy to Oracle Cloud.

    When you click the button, a zip archive for creating the infrastructure is retrieved from the Visual Builder Private Endpoint Quick Start on GitHub, and the OCI Resource Manager opens in your browser.

  2. If you aren't already signed in, enter the tenancy and user credentials.
  3. Review and accept the terms and conditions.
  4. Select the region where you want to deploy the stack.
  5. Follow the on-screen prompts and instructions to create the stack.
  6. After creating the stack, click Terraform Actions, and select Plan.
  7. Wait for the job to be completed, and review the plan.

    To make any changes, return to the Stack Details page, click Edit Stack, and make the required changes. Then, run the Plan action again.

  8. If no further changes are necessary, return to the Stack Details page, click Terraform Actions, and select Apply.

Provision an Instance as a Private Endpoint

When you provision a Visual Builder instance, you can choose to have the instance configured as a private endpoint.

These steps assume that you are provisioning an instance, have completed the prerequisite steps, and are at the Choose network access step in the provisioning process:

  1. Select Private endpoint access only.

    This expands the Virtual cloud network private access configuration area.

    Private endpoint access only allows connections only from the specified private network (VCN), from peered VCNs, and from on-premises networks connected to your VCN.

  2. Select a VCN compartment, and a VCN in your compartment.

    See VCNs and Subnets for more information.

  3. Select the Subnet compartment, and a private subnet in your compartment.

    See VCNs and Subnets for more information.

  4. (Optional) Click Show network advanced options to configure advanced options, including adding network security groups, and specifying a private IP address.
  5. (Optional) Click Show advanced options to show options for mapping a custom endpoint to the private endpoint.
  6. Click Create Visual Builder Instance.

Update the Private Endpoint Details

After an instance is provisioned as a private endpoint, you can update the instance's VCN and subnet details and add network security groups.

  1. On the Visual Builder Instance Details page, click Edit to open the Edit Visual Builder Instance dialog.

    The Private endpoint access only option is already selected, and it is not possible to select the other options. Once an instance is provisioned as a private endpoint, it is not possible to switch the instance's network access type.

  2. Make any changes to the instance's advanced network options.
    You can add the instance to network security groups (NSGs) in the advanced network options. See Configure Private Endpoint Advanced Network Options.
  3. (Optional) Make any changes to the VCN compartment and subnet compartment settings.
    Note

    If you change the subnet, the private endpoint needs to be recreated, and a new IP is assigned to the private endpoint.

    See VCNs and Subnets for more information.

  4. Click Save Changes.
Note

In some cases you might need to reconfigure your private endpoint. This will delete the private endpoint, and then re-create the endpoint using the same subnet and private endpoint IP from your current settings. To reconfigure a private endpoint:

  • Click More actions on the Visual Builder Instance Details page, and then select Reconfigure private endpoint in the dropdown list. Click Reconfigure when asked to confirm.

See Private Endpoints Notes for more information.

Configure Private Endpoint Advanced Network Options

The private endpoint access advanced options allow you to enter a user-specified private IP address and add one or more network security groups.

These steps assume you are provisioning or editing a Visual Builder instance and you are at the Choose network access step.

  1. Select Private endpoint access only, if it is not already selected.
    Note

    When you are editing an instance that has already been provisioned as a private endpoint, Private endpoint access only is already selected, and it is not possible to change it.

  2. (Optional) Click Show network advanced options.

    The advanced network options enable you to provide a private IP address and specify a network security group (NSG).

    1. Optionally enter a Private IP address.

      Use this field to enter a custom private IP address. The private IP address you enter must be within the selected subnet's CIDR range.

      If you do not provide a custom private IP address, the IP address is automatically assigned.

    2. Optionally add Network security groups (NSGs).

      If you want finer control over connections to the Visual Builder instance, you can define security rules in an NSG; this acts as a virtual firewall for your instance.

      • Select a Network Security Group in your compartment to attach the Visual Builder instance to. If the Network Security Group is in a different compartment, select that compartment and then select a Network Security Group in it.
      • Click + Another Network Security Group to add another Network Security Group.
      • Click x to remove a Network Security Group entry.
      Note

      Incoming and outgoing connections are limited by the combination of the ingress and egress rules defined in NSGs and the Security Lists defined for the VCN. When there are no NSGs, the ingress and egress rules defined in the Security Lists for the VCN still apply. See Security Lists for more information on working with Security Lists.

      See Network Security Groups for more information.

Private Endpoints Notes

This section describes restrictions and notes for private endpoints on Visual Builder.

  • After you update the network access to use a private endpoint, or after provisioning completes for an instance configured with a private endpoint, you can view the network configuration on the Visual Builder Details page under the Network section.

    The Network section shows the following information for a private endpoint:

    • Subnet: This includes a link for the subnet associated with the private endpoint.
    • Private endpoint IP: Shows the private endpoint IP for the private endpoint configuration.
    • Network security groups: This field includes links to the NSG(s) configured with the private endpoint.
  • You can map a custom endpoint to a private endpoint during the provision process, or after provisioning completes.

  • You can specify up to five NSGs to control access to your instance.

  • You can change the private endpoint Network Security Group (NSG) for the instance.

    To change the NSG for a private endpoint, do the following:

    1. On the Visual Builder page, select an instance from the links under the Name column.

    2. On the Visual Builder Details page, click Edit. In the Edit Visual Builder Instance dialog, click Show network advanced options.

  • You can connect your private endpoint to an ATP database in the same VCN and subnet. See Switch to Your Own Oracle DB Instance.

  • Modifying a private IP address is not allowed after you provision an instance, regardless of whether the IP address is automatically assigned or if you enter a value in the Private IP address field.

  • You cannot change the node count for private endpoint-enabled Visual Builder instances.
  • When using a load balancer in front of a private endpoint, use the private endpoint IP address for the load balancer backend, and forward traffic on port 443. You also need to share the IP address of the public load balancer with DevOps so they can update the DNS registration to make the instance URL publicly accessible.
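The subnet egress and load balancer ingress rules described in the prerequisites and in the notes above (NAT gateway to static.oracle.com, service gateway to the Oracle Services Network, backend traffic on port 443), expressed as an NSG in OCI Terraform. This is an added example, not the Quick Start stack or Oracle's code; it assumes the compartment and VCN OCIDs are supplied as variables, uses a constructed placeholder CIDR for the load balancer subnet, and resolves the regional "All <region> Services In Oracle Services Network" label instead of hard-coding SJC.

```hcl
# Added example, not the Quick Start stack. Assumes existing compartment and VCN
# OCIDs are supplied; the load balancer subnet CIDR is a constructed placeholder.
variable "compartment_id" {}
variable "vcn_id" {}
variable "lb_subnet_cidr" { default = "10.0.1.0/24" } # placeholder, private LB subnet

# Resolve the regional "All <region> Services In Oracle Services Network" label,
# the same destination the subnet route table uses for the service gateway.
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

resource "oci_core_network_security_group" "vb" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "vb-private-endpoint-nsg"
}

locals {
  # Every rule is TCP/443. Ingress is restricted to the load balancer subnet;
  # egress covers IDCS via the service gateway and static.oracle.com via the
  # NAT gateway (assumption: the CDN has no fixed CIDR, so 0.0.0.0/0 is used).
  rules = {
    lb_ingress  = { dir = "INGRESS", cidr = var.lb_subnet_cidr, type = "CIDR_BLOCK" }
    idcs_egress = { dir = "EGRESS", cidr = data.oci_core_services.osn.services[0].cidr_block, type = "SERVICE_CIDR_BLOCK" }
    cdn_egress  = { dir = "EGRESS", cidr = "0.0.0.0/0", type = "CIDR_BLOCK" }
  }
}

resource "oci_core_network_security_group_security_rule" "vb" {
  for_each                  = local.rules
  network_security_group_id = oci_core_network_security_group.vb.id
  description               = each.key
  direction                 = each.value.dir
  protocol                  = "6" # TCP
  source                    = each.value.dir == "INGRESS" ? each.value.cidr : null
  source_type               = each.value.dir == "INGRESS" ? each.value.type : null
  destination               = each.value.dir == "EGRESS" ? each.value.cidr : null
  destination_type          = each.value.dir == "EGRESS" ? each.value.type : null
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}
```

Attach the NSG to the instance under Show network advanced options; the subnet's Security Lists still apply alongside these rules, so they must not be broader than intended.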