You can
specify that Autonomous Database uses a private
endpoint inside your Virtual Cloud Network (VCN) in your tenancy. You can configure a
private endpoint during provisioning or cloning your Autonomous Database, or you can switch to using a private endpoint in an existing
database that uses a public endpoint. This allows you to keep all traffic to and from your
database off of the public internet.
Specifying the virtual cloud network configuration allows traffic only from
the virtual cloud network you specify and blocks access to the database from all public
IPs or VCNs. This allows you to define security rules with Security Lists or at the
Network Security Group (NSG) level to specify ingress/egress for your Autonomous Database instance. Using a private
endpoint and defining Security Lists or NSGs allows you to control traffic to and from
your Autonomous Database instance.
Note
If you configure your Autonomous Database instance to use a private
endpoint and you also want to allow connections from specific public IP addresses or
from specific VCNs if those VCNs are configured to privately connect to Autonomous Database using a Service Gateway,
select the Allow public access option. This adds a public
endpoint for a database that is configured with a private endpoint. See Use a Private Endpoint with Public Access Allowed for more information.
The Allow public access
option is available only when the database uses the ECPU compute
model.
Topics
Configure Private Endpoints You can specify that Autonomous Database uses a private endpoint and configure a Virtual Cloud Network (VCN) in your tenancy to use with the private endpoint.
Enhanced Security for Outbound Connections with Private Endpoints When you use a private endpoint with your Autonomous Database instance you can provide enhanced security by setting the ROUTE_OUTBOUND_CONNECTIONS database property to the value PRIVATE_ENDPOINT.
Private Endpoints Notes Describes restrictions and notes for private endpoints on Autonomous Database.
You can
specify that Autonomous Database uses a private
endpoint and configure a Virtual Cloud Network (VCN) in your tenancy to use with the private
endpoint.
Configure Private Endpoint Advanced Options The private endpoint access advanced options allow you to enter a user specified private IP address and host name, select one or more network security groups, or specify details to allow public access to a private endpoint database.
Use a Private Endpoint with Public Access Allowed Select the Allow public access option when you want to configure an Autonomous Database to use a private endpoint and you also want to allow connections from specific public IP addresses or from specific VCNs (if the VCNs are configured to privately connect to Autonomous Database using a Service Gateway).
Create a VCN within the region that will contain your Autonomous Database. See VCNs and Subnets for more
information.
Configure a subnet within your VCN configured with default DHCP options.
See DNS in Your Virtual Cloud Network for more
information.
(Optional) Before configuring a private endpoint, specify a Network Security Group (NSG) within your VCN. The NSG holds the security rules that govern connections to your Autonomous Database. See Network Security Groups for more information.
IAM Policies Required to Manage Private Endpoints
In
addition to the policies required to provision and manage an Autonomous Database, some network policies are needed to use private endpoints.
The following table lists the IAM policies required for a cloud user to add
a private endpoint. The listed policies are the minimum requirements to add a private
endpoint. You can also use a policy rule that is broader. For example, if you set the
policy rule:
Allow group MyGroupName to manage virtual-network-family in tenancy
This rule also works because it is a superset that contains all the required
policies.
Operation: Configure a private endpoint
Required IAM policies (minimum):
use vcns in the compartment that contains the VCN
use subnets in the compartment that contains the VCN
use network-security-groups in the compartment that contains the network security group
manage private-ips in the compartment that contains the VCN
manage vnics in the compartment that contains the VCN
manage vnics in the compartment in which the database is provisioned or is to be provisioned
Autonomous Database relies on the IAM (Identity
and Access Management) service to authenticate and authorize cloud users to perform
operations that use any of the Oracle Cloud
Infrastructure interfaces (the Console, REST API, CLI, SDK, or others).
The IAM service uses groups, compartments and policies
to control which cloud users can access which resources. In particular, a policy defines
what kind of access a group of users has to a particular kind of resource in a
particular compartment. For more information, see Getting Started with
Policies.
Configure Private Endpoints When You Provision or Clone an Instance
You can configure a private endpoint when you provision or clone an Autonomous Database instance.
These steps assume you are provisioning or cloning an instance and you have completed the
prerequisite steps, and you are at the Choose network access step of
the provisioning or cloning steps:
Select Private endpoint access only.
This expands the Virtual cloud network private access configuration
area.
If you select Private endpoint access only, this only allows
connections from the specified private network (VCN), from peered VCNs, and from on-prem
networks connected to your VCN. You can configure an Autonomous Database instance on a private
endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.
If you want to allow connections from public IP addresses or from allowed
IPs and VCNs, you have the following options:
Select Secure access from everywhere.
Select Secure access from allowed IPs and VCNs only.
If you select Private endpoint access only,
expand Show advanced options and select Allow
public access. See Configure Private Endpoint Advanced Options for more information.
Select a Virtual cloud network in your compartment or if the VCN
is in a different compartment click Change Compartment and select
the compartment that contains the VCN and then select a virtual cloud network.
Select the Subnet in your compartment to attach the Autonomous Database to or if the Subnet is in a
different compartment click Change Compartment and select the
compartment that contains the Subnet and then select a subnet.
Change from Public to Private Endpoints with Autonomous Database
If your Autonomous Database instance is configured to use a
public endpoint you can change the configuration to a private endpoint.
On the Details page, from the More actions drop-down list, select Update
network access.
To change an instance from a public to a private endpoint, the Autonomous Database instance must be in the
Available state (Lifecycle state:
Available).
In the Update network access dialog, select Private
endpoint access only.
This expands the Virtual cloud network private access configuration area.
If you select Private endpoint access only, this
only allows connections from the specified private network (VCN), from peered VCNs, and
from on-prem networks connected to your VCN. You can configure an Autonomous Database instance on a private
endpoint to allow connections from on-prem networks. See Example: Connecting from Your Data Center to Autonomous Database for an example.
If you want to allow connections from public IP addresses or from allowed
IPs and VCNs, you have the following options:
Select Secure access from everywhere.
Select Secure access from allowed IPs and VCNs
only.
If you select Private endpoint access only,
expand Show advanced options and select Allow
public access. See Configure Private Endpoint Advanced Options for more information.
Select a Virtual cloud network in your compartment or if the VCN
is in a different compartment click Change Compartment and select
the compartment that contains the VCN and then select a virtual cloud network.
Select the Subnet in your compartment to attach the Autonomous Database to or if the Subnet is in a
different compartment click Change Compartment and select the
compartment that contains the Subnet and then select a subnet.
In the Confirm dialog, type the Autonomous Database name to confirm the
change.
In the Confirm dialog, click
Update.
The Lifecycle state changes to Updating until the
operation completes.
Notes for changing from public to private network access:
After updating the network access type all database users must obtain a new wallet and
use the new wallet to access the database. See Download Client Credentials (Wallets) for more information.
If you had ACLs defined for the public endpoint, the ACLs do not apply for the private
endpoint.
After you update the network access to use a private endpoint, the URL for
the Database Tools is different compared to using a public endpoint. You can find the
updated URLs on the console, after changing from a public endpoint to a private
endpoint.
You can
change some options in the configuration of a private endpoint on an existing Autonomous Database instance.
On the Details page, from the More actions drop-down list, select Update
network access.
This shows the Update network access
panel.
Select Private endpoint access only.
If you want to allow connections from public IP addresses or from allowed
IPs and VCNs, you have the following options:
Select Secure access from everywhere.
Select Secure access from allowed IPs and VCNs only.
When you select Private endpoint access only, expand Show advanced options and select Allow public access. This
defines a private endpoint database that includes both a private endpoint and a
public endpoint.
Optionally add Network security groups (NSGs).
Optionally, to allow connections to the Autonomous Database instance define security
rules in an NSG; this creates a virtual firewall for your Autonomous Database.
Select a Network Security Group in your compartment to attach the
Autonomous Database to, or if the Network Security Group is in a different
compartment, click Change Compartment and select a
different compartment and then select a Network Security Group in that
compartment.
Click + Another Network Security Group to add
another Network Security Group.
Click x to remove a Network Security Group
entry.
For the NSG you select for the private endpoint define a security rule
as follows:
For mutual TLS (mTLS) authentication, add a stateful ingress rule
with the source set to the address range you want to allow to connect to your
database, the IP Protocol set to TCP, and the Destination Port Range set to
1522. See About Mutual TLS (mTLS) Authentication for more information.
For TLS authentication, add a stateful ingress rule with the source
set to the address range you want to allow to connect to your database, the IP
Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.
To use Oracle APEX, Database Actions, and Oracle REST Data Services, add
port 443 to the NSG rule.
Note
Incoming and outgoing connections
are limited by the combination of ingress and egress rules defined in NSGs and the
Security Lists defined with the VCN. When there are no NSGs, ingress and egress
rules defined in the Security Lists for the VCN still apply. See Security Lists for more
information on working with Security Lists.
Optionally, select Allow public access. If it is already selected, you can edit the access control rules for the public endpoint that accompanies the private endpoint database.
The Allow public access option is available only
when the database uses the ECPU compute model.
When you select Allow public access, this shows
the Configure access control options to enter the allowed IP addresses, CIDR blocks,
or Virtual cloud networks that can connect to the database.
Select one of:
IP address:
In
Values field enter values for the IP
address. An IP address specified in a network ACL entry is the
public IP address of the client that is visible on the public internet that you
want to grant access. For example, for an Oracle Cloud
Infrastructure VM, this is the IP address shown in the Public IP
field on the Oracle Cloud
Infrastructure console for that VM.
Optionally select Add my IP
address to add your current IP address to the ACL entry.
CIDR block:
In
Values field enter values for the CIDR
block. The CIDR block specified is the public CIDR block of the
clients that are visible on the public internet that you want to grant
access.
Virtual cloud network:
Use
this option when the network route from the client to the database is going
through an Oracle Cloud
Infrastructure Service Gateway. See Access to Oracle Services: Service
Gateway for more information.
Use this option to
specify the VCN for use with an Oracle Cloud
Infrastructure Service Gateway:
In Virtual cloud network field select
the VCN that you want to grant access from. If you do not have the privileges
to see the VCNs in your tenancy this list is empty. In this case use the
selection Virtual cloud network (OCID) to specify the
OCID of the VCN.
Optionally, in the IP addresses or CIDRs
field enter private IP addresses or private CIDR blocks as a comma separated
list to allow specific clients in the VCN.
Virtual cloud network (OCID):
Use this option when the network route from the client to the database is going
through an Oracle Cloud
Infrastructure Service Gateway. See Access to Oracle Services: Service
Gateway for more information.
In the Values field enter the OCID of
the VCN you want to grant access from.
Optionally, in the IP addresses or CIDRs
field enter private IP addresses or private CIDR blocks as a comma separated
list to allow specific clients in the VCN.
If you want to specify multiple IP addresses or CIDR ranges within the
same VCN, do not create multiple ACL entries. Use one ACL entry with the values for
the multiple IP addresses or CIDR ranges separated by commas.
Click Update.
If the Lifecycle state is Available when you click
Update, the Lifecycle state changes to
Updating until the changes are applied. The database is still up
and accessible, there is no downtime. When the update is complete the Lifecycle state
returns to Available.
The private
endpoint access advanced options allow you to enter a user specified private IP address and host
name, select one or more network security groups, or specify details to allow public access to a
private endpoint database.
These steps assume you are provisioning or cloning an Autonomous Database instance or changing from public
access to private access for an existing Autonomous Database instance and you are at the Choose network access
step.
Select Private endpoint access only.
This shows the Virtual cloud network private access configuration
area.
(Optional) Click Show advanced options to show additional
private endpoint options.
This displays the advanced options.
Optionally enter a Private IP address.
Use this field to enter a custom private IP address. The private IP
address you enter must be within the selected subnet's CIDR range.
If you do not provide a custom private IP address the IP address is
automatically assigned.
Optionally enter a Hostname prefix.
This specifies a hostname prefix for the Autonomous Database and associates a DNS
name with the database instance, in the following form:
hostname_prefix.adb.region.oraclecloud.com
If you do not specify a hostname prefix, a system generated hostname
prefix is supplied.
Optionally add Network security groups (NSGs).
Optionally, to allow connections to the Autonomous Database instance define security
rules in an NSG; this creates a virtual firewall for your Autonomous Database.
Select a Network Security Group in your compartment to attach the
Autonomous Database to, or if the Network Security Group is in a different
compartment, click Change Compartment and select a
different compartment and then select a Network Security Group in that
compartment.
Click + Another Network Security Group to add
another Network Security Group.
Click x to remove a Network Security Group
entry.
For the NSG you select for the private endpoint define a security rule
as follows:
For mutual TLS (mTLS) authentication, add a stateful ingress rule
with the source set to the address range you want to allow to connect to your
database, the IP Protocol set to TCP, and the Destination Port Range set to
1522. See About Mutual TLS (mTLS) Authentication for more information.
For TLS authentication, add a stateful ingress rule with the source
set to the address range you want to allow to connect to your database, the IP
Protocol set to TCP, and the Destination Port Range set to 1521. See About TLS Authentication for more information.
To use Oracle APEX, Database Actions, and Oracle REST Data Services, add
port 443 to the NSG rule.
Note
Incoming and outgoing connections
are limited by the combination of ingress and egress rules defined in NSGs and the
Security Lists defined with the VCN. When there are no NSGs, ingress and egress
rules defined in the Security Lists for the VCN still apply. See Security Lists for more
information on working with Security Lists.
Optionally, select Allow public access and configure access
control rules to add a public endpoint for the private endpoint database.
The Allow public access option is available only
when the database uses the ECPU compute model.
When you select Allow public access, this shows
the Configure access control options to enter the allowed IP addresses, CIDR blocks,
or Virtual cloud networks that can connect to the database.
Select one of:
IP address:
In
Values field enter values for the IP
address. An IP address specified in a network ACL entry is the
public IP address of the client that is visible on the public internet that you
want to grant access. For example, for an Oracle Cloud
Infrastructure VM, this is the IP address shown in the Public IP
field on the Oracle Cloud
Infrastructure console for that VM.
Optionally select Add my IP
address to add your current IP address to the ACL entry.
CIDR block:
In
Values field enter values for the CIDR
block. The CIDR block specified is the public CIDR block of the
clients that are visible on the public internet that you want to grant
access.
Virtual cloud network:
Use
this option when the network route from the client to the database is going
through an Oracle Cloud
Infrastructure Service Gateway. See Access to Oracle Services: Service
Gateway for more information.
Use this option to
specify the VCN for use with an Oracle Cloud
Infrastructure Service Gateway:
In Virtual cloud network field select
the VCN that you want to grant access from. If you do not have the privileges
to see the VCNs in your tenancy this list is empty. In this case use the
selection Virtual cloud network (OCID) to specify the
OCID of the VCN.
Optionally, in the IP addresses or CIDRs
field enter private IP addresses or private CIDR blocks as a comma separated
list to allow specific clients in the VCN.
Virtual cloud network (OCID):
Use this option when the network route from the client to the database is going
through an Oracle Cloud
Infrastructure Service Gateway. See Access to Oracle Services: Service
Gateway for more information.
In the Values field enter the OCID of
the VCN you want to grant access from.
Optionally, in the IP addresses or CIDRs
field enter private IP addresses or private CIDR blocks as a comma separated
list to allow specific clients in the VCN.
If you want to specify multiple IP addresses or CIDR ranges within the
same VCN, do not create multiple ACL entries. Use one ACL entry with the values for
the multiple IP addresses or CIDR ranges separated by commas.
Complete the remaining private endpoint configuration steps.
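The access control list for Allow public access, as described in the two lists above (IP address, CIDR block, Virtual cloud network, Virtual cloud network (OCID)), is easy to get wrong in two ways: putting a private RFC 1918 address in a public entry, and creating several entries for the same VCN instead of one comma-separated entry. The following is an added example, not Oracle's code, that validates and normalises such a list before you submit it. It assumes the entries take the three shapes the page describes (a public IP, a public CIDR, or a VCN OCID optionally followed by ";" and a comma-separated list of private IPs or CIDRs in that VCN, which is the form the whitelistedIps API attribute takes); confirm the exact syntax against the Autonomous Database API reference. It handles IPv4 only, and the OCIDs and addresses in it are placeholders.

```python
"""Validate and normalise the access-control entries for an Autonomous
Database private endpoint that has Allow public access enabled.

Added example, not Oracle's code. Assumption: entries are a public IP,
a public CIDR, or a VCN OCID optionally followed by ';' and a
comma-separated list of private IPs/CIDRs inside that VCN (the form the
whitelistedIps API attribute takes). IPv4 only. OCIDs and addresses
below are placeholders.
"""
import ipaddress

# Ranges that can never be a client's public address: RFC 1918, loopback,
# link-local. One of these in a public entry is a configuration mistake.
_NON_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def _ipv4_network(text):
    net = ipaddress.ip_network(text, strict=False)  # ValueError if malformed
    if net.version != 4:
        raise ValueError(f"{text}: only IPv4 entries are handled here")
    return net


def parse_entry(entry):
    """Return (kind, value, private_addrs) with kind in {'ip', 'cidr', 'vcn'}."""
    entry = entry.strip()
    if entry.startswith("ocid1.vcn."):
        ocid, _, rest = entry.partition(";")
        addrs = [a.strip() for a in rest.split(",") if a.strip()]
        for a in addrs:
            _ipv4_network(a)  # syntax check only; these are VCN-side addresses
        return ("vcn", ocid, addrs)
    net = _ipv4_network(entry)
    if any(net.subnet_of(p) for p in _NON_PUBLIC):
        raise ValueError(f"{entry}: a public entry must be internet-routable; "
                         "use a VCN entry for private addresses")
    return ("ip" if net.num_addresses == 1 else "cidr", entry, [])


def normalise_acl(entries):
    """Validate every entry and merge repeated VCN OCIDs into one entry,
    as the page requires (one ACL entry per VCN, addresses comma-separated)."""
    vcn_addrs = {}
    public = []
    for e in entries:
        kind, value, addrs = parse_entry(e)
        if kind == "vcn":
            merged = vcn_addrs.setdefault(value, [])
            for a in addrs:
                if a not in merged:
                    merged.append(a)
        elif value not in public:
            public.append(value)
    vcn_entries = [ocid + (";" + ",".join(addrs) if addrs else "")
                   for ocid, addrs in vcn_addrs.items()]
    return public + vcn_entries


if __name__ == "__main__":
    example = [
        "203.0.113.7",                            # one public client
        "198.51.100.0/24",                        # a public CIDR
        "ocid1.vcn.oc1.phx.EXAMPLE;10.0.1.5",     # two entries for one VCN ...
        "ocid1.vcn.oc1.phx.EXAMPLE;10.0.2.0/24",  # ... collapse into a single entry
    ]
    for line in normalise_acl(example):
        print(line)
```

The two VCN entries for the placeholder OCID come out as one entry, "ocid1.vcn.oc1.phx.EXAMPLE;10.0.1.5,10.0.2.0/24", and an RFC 1918 address in a public entry is rejected rather than silently granting nothing.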
Use a Private Endpoint with Public Access Allowed
Select the
Allow public access option when you want to configure an Autonomous Database to use a private endpoint and
you also want to allow connections from specific public IP addresses or from specific VCNs
(if the VCNs are configured to privately connect to Autonomous Database using a Service Gateway).
This option adds a public endpoint for a database that is configured on a
private endpoint. You configure a private endpoint for your Autonomous Database instance when you
provision or clone the instance, or when you update the network configuration for an
existing Autonomous Database. See the
following for details on the steps to configure an Autonomous Database instance with a private endpoint:
When public access is enabled with Allow public
access on a private endpoint database, the instance has both a private
endpoint and a public endpoint:
The private hostname, endpoint URL, and private IP address allow you
to connect to the database from the VCN where the database resides.
The public hostname allows you to connect to the database from
specific public IP addresses or from specific VCNs if those VCNs are configured
to privately connect to Autonomous Database using a Service Gateway.
Autonomous Database Connection
String Additions for a Private Endpoint Database with Allow Public Access
Enabled
When Allow public access is enabled for a private
endpoint database, there are additional connection strings that allow you to connect
to the database from the public endpoint:
The connection strings in tnsnames.ora in
the Autonomous Database wallet zip
include the public connection strings to use with connections coming from
the public internet. The connection strings for the public endpoint use the
following naming convention:
You can view the connection strings for both the public endpoint
and the private endpoint from the Oracle Cloud
Infrastructure Console (or using the API).
Autonomous Database Tools
Additions for a Private Endpoint Database with Allow Public Access Enabled
When Allow public access is enabled for a private
endpoint database, the database tools allow you to connect from specific public IP
addresses or from specific VCNs if those VCNs are configured to privately connect to
Autonomous Database using a Service
Gateway:
Each tool has a private access URL and a public access URL displayed in the Tool
configuration table. Use the public access URL to access the tool from
specific public IP addresses or from specific VCNs if those VCNs are
configured to privately connect to Autonomous Database using a Service Gateway.
Enhanced Security for Outbound Connections with Private Endpoints
When you
use a private endpoint with your Autonomous Database instance you can provide enhanced security by setting the
ROUTE_OUTBOUND_CONNECTIONS database property to the value
PRIVATE_ENDPOINT.
Setting the ROUTE_OUTBOUND_CONNECTIONS database property
to the value PRIVATE_ENDPOINT enforces that all
outgoing connections to a target host are subject to and limited by
the private endpoint's egress rules. You define egress rules in the
Virtual Cloud Network (VCN) security list or in the Network Security
Group (NSG) associated with the Autonomous Database instance private endpoint.
Before you set the
ROUTE_OUTBOUND_CONNECTIONS database
property, configure your Autonomous Database instance to use a private
endpoint. See Configure Private Endpoints for more information.
Set the ROUTE_OUTBOUND_CONNECTIONS database
property to PRIVATE_ENDPOINT to specify that all
outgoing connections are subject to the Autonomous Database
instance private endpoint VCN's egress rules. With the value
PRIVATE_ENDPOINT the database restricts
outgoing connections to locations specified by the private
endpoint's egress rules and also changes DNS resolution such that
hostnames are resolved using your VCN's DNS resolver (not using a
public DNS resolver).
Note
With
ROUTE_OUTBOUND_CONNECTIONS not set to
PRIVATE_ENDPOINT, all outgoing connections
to the public internet pass through the Network Address Translation
(NAT) Gateway of the service VCN. In this case, if the target host
is on a public endpoint the outgoing connections are not subject to
the Autonomous Database
instance private endpoint VCN or NSG egress rules.
When you configure a private endpoint for your Autonomous Database
instance and set ROUTE_OUTBOUND_CONNECTIONS to
PRIVATE_ENDPOINT, this setting changes the
handling of outbound connections and DNS resolution for the
following:
When you configure a private endpoint for your Autonomous Database
instance and set ROUTE_OUTBOUND_CONNECTIONS to
PRIVATE_ENDPOINT, this setting does not
change the handling of outbound connections and DNS resolution for
the following:
Oracle REST Data Services
(ORDS)
Database Actions
To set ROUTE_OUTBOUND_CONNECTIONS:
Connect to your database.
Set the database property
ROUTE_OUTBOUND_CONNECTIONS.
For example:
ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = 'PRIVATE_ENDPOINT';
Notes for setting
ROUTE_OUTBOUND_CONNECTIONS:
Use the following command to restore the default
parameter value:
ALTER DATABASE PROPERTY SET ROUTE_OUTBOUND_CONNECTIONS = '';
Use the following command to query the current parameter
value:
SELECT * FROM DATABASE_PROPERTIES
WHERE PROPERTY_NAME = 'ROUTE_OUTBOUND_CONNECTIONS';
If the property is not set the query does
not return results.
This property only applies for database
links that you create after you set the property to
the value PRIVATE_ENDPOINT. Thus,
database links that you created prior to setting the
property continue to use the NAT Gateway of the
service VCN and are not subject to the Autonomous Database instance private endpoint's egress
rules.
Only set ROUTE_OUTBOUND_CONNECTIONS to
the value PRIVATE_ENDPOINT when you
are using Autonomous Database with a private
endpoint.
When your database is on a private endpoint
and you want your outbound connections to be
resolved by your VCN, you need to set the
ROUTE_OUTBOUND_CONNECTIONS
parameter to PRIVATE_ENDPOINT.
See NAT Gateway for more
information on Network Address Translation (NAT) gateway.
Describes restrictions and notes for private endpoints on Autonomous Database.
After you update the network access to use a private endpoint, or
after the provisioning or cloning completes where you configure a private
endpoint, you can view the network configuration on the Autonomous Database
Details page under the Network section.
The Network section shows the following
information for a private endpoint:
Access type: Specifies the access type
for the Autonomous Database
configuration. Private endpoint configurations show the access type:
Virtual cloud network.
Availability domain: Specifies the availability domain of your Autonomous Database instance.
Virtual cloud network: This includes a
link for the VCN associated with the private endpoint.
Subnet: This includes a link for the
subnet associated with the private endpoint.
Private endpoint IP: Shows the private
endpoint IP for the private endpoint configuration.
Private endpoint URL: Shows the private
endpoint URL for the private endpoint configuration.
Network security groups: This field
includes links to the NSG(s) configured with the private endpoint.
Public access: This field indicates whether public
access is enabled for the private endpoint. Click the Edit
link to view or change the allowed ACLs or VCNs.
Public endpoint URL: This shows when
Allow public access is enabled on the private
endpoint. This is the public endpoint URL that you can use to connect from
allowed IPs or VCNs on the public internet.
You can specify up to five NSGs to control access to your Autonomous Database.
You can change the private endpoint Network Security Group (NSG) for
the Autonomous Database.
To change the NSG for a private endpoint, do the following:
On the Autonomous Databases page
select an Autonomous Database from the links under the Display
name column.
On the Autonomous Database Details
page, under Network in the Network
Security Groups field, click
Edit.
You can connect your Oracle
Analytics Cloud instance to your Autonomous Database that has a private endpoint using the Data Gateway
like you do for an on-premises database. See Configure and Register Data Gateway for Data
Visualization for more information.
The following Autonomous Database tools are supported in databases configured with a private
endpoint:
Accessing Oracle APEX, Database Actions, Oracle Graph Studio, or Oracle REST Data Services using a private endpoint from on-premises environments without
completing the additional private endpoint configuration shows the error:
404 Not Found
After you update the network access to use a private endpoint, the
URL for the Database Tools is different compared to using a public endpoint. You
can find the updated URLs on the console, after changing from a public endpoint
to a private endpoint.
In addition to the default Oracle REST Data Services (ORDS) preconfigured with
Autonomous Database, you can
configure an alternative ORDS deployment that provides more configuration
options and that can be used with private endpoints. See About Customer Managed Oracle REST Data Services on Autonomous Database to learn about an alternative ORDS deployment that can be
used with private endpoints.
Modifying the private IP address is not allowed after you provision or clone an
instance, whether the IP address was automatically assigned or you entered a
value in the Private IP address field.
Example: Connecting from Inside Oracle Cloud Infrastructure VCN
Demonstrates an application running inside Oracle Cloud Infrastructure on a virtual machine (VM) in the same VCN as your Autonomous Database.
There is an Autonomous Database
instance which has a private endpoint in the VCN named "Your VCN". The VCN includes two
subnets: "SUBNET B" (CIDR 10.0.1.0/24) and "SUBNET A" (CIDR 10.0.2.0/24).
The Network Security Group (NSG) associated with the Autonomous Database instance is shown as "NSG
1 - Security Rules". This Network Security Group defines security rules that allow
incoming and outgoing traffic to and from the Autonomous Database instance. Define a rule for the Autonomous Database instance as follows:
For Mutual TLS authentication, add a stateful ingress rule to allow connections
from the source to the Autonomous Database instance; the source is set to the address range you want to
allow to connect to your database, IP Protocol is set to TCP, and the
Destination Port Range is set to 1522.
For TLS authentication, add a stateful ingress rule to allow connections from the
source to the Autonomous Database
instance; the source is set to the address range you want to allow to connect to
your database, IP Protocol is set to TCP, and the Destination Port Range is set
to 1521.
To use Oracle APEX, Database Actions, and Oracle REST Data Services, add
port 443 to the NSG rule.
The following figure shows a sample stateful security rule to control
traffic for the Autonomous Database
instance:
The application connecting to the Autonomous Database is running on a VM in SUBNET B. You also add a security
rule to allow traffic to and from the VM (as shown, with label "NSG 2 Security Rules").
You can use a stateful security rule for the VM, so simply add a rule for egress to NSG
2 Security Rules (this allows access to the destination subnet A).
The following figure shows sample security rules that control traffic for
the VM:
After you configure the security rules, your application can connect to the
Autonomous Database instance using the
client credentials wallet. See Download Client Credentials (Wallets) for more information.
Example: Connecting from Your Data Center to Autonomous Database
Demonstrates how to connect privately to an Autonomous Database from your on-premise data center. In this scenario, traffic never goes
over the public internet.
To connect from your data center, connect the on-premise network to the
VCN with FastConnect and set up a Dynamic Routing Gateway (DRG). The Autonomous Database private endpoint is a Fully Qualified Domain Name (FQDN); for your on-premise client to resolve it, add an entry to the client's hosts file (for example, /etc/hosts on Linux) that maps the FQDN to the private endpoint IP.
You find the private endpoint IP and the FQDN as follows:
The Private IP is shown on the Oracle Cloud
Infrastructure console Autonomous Database details
page for the instance.
The FQDN is shown in the tnsnames.ora file in
the Autonomous Database client
credential wallet.
Alternatively you can use Oracle Cloud
Infrastructure private DNS to provide DNS name resolution. See Private DNS for more
information.
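The hosts-file step above is easy to get slightly wrong (wrong FQDN, or a hosts entry that does not match the port the wallet actually uses). The following is an added example, not Oracle's code, that reads the wallet's tnsnames.ora, pulls out every listener host and port, and prints the hosts line plus the port your NSG ingress rule must open. The tnsnames.ora text in it is constructed: the hostname prefix, region, service names and the private IP are placeholders shaped like the page's hostname_prefix.adb.region.oraclecloud.com pattern, not real values.

```python
"""Derive the hosts-file line an on-premises client needs to reach an
Autonomous Database private endpoint, from the wallet's tnsnames.ora.

Added example, not Oracle's code. SAMPLE_TNSNAMES is constructed: the
hostname prefix, region, service names and PRIVATE_ENDPOINT_IP are
placeholders, not real values.
"""
import re

SAMPLE_TNSNAMES = """
mydb_high = (description= (retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=mydbpe.adb.us-phoenix-1.oraclecloud.com))
  (connect_data=(service_name=abc_mydb_high.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
mydb_low = (description= (retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=mydbpe.adb.us-phoenix-1.oraclecloud.com))
  (connect_data=(service_name=abc_mydb_low.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
"""

PRIVATE_ENDPOINT_IP = "10.0.2.15"  # placeholder: copy it from the console Details page

# An (address=...) block containing one level of nested (key=value) pairs.
_ADDRESS = re.compile(r"\(address=((?:[^()]|\([^()]*\))*)\)", re.IGNORECASE)
_KV = re.compile(r"\((\w+)=([^()]*)\)")


def endpoints(tnsnames_text):
    """Distinct (host, port, protocol) triples, in order of first appearance."""
    found = []
    for body in _ADDRESS.findall(tnsnames_text):
        kv = {k.lower(): v.strip() for k, v in _KV.findall(body)}
        if "host" not in kv:
            continue
        triple = (kv["host"].lower(),
                  int(kv.get("port", "1521")),
                  kv.get("protocol", "tcp").lower())
        if triple not in found:
            found.append(triple)
    return found


def hosts_lines(tnsnames_text, private_ip):
    """hosts-file lines mapping every listener FQDN in the wallet to the private IP."""
    names = sorted({host for host, _, _ in endpoints(tnsnames_text)})
    return [f"{private_ip} {name}" for name in names]


def required_ports(tnsnames_text):
    """Listener ports the NSG ingress rule must open for these connect strings."""
    return sorted({port for _, port, _ in endpoints(tnsnames_text)})


if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_TNSNAMES, PRIVATE_ENDPOINT_IP)))
    print("NSG ingress ports needed:", required_ports(SAMPLE_TNSNAMES))
```

A hosts entry only overrides name resolution on that one client; the wallet's trust store and ssl_server_dn_match still apply, so pointing the name at the wrong IP fails the TLS handshake rather than silently connecting elsewhere. Private DNS, as the page notes, avoids maintaining such entries per client.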
In this example there is a Dynamic Routing Gateway (DRG) between the
on-premise data center and "Your VCN". The VCN contains the Autonomous Database. This also shows a route
table for the VCN associated with the Autonomous Database, for outgoing traffic to CIDR 172.16.0.0/16 through the DRG.
In addition to setting up the DRG, define a Network Security Group (NSG) rule
to allow traffic to and from the Autonomous Database, by adding a rule for the data center CIDR range (172.16.0.0/16). In
this example, define a security rule in "NSG 1" as follows:
For Mutual TLS authentication, create a stateful ingress rule to allow
traffic from the data center: source set to the data center CIDR range
(172.16.0.0/16), IP Protocol set to TCP, source port range left at All
(clients connect from ephemeral ports), and destination port set to 1522.
For TLS authentication, create the same stateful ingress rule with the
destination port set to 1521: source set to the data center CIDR range
(172.16.0.0/16), IP Protocol set to TCP, source port range left at All, and
destination port set to 1521.
To use Oracle APEX, Database Actions, and Oracle REST Data Services, add
port 443 to the NSG rule.
The following figure shows the security rule that controls traffic for the
Autonomous Database instance:
After you configure the security rule, your on-premise database application
can connect to the Autonomous Database
instance using the client credentials wallet. See Download Client Credentials (Wallets) for more information.
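The NSG ingress rules described for both examples (a VM inside the VCN, and a data center reached over a DRG) follow one pattern: source is the client address range, protocol is TCP, source port is unrestricted, and the destination port is 1522 for mTLS, 1521 for TLS, plus 443 for the tools. The following is an added example, not Oracle's code, that builds those rules and evaluates locally which client connections they admit, so you can check the rule set before applying it. Assumption: the dict layout mirrors the OCI SecurityRule JSON (direction, protocol "6" for TCP, sourceType CIDR_BLOCK, tcpOptions.destinationPortRange) that `oci network nsg rules add --security-rules` accepts; confirm the field names against the OCI Networking API reference before applying it to a real NSG. The CIDRs and ports are the ones used in the page's examples.

```python
"""Build the NSG ingress rules this page describes for an Autonomous
Database private endpoint and check which client connections they admit.

Added example, not Oracle's code. Assumption: the dict layout mirrors the
OCI SecurityRule JSON accepted by `oci network nsg rules add`; confirm
against the Networking API reference. CIDRs and ports come from the
page's examples.
"""
import ipaddress
import json

TCP = "6"  # OCI security rules carry the IANA protocol number as a string


def ingress_tcp_rule(source_cidr, dst_port, description):
    """Stateful ingress rule admitting TCP from source_cidr to one port.

    The *source* is the client address range; the client's source port is
    left unrestricted (clients use ephemeral ports) and only the
    destination port is pinned to the listener. Swapping those two gives
    a rule that admits nothing.
    """
    ipaddress.ip_network(source_cidr)  # ValueError on a malformed CIDR
    return {
        "direction": "INGRESS",
        "protocol": TCP,
        "isStateless": False,
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "tcpOptions": {"destinationPortRange": {"min": dst_port, "max": dst_port}},
        "description": description,
    }


def adb_private_endpoint_rules(source_cidr, mtls=True, tls=False, tools=True):
    """Rules for the NSG on the private endpoint: 1522 for mTLS, 1521 for
    TLS, 443 for APEX / Database Actions / ORDS."""
    rules = []
    if mtls:
        rules.append(ingress_tcp_rule(source_cidr, 1522, "ADB mTLS listener"))
    if tls:
        rules.append(ingress_tcp_rule(source_cidr, 1521, "ADB TLS listener"))
    if tools:
        rules.append(ingress_tcp_rule(source_cidr, 443, "APEX, Database Actions, ORDS"))
    return rules


def admits(rules, client_ip, dst_port, protocol=TCP):
    """True if some ingress rule admits a new connection from client_ip to dst_port.

    Models NSG semantics only: with no matching rule the NSG admits
    nothing, and the subnet's Security List rules still apply on top.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule["direction"] != "INGRESS" or rule["protocol"] != protocol:
            continue
        if ip not in ipaddress.ip_network(rule["source"]):
            continue
        port_range = rule.get("tcpOptions", {}).get("destinationPortRange")
        if port_range is None or port_range["min"] <= dst_port <= port_range["max"]:
            return True
    return False


DATACENTER_CIDR = "172.16.0.0/16"  # on-premises range from the page's example
ONPREM_RULES = adb_private_endpoint_rules(DATACENTER_CIDR, mtls=True, tls=False)

if __name__ == "__main__":
    print(json.dumps(ONPREM_RULES, indent=2))
    for ip, port in [("172.16.5.20", 1522), ("172.16.5.20", 1521), ("10.0.1.7", 1522)]:
        print(ip, port, "admitted" if admits(ONPREM_RULES, ip, port) else "blocked")
```

With only the mTLS rule in place, a data-center client reaches 1522 and 443 but not 1521, and a client outside 172.16.0.0/16 reaches nothing; if you switch the database to TLS authentication, add the 1521 rule or the connection is dropped at the NSG.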