Oracle Autonomous Database: Setting up ACLs and Private Endpoints

This post is part of a series of blog posts on the Oracle Autonomous Database.

Securing Application Connections with Access Control Lists (ACLs)

  • No network Access Control List (ACL) is specified by default and the database is accessible from any IP address
  • Specifying an access control list blocks all IP addresses that are not in the list from accessing the database
  • Once an ACL is set, the database will only accept connections from addresses in the access control – all other client connections will be rejected
  • ACLs can be configured for an ADB at any time. While provisioning or added to an existing ADB
  • ACLs can be configured for individual IP addresses, CIDR block ranges, and VCNs – including simultaneously
  • A database restore does not overwrite existing ACLs
  • All services that are subsets of an ADB (e.g. SQL Developer Web, APEX, ML) are also blocked by ACLs
  • The Autonomous Transaction Processing Service console is not subject to ACLs.

Private Endpoints

Private endpoints provide the ability to NOT permit any public access to your ADB database.

It is a private IP address within your VCN that can be used to access a given service within OCI.

Think of it as just another VNIC (Virtual Network Interface Card) in your VCN

  • You can provision an ADB to use private endpoints and configure a Virtual Cloud Network (VCN) in your tenancy to use with the private endpoint.
  • Allow you to keep all traffic to and from your ADB off the public internet
  • Does require you to set up transit routing in your VCN and use a service gateway to connect
  • Can be configured when you provision a new database or when you clone an existing database only

To setup Private Endpoints with ADB:

  • There must be a VCN within the region for the ADB. This cannot be changed after provisioning
  • A private subnet with default DHCP options is required
  • At least one Network Security Group (NSG) within your VCN is required. This can be edited after provisioning

Network Security Group (NSG):

  • NSGs create a virtual firewall for your Autonomous Database using security rules
  • You can specify up to 5 NSGs to control access to your Autonomous Database
  • To use NSG with Private Endpoints set: Ingress / TCP / Port 1522

When you provision or clone an Autonomous Database, you can configure the network access so that the database uses a private endpoint. If your organization has strict security mandates that do not allow you to have a public endpoint for your database, this provides you with the necessary private endpoint. When you use private access, your database is only accessible through the IP address of the associated private endpoint. Additionally, this allows you to configure your access so that the traffic does not use public subnets and allows you to keep all traffic to and from your Autonomous Database off of the public internet within one of your tenancy’s virtual cloud networks (VCNs).

Change from Private to Public Endpoints with Autonomous Database

If your Autonomous Database instance is configured to use a private endpoint you can change the configuration to use a public endpoint.

Note: Changing an instance from a private to a public endpoint on Autonomous Database is only supported with Oracle Database 19c onwards.

After updating the network access type all database users must obtain a new wallet and use the new wallet to access the database.

After the update completes, you can define access control rules for the public endpoint by specifying ACLs.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s