Private Endpoint

Oracle Cloud Infrastructure (OCI) Private Endpoint enables customers to access a single OCI service privately from within an OCI virtual cloud network (VCN) or on-premises network. Private Endpoint is enabled within a service's workflow, allowing secure access via a fully qualified domain name or private IP address allocated from your private VCN subnet. Many OCI services, such as Oracle Autonomous Database, OCI GoldenGate, and OCI Cache with Redis, offer private access through Private Endpoint.

Private Endpoint benefits

Extended, secure, private connectivity

On-premises connectivity model

Many Oracle customers seek a familiar, on-premises private access connectivity model where they can access an Oracle-hosted service over private IP addresses instead of public ones. Private Endpoint extends private connectivity. Customers can access supported OCI services over FastConnect or VPN using a private IP address allocated by their VCN without exposing network traffic to the public internet.

Regulatory compliance

If your organization’s security requires restricting access to public endpoints, Private Endpoint provide a secure way to connect to many OCI-managed services. With network security groups (NSGs), you can establish granular access controls for traffic destined to Oracle services, using private IP address space as source and destination targets.

Seamless service integration

OCI-managed private endpoint lifecycle

OCI services manage the entire customer experience for Private Endpoint—your only concern is provisioning the individual service you want that supports Private Endpoint. When you interact with the service console or API, your service provider will give you the option to use Private Endpoint within your subnet and NSG. You’re not responsible for managing the lifecycle of Private Endpoint.

Reduced operational overhead

Private Endpoint removes the need to deploy and manage NAT and service gateways or modify any route tables for connectivity to a service. Since Private Endpoint is managed by the target service, it requires much less lifecycle management from end users. Additionally, Private Endpoint is highly performant, scalable, and resilient.

Available features

Service-initiated connections

Through reverse connections, Oracle services can privately launch connections to instances within the customer’s VCN or on-premises network. With this capability, Oracle Analytics Cloud and similar services can connect to customer database endpoints within a VCN or on-premises for data ingestion via traditional IP and SCAN protocols. Data is sent from the service through the customer subnet VCN, subject to the customer’s network routing and security rules.

SCAN protocol

Oracle Single Client Access Name (SCAN) is a proprietary protocol owned and used by Oracle databases. SCAN protocol and its listeners act as an application-level load balancer for Oracle Real Application Clusters (RAC). Private endpoints with reverse connection endpoints allow Oracle RAC-enabled database services to support SCAN protocol when connecting to customer database instances.

Easily resolved FQDNs

Customers often access Oracle services using fully qualified domain names (FQDNs), relying on OCI’s private domain name system (DNS) service to resolve them to an IP address. Private endpoints can resolve these FQDNs automatically from within the customer’s VCN. With this feature, customer instances can use the DNS name to access the service, avoiding TLS/SSL certificate mismatch errors. Private Endpoint can also resolve customer FQDNs automatically from within the service provider’s VCN when initiating connections to customer instances for reverse connections.

 

Private Endpoint use cases

  • Assign a private IP address and private hostname to your Autonomous Database on shared Exadata infrastructure

    With Private Endpoint, Autonomous Database customers can assign a private IP address and a private hostname to their database in their VCN. This disables the public endpoint for the database, ensuring that clients can’t access the database from the public internet.

    Learn more about using Private Endpoint for Autonomous Database with shared Exadata Infrastructure

  • Establish secure connectivity via Private Endpoint to set up and use OCI External KMS

    OCI Vault stores and manages encryption keys used to protect your data in OCI. With OCI External Key Management Service (KMS), you can encrypt data in OCI using encryption keys that are managed in a third-party key management system. Customers with regulatory requirements to store encryption keys on-premises or outside OCI can now do so while migrating their applications to OCI.

    Learn more about using Private Endpoint for OCI External KMS

Need private connectivity to multiple OCI services?

Oracle also offers private connectivity to multiple OCI services, simultaneously, from customers’ OCI VCN or on-premises network with Oracle Service Gateway.

Resources

Get started with OCI Private Endpoint


Oracle Cloud Free Tier

Build, test, and deploy applications on Oracle Cloud—for free. Sign up once, get access to two free offers.


Cloud Training—Oracle Cloud Infrastructure

Explore cloud training resources with Oracle Cloud Infrastructure training videos, self-paced learning labs, and certifications.


Explore Oracle Cloud Infrastructure

Oracle Cloud Infrastructure combines the elasticity and utility of the public cloud with the control, security, performance, and predictability of on-premises computing environments.