Oracle AI Data Platform (AIDP) is Oracle’s managed platform for building and operating end-to-end data and AI workloads on Oracle Cloud Infrastructure (OCI). It brings together the core capabilities teams typically stitch together themselves—data access, transformation/ETL, governance/metadata, and scalable compute for analytics and machine learning—into a single, enterprise-ready environment.
In many cases, customers need to keep data movement off the public internet, control how platform services reach internal systems, and integrate with existing network and identity controls.
Teams can use AIDP private endpoint networking to run Spark and notebook workloads while keeping data access private, policy-controlled, and off the public internet. This bridges AIDP to enterprise data across OCI VCNs, on-prem systems (for example, EBS on Exadata), and other clouds (for example, Azure), which helps meet strict security and compliance requirements, reduces integration friction, and shortens time-to-value for data engineering and AI outcomes.
This post explains how to set up private endpoint networking for Oracle AI Data Platform (AIDP). It is for software developers and solution architects who need private, secure connections for data workloads.
Why Private Connectivity?
A customer is moving ETL workloads from Informatica running on-premises and Oracle Cloud (OCI) to AIDP. They need to blend data across Oracle Fusion, on-prem EBS (Exadata), FDI, and Azure Databricks. The goal is to connect to the Azure Lakehouse and make data available using Spark and Python notebooks. Security is strict—the customer wants to avoid any internet traffic.
Networking Setup
- The customer does not want data flowing over the public internet.
- Two main options:
  - FastConnect: better bandwidth, more reliable.
  - VPN: good for testing, secure, but slower and less stable.
- To check connectivity, place a VM in the OCI subnet where the AIDP private endpoint will be configured, and test access from it to Azure Blob Storage and on-prem EBS.
- Always run simple network tests (IP reachability), then check DNS before setting up AIDP.
Private Endpoint (PE) Details
- AIDP uses a “reverse” private endpoint model. PE allows AIDP to reach into your private network.
- PE creates a VNIC in a dedicated subnet you provide.
- Reserve at least eight IP addresses in this subnet (three are used by the AIDP PE).
- The subnet is the entry point for AIDP to access private resources.
- This is different from services like Autonomous Database, where private endpoint provides access to Oracle services.
- You will not see the exact private IPs for the AIDP PE. For firewall rules, allow the full subnet CIDR block.
- If AIDP needs outbound internet access (some Azure services require it), routes from the PE subnet can go through a NAT Gateway.
DNS Requirements
- PE does not support direct IP addresses. You must use DNS hostnames.
- Make sure your DNS resolver in the subnet can resolve all required names (Azure, on-prem).
- Without DNS, PE will fail.
Firewall and Routing
- Set up egress firewall rules:
  - Source: the subnet (CIDR block) you gave AIDP.
  - Destination: the target resource and its port (for example, port 443 for Azure Blob).
  - Use “any” source port.
  - Allow return traffic using stateful rules.
- Check firewall and routing settings on both OCI and Azure/on-prem sides.
- Always test routes using a VM in the target subnet before enabling AIDP.
- If you use a DRG (Dynamic Routing Gateway), set up correct transit and routing rules.
Exadata/EBS On-Prem Connectivity
- Confirm the Exadata scan listener for the database where the EBS data is hosted.
- If using TCPS (TLS/SSL):
  - PE only supports “DNS redirect” mode, NOT “IP redirect.”
  - Most Exadata installs default to IP redirect. If you hit problems, work with IT to change the setting.
- If using unencrypted TCP, PE can handle IP redirect.
- Access direction is always OCI (AIDP) to on-prem, and never the reverse.
- Use the External Catalog for direct connections.
AIDP Access Limitations
- Right now, all access to AIDP is public. There is no private endpoint to connect to AIDP notebooks.
- You can restrict user access by creating network source policies in your tenancy.
- Users must reach AIDP over the public internet, even if data connections are private.
Testing Steps
- Set up VPN or FastConnect between OCI and Azure/on-prem.
- Create a dedicated OCI subnet for the AIDP private endpoint, reserve at least eight IPs.
- Place a simple VM in the subnet.
- Test direct IP connectivity to Azure and on-prem.
- Test DNS lookups from the VM.
- Validate firewall and routing rules.
- After all checks succeed, provision the AIDP private workspace and run AIDP tests.
- Note: PE supports up to 8 Gbps per connection. If you hit a bandwidth wall, contact Oracle Networking.
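As an added example (not code from the original post), a Python preflight checker to run from the test VM that applies the checks above in the same order: each target must be a DNS hostname (PE rejects raw IPs), the subnet resolver must resolve it, and the port must accept a TCP connection through the egress rules and routes. The hostnames and the 2484 TCPS port are constructed placeholders; only port 443 for Azure Blob comes from the post.

```python
import ipaddress
import socket
from dataclasses import dataclass, field

# Constructed sample targets, not from the post: an Azure Blob account and an
# on-prem Exadata SCAN name. Port 2484 (TCPS) is assumed; 443 is from the post.
TARGETS = {
    "azure-blob": ("examplestorage.blob.core.windows.net", 443),
    "ebs-exadata": ("ebs-scan.corp.example", 2484),
}

@dataclass
class CheckResult:
    target: str
    host: str
    port: int
    is_hostname: bool = False                     # PE rejects raw IP literals
    resolved: list = field(default_factory=list)  # what the subnet resolver returned
    reachable: bool = False                       # TCP connect succeeded
    error: str = ""

    @property
    def ok(self) -> bool:
        return self.is_hostname and bool(self.resolved) and self.reachable

def check_target(name: str, host: str, port: int, timeout: float = 3.0) -> CheckResult:
    # Same order as the post: hostname form, then DNS, then TCP reachability.
    r = CheckResult(name, host, port)
    try:
        ipaddress.ip_address(host)  # parses cleanly only for an IPv4/IPv6 literal
        r.error = "PE requires a DNS hostname, not an IP address"
        return r
    except ValueError:
        r.is_hostname = True
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        r.resolved = sorted({ai[4][0] for ai in infos})
    except socket.gaierror as e:
        r.error = f"DNS resolution failed: {e}"
        return r
    try:
        with socket.create_connection((host, port), timeout=timeout):
            r.reachable = True
    except OSError as e:  # refused or timed out: usually a missing egress rule or route
        r.error = f"TCP connect to port {port} failed: {e}"
    return r

def run_preflight(targets=TARGETS, timeout: float = 3.0) -> dict:
    # Every target must report ok before provisioning the AIDP private workspace.
    return {n: check_target(n, h, p, timeout) for n, (h, p) in targets.items()}
```

Any target that fails on the hostname check must be re-specified by DNS name before it can be used from the PE at all; a DNS or TCP failure points at the resolver, egress rule, or route for that target.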
Key Reminders
- Prefer FastConnect for production. Use VPN for testing or fallback.
- Test network, DNS, and firewall setup with a VM before enabling AIDP.
- Prepare subnet and firewall settings before you start.
- For Exadata/EBS, check protocol and scan listener mode.
- All AIDP access is outbound to customer resources, never inbound from customers.
- At least eight IPs needed for the private endpoint subnet.
- For higher bandwidth, talk to your Oracle contact.
- Always review and complete the network and DNS checklist first.
If you have questions or hit problems, ask the networking team. Fixing these issues early can prevent delays.
