In the beginning i would like to take the time and say "Thank you!" to my colleague Ionut N for helping me during the tests (We spent a long Friday late night together).
This article will focus on connecting to an ADW database hosted on a VCN (Private Endpoint) from the networking perspective. It will explain some ways of solving the networking challenges around the private ADW, but for sure will not cover all the scenarios.
The end-result would be to have access to the Database from on-premises via a private connections and access to APEX from the Internet.
Once the ADW is provisioned, it will have only a private IP address and a Private Endpoint URL:
By default, you need to be in the same VCN in order to be able to access the ADW. The VM will use the VCN resolver to resolve the hostname of the private URL.
In order to replicate the private connection from on-premises to OCI, I created a Linux VM in OCI, installed libreswan, configure it to be a remote access VPN (you can follow this blog) and i connected to the VPN from my Windows laptop (you can configure this by following this blog).
The IP address on the VPN interface of the Libreswan is 192.168.11.1.
The IP address of the client is 192.168.11.24.
On the Customer, there is a route for the 192.168.33.0/24 pointing to the 192.168.11.1.
In the routing table from the VCN, there should be an entry for the 192.168.11.0/24 pointing to the private IP address of the Libreswan.
There are two possible configurations to resolve this challenge: configure an entry in the hosts file of the client or configure hybrid-DNS in the VCN.
On every clients that needs to access the ADW, edit the hosts file.
This method is very easy to implement, but if the records change, it is difficult to update all the customers with the new IP addresses.
The VCN resolver responsible with the name resolution of the oraclecloud.com addresses is a link local IPv4 ip address (169.254.169.254) and it will not be forwarded beyond the VCN segment. To overcome this, a VM in OCI will be configured and on it, a dns server needs to be setup.
For this article, the dns server will reside also on the Libreswan VM.
A small DNS-server that can be used, is DNSMASQ. This server will respond for the entries in it's host file and for the rest will forwards the query to the DNS servers configured in the /etc/resolv.conf. In order to prove the functionality of the server, an entry will be added to his host file and the client will try to query it.
Follow the official documentation to setup SQL Developer.
Do a test on the connection and if you receive "Success", the connectivity to the DB works.
By Default on a private ADW, APEX is only accessible from the VCN.
If we access the APEX link from the Internet, we will receive the following error.
To access it from the Internet, a Public LoadBalancer will be used.
The LB has a TCP listener on port 443, as a backend-server we will configure the ADW IP address and as health-checks we will use TCP-443.
We need to create an entry in the hosts file for the APEX host-name that points to the Public IP address of the LB.
Now we can access APEX.
In this post I showed the configuration needed for connecting to a private ADW from on-premises and connectivity to the APEX from Internet.