Many integration use cases require Autonomous Database (ADB) as a parking lot datastore for Oracle Integration.
Oracle Integration provides several options to connect to ADB. The table below, taken from the Oracle Integration documentation, summarizes these options.
Cloud Database Connectivity Support

| Database | Connection mode | Connectivity agent |
|---|---|---|
| ADB shared infrastructure (ADB-S), public endpoint | JDBC over SSL, direct | Not required |
| ADB-S private endpoint | Via connectivity agent in the ADB VCN | Required |
| ADB Dedicated (ADB-D) | Via connectivity agent in the ADB VCN | Required |

Note that the JDBC over SSL mode does not require a connectivity agent to be deployed: Oracle Integration connects directly to the ADB-S public endpoint over SSL.
Certain organizations' security requirements or use cases may mandate that database network traffic only traverse a private endpoint within a VCN. These use cases will need ADB Dedicated or an ADB-S private endpoint database, and Oracle Integration requires the connectivity agent to be deployed in the ADB VCN for these modes.
However, when Autonomous Database is used as a parking lot datastore or as an internal application database, there may be no need for a private endpoint or dedicated infrastructure. Here the performance of direct connectivity is desirable, as is eliminating the connectivity agent and its associated infrastructure as an additional touchpoint.
This is when the ADB Network Access Control List (ACL) feature comes in handy with Autonomous Database shared infrastructure!
The ADB Network Access Control List adds a layer of security to ADB-S by filtering inbound traffic to the database based on the source IP address, CIDR range, VCN name or VCN OCID.
Figure: the network access options available when configuring ADB.
For the parking lot datastore use case described above, the network access list can be used to restrict requests to those originating from Oracle Integration only.
When ADB and OIC reside within the same OCI region, the network traffic goes over the OCI backbone and does not traverse the public internet.
In this case it is ideal to configure the network access list using the VCN OCID of Oracle Integration instance.
Figure: the ADB-S network ACL in action. Once configured, the database rejects connections from any source not on the allowed ACL list.
Additionally, if ADB and OIC reside in different OCI regions, configure the OIC NAT Gateway IP address (egress IP address) on the network access list so that only requests from the cross-region Oracle Integration instance are accepted.
| Deployment | ADB Network Access ACL entry |
|---|---|
| ADB-S and OIC in same OCI region | Oracle Integration VCN OCID* |
| ADB-S and OIC in different OCI regions | Oracle Integration Egress IP Address* |
*Create a Service Request on Oracle Integration Cloud to obtain the OIC VCN OCID or the NAT Gateway IP address (egress IP address) for your Integration Cloud instance.
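The two ACL choices above (VCN OCID for same-region, egress IP for cross-region), as an added example that is not part of the original post. It validates entries in the format ADB's network ACL accepts (IP, CIDR, or VCN OCID optionally followed by `;`-separated IPs/CIDRs) and pushes them with the OCI Python SDK; the OCIDs and IP are constructed placeholders for the values obtained via the service request, and the `apply_acl` call assumes a configured `~/.oci/config`.

```python
import ipaddress
import re

# Constructed placeholders for the values the OIC service request returns.
OIC_VCN_OCID = "ocid1.vcn.oc1.iad.aaaaaaaa-example-oic-vcn"
OIC_EGRESS_IP = "203.0.113.10"

# A VCN OCID, optionally followed by ';'-separated IPs/CIDRs that narrow
# the allowed sources within that VCN (the whitelistedIps entry format).
_VCN_RE = re.compile(r"^ocid1\.vcn\.oc1\.[^;]+(;.+)?$")


def _is_ip_or_cidr(value: str) -> bool:
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def validate_acl_entry(entry: str) -> str:
    """Return the entry if it is an IP, CIDR, or VCN OCID (with optional
    ';'-separated IP/CIDR list); raise ValueError for anything else, so a
    hostname or a typo never silently opens the database."""
    entry = entry.strip()
    if _is_ip_or_cidr(entry):
        return entry
    if _VCN_RE.match(entry):
        extras = entry.split(";")[1:]
        if all(_is_ip_or_cidr(x) for x in extras):
            return entry
    raise ValueError(f"invalid ADB network ACL entry: {entry!r}")


def build_acl(same_region: bool) -> list[str]:
    """ACL that admits only Oracle Integration: the OIC VCN OCID when OIC
    is in the same region as ADB-S, the OIC egress IP when cross-region."""
    source = OIC_VCN_OCID if same_region else OIC_EGRESS_IP
    return [validate_acl_entry(source)]


def apply_acl(adb_ocid: str, acl: list[str]) -> None:
    """Replace the ADB-S network ACL using the OCI Python SDK.
    Imported lazily so validation above runs without the SDK installed."""
    import oci  # pip install oci; reads ~/.oci/config
    client = oci.database.DatabaseClient(oci.config.from_file())
    details = oci.database.models.UpdateAutonomousDatabaseDetails(whitelisted_ips=acl)
    client.update_autonomous_database(adb_ocid, details)
```

Because `whitelisted_ips` replaces the whole list, review the resulting ACL after the update to confirm only the intended Oracle Integration source remains.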
In this blog, we learnt how to restrict requests to Autonomous Database using the network access list. Specifically, we saw how this is useful when connecting Oracle Integration to Autonomous Database, which serves a variety of use cases.