
Best Practices from Oracle Development's A‑Team

Connecting securely from Oracle Integration to Autonomous Database using a network access list

Shreenidhi Raghuram
Consulting Solutions Architect

Introduction

Many integration use cases require the use of Autonomous Database (ADB) as the parking lot datastore for Oracle Integration.

Oracle Integration provides several options to connect to ADB. The Oracle Integration documentation table "Cloud Database Connectivity Support" summarizes these options.

Options

In summary,

  • Connecting to ADB Dedicated instances (ADB-D) and to an ADB Shared private endpoint database requires an OIC connectivity agent.
  • Connecting to an ADB Shared Infrastructure (ADB-S) database uses JDBC over SSL and provides direct connectivity using a wallet.

Note that the second mode does not require a connectivity agent to be deployed. Oracle Integration connects using JDBC over SSL directly to the ADB-S public endpoint in this case.

OIC to Autonomous database connectivity options

  Direct Connectivity (JDBC over SSL)    Using Connectivity Agent
  ADB shared infrastructure (ADB-S)      ADB-S private endpoint
                                         ADB Dedicated (ADB-D)
                                         DBCS

Use case

Certain organizations' security requirements or use cases may mandate that database network traffic only traverse a private endpoint within a VCN. These use cases will need the ADB Dedicated or ADB Shared private endpoint databases, and Oracle Integration requires the connectivity agent to be deployed in the ADB VCN for these modes.

However, when Autonomous Database is used as a parking lot datastore or as an internal application database, there may be no need for a private endpoint or dedicated infrastructure. Here the performance of direct connectivity is very desirable, as is eliminating the additional touchpoint of the connectivity agent and its associated infrastructure.

This is where the ADB Network Access Control List (ACL) feature comes in handy when used with Autonomous Database Shared Infrastructure!

The ADB network access control list provides an additional layer of security for ADB-S by filtering inbound traffic to ADB based on the source IP address, CIDR range, VCN name or VCN OCID.

The figure below shows the network access options available for configuration on ADB.

For the parking lot datastore use case mentioned above, the network access list can be used to restrict requests to those originating from Oracle Integration only.

When ADB and OIC reside within the same OCI region, the network traffic goes over the OCI backbone and does not traverse the public internet.

In this case it is ideal to configure the network access list using the VCN OCID of the Oracle Integration instance.

The figure below shows the ADB-S network ACL in action. Once configured, the database rejects connections from any source that is not in the allowed ACL list.

Additionally, if ADB and OIC reside in different OCI regions, configure the network access list with the OIC NAT Gateway IP address (egress IP address) so that only requests from the cross-region Oracle Integration instance are accepted.


Autonomous Network Access list options for OIC

  Scenario                                  ADB Network Access
  ADB-S and OIC in same OCI region          Oracle Integration VCN OCID*
  ADB-S and OIC in different OCI regions    Oracle Integration Egress IP Address*

*Create a Service Request on Oracle Integration Cloud to obtain the values of the OIC VCN OCID or the NAT Gateway IP address (egress IP address) for your Integration Cloud instance.
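The region rule from the table above, as an added example that is not part of the original post: it picks the ACL entry for the OIC caller (VCN OCID when OIC and ADB-S share a region, NAT gateway egress IP otherwise), sanity-checks the value, and shows how the resulting list is pushed with the OCI Python SDK. The region names, OCID and IP address used in the sample are constructed placeholders; the real OCID and egress IP come from the Service Request described above.

```python
"""Build and apply the ADB-S network ACL entries that admit Oracle Integration."""
import ipaddress
from typing import List


def build_oic_acl_entries(oic_region: str, adb_region: str,
                          oic_vcn_ocid: str, oic_egress_ip: str) -> List[str]:
    """Return the whitelisted_ips list for the ADB-S ACL.

    Same region: traffic stays on the OCI backbone, so the OIC VCN OCID is the
    tightest filter. Different regions: ADB only sees the OIC NAT gateway
    egress IP, so that address is the filter instead.
    """
    if oic_region.lower() == adb_region.lower():
        if not oic_vcn_ocid.startswith("ocid1.vcn."):
            raise ValueError(f"not a VCN OCID: {oic_vcn_ocid}")
        return [oic_vcn_ocid]
    addr = ipaddress.ip_address(oic_egress_ip)  # raises on malformed input
    # A NAT gateway egress address is a routable host address; reject values
    # that can never be a valid source for cross-region traffic.
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"not a usable egress IP: {oic_egress_ip}")
    return [str(addr)]


def apply_acl(adb_ocid: str, entries: List[str]) -> None:
    """Replace the ADB ACL with `entries` using the OCI SDK (needs ~/.oci/config)."""
    import oci  # imported lazily so build_oic_acl_entries runs without the SDK
    client = oci.database.DatabaseClient(oci.config.from_file())
    details = oci.database.models.UpdateAutonomousDatabaseDetails(whitelisted_ips=entries)
    client.update_autonomous_database(adb_ocid, details)


if __name__ == "__main__":
    # Constructed sample values; substitute the ones from your Service Request.
    entries = build_oic_acl_entries("us-ashburn-1", "us-ashburn-1",
                                    "ocid1.vcn.oc1.iad.EXAMPLE", "203.0.113.10")
    print(entries)  # same region -> ['ocid1.vcn.oc1.iad.EXAMPLE']
    # apply_acl("ocid1.autonomousdatabase.oc1.iad.EXAMPLE", entries)
```

Setting whitelisted_ips replaces the whole ACL, so include every other permitted source in the list before applying it.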

Conclusion:

In this blog, we learnt about restricting requests to Autonomous Database using a network access list. Specifically, we also saw how this is useful when connecting from Oracle Integration to Autonomous Database, which serves a variety of use cases.
