Best Practices from Oracle Development's A‑Team

Connecting to Private Data Sources using Oracle Analytics Cloud Private Access Channel

Validated January 29, 2020 with OAC 5.9


Oracle Analytics Cloud (OAC) instances may now be enabled with a private access channel (PAC) to reach private data sources.

Private Access Channel compliments and provides an alternative to Remote Data Gateway (RDG) for the private data sources it supports. Both PAC and RDG may be used within the same instance of OAC.

This post is a step-by-step guide for connecting to a private single-instance Oracle database using PAC from a public or private OAC instance. 

A future post will describe connecting to multi-instance databases.

This is one of the post listed in the OAC Private Access Series.


January 29, 2020 with OAC 5.9


Before You Begin

Updating PAC with the Data Source Domain

Connecting OAC to the Data Source using PAC

 Before You Begin and Assumptions

Ensure the data source is supported using PAC. All names and addresses used in this post are for examples only.


User accounts in OCI tenancies for managing Analytics and Networking components.

A user account in a PAC-enabled OAC instance with the necessary roles for creating connections, uploading wallets, replacing data models, etc.


PAC is enabled in the OAC instance. Refer to Enabling Oracle Analytics Cloud Private Access Channel if necessary.

Private OAC Enabled State

Public OAC Enabled State


If your data source resides in the same VCN as the OAC PAC, jump to the section on Access Control below.

Domain Name System

PAC requires the use of the Domain Name System (DNS). DNS provides a worldwide, distributed directory service for translating a fully qualified domain name (FQDN) to its associated numerical IP address.

Note: PAC Connections created in OAC must use a FQDN and not an IP address.

Refer here for a post describing various DNS scenarios and the components necessary to resolve your data source's FQDN.

Networking Gateways

A networking gateway is required to connect to a source residing outside of the Virtual Cloud Network (VCN) hosting OAC PAC.

Refer here for a post describing various gateway scenarios and the components necessary to resolve your data source's FQDN and to reach the translated IP addresses.

Access Control

The DNS section above provides the access control requirements for DNS if required. The Networking Gateways section above provides guidance for routing rules to both the DNS resolver and the data source if required.

What remains are the access control rules for OAC and the data source. In the examples below the access rules are moderately restrictive and applied at the subnet level. The DB is assumed to be listening on port 1521.

Create an OAC egress rule in a new or existing security list for access to the data source. Ensure the security list is attached to the OAC subnet.

Create an DB ingress rule in a new or existing security list for access from OAC. Ensure the security list is attached to the DB subnet.

VCN1-OAC-SL VCN1 DESTINATION: TCP 1521 VCN1-OAC-SN Egress to Data Source Subnet
VCN1-DB-SL VCN1 SOURCE: TCP 1521 VCN1-DB-SN Ingress from OAC Subnet


The diagram below depicts the simplest scenario where OAC and the data source reside in the same VCN.

 Updating PAC with the Data Source Domain

Note: Updating PAC renders OAC inaccessible for a short period of time. Plan the update accordingly.

In the OCI Console, navigate to Analytics > Analytics Cloud. 

Select the Compartment containing a PAC-enabled OAC.
Click the Instance Name to be updated.
Under Resources click Private Access Channel
Click the Private Access Channel Name
Click Edit Private Sources
Click + Add DNS Zone

Complete the DNS Zone dialog

Note: The DNS zone may either be the data source's FQDN or a parent domain of the FQDN. e.g. a domain such as < your subnet >.< your VCN >.com is the parent of < your DB host>.< your subnet >.< your VCN >.com

Entering a parent domain enables all DBs in the domain to be accessed by PAC. The example screen below shows both.

Enter the DNS Zone
Optionally enter a Description
Click Save Changes

 Connecting OAC PAC to the Data Source

Connect to OAC using your browser:
      https://< your-prefix >.analytics.ocp.oraclecloud.com/ui 

Data Visualization Connections

Create a connection in OAC as you would for a public DB. Ensure to use the DB's FQDN and not it's IP address.

Click Create in the upper right of the home page and click Connection.
Click the Connection Type

Complete the dialog:
        Ensure to leave Remote Data Connectivity unchecked
        Click Save

Below is an example using a private database.

Semantic Model (RPD) Connections

Create a connection pool in the RPD as you would for a public DB. Ensure to use the DB's FQDN and not it's IP address. As with a public ADW, upload the ADW wallet and publish / replace the data model.

Below is an example of a connection pool for a private Autonomous Data Warehouse.



This post provided a step-by-step guide for connecting to a private data source using PAC within a public or private OAC instance.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley


Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha