Validated January 29, 2020 with OAC 5.9
Oracle Analytics Cloud (OAC) instances may now be enabled with a private access channel (PAC) to reach private data sources.
Private Access Channel complements Remote Data Gateway (RDG) and provides an alternative to it for the private data sources PAC supports. Both PAC and RDG may be used within the same instance of OAC.
This post is a step-by-step guide for connecting to a private single-instance Oracle database using PAC from a public or private OAC instance.
A future post will describe connecting to multi-instance databases.
This is one of the posts listed in the OAC Private Access Series.
Before You Begin
Updating PAC with the Data Source Domain
Connecting OAC to the Data Source using PAC
Ensure the data source is supported by PAC. All names and addresses used in this post are examples only.
User accounts in OCI tenancies for managing Analytics and Networking components.
A user account in a PAC-enabled OAC instance with the necessary roles for creating connections, uploading wallets, replacing data models, etc.
PAC is enabled in the OAC instance. Refer to Enabling Oracle Analytics Cloud Private Access Channel if necessary.
If your data source resides in the same VCN as the OAC PAC, jump to the section on Access Control below.
PAC requires the use of the Domain Name System (DNS). DNS provides a worldwide, distributed directory service for translating a fully qualified domain name (FQDN) to its associated numerical IP address.
Note: PAC Connections created in OAC must use a FQDN and not an IP address.
Refer here for a post describing various DNS scenarios and the components necessary to resolve your data source's FQDN.
A networking gateway is required to connect to a source residing outside of the Virtual Cloud Network (VCN) hosting OAC PAC.
Refer here for a post describing various gateway scenarios and the components necessary to resolve your data source's FQDN and to reach the translated IP addresses.
The DNS section above provides the access control requirements for DNS if required. The Networking Gateways section above provides guidance for routing rules to both the DNS resolver and the data source if required.
What remains are the access control rules for OAC and the data source. In the examples below the access rules are moderately restrictive and applied at the subnet level. The DB is assumed to be listening on port 1521.
Create an OAC egress rule in a new or existing security list for access to the data source. Ensure the security list is attached to the OAC subnet.
Create a DB ingress rule in a new or existing security list for access from OAC. Ensure the security list is attached to the DB subnet.
SECURITY LIST | VCN | CIDR | PROTOCOL | PORT | ATTACHED TO | NOTE |
---|---|---|---|---|---|---|
VCN1-OAC-SL | VCN1 | DESTINATION: 10.10.10.32/27 | TCP | 1521 | VCN1-OAC-SN | Egress to Data Source Subnet |
VCN1-DB-SL | VCN1 | SOURCE: 10.10.10.0/27 | TCP | 1521 | VCN1-DB-SN | Ingress from OAC Subnet |
The diagram below depicts the simplest scenario where OAC and the data source reside in the same VCN.
Note: Updating PAC renders OAC inaccessible for a short period of time. Plan the update accordingly.
In the OCI Console, navigate to Analytics > Analytics Cloud.
Select the Compartment containing a PAC-enabled OAC.
Click the Instance Name to be updated.
Under Resources click Private Access Channel
Click the Private Access Channel Name
Click Edit Private Sources
Click + Add DNS Zone
Complete the DNS Zone dialog
Note: The DNS zone may either be the data source's FQDN or a parent domain of the FQDN. e.g. a domain such as < your subnet >.< your VCN >.com is the parent of < your DB host>.< your subnet >.< your VCN >.com
Entering a parent domain enables all DBs in the domain to be accessed by PAC. The example screen below shows both.
Enter the DNS Zone
Optionally enter a Description
Click Save Changes
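The pre-flight check below is an added example, not part of the original post or of any Oracle tooling. It tests a planned connection against the three requirements described above: the host is an FQDN rather than an IP address, the FQDN falls under a registered DNS zone, and the security list rules from the example table cover port 1521 in both directions. The zone name, the host addresses and all function names are assumptions, and matching a parent domain label by label is how this sketch models a DNS zone, not documented OAC behavior.

```python
import ipaddress

# Constructed sample data mirroring this post's example table; the zone name is hypothetical.
PAC_DNS_ZONES = ["dbsubnet.vcn1.com"]
OAC_EGRESS = [{"cidr": "10.10.10.32/27", "protocol": "TCP", "port": 1521}]  # VCN1-OAC-SL
DB_INGRESS = [{"cidr": "10.10.10.0/27", "protocol": "TCP", "port": 1521}]   # VCN1-DB-SL


def is_ip_literal(host):
    """True when the connection host is an IPv4/IPv6 literal instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_zone(fqdn, zone):
    """True when zone equals fqdn or is a parent domain, compared label by label."""
    f = fqdn.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(f) >= len(z) and f[-len(z):] == z


def rule_allows(rules, ip, port):
    """True when any TCP rule covers both the address and the port."""
    addr = ipaddress.ip_address(ip)
    return any(r["protocol"] == "TCP" and r["port"] == port
               and addr in ipaddress.ip_network(r["cidr"]) for r in rules)


def preflight(host, db_ip, oac_ip, port=1521):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if is_ip_literal(host):
        problems.append("host is an IP address; PAC connections need an FQDN")
    elif not any(in_zone(host, z) for z in PAC_DNS_ZONES):
        problems.append("FQDN is not covered by a registered PAC DNS zone")
    if not rule_allows(OAC_EGRESS, db_ip, port):
        problems.append("OAC egress rule does not cover the DB address and port")
    if not rule_allows(DB_INGRESS, oac_ip, port):
        problems.append("DB ingress rule does not cover the OAC address and port")
    return problems


if __name__ == "__main__":
    print(preflight("db1.dbsubnet.vcn1.com", "10.10.10.40", "10.10.10.5"))
```

Because the comparison is per label, a host such as `db1.xdbsubnet.vcn1.com` is not treated as part of the `dbsubnet.vcn1.com` zone, which a plain string suffix test would get wrong.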
Connect to OAC using your browser:
https://< your-prefix >.analytics.ocp.oraclecloud.com/ui
Create a connection in OAC as you would for a public DB. Be sure to use the DB's FQDN and not its IP address.
Click Create in the upper right of the home page and click Connection.
Click the Connection Type
Complete the dialog:
Be sure to leave Remote Data Connectivity unchecked.
Click Save
Below is an example using a private database.
Create a connection pool in the RPD as you would for a public DB. Be sure to use the DB's FQDN and not its IP address. As with a public ADW, upload the ADW wallet and publish / replace the data model.
Below is an example of a connection pool for a private Autonomous Data Warehouse.
This post provided a step-by-step guide for connecting to a private data source using PAC within a public or private OAC instance.
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley