Oracle AI Data Platform (AIDP) is Oracle’s managed platform for building and operating end-to-end data and AI workloads on Oracle Cloud Infrastructure (OCI). It brings together the core capabilities teams typically stitch together themselves—data access, transformation/ETL, governance/metadata, and scalable compute for analytics and machine learning—into a single, enterprise-ready environment.
In many cases, customers need to keep data movement off the public internet, control how platform services reach internal systems, and integrate with existing network and identity controls.
AIDP private endpoint networking lets Spark and notebook workloads reach enterprise data while keeping that access private, policy-controlled, and off the public internet. It bridges AIDP to data across OCI VCNs, on-premises systems (for example, EBS on Exadata), and other clouds (for example, Azure), which helps meet strict security and compliance requirements, reduces integration friction, and shortens time to value.
This post explains the high-level considerations for setting up private endpoint networking for Oracle AI Data Platform (AIDP). Step-by-step instructions for private connectivity to Oracle Databases (ADB, Exadata, DBaaS, on-premises databases) are in the companion post: AIDP Private Workspace connectivity to Oracle Databases.
Why Private Connectivity?
Companies with strict security policies often cannot allow data traffic to traverse the public internet. Private connectivity keeps the data path inside the company's own subnets and the private links (FastConnect or VPN) that join them, so exposure is governed by routing and firewall rules you control rather than by public endpoints.
Networking Setup
- Two main options for connecting OCI to on-prem or another cloud:
  - FastConnect: higher bandwidth and more reliable; preferred for production.
  - VPN (IPSec over the internet): fine for testing, encrypted in transit, but slower and less stable.
- To check connectivity, place a test VM in the OCI subnet where the AIDP private endpoint will be configured.
- From that VM, test access to your enterprise data sources (for example, Azure Blob Storage or on-prem EBS).
- Always run basic network tests first (IP reachability, then a TCP connection to the service port), then check DNS, before setting up AIDP. A name that resolves from your laptop but not from the test VM is a resolver problem, not an AIDP problem.
Private Endpoint (PE) Details
- AIDP uses a “reverse” private endpoint model: the PE lets AIDP reach into your private network, not the other way around.
- The PE creates a VNIC in a dedicated subnet that you provide.
- Reserve at least eight IP addresses in this subnet (three are used by the AIDP PE itself).
- The subnet is the entry point for AIDP to access private resources.
- This is the opposite of services such as Autonomous Database, where the private endpoint gives your network access to the Oracle service.
- You will not see the exact private IPs assigned to the AIDP PE, so firewall rules must allow the full subnet CIDR block as the source rather than individual addresses.
- If a target requires outbound internet access (some Azure services are reached through public endpoints), route that traffic from the PE subnet through a NAT Gateway.
DNS Requirements
- Make sure the DNS resolver used by the PE subnet can resolve every name AIDP will connect to (Azure endpoints, on-prem hostnames, Exadata SCAN names). In OCI this typically means forwarding rules on the VCN's private resolver for the on-prem or Azure zones; verify them from the test VM, not from a workstation.
Firewall and Routing
- Set up egress firewall rules:
  - Source: the subnet CIDR block you gave AIDP.
  - Source port: any (the PE uses ephemeral source ports).
  - Destination: the target resource and its port (for example, TCP 443 for Azure Blob, or the Oracle listener port, 1521 by default).
  - Make the rules stateful so return traffic is allowed automatically.
- Check firewall and routing settings on both the OCI side and the Azure/on-prem side; a rule that is correct on one end is still blocked by a missing rule on the other.
- Always test routes using a VM in the PE subnet before enabling AIDP.
- If a DRG (Dynamic Routing Gateway) connects the VCN to on-prem or Azure, configure the DRG route tables and attachments so traffic from the PE subnet transits correctly.
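As an added worked example (not part of the original post, and not an Oracle API), the following Python builds the egress rule set the list above prescribes and flags rule sets that would silently fail: a rule whose source is a single guessed PE address instead of the whole subnet CIDR (the PE's addresses are not visible to you), or a stateless rule that would drop return traffic. `EgressRule` and `Target` are this example's own types, and every CIDR, name and port is constructed.

```python
"""Egress-rule sanity check for an AIDP private-endpoint (PE) subnet.

Added example, not code from the original post or from Oracle. EgressRule and
Target are this example's own data types (not an OCI API), and every CIDR,
hostname and port below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

ANY_PORT = "any"


@dataclass(frozen=True)
class Target:
    name: str
    dest: str   # destination network in CIDR form (a single host is a /32)
    port: int   # TCP port AIDP must reach


@dataclass(frozen=True)
class EgressRule:
    source: str               # source network the firewall matches on
    source_port: str          # "any" or a port/range
    dest: str                 # destination network
    dest_port: int
    stateful: bool = True     # stateful rules admit the return traffic automatically


def required_rules(pe_subnet: str, targets: Iterable[Target]) -> List[EgressRule]:
    """The rule set the post prescribes: source = entire PE subnet CIDR
    (the PE's actual addresses are not visible to you), any source port,
    one stateful rule per target and port."""
    pe = ipaddress.ip_network(pe_subnet)
    return [EgressRule(str(pe), ANY_PORT, str(ipaddress.ip_network(t.dest)), t.port)
            for t in targets]


def rule_covers(rule: EgressRule, pe_subnet: str, target: Target) -> bool:
    """True if this rule lets traffic from anywhere in the PE subnet reach the target.

    Because the PE's VNIC addresses are unknown, the rule's source must contain
    the whole PE subnet; a rule written for a guessed /32 does not count."""
    pe = ipaddress.ip_network(pe_subnet)
    src = ipaddress.ip_network(rule.source)
    dst = ipaddress.ip_network(rule.dest)
    tgt = ipaddress.ip_network(target.dest)
    return (pe.subnet_of(src)
            and rule.source_port == ANY_PORT
            and tgt.subnet_of(dst)
            and rule.dest_port == target.port
            and rule.stateful)


def uncovered_targets(rules: Iterable[EgressRule], pe_subnet: str,
                      targets: Iterable[Target]) -> List[Target]:
    """Targets that no rule in the set reaches; an empty list means the set is complete."""
    rules = list(rules)
    return [t for t in targets if not any(rule_covers(r, pe_subnet, t) for r in rules)]


# Constructed sample data: PE subnet and two private destinations.
PE_SUBNET = "10.0.5.0/28"
SAMPLE_TARGETS = [
    Target("azure-blob", "203.0.113.0/24", 443),     # TEST-NET-3, stands in for Azure Blob endpoints
    Target("exadata-scan", "10.200.1.10/32", 1521),  # hypothetical on-prem SCAN address
]

# A rule set that looks plausible but fails: the Azure rule's source is one guessed
# PE address, and the Exadata rule is stateless, so return traffic would be dropped.
BROKEN_RULES = [
    EgressRule("10.0.5.4/32", ANY_PORT, "203.0.113.0/24", 443),
    EgressRule(PE_SUBNET, ANY_PORT, "10.200.1.10/32", 1521, stateful=False),
]

if __name__ == "__main__":
    for r in required_rules(PE_SUBNET, SAMPLE_TARGETS):
        print(f"allow tcp src {r.source} sport {r.source_port} -> dst {r.dest} dport {r.dest_port} (stateful)")
    missing = uncovered_targets(BROKEN_RULES, PE_SUBNET, SAMPLE_TARGETS)
    print("broken rule set leaves unreachable:", [t.name for t in missing])
```

Run it against the rules you actually intend to deploy (translated into `EgressRule` rows); anything returned by `uncovered_targets` is a connection that will fail once the PE is up, even though every individual rule may look reasonable in isolation.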
Exadata/EBS On-Prem Connectivity
- Confirm the SCAN listener of the Exadata system that hosts the EBS data (SCAN name, port, and protocol), since that is what AIDP will connect to.
- Access direction is always OCI (AIDP) to on-prem, never the reverse.
- Use the External Catalog for direct connections.
AIDP Access Limitations
- Right now, all user access to AIDP itself is public; there is no private endpoint for connecting to AIDP notebooks.
- You can restrict which networks users may connect from by defining network sources in IAM and referencing them in policy conditions in your tenancy.
- Users must reach AIDP over the public internet, even if data connections are private.
Testing Steps
- Set up VPN or FastConnect between OCI and Azure/on-prem.
- Create a dedicated OCI subnet for the AIDP private endpoint, reserve at least eight IPs.
- Place a simple VM in the subnet.
- Test direct IP connectivity (ping, then a TCP connection to the service port) to the Azure and on-prem targets.
- Test DNS lookups from the VM.
- Validate firewall and routing rules.
- After all checks succeed, provision the AIDP private workspace and run AIDP tests.
- Note: a PE supports up to 8 Gbps per connection. If you hit that bandwidth ceiling, contact Oracle Networking.
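Here is the checklist above as a runnable script, added as an example and not taken from the original post or from Oracle. Run it from the test VM in the future PE subnet: it checks subnet sizing first, then DNS, then TCP reachability, and reports DNS and connectivity failures separately so you know whether to chase the resolver or the route/firewall. The subnet CIDR, hostnames and ports are constructed placeholders; the eight-IP minimum is the figure from this post, and the three reserved addresses per subnet are OCI's (network address, default gateway, broadcast).

```python
"""Pre-flight network checks for an AIDP private-endpoint subnet.

Added example, not code from the original post or from Oracle. Run it from the
test VM placed in the subnet the PE will use. Hostnames, CIDRs and ports are
constructed placeholders. DNS failures are reported separately from TCP
failures so a missing resolver forwarding rule is not mistaken for a firewall
or routing problem.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import List, Tuple

# OCI reserves three addresses in every subnet (network address, default gateway,
# broadcast); the post asks for at least eight addresses for the PE on top of that.
OCI_RESERVED_PER_SUBNET = 3
AIDP_PE_MIN_IPS = 8


@dataclass(frozen=True)
class Target:
    name: str
    host: str   # DNS name or IP literal of the data source
    port: int   # TCP port AIDP will connect to


def usable_ips(cidr: str) -> int:
    """Addresses left for VNICs after OCI's reserved ones.
    strict=True rejects a CIDR with host bits set, a common typo."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - OCI_RESERVED_PER_SUBNET, 0)


def subnet_fits_pe(cidr: str, needed: int = AIDP_PE_MIN_IPS) -> bool:
    return usable_ips(cidr) >= needed


def resolve(host: str) -> List[str]:
    """Addresses the VM's own resolver returns for host; [] if it cannot resolve.
    An IP literal resolves to itself, so targets given by IP also pass."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Full TCP handshake to host:port. False on refusal, route black hole
    (timeout) or firewall drop."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(pe_subnet: str, targets: List[Target]) -> List[Tuple[str, bool, str]]:
    """The post's checklist in order: subnet size, then DNS, then reachability per
    target. Returns (check, passed, detail) rows; a target that fails DNS gets no
    TCP row, so a resolver problem is never reported as a connectivity problem."""
    rows = [(f"subnet {pe_subnet}", subnet_fits_pe(pe_subnet),
             f"{usable_ips(pe_subnet)} usable, {AIDP_PE_MIN_IPS} required")]
    for t in targets:
        addrs = resolve(t.host)
        rows.append((f"dns {t.host}", bool(addrs), ", ".join(addrs) or "no answer from resolver"))
        if not addrs:
            continue
        ok = tcp_reachable(addrs[0], t.port)
        rows.append((f"tcp {addrs[0]}:{t.port} ({t.name})", ok,
                     "connected" if ok else "no connection: check route, DRG/FastConnect, egress and remote firewall"))
    return rows


def all_passed(rows: List[Tuple[str, bool, str]]) -> bool:
    return all(ok for _, ok, _ in rows)


# Constructed placeholders; replace with your PE subnet and real data sources.
PE_SUBNET = "10.0.5.0/28"
TARGETS = [
    Target("azure-blob", "mystorageacct.blob.core.windows.net", 443),  # hypothetical storage account
    Target("exadata-scan", "exa-scan.corp.example", 1521),             # hypothetical on-prem SCAN name
]

if __name__ == "__main__":
    results = preflight(PE_SUBNET, TARGETS)
    for check, ok, detail in results:
        print(f"[{'PASS' if ok else 'FAIL'}] {check}: {detail}")
    print("ready to provision AIDP" if all_passed(results)
          else "fix the failures above before provisioning AIDP")
```

Provision the AIDP private workspace only once every row passes; a `dns` failure goes to whoever owns the resolver forwarding rules, a `tcp` failure to whoever owns routing and the firewalls on both ends.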
Key Reminders
- Prefer FastConnect for production. Use VPN for testing or fallback.
- Test network, DNS, and firewall setup with a VM before enabling AIDP.
- Prepare subnet and firewall settings before you start.
- For Exadata/EBS, check the protocol and SCAN listener mode.
- All AIDP access is outbound to customer resources, never inbound from customers.
- At least eight IPs needed for the private endpoint subnet.
- For higher bandwidth, talk to your Oracle contact.
- Always review and complete the network and DNS checklist first.
If you have questions or hit problems, involve your networking team early; fixing these issues up front prevents delays later.
