Hybrid Access Model for Oracle ATP: Private Endpoint with ACL-Based Public Access

The best practice is to create a private endpoint for the ATP database. Typically, most clients prefer using a private endpoint. When there is a requirement to connect VBCS or perform third-party integrations with the ATP database, we traditionally use a public load balancer and keep the ATP database’s private IP as the backend. I have been following this approach for years.

 

Use Case: Why Use Both Private Endpoint and Public Access?

By default, ATP databases with a private endpoint are accessible only from resources inside the VCN. While this ensures security, it can create operational constraints for:

• VBCS application

• CI/CD tools that run outside OCI.
• Integration tools like Oracle Data Integration (ODI), Oracle Integration Cloud (OIC), or external monitoring systems.
• SQL Developer or SQLcl usage for occasional ad-hoc queries from public IPs.

 

To address this, Oracle allows public access even when the ATP database is deployed with a private endpoint provided access is governed by Access Control Lists (ACLs) and Wallet-based Authentication.

 

How Secure Is This Setup?

When public access is enabled in a private endpoint ATP database, Oracle ensures that the security model remains intact through:

• Access Control List (ACL): You define which IP addresses or CIDR ranges can access the service.
• Mutual TLS (mTLS): Requires clients to authenticate using the wallet file (which includes client credentials).
• Database Vault / Data Safe Integration: Further enhances control over who can access what data.
• No direct SQL*Net access from public internet: Access is via secure tools like SQL Developer, REST API, APEX, or DB Tools.

 

Steps to enable Public Access in Private Endpoint ATP Database

 Click Here for detailed information about ATP database provisioning:

 

a.   Choose the Private Endpoint > VCN > Private Subnet

b.   Enable the mutual TLS (mTLS)

 

c.   By default, public access is disabled when the ATP is provisioned.

 

d.   Click on More Action > Update network access

 

e.   To enable public access, toggle the switch

 

f.    Specify the IP address, VCN CIDR range, or OCID from which the database will be accessed and click on update.

 

 

g. Public access to the ATP database is enabled, and the public endpoint URL becomes available.

 

 

 

h.  Download the new wallet file, which will contain entries for both the private and public endpoints.

 

 

Accessing the Database

 Access the database from the public IP address. In this example, I have whitelisted my local IP address, which allows me to successfully connect to the database from my local machine.

 

You can also access Database SQL, REST, and ORDS from the Database Actions tab.

 

 

Additionally, the following services can be accessed through the public endpoint of the ATP database.

 

APEX Workspace:

 

Data Studio:

 

Performance HUB:

Database Dashboard:

 

Final Thoughts

Using ATP with Private Endpoint and Controlled Public Access gives you the best of both :
• Isolation and network-level security using the VCN.
• Flexibility through tool-specific public access governed by ACL and mTLS.

This approach supports modern, hybrid cloud architectures where agility, security, and compliance must go hand in hand.

Read More:

• Getting Started with Oracle ATP Database
• Best Practices for Securing ATP Database