
12 July, 2025

Hybrid Access Model for Oracle ATP: Private Endpoint with ACL-Based Public Access


The best practice is to provision the ATP database with a private endpoint, and that is what most clients prefer. When VBCS or a third-party integration outside the VCN needs to reach the database, the traditional workaround has been a public load balancer with the ATP database's private IP as the backend. I have been following this approach for years. This post covers the simpler option Oracle now offers: keep the private endpoint and add a public endpoint whose reachability is restricted by an ACL.

Use Case: Why Use Both Private Endpoint and Public Access?

By default, an ATP database with a private endpoint is reachable only from resources inside its VCN (or from networks connected to that VCN). This is the most isolated configuration, but it creates operational constraints for:

• VBCS applications.
• CI/CD tools that run outside OCI.
• Integration tools such as Oracle Data Integrator (ODI), Oracle Integration Cloud (OIC), or external monitoring systems.
• SQL Developer or SQLcl usage for occasional ad-hoc queries from public IPs.

 

To address this, Oracle lets you enable public access on an ATP database that already has a private endpoint, provided that access is governed by an Access Control List (ACL) and wallet-based (mTLS) authentication. The private endpoint stays in place; a second, public endpoint is added alongside it.

 

How Secure Is This Setup?

When public access is enabled on a private endpoint ATP database, the security model rests on the following layers:

Access Control List (ACL): you list the public IP addresses, CIDR ranges or VCN OCIDs that may reach the public endpoint; connections from any other source are dropped before they reach the listener.
Mutual TLS (mTLS): clients must present the client certificate and key packaged in the downloaded wallet. The wallet's tnsnames.ora also pins the expected server certificate DN (ssl_server_dn_match=yes), so a client cannot be silently redirected to another host.
Database Vault / Data Safe: these are data-layer controls (privileged-user separation, sensitive-data discovery, activity auditing) that complement the network controls above; they do not replace them.
No plaintext access: every path to the database, whether SQL*Net from SQL Developer or SQLcl, REST (ORDS), APEX or Database Actions, is TLS-encrypted (TCPS on port 1522 for mTLS connections, HTTPS on port 443 for the web tools). There is no unencrypted listener on the public endpoint.

Two caveats follow from this model. The ACL is the only thing separating the public endpoint from the whole internet, so an entry such as 0.0.0.0/0 turns the database into an internet-exposed listener protected by a password and a wallet file alone. And the wallet is a credential: anyone holding it together with a database password can connect from any whitelisted address, so store it like a private key and rotate it if it leaks.
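The ACL is the layer most often misconfigured, so it is worth checking a proposed list before pasting it into the console. The following pre-flight checker is an added example, not code from the original post or from Oracle. It accepts the entry forms the OCI whitelisted-IP list takes (a single IPv4 address, an IPv4 CIDR block, a VCN OCID, or a VCN OCID followed by ";" and a comma-separated list of addresses inside that VCN), refuses 0.0.0.0/0 outright, flags ranges wider than a configurable prefix, and answers whether a given client address would pass. The sample entries are constructed (RFC 5737 documentation addresses and placeholder VCN OCIDs), and the /24 threshold is an assumption to adjust to your own policy.

```python
"""Pre-flight check for an Autonomous Database ACL list.

Added example, not code from the original post. Entries below are
constructed sample values (RFC 5737 documentation addresses, placeholder
VCN OCIDs). Accepted entry forms: IPv4 address, IPv4 CIDR, VCN OCID, or
VCN OCID followed by ';' and a comma-separated list of addresses/CIDRs
inside that VCN.
"""
import ipaddress

# Widest public-internet prefix accepted without complaint.
# Assumption: /24 is a policy choice, not an Oracle limit. /0 is always refused.
WIDEST_PUBLIC_PREFIX = 24


def _net(text):
    """Parse one address or CIDR; a bare address becomes a /32 network."""
    return ipaddress.ip_network(text.strip(), strict=False)


def parse_acl(entries):
    """Validate ACL entries.

    Returns (public_nets, vcn_rules, errors):
      public_nets: IPv4Network objects reachable from the internet
      vcn_rules:   dict VCN OCID -> list of IPv4Network (empty = whole VCN)
      errors:      human-readable rejection reasons
    """
    public_nets, vcn_rules, errors = [], {}, []
    for raw in entries:
        entry = raw.strip()
        if entry.startswith("ocid1.vcn."):
            ocid, _, rest = entry.partition(";")
            try:
                vcn_rules[ocid] = [_net(p) for p in rest.split(",") if p.strip()]
            except ValueError:
                errors.append(f"{entry}: malformed address list after VCN OCID")
            continue
        try:
            net = _net(entry)
        except ValueError:
            errors.append(f"{entry}: not an IPv4 address, CIDR block or VCN OCID")
            continue
        if net.version != 4:
            errors.append(f"{entry}: only IPv4 entries are handled here")
        elif net.prefixlen == 0:
            errors.append(f"{entry}: matches the entire internet; refused")
        elif net.prefixlen < WIDEST_PUBLIC_PREFIX:
            errors.append(f"{entry}: wider than /{WIDEST_PUBLIC_PREFIX}; narrow it")
        else:
            public_nets.append(net)
    return public_nets, vcn_rules, errors


def is_allowed(client_ip, public_nets):
    """True if a connection from client_ip would pass the public ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in public_nets)


# Constructed sample: what a team might paste into "Update network access".
SAMPLE_ACL = [
    "203.0.113.10",                                    # one developer's fixed IP
    "198.51.100.0/24",                                 # CI runner egress range
    "0.0.0.0/0",                                       # "just to make it work": refused
    "10.0.0.0/8",                                      # far too wide: refused
    "ocid1.vcn.oc1.phx.aaaaaaaaexample",               # placeholder OCID, whole VCN
    "ocid1.vcn.oc1.phx.aaaaaaaaexample2;10.0.1.0/24",  # placeholder OCID, one subnet
]

if __name__ == "__main__":
    nets, vcns, errs = parse_acl(SAMPLE_ACL)
    for e in errs:
        print("REJECT ", e)
    for n in nets:
        print("ALLOW  ", n)
    for ocid, subnets in vcns.items():
        print("VCN    ", ocid, subnets or "(entire VCN)")
    for probe in ("203.0.113.10", "198.51.100.77", "192.0.2.1"):
        print(probe, "allowed" if is_allowed(probe, nets) else "blocked")
```

Run it against the list you intend to apply; anything printed as REJECT should be fixed before the console update, and the probe lines tell you whether a specific CI runner or developer address will actually get through.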

 

Steps to enable Public Access in Private Endpoint ATP Database

See the separate post on ATP database provisioning for the provisioning steps themselves; the steps below start from the network section of the provisioning form.

 

a. Choose Private endpoint access only, then select the VCN and the private subnet.

b. Require mutual TLS (mTLS) authentication.

c. By default, public access is disabled when the ATP database is provisioned.

d. On the database details page, click More actions > Update network access.

e. Toggle Allow public access to enable it.

f. Specify the public IP addresses, CIDR ranges or VCN OCIDs from which the database will be accessed and click Update. Keep this list as narrow as possible; an entry of 0.0.0.0/0 would expose the listener to the entire internet.

g. Public access is now enabled, and the public endpoint URL is shown alongside the private endpoint URL.

h. Download a new wallet file. It contains tnsnames.ora entries for both the private and the public endpoint, so clients that will connect through the public endpoint need this new wallet rather than one downloaded earlier.
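After step h it is worth confirming what the new wallet actually contains before handing it to an external tool: which aliases resolve to the private endpoint, which to the public one, and whether every alias still uses TCPS with server DN matching. The following parser is an added example, not code from the original post or from Oracle. The tnsnames.ora text inside it is constructed: alias names, hostnames and service names are placeholders in the shape Oracle generates, and an alias is classified as private or public by comparing its host against the private endpoint hostname shown on the database details page, not by its alias name. It also generalises slightly beyond the post by catching a hand-edited plaintext entry.

```python
"""Inspect the tnsnames.ora from a downloaded ADB wallet.

Added example, not from the original post or Oracle. SAMPLE_TNSNAMES is
constructed; aliases, hosts and service names are placeholders. The third
alias is a deliberately broken hand-edited entry to show what the audit
flags.
"""
import re

SAMPLE_TNSNAMES = """\
mydb_high = (description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=mydb.adb.us-ashburn-1.oraclecloud.com))(connect_data=(service_name=abc123_mydb_high.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)(ssl_server_cert_dn="CN=mydb.adb.us-ashburn-1.oraclecloud.com, O=Oracle Corporation, L=Redwood City, ST=California, C=US")))
mydb_high_public = (description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-ashburn-1.oraclecloud.com))(connect_data=(service_name=abc123_mydb_high.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)(ssl_server_cert_dn="CN=adb.us-ashburn-1.oraclecloud.com, O=Oracle Corporation, L=Redwood City, ST=California, C=US")))
handedited_tcp =
  (description=
    (address=(protocol=tcp)(port=1521)(host=mydb.adb.us-ashburn-1.oraclecloud.com))
    (connect_data=(service_name=abc123_mydb_high.adb.oraclecloud.com)))
"""

# Private endpoint hostname as shown on the database details page (placeholder).
PRIVATE_ENDPOINT_HOSTS = {"mydb.adb.us-ashburn-1.oraclecloud.com"}

# An alias starts at column 0 and is followed by '='; continuation lines are indented.
ALIAS_RE = re.compile(r"^(?P<alias>[A-Za-z0-9_.-]+)\s*=", re.MULTILINE)


def _param(body, name):
    """Return the value of a (name=value) pair inside a descriptor, or None."""
    pattern = r"\(\s*%s\s*=\s*([^()]+?)\s*\)" % re.escape(name)
    m = re.search(pattern, body, re.IGNORECASE)
    return m.group(1).strip() if m else None


def parse_tnsnames(text):
    """Map each alias to the fields that matter for a security review."""
    entries = {}
    starts = list(ALIAS_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end]
        entries[m.group("alias")] = {
            "protocol": (_param(body, "protocol") or "").lower(),
            "host": _param(body, "host"),
            "port": _param(body, "port"),
            "service_name": _param(body, "service_name"),
            "dn_match": (_param(body, "ssl_server_dn_match") or "").lower(),
        }
    return entries


def audit(entries, private_hosts):
    """Classify each alias as private/public and list security findings."""
    report = {}
    for alias, e in entries.items():
        findings = []
        if e["protocol"] != "tcps":
            findings.append("protocol is not tcps: plaintext SQL*Net, which ADB does not accept")
        if e["dn_match"] != "yes":
            findings.append("ssl_server_dn_match is not yes: server certificate DN is not verified")
        scope = "private" if e["host"] in private_hosts else "public"
        report[alias] = (scope, findings)
    return report


if __name__ == "__main__":
    for alias, (scope, findings) in audit(parse_tnsnames(SAMPLE_TNSNAMES),
                                          PRIVATE_ENDPOINT_HOSTS).items():
        print(f"{alias:18} {scope:8} {'OK' if not findings else '; '.join(findings)}")
```

To run it on a real wallet, read the file straight out of the zip (zipfile.ZipFile("Wallet_mydb.zip").read("tnsnames.ora").decode()) and replace PRIVATE_ENDPOINT_HOSTS with the private endpoint hostname from the console. For the connection itself, python-oracledb in thin mode takes the same wallet through its config_dir, wallet_location and wallet_password parameters, so an external tool only ever needs the alias name once the audit above is clean.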

 

Accessing the Database

Connect from a whitelisted public IP address. In this example, I whitelisted my own local IP address, which allows me to connect successfully from my local machine using the new wallet. From an address that is not in the ACL, the connection is rejected regardless of the wallet or password.

 

Database Actions (the SQL worksheet, REST and ORDS tooling) is also reachable through the public endpoint from the Database Actions tab.

 

The following services are also reachable through the public endpoint of the ATP database:

• APEX Workspace
• Data Studio
• Performance Hub
• Database Dashboard

 

Final Thoughts

Using ATP with a private endpoint and controlled public access gives you the best of both worlds:
• Isolation and network-level security through the VCN for the workloads that live there.
• Flexibility for VBCS, CI/CD and integration tools outside OCI through a public endpoint that only whitelisted sources can reach and only wallet-bearing mTLS clients can authenticate to.

This approach supports modern hybrid cloud architectures where agility, security and compliance must go hand in hand. Review the ACL periodically, remove entries for people and tools that no longer need access, and treat the wallet as the credential it is.