The best practice is to create a private endpoint for the ATP database. Typically, most clients prefer using a private endpoint. When there is a requirement to connect VBCS or perform third-party integrations with the ATP database, we traditionally use a public load balancer and keep the ATP database’s private IP as the backend. I have been following this approach for years.
Use Case: Why Use Both Private Endpoint and Public Access?
By default, ATP databases with a private endpoint are accessible only from resources inside the VCN. While this ensures security, it can create operational constraints for:
• VBCS applications.
• CI/CD tools that run outside OCI.
• Integration tools like Oracle Data Integration (ODI), Oracle Integration Cloud (OIC), or external monitoring systems.
• SQL Developer or SQLcl usage for occasional ad-hoc queries from public IPs.
To address this, Oracle allows public access even when the ATP database is deployed with a private endpoint, provided that access is governed by Access Control Lists (ACLs) and wallet-based authentication.
How Secure Is This Setup?
When public access is enabled on a private endpoint ATP database, Oracle ensures that the security model remains intact through:
• Access Control List (ACL): You define which IP addresses or CIDR ranges can access the service.
• Mutual TLS (mTLS): Requires clients to authenticate using the wallet file (which includes client credentials).
• Database Vault / Data Safe integration: Further enhances control over who can access what data.
• No direct SQL*Net access from the public internet: Access is via secure tools like SQL Developer, REST API, APEX, or DB Tools.
Steps to Enable Public Access in a Private Endpoint ATP Database
a. Choose the Private Endpoint > VCN > Private Subnet.
b. Enable mutual TLS (mTLS).
c. By default, public access is disabled when the ATP is provisioned.
d. Click on More Actions > Update network access.
e. To enable public access, toggle the switch.
f. Specify the IP address, VCN CIDR range, or OCID from which the database will be accessed and click on Update.
g. Public access to the ATP database is enabled, and the public endpoint URL becomes available.
h. Download the new wallet file, which will contain entries for both the private and public endpoints.
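Two things from the steps above are worth checking on the client side before anyone opens a ticket about a refused connection: that the wallet's tnsnames.ora really does carry TCPS entries for both endpoints (step h), and that the client's egress IP actually falls inside the ACL you entered (step f). The script below is an added example, not code from the original post or from Oracle. The tnsnames.ora content, the alias names (`demoatp_low`, `demoatp_low_public`), hostnames, service names and the ACL entries are all constructed placeholders; OCID-type ACL entries are matched by OCI on the network side, so the script skips them rather than guessing.

```python
"""Added example: inspect an ATP wallet's tnsnames.ora and pre-check a client
IP against a public-access ACL. All sample data below is constructed."""
import ipaddress
import re

# Constructed tnsnames.ora as a wallet downloaded after enabling public
# access might look: one alias per endpoint. Hostnames/service names are
# placeholders, not real Oracle endpoints. The private entry is written
# across several lines to exercise the parser.
SAMPLE_TNSNAMES = """
# private endpoint (reachable only from inside the VCN)
demoatp_low =
  (description=(retry_count=20)(retry_delay=3)
    (address=(protocol=tcps)(port=1522)(host=demoatp.adb.example-region.private.placeholder))
    (connect_data=(service_name=xxxx_demoatp_low.adb.placeholder))
    (security=(ssl_server_dn_match=yes)))
# public endpoint (ACL + mTLS governed)
demoatp_low_public = (description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=demoatp.adb.example-region.public.placeholder))(connect_data=(service_name=xxxx_demoatp_low.adb.placeholder))(security=(ssl_server_dn_match=yes)))
"""

# Constructed ACL, mirroring what step f accepts: single IP, CIDR, VCN OCID.
SAMPLE_ACL = ["203.0.113.10", "198.51.100.0/24", "ocid1.vcn.oc1..placeholder"]


def parse_tnsnames(text):
    """Return {alias: descriptor} from tnsnames.ora text.

    Entries may span lines; an entry ends when its parentheses balance.
    """
    entries = {}
    alias, buf, depth, opened = None, [], 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if alias is None:
            # First line of an entry: "alias = (description=..." (alias has no '=')
            name, _, line = line.partition("=")
            alias, buf, depth, opened = name.strip().lower(), [], 0, False
        if line:
            buf.append(line)
        depth += line.count("(") - line.count(")")
        opened = opened or "(" in line
        if opened and depth == 0:
            entries[alias] = " ".join(buf)
            alias = None
    return entries


def descriptor_field(descriptor, key):
    """Extract a leaf value such as host, port, protocol or service_name."""
    match = re.search(r"\(\s*%s\s*=\s*([^()]+)\)" % re.escape(key), descriptor, re.I)
    return match.group(1).strip() if match else None


def non_tcps_aliases(entries):
    """Aliases that do not use TCPS; with mTLS enforced these should be none."""
    return [a for a, d in entries.items()
            if (descriptor_field(d, "protocol") or "").lower() != "tcps"]


def endpoint_hosts(entries):
    """Map each alias to the host it points at (private vs public endpoint)."""
    return {a: descriptor_field(d, "host") for a, d in entries.items()}


def acl_allows(acl_entries, client_ip):
    """True if client_ip is covered by an IP or CIDR entry of the ACL.

    OCID entries (VCN/subnet) are resolved by OCI itself and are skipped here.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in acl_entries:
        if entry.startswith("ocid1."):
            continue
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


if __name__ == "__main__":
    tns = parse_tnsnames(SAMPLE_TNSNAMES)
    for alias, host in endpoint_hosts(tns).items():
        print(f"{alias:22s} -> {host}")
    print("non-TCPS aliases:", non_tcps_aliases(tns))
    for ip in ("198.51.100.77", "192.0.2.5"):
        print(f"ACL allows {ip}: {acl_allows(SAMPLE_ACL, ip)}")
```

A client outside OCI would use the `_public` alias with the wallet (the wallet, not tnsnames.ora, is what carries the mTLS client certificate), while workloads inside the VCN keep using the private alias; an IP that the pre-check reports as not allowed will be rejected by the ACL regardless of how valid its wallet is.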
Accessing the Database
You can also access Database SQL, REST, and ORDS from the Database Actions tab. Additionally, the following services can be accessed through the public endpoint of the ATP database:
• APEX Workspace
• Data Studio
• Performance Hub
• Database Dashboard
Final Thoughts
Using ATP with a private endpoint and controlled public access gives you the best of both worlds:
• Isolation and network-level security using the VCN.
• Flexibility through tool-specific public access governed by ACL and mTLS.
This approach supports modern, hybrid cloud architectures where agility, security, and compliance must go hand in hand.