In today’s fast-paced digital world, secure and personalized access to cloud services isn’t just a differentiator—it’s an expectation. That’s why Oracle Cloud Infrastructure (OCI) is raising the bar with Private Service Access (PSA).

Imagine being able to choose exactly which Oracle Cloud services your workloads can privately reach—each connection locked down, auditable, and invisible to the public internet. That’s the promise of Private Service Access (PSA), the latest evolution in how you connect, secure, and scale your cloud environment.

Introduction

With Private Service Access (PSA), you can now manage and secure connectivity to specific Oracle Cloud Infrastructure (OCI) Service APIs with improved precision, achieving robust security and zero-trust enforcement across your environment. This means your organization can gain surgical control by moving beyond broad access models and privately connecting only to the Oracle services you choose, directly over your private network.

This enhanced architecture addresses critical enterprise security pain points by offering stronger barriers against data leakage or exfiltration. PSA achieves this crucial security measure through improved identity integration mechanisms: it enforces the use of in-tenancy credentials, actively blocking cross-tenancy credentials and preventing the use of cross-tenancy Object Storage Pre-Authenticated Requests (PARs). Any attempt to access a bucket with a credential from another tenancy will be blocked by default.

Additionally, PSA integrates with your existing security framework: you can apply Zero Trust Packet Routing (ZPR) security attributes or Network Security Groups (NSGs) to write more precise, granular access rules. ZPR, paired with PSA, helps keep sensitive data, like reports in Object Storage or database backups, from touching the public internet. Even if an attacker infiltrates your network, they can’t exfiltrate data to external tenancies, as ZPR and PSA enforce private, authorized paths only.

To make the transition as simple as possible, Private DNS automatically maps the service’s existing Fully Qualified Domain Name (FQDN) to the PSA’s private IP. Existing workloads in your private network start using this secure path immediately, with no code changes required.

Private Service Access is now generally available in all OCI commercial regions, with government regions to follow soon.

Why Are We So Excited About PSA?

Enterprise cloud journeys are all about choice and control. With the introduction of Private Service Access (PSA), Oracle Cloud Infrastructure (OCI) is raising the bar on how you connect, secure, and scale your cloud environment. PSA puts you fully in control of your cloud connectivity: connect directly and privately to only the Oracle services you choose, over your own private network, with robust security, zero-trust enforcement, and complete operational transparency. This innovation makes private, per-service access possible.

PSA directly addresses key customer requirements:

  • Fine-Grained Granularity: A PSA is used to access a single OCI Service API in the region, providing granular connectivity (just the services you need, no more).
  • Zero-Trust Security: You can attach Zero Trust Packet Routing (ZPR) security attributes or Network Security Groups (NSGs) for precise rules, allowing you to express granular per-service access policies.
  • Data Exfiltration Protection: PSA enforces in-tenancy credentials, which blocks cross-tenancy credentials from being used, and blocks cross-tenancy Object Storage PAR access. An IAM Deny policy can be layered on to ensure specific service access is only available through the PSA, thus blocking public access (even with valid credentials). This provides stronger barriers against data leakage or exfiltration.
  • Seamless Adoption: Existing application logic continues working with no code changes needed. PSAs can coexist with a Service Gateway, allowing you to gradually transition selected services to PSA over time without disrupting access to others.
  • High Performance and Value: PSA offers excellent performance and built-in resiliency. Crucially, PSA is available at no extra cost.
  • Enhanced Visibility and Troubleshooting: PSA includes detailed dynamic metrics providing enhanced network visibility and supports Network Path Analyzer to assist with troubleshooting.

If these resonate with your cloud goals, PSA is here to help.

What Is PSA?

Think of PSA as your own private door to each Oracle service. You open only the doors you want—no shared hallways, no unauthorized access to restricted areas. When you set up PSA, a private IP from your selected subnet is assigned to the target Oracle service. Private DNS does the wiring, so your existing app logic keeps working (no code changes needed!).

Example diagram of Private Service Access for Object Storage service
Figure 1 – Example PSA for Object Storage

In the diagram above, a PSA has been created to act as the secure door to Object Storage. Now, when instances call the Object Storage API, the service hostname automatically resolves to the PSA’s private IP within your VCN. This PSA enforces any included ZPR policy and NSG rules, and ensures only valid tenancy credentials are allowed.

Your API traffic now travels a route tailored for privacy and visibility:

– Direct to the service

– Staying on your private network

– Never hitting public IPs (unless you allow it)

– Protected against data exfiltration and compliant with security governance standards

How PSA Looks in Real Life

Practical Example 1: Keep Core Services Private

Your workloads need to connect to core service OCI APIs, but you want that traffic invisible on the public internet. With PSA, creating a private path for “Core Services” is as simple as a few clicks in the console. From then on, when your apps call iaas.us-ashburn-1.oci.oraclecloud.com, all communication stays on your private lanes—no risky detours.

Diagram illustrating Private Service Access for OCI core services
Figure 2 – Example PSA for Core Services

Practical Example 2: Raising the Bar on Security – Integration with ZPR

Modern cloud security is all about “least privilege”—only letting the right workloads connect to the right things. PSA allows you to write Zero Trust Packet Routing policies or use Network Security Groups (NSGs) so, for example, only VMs tagged app:backend can talk to PSA endpoints tagged svc:dbs. It’s surgical control—without any operational clutter.

Diagram illustrating Private Service Access working with Zero Trust Packet routing
Figure 3 – PSA + ZPR

Practical Example 3: Seamless Hybrid Cloud

Do you need on-prem systems to talk to OCI services? PSA helps keep that channel private and clean. Point your on-prem DNS at the VCN resolver and only the PSA’s private IP is returned, which is then used for connectivity to the service. It’s hybrid cloud security that’s simple, clean and keeps auditors happy.

Diagram illustrating Private Service Access working with on-premises environment
Figure 4 – PSA with On-Premises
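
One way to verify the DNS behaviour described above, whether from an instance in the VCN or from an on-prem host pointed at the VCN resolver (an added example, not Oracle's code): resolve each service FQDN and confirm every answer falls inside the subnet that holds the PSA. The subnet CIDR 10.0.1.0/24, the DNS answers, and the Object Storage hostname are assumptions constructed for illustration; only the iaas hostname comes from this page.

```python
import ipaddress
import socket

def system_resolver(fqdn):
    """Addresses the host's configured DNS resolver returns for fqdn."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def check_fqdn(fqdn, psa_cidr, resolver=system_resolver):
    """Classify one service FQDN against the subnet that holds the PSA."""
    subnet = ipaddress.ip_network(psa_cidr)
    try:
        addrs = sorted(resolver(fqdn))
    except OSError:  # socket.gaierror (NXDOMAIN, timeout) is an OSError
        addrs = []
    outside = [a for a in addrs if ipaddress.ip_address(a) not in subnet]
    if not addrs:
        status = "unresolved"
    elif not outside:
        status = "private"   # every answer is inside the PSA subnet
    elif len(outside) == len(addrs):
        status = "bypass"    # name resolves only to non-PSA addresses
    else:
        status = "mixed"     # split answers: some connections skip the PSA
    return {"fqdn": fqdn, "status": status, "addrs": addrs, "outside": outside}

def audit(fqdns, psa_cidr, resolver=system_resolver):
    """Return (per-name results, names that do not resolve only to the PSA)."""
    results = [check_fqdn(f, psa_cidr, resolver) for f in fqdns]
    return results, [r["fqdn"] for r in results if r["status"] != "private"]

# Constructed DNS answers (not real lookups) so the example runs offline.
CONSTRUCTED_DNS = {
    "iaas.us-ashburn-1.oci.oraclecloud.com": {"10.0.1.25"},
    "objectstorage.us-ashburn-1.oraclecloud.com": {"10.0.1.26", "203.0.113.10"},
}

def constructed_resolver(fqdn):
    if fqdn not in CONSTRUCTED_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "constructed: no such name")
    return CONSTRUCTED_DNS[fqdn]

if __name__ == "__main__":
    names = list(CONSTRUCTED_DNS) + ["missing.example.invalid"]
    for r in audit(names, "10.0.1.0/24", constructed_resolver)[0]:
        print(f'{r["status"]:<10} {r["fqdn"]} {r["addrs"]}')
```

Calling audit() without the resolver argument uses the host's real DNS configuration; any name in the returned failure list is still reachable by a path other than the PSA.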

Practical Example 4: Supercharging Security with IAM Deny

To maximize security, IAM Deny policies ensure OCI services can only be accessed through your designated PSA, locking out unauthorized attempts. For example, you can block access to a service if the request doesn’t come via PSA, or even restrict it to a specific PSA endpoint. This data-layer guardrail complements PSA’s network-level security and Zero Trust policies, preventing access through Service Gateway or other paths. It’s a powerful way to enforce least privilege, ensuring only approved connections reach your services while maintaining compliance and thwarting data exfiltration.

Example IAM Policy for Object Storage

Deny any-user to inspect object-family in tenancy where any {not request.gateway.id, request.gateway.type != 'privateserviceaccess'}

Final Thoughts

Private Service Access breaks open a new world of control for Oracle Cloud customers—one where privacy, security, and simplicity walk hand-in-hand. Whether you’re locking down APIs for compliance, shaping zero-trust networks, or building clean hybrid integrations, PSA is your go-to toolkit.

It’s time to unlock more secure, more flexible, and more auditable cloud connectivity with OCI PSA. Get started today—and watch your cloud boundaries move exactly where you want them.

For a full list of supported services and best practices, visit our Private Service Access overview page, and for technical details, visit the OCI Documentation Portal.