The latest cloud infrastructure announcements, technical solutions, and enterprise cloud insights.

Access Oracle Services Privately with a Service Gateway

Vijay Kannan
Principal Product Manager


Oracle provides a wide selection of flexible and powerful services (such as Monitoring, Streaming, Autonomous Data Warehouse, and scalable Object Storage) built on Oracle Cloud Infrastructure. As an Oracle customer, you might have resources in your virtual cloud network (VCN) that need to access these Oracle IaaS and PaaS services that have publicly addressable endpoints.

We are excited to announce the availability of the Oracle Cloud Infrastructure service gateway, which enables private access to multiple Oracle services in the Oracle Services Network. The Oracle Services Network is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services, composed of a list of regional CIDR blocks. Every service in the Oracle Services Network exposes a service endpoint that uses public IP addresses from the network (see the complete list). More services will be added to this network as they are deployed on Oracle Cloud Infrastructure. 

The service gateway offers the following benefits:

  • Private access to multiple Oracle Services: The service gateway now offers a private access model, in which your VCN instances with a private IP address can access the business-critical Oracle services in the Oracle Services Network. Your traffic via the service gateway to Oracle services does not traverse the internet path but remains within Oracle Cloud Infrastructure, thereby offering increased network security benefits.
  • Ease of configuration: The service gateway uses the concept of a service CIDR label, which is a string that represents all the regional public IP address ranges for the service or a group of services. For example, "OCI IAD Services in Oracle Services Network" is the label that maps to the regional CIDR blocks in the Oracle Services Network in the us-ashburn-1 region. You use the service CIDR label when you configure the service gateway, route rules, and security rules. You no longer need to know the specific CIDR blocks for the service's public endpoints, which could change over time. Your configuration will continue to be relevant and operational in the future as Oracle adds new services to the Oracle Services Network.
  • Scalable connectivity: Much like the internet gateway or NAT gateway, the service gateway is a virtual device that is highly available and dynamically scales to support the network bandwidth requirements of your VCN.


Example: Accessing Autonomous Data Warehouse Service by Using Service Gateway

This section walks through a scenario in which you enable private access from your private instance to the Autonomous Data Warehouse service by using the service gateway.

VCN, Subnets, and NAT Gateway

Consider a typical scenario in which private instances in your VCN access all publicly accessible endpoints, including those of Oracle services, by using an Oracle Cloud Infrastructure NAT gateway.

Your VCN has one public subnet and private subnet with their associated route tables, security lists, and DHCP options as described here.

You currently do not have any Autonomous Data Warehouses in your tenancy.

Service Gateway

Now you create a service gateway in the VCN and enable private access between the private subnet and the Oracle Services Network.

  1. Create a service gateway as a resource in the VCN just like you do with an internet gateway or NAT gateway. You use the service CIDR label when you configure the service gateway.

  2. For traffic to be routed from the private subnet in your VCN to the service gateway, add a route rule in the private subnet's route table. Choose Service Gateway as the target type and the service CIDR label All <region> Services in Oracle Services Network as the destination service.  The service gateway allows access to Oracle services within the region to protect your data from the internet. Your workloads may require access to public endpoints or services not supported by the service gateway (for example, for updates or patches). Ensure you have a NAT gateway or other access to the internet if necessary

Now that you have configured to route traffic to Oracle Services Network via service gateway, you can use the Oracle Cloud Infrastructure Command Line Interface to access the Autonomous Data Warehouse service via a service gateway and create an instance. 

You have now used a service gateway to enable access between your private instance and an Autonomous Data Warehouse service endpoint to create an Autonomous Data Warehouse instance.

You can also privately access the Autonomous Data Warehouse service via the service gateway to download a wallet for the specified Autonomous Data Warehouse instance.

You can also update the storage properties of a specified data warehouse instance by accessing the Autonomous Data Warehouse service privately via a service gateway.

You can now connect to your ADW from this private instance by following the connectivity chapter in the ADW doc.

As you can see from this example, a service gateway lets resources in your VCN privately and securely access Oracle services such as Autonomous Data Warehouse in the Oracle Services Network, without exposing your data on the internet. Traffic between an instance in the VCN and a supported Oracle service uses the instance's private IP address for routing, travels over the Oracle Cloud Infrastructure fabric, and never traverses the internet.

We recommend that you use the service gateway for accessing all Oracle services in the Oracle Services Network. You can find more information about the service gateway in the Networking documentation. We'd love to hear any feedback that you have.

Join the discussion

Comments ( 4 )
  • Pragnesh Sunday, March 17, 2019
    Can these service endpoints be accessible from on-prem via FastConnect.
  • Kishore Tuesday, July 16, 2019
    Is this restricted from Private subnet to Service Gateway only ?
    If so, why Public subnet cannot use service gateway to access oracle network services.
    Let's say we have application servers which are on Public subnet and need to access Object storage for invoice retrieval and archival. How do we do that?

    Thank You.
  • Paul Cainkar Friday, October 4, 2019
    Hi Pragnesh,

    Now they can be accessed on-prem with FastConnect private peering. Please check out our latest blog post detailing how to enable this functionality for your network:

  • Paul Thursday, November 14, 2019
    Hi Pragnesh,

    Yes you can, transit routing to the Oracle services Network is now supported.

    Please see my blog post here for details:

Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha