Oracle provides a wide selection of flexible and powerful services (such as Monitoring, Streaming, Autonomous Data Warehouse, and scalable Object Storage) built on Oracle Cloud Infrastructure. As an Oracle customer, you might have resources in your virtual cloud network (VCN) that need to access these Oracle IaaS and PaaS services that have publicly addressable endpoints.
We are excited to announce the availability of the Oracle Cloud Infrastructure service gateway, which enables private access to multiple Oracle services in the Oracle Services Network. The Oracle Services Network is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services, composed of a list of regional CIDR blocks. Every service in the Oracle Services Network exposes a service endpoint that uses public IP addresses from the network (see the complete list). More services will be added to this network as they are deployed on Oracle Cloud Infrastructure.
The service gateway offers the following benefits:
This section walks through a scenario in which you enable private access from your private instance to the Autonomous Data Warehouse service by using the service gateway.
Consider a typical scenario in which private instances in your VCN access all publicly accessible endpoints, including those of Oracle services, by using an Oracle Cloud Infrastructure NAT gateway.
Your VCN has one public subnet and one private subnet, each with its associated route table, security list, and DHCP options, as described here.
You currently do not have any Autonomous Data Warehouses in your tenancy.
Now you create a service gateway in the VCN and enable private access between the private subnet and the Oracle Services Network.
Create a service gateway as a resource in the VCN, just as you do with an internet gateway or NAT gateway. When you configure the service gateway, you select the service CIDR label, which stands for the set of regional CIDR blocks that the Oracle Services Network uses (for example, All <region> Services in Oracle Services Network).
For traffic to be routed from the private subnet to the service gateway, add a route rule to the private subnet's route table: choose Service Gateway as the target type and the service CIDR label All <region> Services in Oracle Services Network as the destination service. The service gateway carries only traffic destined for Oracle services in the region, which is what keeps that data off the internet; it is not a path to arbitrary public endpoints. Workloads that need public endpoints or services the service gateway does not support (for example, to fetch updates or patches) still need a NAT gateway or another route to the internet, so keep that route in place if necessary.
Now that traffic to the Oracle Services Network is routed through the service gateway, you can use the Oracle Cloud Infrastructure Command Line Interface from the private instance to reach the Autonomous Data Warehouse service endpoint through the service gateway and create an instance.
You have now used a service gateway to enable access between your private instance and an Autonomous Data Warehouse service endpoint to create an Autonomous Data Warehouse instance.
You can also privately access the Autonomous Data Warehouse service via the service gateway to download a wallet for the specified Autonomous Data Warehouse instance.
You can also update the storage properties of a specified data warehouse instance by accessing the Autonomous Data Warehouse service privately via a service gateway.
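The steps above as one script, added here as an example and not code from the original post. It uses the OCI CLI (`oci`) to create the service gateway, replace the private route table's rules, permit egress to the service CIDR, and then create an Autonomous Data Warehouse, download its wallet, and grow its storage from the private instance. Every OCID, name and password is a placeholder; the `oci db autonomous-database` commands with `--db-workload DW` are assumed to be the form of the ADW commands your CLI version provides. Two points the console hides are made explicit: `route-table update --route-rules` replaces the whole rule list, so an existing NAT rule must be restated or it disappears, and the private subnet's security list must allow egress to the service CIDR on 443 (the ADW API the CLI talks to) and 1522 (SQL*Net over TLS, the port in the wallet's tnsnames.ora).

```shell
#!/bin/sh
# Added example: private access to Autonomous Data Warehouse via a service gateway.
# Not code from the original post. All OCIDs/names below are placeholders.
set -eu

REGION_KEY="${REGION_KEY:-phx}"                          # region key: phx, iad, fra, ...
COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.oc1..example}"
VCN_ID="${VCN_ID:-ocid1.vcn.oc1.phx.example}"
PRIVATE_RT_ID="${PRIVATE_RT_ID:-ocid1.routetable.oc1.phx.example}"
PRIVATE_SL_ID="${PRIVATE_SL_ID:-ocid1.securitylist.oc1.phx.example}"
NAT_GW_ID="${NAT_GW_ID:-}"            # empty = private subnet gets no internet route at all
ADW_ADMIN_PASSWORD="${ADW_ADMIN_PASSWORD:-}"
WALLET_PASSWORD="${WALLET_PASSWORD:-}"

# Service CIDR label for "All <region> Services in Oracle Services Network".
service_cidr_label() {
  printf 'all-%s-services-in-oracle-services-network\n' "$1"
}

# Route rules for the private subnet. Rule 1 sends the Oracle Services Network
# to the service gateway. Rule 2 is emitted only when a NAT gateway OCID is
# given; `route-table update` REPLACES the list, so omitting it drops the
# default route and the subnet loses internet access (patches, updates).
build_route_rules() {
  label=$1; sgw_id=$2; nat_id=${3:-}
  printf '[{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","networkEntityId":"%s"}' \
    "$label" "$sgw_id"
  if [ -n "$nat_id" ]; then
    printf ',{"destination":"0.0.0.0/0","destinationType":"CIDR_BLOCK","networkEntityId":"%s"}' \
      "$nat_id"
  fi
  printf ']\n'
}

# Egress rules scoped to the service CIDR: 443 for the ADW control-plane API
# the CLI calls, 1522 for SQL*Net over TLS. Nothing else leaves the subnet
# toward the Oracle Services Network.
build_egress_rules() {
  label=$1
  printf '['
  for port in 443 1522; do
    if [ "$port" != 443 ]; then printf ','; fi
    printf '{"destination":"%s","destinationType":"SERVICE_CIDR_BLOCK","protocol":"6","tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}' \
      "$label" "$port" "$port"
  done
  printf ']\n'
}

provision() {
  [ -n "$ADW_ADMIN_PASSWORD" ] && [ -n "$WALLET_PASSWORD" ] || {
    echo "set ADW_ADMIN_PASSWORD and WALLET_PASSWORD" >&2; exit 1; }
  label=$(service_cidr_label "$REGION_KEY")

  # 1. Resolve the service OCID behind the label (CLI output keys are kebab-case).
  service_id=$(oci network service list \
      --query "data[?\"cidr-block\"=='$label'].id | [0]" --raw-output)

  # 2. Create the service gateway in the VCN, like a NAT or internet gateway.
  sgw_id=$(oci network service-gateway create \
      --compartment-id "$COMPARTMENT_ID" --vcn-id "$VCN_ID" \
      --display-name sgw-private \
      --services "[{\"serviceId\":\"$service_id\"}]" \
      --wait-for-state AVAILABLE --query data.id --raw-output)

  # 3. Point the private subnet's Oracle-services traffic at the gateway.
  oci network route-table update --rt-id "$PRIVATE_RT_ID" --force \
      --route-rules "$(build_route_rules "$label" "$sgw_id" "$NAT_GW_ID")"

  # 4. Allow egress to the service CIDR only on the ports ADW needs.
  oci network security-list update --security-list-id "$PRIVATE_SL_ID" --force \
      --egress-security-rules "$(build_egress_rules "$label")"

  # 5. From the private instance the CLI now reaches ADW over the gateway:
  #    create, download the wallet, then grow storage. No internet hop.
  adw_id=$(oci db autonomous-database create \
      --compartment-id "$COMPARTMENT_ID" --db-name adwprivate \
      --display-name adw-private --db-workload DW \
      --cpu-core-count 1 --data-storage-size-in-tbs 1 \
      --admin-password "$ADW_ADMIN_PASSWORD" \
      --wait-for-state AVAILABLE --query data.id --raw-output)
  oci db autonomous-database generate-wallet --autonomous-database-id "$adw_id" \
      --password "$WALLET_PASSWORD" --file wallet.zip
  oci db autonomous-database update --autonomous-database-id "$adw_id" \
      --data-storage-size-in-tbs 2
}

# Touch a real tenancy only when invoked as: sh private_adw.sh apply
if [ "${1:-}" = "apply" ]; then
  provision
fi
```

Without the `apply` argument the script only defines the helpers, so the JSON builders can be checked offline before anything is changed in the tenancy. If your private subnet has no NAT gateway, leave NAT_GW_ID empty and the resulting route table contains the service-gateway rule alone, which is the posture the post describes: the instance can reach Oracle services and nothing else.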
You can now connect to your ADW from this private instance by following the connectivity chapter in the ADW doc.
As you can see from this example, a service gateway lets resources in your VCN privately and securely access Oracle services such as Autonomous Data Warehouse in the Oracle Services Network, without exposing your data on the internet. Traffic between an instance in the VCN and a supported Oracle service uses the instance's private IP address for routing, travels over the Oracle Cloud Infrastructure fabric, and never traverses the internet.
We recommend that you use the service gateway for accessing all Oracle services in the Oracle Services Network. You can find more information about the service gateway in the Networking documentation. We'd love to hear any feedback that you have.