The Oracle Cloud Infrastructure (OCI) Object Storage service is launching dedicated endpoints, which provide secure access to Object Storage buckets through customer tenancy-specific endpoints. You can now have tenant isolation with unique and immutable, system-generated, namespace-prefixed dedicated endpoints. This feature gives you the following capabilities:
- Replace Object Storage endpoints that are common to all customers with dedicated, customer-specific endpoints
- Minimize the broad impact of domain name system (DNS)-based blocking of Object Storage endpoints by some security software
- Enable distributed denial of service (DDoS) protection and blocking on a per-tenancy level
- Completely isolate Object Storage tenancies from each other
The Object Storage dedicated endpoints feature is available immediately.
What’s changing?
The domain URLs that Object Storage users currently use are changing. To introduce dedicated namespace-prefixed URLs, Object Storage now registers DNS records with a wildcard prefix on the new OCI customer zone second-level domain (SLD), oci.customer-oci.com.
For example, a customer has the namespace “axjght87hk98j.” Instead of accessing the previous shared endpoint, such as “https://objectstorage.us-ashburn-1.oraclecloud.com,” they can now use a namespace-prefixed dedicated endpoint, such as “https://axjght87hk98j.objectstorage.us-ashburn-1.oci.customer-oci.com.” A few exceptional operations, such as GetNamespace, are allowed on the shared endpoint “https://objectstorage.us-ashburn-1.oci.customer-oci.com.”
The following table shows what’s changing on the API endpoints with this new feature. Changes are shown in bold.
| API Type | Current URL | New URL |
|---|---|---|
| Native | objectstorage.$region.oraclecloud.com<br>objectstorage.$region.oci.oraclecloud.com | objectstorage.$region.**oci.customer-oci.com** (only used in cases where the namespace is not known, such as GetNamespace and WorkRequests)<br>**$namespace.**objectstorage.$region.**oci.customer-oci.com** (for all other operations) |
| S3-compatible | $namespace.compat.objectstorage.$region.oraclecloud.com<br>$namespace.compat.objectstorage.$region.oci.oraclecloud.com | $namespace.compat.objectstorage.$region.**oci.customer-oci.com** |
| Swift | swiftobjectstorage.$region.oraclecloud.com<br>swiftobjectstorage.$region.oci.oraclecloud.com | swiftobjectstorage.$region.**oci.customer-oci.com**<br>**$namespace.**swiftobjectstorage.$region.**oci.customer-oci.com** |
| PARs | objectstorage.$region.$RealmSpecificTLD/p/<>/n/<>/b/<>/o/ | **$namespace.**objectstorage.$region.**oci.customer-oci.com**/p/<>/n/<>/b/<>/o/ |
At general availability, the new URLs under customer-oci.com are only available for the OC1 realm. Other realms continue to use their existing top-level domains (TLDs).
What’s the impact?
Current Object Storage endpoint URLs continue to function, and use of the new endpoints is optional for all existing tenancies. The Oracle Cloud Console, software development kits (SDKs), CLI, and Terraform are transparently switching over to the new endpoints. Developers can optionally use the new realm-specific endpoint templates (RSETs) as a more secure option when using the SDKs by setting a flag. Tenants using custom clients can point their requests at any of these new domain URLs for a better security posture and aren’t forced to use a particular domain, although we highly encourage moving to the dedicated, namespace-prefixed endpoints on the customer-oci.com domain.
The Oracle Cloud Console now uses the dedicated endpoints, with a fallback to the old endpoints if any issues arise. When creating preauthenticated requests (PARs), the “fullpath” attribute in the response now provides a uniform resource identifier (URI) with a dedicated endpoint. The dedicated endpoints feature is backward compatible, so existing PARs still work. For new PARs created after general availability of the dedicated endpoints feature, however, the new PAR format with the namespace prefix on the oci.customer-oci.com domain is used.
Any code that expects the PAR URL to be in the current format must accept both the old and the new PAR URLs. Disable or update any PAR URL format validation logic in your code, and update any code that depends on the current PAR URL format, so that both the old and the new PAR URLs are supported.
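As an added example (not Oracle's code), the following Python parses a PAR URL in either the old shared-endpoint format or the new namespace-prefixed format from the table above, and builds the dedicated endpoint for a tenancy. It assumes the OC1 realm, where $RealmSpecificTLD is oraclecloud.com, and the example namespace and bucket names are constructed.

```python
import re
from urllib.parse import urlparse

# Host patterns from the endpoint table. Shared hosts carry no namespace;
# dedicated hosts carry the tenancy namespace as a prefix (OC1 realm assumed).
SHARED_HOST = re.compile(
    r"^objectstorage\.(?P<region>[a-z0-9-]+)\.(?:oci\.)?oraclecloud\.com$")
DEDICATED_HOST = re.compile(
    r"^(?P<namespace>[a-z0-9]+)\.objectstorage\.(?P<region>[a-z0-9-]+)"
    r"\.oci\.customer-oci\.com$")
PAR_PATH = re.compile(
    r"^/p/(?P<token>[^/]+)/n/(?P<namespace>[^/]+)/b/(?P<bucket>[^/]+)/o/(?P<obj>.*)$")


def dedicated_endpoint(namespace, region):
    """Return the namespace-prefixed dedicated endpoint for a tenancy.
    Namespaces with non-alphanumeric characters keep using the old endpoint."""
    if not re.fullmatch(r"[A-Za-z0-9]+", namespace):
        return f"https://objectstorage.{region}.oraclecloud.com"
    return f"https://{namespace.lower()}.objectstorage.{region}.oci.customer-oci.com"


def parse_par_url(url):
    """Describe a PAR URL in either format; raise ValueError if it is malformed."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("PAR URLs must use https")
    path = PAR_PATH.match(parts.path)
    if not path:
        raise ValueError("not a PAR path")
    host = parts.hostname or ""
    m = DEDICATED_HOST.match(host)
    if m:
        fmt = "dedicated"
        # Defensive check: the host's namespace must match the path's /n/ segment.
        if m.group("namespace") != path.group("namespace"):
            raise ValueError("namespace in host does not match namespace in path")
    else:
        m = SHARED_HOST.match(host)
        if not m:
            raise ValueError(f"unrecognised Object Storage host: {host}")
        fmt = "shared"
    return {"format": fmt, "region": m.group("region"),
            "namespace": path.group("namespace"), "bucket": path.group("bucket"),
            "object": path.group("obj")}


def is_valid_par_url(url):
    """True if parse_par_url accepts the URL in either the old or new format."""
    try:
        parse_par_url(url)
        return True
    except ValueError:
        return False
```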
The OCI CLI has a new flag, --realm-specific-endpoint, to use the dedicated endpoint instead of the existing common endpoint, as shown in the following example:
```shell
> oci os ns get
# This uses the default endpoint
> oci os ns get --realm-specific-endpoint
# This uses the realm-specific endpoint (if possible)
> oci os ns get
# This is back to using the default endpoint
```
To allow network access to dedicated endpoints, network administrators must add the wildcard domain *.customer-oci.com to the allow list of their firewall or proxy server.
Dedicated endpoints are currently only available for customers with only alphanumeric characters in their namespace. A few old namespaces have special characters like underscore, dash, and period and must continue using the old endpoints.
OCI Object Storage announces and sends customer notifications at least one year in advance of an enforcement date, which is regionally configurable, to deprecate the old SLD oraclecloud.com.
Conclusion
Oracle remains committed to security-first design principles and to improving the security posture of our OCI services for all customers. This feature is a step toward providing dedicated endpoints under a new domain to prevent cross-site scripting attacks from affecting the OCI Object Storage service and its users. We encourage you to start using the new dedicated endpoints for better security and tenant isolation.
For more information, refer to the documentation.
