Today, we’re announcing the general availability of private endpoints for Oracle Cloud Infrastructure (OCI) Object Storage in all commercial regions. Private endpoints help enable secure, private connectivity using a private IP address to access OCI Object Storage from your virtual cloud network (VCN) or on-premises network. The traffic doesn’t go over a public IP address (a public endpoint) or the internet.
OCI Object Storage already supports service gateways to enable private access to multiple OCI services. However, service gateways rely on public endpoints, and some customers don’t want to use them even if the traffic is encrypted for the following reasons:
You might need this extra level of privacy when storing employee information, customer data, health records, or corporate confidential information. Now, with private endpoints, you can use a private IP address to access OCI Object Storage from your virtual cloud network (VCN) or on-premises network through a fully qualified domain name (FQDN). Private endpoints also enable you to create access targets to restrict which object storage buckets the private endpoint can access. Additionally, private endpoint access is limited to OCI Object Storage, providing traffic isolation.
At the end of this blog post, we cover some practical steps for the implementation of private endpoints.
Imagine that your cloud application needs to save customer data, and the company data privacy policy restricts the use of public endpoints. Now, you can create a private endpoint in your VCN and map it to the bucket used in OCI Object Storage.
If you’re using an on-premises application that needs to write data privately to OCI, you can use FastConnect private peering or site-to-site VPN with a dynamic routing gateway (DRG) to reach your VCN. For example, a hospital wants to save health records to OCI Object Storage without using a public endpoint to support regulatory compliance. You can create a private endpoint in your VCN and route traffic from the on-premises network using the FQDN. Creating a private endpoint results in a unique DNS record in your VCN so that the FQDN is fully resolvable.
You can restrict a private endpoint to only allow access to a specific set of buckets, compartments, or tenancies within OCI Object Storage. Also, each private endpoint allows a throughput of up to 25 Gbps. If you need more than 25 Gbps for a given workload, you can create multiple private endpoints in a VCN and load balance between them.
In this example, we show multiple private endpoints from multiple networks with varying bucket access in OCI Object Storage.
While private endpoints provide a private IP address path to specified buckets, identity and access management (IAM) policies are still required to enable user access. You can also define rules using IAM policies for object buckets so that requests are only authorized if they originate from a specific VCN or an IP range within that VCN. All other network access, including over the internet, is blocked to these buckets, further protecting the data.
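A practical way to confirm the two controls above are actually in effect is a pre-flight check in the client: resolve the private endpoint FQDN and refuse to send data unless every answer is a non-public address inside your VCN. The following script is an added example, not Oracle's code or part of the original post; the hostnames, addresses, and VCN CIDR in it are constructed placeholders, and `system_resolver` is only there for a real deployment (the demo uses the static table so it runs offline).

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps an FQDN to the list of addresses it resolves to.
Resolver = Callable[[str], List[str]]


def system_resolver(fqdn: str) -> List[str]:
    """Look the name up through the OS resolver (what a real deployment would use)."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def make_static_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build a resolver backed by a fixed table so the check can run offline."""
    def resolve(fqdn: str) -> List[str]:
        return list(table.get(fqdn, []))
    return resolve


def check_private_path(fqdn: str, vcn_cidrs: Iterable[str], resolver: Resolver) -> dict:
    """Classify every address the FQDN resolves to.

    The path is accepted ("ok": True) only when the name resolved to at least one
    address and every address is both non-public (per ipaddress.is_private) and
    inside one of the caller's VCN/subnet CIDRs. A name that also resolves to a
    public address fails, because a client could fall back to that path.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in vcn_cidrs]
    findings = []
    for addr in resolver(fqdn):
        ip = ipaddress.ip_address(addr)
        findings.append({
            "address": addr,
            "private": ip.is_private,
            "in_vcn": any(ip in net for net in networks),
        })
    ok = bool(findings) and all(f["private"] and f["in_vcn"] for f in findings)
    return {"fqdn": fqdn, "ok": ok, "findings": findings}


# Constructed DNS answers (hypothetical names and addresses, not real OCI records).
SAMPLE_DNS = {
    "pe-prod.objectstorage.example.invalid": ["10.0.1.25"],               # private endpoint in our VCN
    "pe-stale.objectstorage.example.invalid": ["192.168.50.7"],           # private, but not our VCN
    "pe-split.objectstorage.example.invalid": ["10.0.1.25", "45.0.0.10"],  # also leaks a public path
    "public.objectstorage.example.invalid": ["45.0.0.10"],                # public endpoint
}
VCN_CIDRS = ["10.0.0.0/16"]  # constructed VCN CIDR


def run_checks(names: Iterable[str]) -> Dict[str, bool]:
    """Return {fqdn: ok} for each name using the constructed table."""
    resolver = make_static_resolver(SAMPLE_DNS)
    return {n: check_private_path(n, VCN_CIDRS, resolver)["ok"] for n in names}


if __name__ == "__main__":
    for name, ok in run_checks(SAMPLE_DNS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Only the first name passes: a private address outside your VCN, a name that resolves to both a private and a public address, and the public endpoint all fail, which is the behaviour you want when the privacy policy forbids public endpoints. Pair this client-side check with the IAM network-source condition described above so that a request which does slip onto a public path is also rejected server-side.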
For more information on private endpoints, see the OCI Private Endpoint overview.
OCI Object Storage allows you to set up a private endpoint in a subnet of your choice within the VCN. When connected to your VCN, private endpoints allow private connectivity to data.
Administrators can now set up private endpoints using the Oracle Cloud Console, API, CLI, or Terraform.
To create a private endpoint, use the following steps:
Select Access target to add another access target (up to 10).
List your private endpoints using the following steps:
To edit a private endpoint, use the following steps:
In addition to creating, listing, and editing a private endpoint, you can also delete it.
You can now help improve your security posture with private endpoints for OCI Object Storage by using a private IP address inside your VCN to access data. You can also restrict which object storage buckets can be accessed through the private endpoint. You can start using this feature by creating and configuring a private endpoint within your VCN.
If you’re not yet using Oracle Cloud Infrastructure, you can sign up for a free trial.
For more information, see the following resources: