Announcing private IP address support for OCI Object Storage using private endpoints

September 10, 2024 | 6 minute read
Rajiv Garg
Senior Principal Product Manager

Today, we’re announcing the general availability of private endpoints for Oracle Cloud Infrastructure (OCI) Object Storage in all commercial regions. Private endpoints help enable secure, private connectivity using a private IP address to access OCI Object Storage from your virtual cloud network (VCN) or on-premises network. The traffic doesn’t go over a public IP address (a public endpoint) or the internet.  

OCI Object Storage already supports service gateways to enable private access to multiple OCI services. However, service gateways rely on public endpoints, and some customers don’t want to use them even if the traffic is encrypted for the following reasons:

  • Address regulatory compliance: Prevent sensitive data from going over the public endpoints or internet to support compliance with regulations, such as Health Insurance Portability and Accountability Act (HIPAA) and EU-US Privacy Shield.  
  • Data privacy: Seek a familiar, on-premises private access connectivity model where you can access an Oracle-hosted service over private IP addresses.  

You might need this extra level of privacy when storing employee information, customer data, health records, or corporate confidential information. Now, with private endpoints, you can use a private IP address to access OCI Object Storage from your virtual cloud network (VCN) or on-premises network through a fully qualified domain name (FQDN). Private endpoints also enable you to create access targets to restrict which object storage buckets the private endpoint can access. Additionally, private endpoint access is limited to OCI Object Storage, providing traffic isolation. 

At the end of this blog post, we cover some practical steps for the implementation of private endpoints. 

Private endpoints for cloud applications

Imagine that your cloud application needs to save customer data, and the company data privacy policy restricts the use of public endpoints. Now, you can create a private endpoint in your VCN and map it to the bucket used in OCI Object Storage.  

A basic architecture of a cloud deployment with private endpoints.
Figure 1: Private endpoints for cloud applications

Private endpoints for on-premises applications

If you’re using an on-premises application that needs to write data privately to OCI, you can use FastConnect private peering or site-to-site VPN with a dynamic routing gateway (DRG) to reach your VCN. For example, a hospital wants to save health records to OCI Object Storage without using a public endpoint to support regulatory compliance. You can create a private endpoint in your VCN and route traffic from your on-premises network using the FQDN. Creating a private endpoint results in a unique DNS record in your VCN so that the FQDN is fully resolvable.

An architecture diagram of an on-premises deployment with private endpoints.
Figure 2: Private endpoints for on-premises applications

Configuring multiple private endpoints 

You can restrict a private endpoint to only allow access to a specific set of buckets, compartments, or tenancies within OCI Object Storage. Also, each private endpoint allows a throughput of up to 25 Gbps. If you need more than 25 Gbps for a given workload, you can create multiple private endpoints in a VCN and load balance between them.

In this example, we show multiple private endpoints from multiple networks with varying bucket access in OCI Object Storage. 

An architecture diagram of multiple private endpoints.
Figure 3: Configuring multiple private endpoints

While private endpoints provide a private IP address path to specified buckets, identity and access management (IAM) policies are still required to enable user access. You can also define rules using IAM policies for object buckets so that requests are only authorized if they originate from a specific VCN or an IP range within that VCN. All other network access to these buckets, including over the internet, is blocked, further protecting the data.
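The VCN-scoped authorization described in this paragraph, as an added Terraform example that is not part of the original post: a network source that names the VCN and an IP range inside it, and a policy whose where clause authorizes access to one bucket only for requests arriving from that source. The group, bucket and compartment names, the CIDR, and the variables holding OCIDs are assumed placeholders.

```hcl
# Added example: authorize access to one bucket only from a given VCN / IP range.
# Group, bucket and compartment names, the CIDR and all OCID variables are placeholders.

# Network sources are tenancy-level resources, so compartment_id is the tenancy OCID.
resource "oci_identity_network_source" "app_vcn_only" {
  compartment_id = var.tenancy_ocid
  name           = "app-vcn-source"
  description    = "Requests originating in the application VCN"

  virtual_source_list {
    vcn_id    = var.app_vcn_ocid
    ip_ranges = ["10.0.1.0/24"]   # subnet range inside the VCN (constructed value)
  }
}

# The where clause must hold for every request: the bucket must match AND the
# request must arrive through the named network source. Requests for the same
# bucket from the internet or from another VCN fail the clause and are denied.
resource "oci_identity_policy" "customer_data_vcn_only" {
  compartment_id = var.compartment_ocid
  name           = "customer-data-vcn-only"
  description    = "Object access to customer-data only from the application VCN"

  statements = [
    "Allow group AppWriters to manage objects in compartment id ${var.compartment_ocid} where all { target.bucket.name = 'customer-data', request.networkSource.name = 'app-vcn-source' }",
  ]
}
```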

For more information on private endpoints, see the OCI Private Endpoint overview.  

Configuring private endpoints in OCI Object Storage

OCI Object Storage allows you to set up a private endpoint in a subnet of your choice within the VCN. When connected to your VCN, private endpoints allow private connectivity to data.

Administrators can now set up private endpoints using the Oracle Cloud Console, API, CLI, or Terraform.  

Create a private endpoint

To create a private endpoint, use the following steps:

  1. In the navigation menu of the Console, select Storage. Under Object Storage & Archive Storage, select Private Endpoints.
  2. Select the compartment from the list under List Scope.
  3. Select Create Private Endpoint. The Create Private Endpoint dialog box appears.
Creating a private endpoint.
Figure 4: Creating a private endpoint
  4. Enter a name and DNS prefix for the private endpoint.
  5. Select the VCN for your private endpoint from the Select VCN in <compartment> list.
  6. Select a subnet under the VCN from the list.
  7. Add an access target to the private endpoint to limit access to a bucket, compartment, or namespace.
    • Namespace: Enter the namespace for the access target.
    • Compartment OCID: Enter the OCID of the compartment for the access target.
    • Bucket name: Enter the name of the bucket for the target.

     Select Access target to add another access target (up to 10).

  8. Select the Advanced Options tab to add the following optional settings:
    • Preferred IP address: Enter or select the IP address you prefer to be used with the private endpoint.
    • NSG: Add a network security group (NSG) to the private endpoint. Enter the name of the NSG from the list.
    • Other DNS prefix: Add any additional DNS prefixes to the private endpoint from the list.
  9. Select the Tags tab to apply tags to the private endpoint.
  10. Select Create.
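The same creation flow expressed in Terraform, as an added example that is not the post's or Oracle's own code: it assumes the OCI Terraform provider's oci_objectstorage_private_endpoint resource and attribute names, assumes the referenced VCN and subnet resources exist elsewhere in the configuration, and uses placeholder names, OCIDs and addresses throughout.

```hcl
# Added example: the Console flow above as Terraform. Assumes the provider's
# oci_objectstorage_private_endpoint resource; every OCID, name and address is a placeholder.
resource "oci_objectstorage_private_endpoint" "app_pe" {
  compartment_id = var.compartment_ocid
  namespace      = var.os_namespace                # Object Storage namespace of the tenancy
  name           = "app-object-storage-pe"         # name shown in the Console
  prefix         = "app-objstore"                  # DNS prefix; the FQDN resolves inside the VCN
  subnet_id      = oci_core_subnet.app_private.id  # subnet (and thus VCN) hosting the endpoint

  # Access targets: only these buckets are reachable through this endpoint (Console allows up to 10).
  access_targets {
    namespace      = var.os_namespace
    compartment_id = var.compartment_ocid
    bucket         = "customer-data"
  }
  access_targets {
    namespace      = var.os_namespace
    compartment_id = var.compartment_ocid
    bucket         = "health-records"
  }

  # Advanced options: preferred IP inside the subnet, NSG, extra DNS prefixes (all optional).
  private_endpoint_ip = "10.0.1.10"
  nsg_ids             = [oci_core_network_security_group.pe_nsg.id]
  additional_prefixes = ["app-objstore-2"]
  freeform_tags       = { "data-classification" = "confidential" }
}

# NSG attached to the endpoint: permit HTTPS only from the application subnet,
# so other workloads in the VCN cannot reach the endpoint's private IP.
resource "oci_core_network_security_group" "pe_nsg" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.app.id
  display_name   = "objstore-pe-nsg"
}

resource "oci_core_network_security_group_security_rule" "pe_https_in" {
  network_security_group_id = oci_core_network_security_group.pe_nsg.id
  direction   = "INGRESS"
  protocol    = "6"            # TCP
  source_type = "CIDR_BLOCK"
  source      = "10.0.2.0/24"  # application subnet (constructed)
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}
```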

List private endpoints

List your private endpoints using the following steps:

  1. In the navigation menu, select Storage. Under Object Storage & Archive Storage, select Private Endpoints.
  2. Select the compartment from the list under List Scope. All the private endpoints in that compartment are listed in tabular form.
A list of example private endpoints.
Figure 5: List private endpoints


Edit a private endpoint

To edit a private endpoint, use the following steps:

  1. In the navigation menu, select Storage.
  2. Under Object Storage & Archive Storage, select Private Endpoints.
  3. Select the compartment from the list under List Scope. All the private endpoints in that compartment are listed in tabular form.
  4. Select the private endpoint that you want to edit. The private endpoint’s Details page appears.
  5. Select Edit. The Edit Private Endpoint dialog box appears.
  6. Make your edits to access targets or tags.  
  7. Select Save Changes.
Editing a private endpoint’s access target.
Figure 6: Edit a private endpoint


In addition to creating, listing, and editing a private endpoint, you can also delete it.    


Conclusion

You can now help improve your security posture with private endpoints for OCI Object Storage by using a private IP address inside your VCN to access data. You can also restrict which object storage buckets can be accessed through the private endpoint. You can start using this feature by creating and configuring a private endpoint within your VCN. 

If you’re not yet using Oracle Cloud Infrastructure, you can sign up for a free trial.

