Connect Oracle Cloud Databases with Private IP Addresses to Data Safe in Just Three Simple Steps
As your cloud databases have a lot of sensitive data, you run them in your own private network inside the Oracle Cloud Infrastructure. Oracle Cloud Infrastructure provides some security features to help you meet your objectives for infrastructure, networking, compute, and database, but you are also responsible for the security of your data configuration, users, monitoring user activity, data security, etc. And this takes time, effort, and expertise in both databases as well as security, but that was until now. If you are running an Oracle Cloud Database in a private Virtual Cloud Network (VCN) on Oracle Cloud Infrastructure, you can now very easily monitor and control your security posture with Oracle Data Safe.
The latest Data Safe update adds support for cloud databases using private IP addresses, including Exadata Cloud Service, Database Cloud Service on Virtual Machine as well as on Bare Metal. This expands upon Data Safe’s existing support for Oracle Cloud Databases with public IP addresses like Oracle Autonomous Transaction Processing Databases and Oracle Autonomous Data Warehouses.
Oracle Data Safe
First, a word about Oracle Data Safe before we dive into the new feature and how to set up the connection to your database. Data Safe is Oracle’s unified control center for managing database security in the Oracle Cloud. Data Safe helps you to evaluate security controls, assess user security, monitor user activity, and address data security compliance requirements by evaluating the sensitivity of your data and masking sensitive data for non-production databases. If you aren’t familiar with Data Safe yet, you can read more about it in our blog A Guided Tour of Oracle Data Safe.
And the best part: all Data Safe features are included with your Oracle Cloud Database subscription, along with an audit collection of up to 1 million audit records per database per month in Data Safe.
Connecting Data Safe to Your Database
There are basically three steps in connecting Data Safe to your cloud databases running in your private VCN:
First Step – Create the Private Endpoint
As your cloud database with a private IP address is running in a Virtual Cloud Network (VCN), Data Safe needs a network point of presence in your VCN. For this, we have introduced a new feature in Data Safe called Private Endpoint. Setting up a private endpoint in Data Safe is pretty simple; all you need is the name of the VCN in which your database is running and the subnet in which you want to create the private endpoint. This could be the same subnet in which your database is running or a different subnet in the same VCN. To find the name of your VCN and subnet, go to the database console in Oracle Cloud Infrastructure. My example shows the database console of a Database Cloud Service on Virtual Machine:
Figure 1 - Database Console on OCI
In my case, the database is running in the VCN DataSafe_VCN_PE and the subnet DataSafe_Subnet.
We also need the Port and the OCID of your database later in the second and third step respectively. So you might want to copy them now for later reference.
Now I go to the Data Safe console in Oracle Cloud Infrastructure. You can find Data Safe in the Oracle Cloud Infrastructure menu on the left listed under Database. If Data Safe is not yet enabled in your tenancy, just click the Enable Data Safe button.
Select Private Endpoint in the menu and click on Create Private Endpoint:
Figure 2 - Data Safe Console
Here you simply enter the name for your private endpoint, the VCN of the database you just looked up and the subnet in which you want to create the private endpoint. Again, this can be in the same subnet as your database or in a different subnet of the VCN.
Figure 3 - Creating a Private Endpoint
Now let’s check the details of the new private endpoint by clicking on the private endpoint name. In the details, you can find the private IP address assigned to the private endpoint. We need this IP address when configuring the network security rules in the next step.
Figure 4 - Private Endpoint Details
Please note: You only need to create one Data Safe private endpoint for your VCN. If you want to connect more than one database in the same VCN, you just need to allow communication from the Data Safe private endpoint to all the databases in the VCN you want to connect to.
Second Step – Allow Communication between Data Safe and Your Database
To allow communication between the Data Safe private endpoint and your database port, we can either set up the security rules of your VCN, or alternatively, you could use Network Security Groups (NSGs). For my setup, I am using security rules and you can see a simple example for an ingress/egress rule, allowing communication from my Data Safe private endpoint (10.0.0.6) to my database (10.0.0.2, port 1521):
Figure 5 - Example Security Rules
Please note: If you have more than one database node, you need to include them in your ingress/egress rules. Also, if you want to connect more than one database in the same VCN to Data Safe, you need to update the ingress/egress rules accordingly.
Third Step – Register Your Database in Data Safe
Now that we have the network connectivity set up, we need to register the database with Data Safe.
On the Data Safe console in Oracle Cloud Infrastructure, click the Service Console button. In the Data Safe UI, select Targets from the top menu and click the + Register button.
In the registration dialog, you select the private endpoint you just created and enter the connection details and credentials for your database. We suggest creating a dedicated database user for Data Safe in your database. To help grant the necessary privileges to this database user, you can download the privilege script from the registration dialog and run it in your database before you complete the registration. You can click on Test Connection to ensure that everything was set up correctly. Then click on Register Target.
Figure 6 - Database Registration in Data Safe
To find more detailed step-by-step instructions as well as how to identify your database service name, please check our Data Safe User Guide.
And that’s it! Your database is now all set up to be secured by Data Safe. I recommend running a Security Assessment and User Assessment first. Just go to Security Assessment on the Data Safe home page, select your database and click the Assess button. And then repeat the same for User Assessment. You will get comprehensive assessment reports in minutes showing you any potential risks you can then start mitigating. More information on how to get started and explore Data Safe can be found here.
Figure 7 - Data Safe Home Page and Dashboards
Figure 8 - Example Security Assessment Report
Although I used Database Cloud Service as an example, the steps outlined here are the same for Exadata Cloud Service.
For more updates on Data Safe and the expansion of supported databases, please continue to read this blog series. More information on how to get started and explore Data Safe can be found here.