Connect your on-premises databases to Data Safe in a few simple steps
Oracle Data Safe now supports on-premises databases. Our blog post Keeping Data Safe – on-premises! focused on the key reasons to use Data Safe to secure your on-premises databases. In this blog post, I will explain how you can connect and register your on-premises database in Data Safe.
The main step involves creating a network connectivity path for Data Safe to talk to your on-premises database. Once this step is complete, Data Safe connects to and works with your on-premises database in the same way as with a database running in Oracle Cloud.
Before I describe how to connect, it’s important to understand what a Virtual Cloud Network (VCN) is. A VCN is a private network in Oracle Cloud Infrastructure. Just like a traditional data center network, the VCN provides you with complete control over your network environment. A VCN typically connects your Oracle Cloud Infrastructure resources including compute, storage, or databases. You can also create an empty VCN with no resources if you are not using the Oracle Cloud Infrastructure for any other service.
The current Data Safe service requires a FastConnect or VPN connection from your data center to Oracle Cloud Infrastructure, which effectively extends your VCN to your on-premises network, as shown in Figure 1. More information on FastConnect and VPN Connect is linked at the end of the blog post.
Figure 1 - Extending a VCN to your on-premises network via FastConnect or VPN
If you don’t have a FastConnect or VPN connection, or would prefer not to link up the networks, we offer another connectivity option as part of a limited availability program. Please scroll to the end of the blog post for more information.
Connecting your on-premises database to Data Safe
Once you have a connection to Oracle Cloud Infrastructure using FastConnect or VPN Connect, connecting your database to Data Safe is done in three simple steps, described below.
If you are already using Data Safe for your Oracle cloud databases running in a private VCN, then you’ll find that these steps are very similar. (You can read my previous blog post for more details.)
Step 1 – Create a representation of Data Safe in your VCN
For this step, all you need to know is the name of your VCN that is connected to your on-premises network. In my environment, I have a FastConnect connection to the VCN called CorpDev1-iad.vcn. The VCN has one subnet called CorpDev1-iad.
Figure 2 – Example VCN and Subnet
To create a representation of Data Safe in your VCN and to ultimately allow communication between Data Safe and your on-premises databases, you need to create a Data Safe private endpoint.
To create the private endpoint, navigate to the Data Safe console in Oracle Cloud Infrastructure by selecting Data Safe in the menu on the left under Database related services and then clicking on Private Endpoints.
Figure 3 – Data Safe console
Select Create Private Endpoint in the console, enter the name of the new private endpoint you want to create and select the VCN and subnet that are connected to your on-premises databases.
Figure 4 - Creating the Data Safe Private Endpoint
Once the private endpoint is created, click on the private endpoint name to find the private IP address assigned to the private endpoint. Please note that this private endpoint is a virtual representation of Data Safe in your network.
Figure 5 - Private Endpoint Details
By the way, you only need to create one Data Safe private endpoint for your Virtual Cloud Network, no matter how many on-premises databases you want to register in Data Safe.
Step 2 – Allow communication from the Data Safe private endpoint to your database
Now we need to allow communication from the Data Safe private endpoint to your database. You can either allow communication to all your on-premises databases that are accessible from the Virtual Cloud Network or you can limit it to one or more databases specifically. To allow outgoing communication from the Data Safe private endpoint, you need to define an egress rule.
For my example, I want to allow communication from the Data Safe private endpoint to just one on-premises database reachable from the VCN, so I add a rule to the security list of my VCN subnet; you could also use Network Security Groups (NSGs) instead. Figure 6 shows a simple egress rule allowing communication from my Data Safe private endpoint to my database (10.89.69.237, port 1527):
Figure 6 - Example Egress Rule
Please note: If your database has multiple database nodes, you need to include them all in the egress rules of your security list (or NSG).
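The egress rule in Figure 6 is created in the console, but the same rule can be expressed as JSON and applied with the OCI CLI (for example, oci network security-list update --egress-security-rules file://rules.json). The following Python script is an added example, not Oracle's or Data Safe's own code: it builds one least-privilege rule per database node (a /32 destination and the single listener port, following the note above about multiple nodes) in the key layout of OCI's EgressSecurityRule API object, and it audits an existing rule set to report nodes no rule covers and rules that are broader than the database nodes and port need. The node IP and port are the blog's example values; the security list itself and any additional nodes are assumptions you replace with your own.

```python
import ipaddress
import json

# Constructed sample values taken from the blog's example: one database node
# at 10.89.69.237 listening on port 1527. Add further nodes (e.g. RAC nodes)
# to DB_NODES so that every node gets its own rule.
DB_NODES = ["10.89.69.237"]
DB_PORT = 1527


def egress_rules_for_targets(nodes, port):
    """Build one stateful TCP egress rule per database node, limited to a
    /32 destination and to the single listener port, using the field names
    of the OCI EgressSecurityRule object."""
    rules = []
    for node in nodes:
        ip = ipaddress.ip_address(node)  # raises ValueError on a mistyped address
        rules.append({
            "destination": f"{ip}/32",
            "destinationType": "CIDR_BLOCK",
            "protocol": "6",  # OCI uses the IANA protocol number; 6 is TCP
            "isStateless": False,
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
            "description": f"Data Safe private endpoint -> DB node {ip}:{port}",
        })
    return rules


def _rule_allows(rule, ip, port):
    """True if a single CIDR-based egress rule permits TCP traffic to ip:port."""
    if rule.get("protocol") not in ("6", "all"):
        return False
    if rule.get("destinationType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False
    if ip not in ipaddress.ip_network(rule["destination"], strict=False):
        return False
    port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if port_range is None:
        return True  # no port restriction means every TCP port is allowed
    return port_range["min"] <= port <= port_range["max"]


def audit_egress(rules, nodes, port):
    """Check an existing egress rule set against the database nodes.

    Returns {'missing': nodes no rule reaches, 'too_broad': destinations of
    rules that allow more than one host, more than one port, or all protocols}.
    """
    missing = [node for node in nodes
               if not any(_rule_allows(r, ipaddress.ip_address(node), port)
                          for r in rules)]
    too_broad = []
    for r in rules:
        if r.get("destinationType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue  # service-gateway style destinations are not IP ranges
        net = ipaddress.ip_network(r["destination"], strict=False)
        port_range = (r.get("tcpOptions") or {}).get("destinationPortRange")
        if (r.get("protocol") == "all" or net.num_addresses > 1
                or port_range is None or port_range["min"] != port_range["max"]):
            too_broad.append(r["destination"])
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    # Write rules.json for the CLI, then audit the rules we just produced.
    rules = egress_rules_for_targets(DB_NODES, DB_PORT)
    with open("rules.json", "w") as fh:
        json.dump(rules, fh, indent=2)
    print(json.dumps(audit_egress(rules, DB_NODES, DB_PORT)))
```

Run the audit against the egress rules exported from your security list (or NSG) whenever a node is added to the database: an entry under "missing" means Test Connection in Step 3 will fail for that node, and an entry under "too_broad" usually means a catch-all rule such as 0.0.0.0/0 is doing the work instead of a rule scoped to the database.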
Step 3 – Register your on-premises database in Data Safe
The only step left is to register your on-premises database in Data Safe.
To register your database, go back to the Data Safe console in Oracle Cloud Infrastructure and click on the Service Console button. In the Data Safe UI select Targets in the top menu and click the + Register button.
In the registration dialog, enter a name for your database and select Oracle On-Premises Database in the drop-down menu under Target Type. This changes some of the input options: Private Endpoint is now selected automatically under Connectivity Option. In the next entry field, select the Data Safe private endpoint you created in step 1. Then enter the connection details for your database: IP address, port number and database service name. If your database has more than one database node, enter all nodes under IP Address.
The last entry is for the credentials Data Safe will use to connect to your database. We suggest creating a dedicated database user for Data Safe in your database. To help grant the necessary privileges to this database user, you can download a privilege script from the registration dialog and run it in your database before you complete the registration. Now click on Test Connection to ensure that everything was set up correctly. Then click on Register Target.
Figure 7 - Database Registration
To find more detailed step-by-step instructions, please read our Data Safe User Guide.
And that’s it! Your on-premises database is now all set up to be secured by Data Safe. I recommend running a Security Assessment and User Assessment first. Just go to Security Assessment on the Data Safe home page, select your database and click the Assess button. And then repeat the same for User Assessment. You will receive comprehensive assessment reports in minutes showing you potential risks that you can then address. More information on how to get started and explore Data Safe can be found here.
Figure 8 - Data Safe Home Page and Dashboards
Alternative Connectivity Option
If you don’t have FastConnect or VPN Connect, or would prefer not to link up the networks, we are offering a Data Safe on-premises connector as part of a limited availability program. You can configure and download the lightweight connector and deploy it on a node in your network. The connector is easy to install, doesn’t require deep network knowledge, and can be used to connect to all your on-premises databases.
For more information and how to participate in the limited availability program, please click here.