Introduction

In Introducing Data Studio, Mike Matthews writes: “Data Studio is a new built-in application that unites the Data Tools of the Autonomous Database into a single, integrated user interface.” Let’s focus on the Data Share Tool capabilities of Data Studio. This publication builds upon the concepts discussed in Unlimited data-driven collaboration with Data Sharing of Oracle Autonomous Database (Alexey Filanovskiy).

At a high level, we will show you how to access an Oracle Cloud Infrastructure (OCI) Autonomous Database (ADB-S) Private Endpoint (PE) Data Share provider from your Cloud Provider of choice. A secure data exchange is essential for sectors such as Healthcare, Government, and other highly regulated industries, where data security is a top priority.

Business Value

Oracle Autonomous Database Data Sharing enables secure data sharing directly from a single point of truth, eliminating the need for multiple copies of data that can quickly become inconsistent. By streamlining collaboration and ensuring consistent, accurate information, businesses can reduce operational overhead, uncover new opportunities, and make faster, data-driven decisions. This seamless data exchange not only enhances innovation but also provides a competitive edge while maintaining data integrity and cutting costs in today’s fast-paced market.

Challenges and Considerations

Connecting your Cloud Provider to the Oracle REST Data Services (ORDS) port of your OCI ADB-S PE Data Share Provider may have its challenges. It is our hope that after you go over some of the key areas covered in this post, you’ll be well on your way to a secure cross-cloud private connection to your Data Share provider. 

You should have a bidirectional connection set up between your private clouds, have a running ADB-S PE, and understand how to manage network security.

Delta Share requires certificate authentication to access the OCI ADB-S PE Data Share. In other words, the Data Share provider will not be reachable unless the Delta Sharing Protocol can validate the authenticity of the certificate for the redirected endpoint URL. Rest assured that all data access is private.

Solution Diagram

This diagram represents a generic network diagram to illustrate what your network engineers may be looking at for a solution. Yours will be a variation of this.

ADB-S PE Data Share Diagram

Solution

You will need to set up your Private Endpoint ORDS connection in a way that allows the Data Share Consumer to trust the Data Share Provider.

Oracle OCI ADB-S-PE

  • Create an Object Store Bucket so you can access objects to be used with your Data Share Provider
  • Set up your Virtual Cloud Network (VCN), open ORDS port 443, then whitelist the INGRESS addresses, which are your client and Unity Catalog IPs. Please check the Databricks documentation for a list of Control Plane IP addresses.
  • Set up an OCI Bastion or Jump Host to allow connections to the Private Subnet of your VCN.
  • Create an Autonomous Database (ADB-S) Private Endpoint (PE) in the private subnet of your VCN.
  • Follow the example in OCI Script to Jumpstart Credential Creation (Jameson White) to set up your OCI Native Credential. Since your ADB-S is a Private Endpoint, copy the contents of the generated SQL script so you can run it later in your ADB-S, before you define your tables and initiate a Share.

Configure Load Balancer

  • Set up a Load Balancer (LB) in the Public Subnet of your VCN and define a hostname. This will create a public IPv4 address. See Load Balancer Management for more information, and ensure your Backend uses SSL.
  • To further secure your connection, you could set up a Web Application Firewall (WAF) with Access Rules to manage access to your Load Balancer.
  • On your domain provider’s page, map the hostname to the Public IP address defined above.
  • Return to your Load Balancer and manage the Backend Set (BS) for ORDS port 443. You will also define a Listener for ORDS port 443. Add the contents of fullchain.pem and privkey.pem to the CA Bundle and Certificate defined on your LB, to be used by the Listeners and Backend Sets. You can obtain these from whatever certificate authority you’re using.

Generate JSON File from your ADB-S-PE Data Share Provider

  • Connect securely (via Jump Host or Bastion) to Data Studio using the public hostname.domain URL you defined. Keep in mind, your access is managed securely via the LB and WAF (if used). If you’re unable to connect it’s likely that the client you’re connecting from isn’t whitelisted on the Oracle VCN. Network Security is as restrictive as you make it.
  • Create the Share table then run through the exercise of setting up a Data Share Provider. Collect the JSON and other bits.
  • In your Data Share Consumer of choice, use the provided JSON file to connect and consume the Data Share served by Private Endpoint.

Gotchas

  • If you use a certificate provider and your certificate authority does not provide fullchain.pem, ensure the certificates in the full chain are in the correct order.
  • To tighten things up, ensure that only jump hosts and specific IP addresses (Unity Catalog IPs) are added to ingress, egress, WAF and NSG. Work with your Cloud Network Administrator to get this right.
  • Ensure an Internet Gateway is added to the default route table rules.
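
The chain-order gotcha and the load balancer certificate step can both be checked before anything is pasted into the LB. The script below is an added example, not part of the original post or of Oracle's tooling; the function names are illustrative, it assumes the openssl CLI is installed, and it checks issuer/subject ordering and key pairing only, not signatures or trust.

```shell
#!/bin/sh
# Added example: pre-flight checks for fullchain.pem and privkey.pem.
# Function names are illustrative; requires the openssl CLI.

# check_chain_order FILE
# 0: every certificate is followed by the certificate of its issuer
#    (leaf first, then intermediates); 1: out of order; 2: no certificate.
# This compares issuer/subject names only; it does not verify signatures.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, preserving file order.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
    ' "$1"
    if [ ! -f "$tmp/cert1.pem" ]; then rm -rf "$tmp"; return 2; fi
    i=1; rc=0
    while [ -f "$tmp/cert$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")
        parent=$(openssl x509 -noout -subject_hash -in "$tmp/cert$((i + 1)).pem")
        if [ "$issuer" != "$parent" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# key_matches_leaf FULLCHAIN PRIVKEY
# 0 when the private key belongs to the first (leaf) certificate in FULLCHAIN.
key_matches_leaf() {
    # openssl x509 reads only the first certificate in a bundle: the leaf.
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Run as: sh check_chain.sh fullchain.pem privkey.pem
if [ "$#" -eq 2 ]; then
    check_chain_order "$1" && key_matches_leaf "$1" "$2" && echo "chain and key OK"
fi
```

A non-zero result from either function means the bundle should be reassembled (leaf certificate first, then each intermediate in issuing order) or the key re-exported before it is uploaded to the Listener and Backend Set.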