Oracle Machine Learning (OML) Notebooks is a collaborative environment for using Python, R, SQL, and PL/SQL to explore and prepare data, and build, evaluate, and deploy machine learning solutions. Both the broader OML functionality and OML Notebooks are automatically provisioned and managed as part of Oracle Autonomous AI Database, which runs on Oracle Cloud Infrastructure (OCI). OCI supports configuring your database with a private endpoint inside your virtual cloud network (VCN), keeping database and notebook traffic private and within OCI. Configuring OML Notebooks behind a private endpoint offers several benefits:
- Data privacy and security: With a private endpoint, your notebook session traffic doesn’t travel over the public internet, keeping your analytical workloads within a secure network environment.
- Controlled access: A private endpoint restricts access to OML Notebooks to authorized users within your VCN, giving you full control over who can connect.
- Time-limited, audited access: OCI Bastion sessions expire automatically and provide a controlled, audited ingress path into your VCN.
Connecting to OML Notebooks with a Private Endpoint
Because OML Notebooks is accessed via a browser over HTTPS, reaching a private endpoint from your local machine requires forwarding traffic securely into the VCN. OCI Bastion provides this capability as a fully managed, Oracle-operated service that establishes a time-limited SSH tunnel into your VCN without requiring a public IP or a separately managed jump host. OCI Bastion sessions expire automatically, limiting the duration of access compared with persistent jump hosts, and avoid the operational overhead of provisioning and patching a jump host VM.
Your local machine connects to an OCI Bastion session, which forwards traffic inside the VCN to the Autonomous AI Database private endpoint on port 443. OML Notebooks are accessed through the local forwarded port, with all traffic encrypted end-to-end.
OML Notebooks Private Endpoint Architecture
In the figure below, we show how the private endpoint architecture for OML Notebooks keeps all notebook traffic within your VCN while enabling secure browser access through OCI Bastion.
You can achieve this secure environment by:
- Configuring your Autonomous AI Database instance behind a private endpoint
- Creating an OCI Bastion service in the same VCN as your private endpoint
- Establishing a time-limited SSH tunnel from your local machine through Bastion and a compute instance in your VCN
- Accessing OML Notebooks in your browser over the forwarded local port
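The tunnel step above, as an added example that is not from the referenced guide or from Oracle: it builds an `ssh` local forward to the private endpoint on port 443, bound to loopback only, and checks `ss -H -ltn` output for a forwarded port that is reachable from other hosts. The local port 8443, the key path, the endpoint IP 10.0.0.10 and the `SESSION_USER@BASTION_HOST` target are placeholder assumptions; take the real values from your Bastion session.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not from a real host); 8443 is an assumed local port.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 128 [::1]:8443 [::]:*
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 *:9443 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""


def tunnel_argv(key_path, local_port, endpoint_ip, ssh_target):
    """Build the ssh argv for a loopback-only forward to the private endpoint on 443."""
    if not 1024 <= local_port <= 65535:
        raise ValueError("use an unprivileged local port (1024-65535)")
    ipaddress.ip_address(endpoint_ip)  # raises ValueError on a malformed address
    return ["ssh", "-i", key_path, "-N",          # -N: forward only, no remote shell
            "-o", "ExitOnForwardFailure=yes",     # fail instead of running without the forward
            "-L", f"127.0.0.1:{local_port}:{endpoint_ip}:443",
            ssh_target]


def exposed_listeners(ss_output, local_port):
    """Return listeners on local_port whose bind address is not loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if port != str(local_port):
            continue
        host = host.strip("[]").split("%")[0]     # drop IPv6 brackets and any zone id
        # "*" is the wildcard bind: every interface, so other hosts can use the tunnel.
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append(fields[3])
    return exposed


if __name__ == "__main__":
    # Placeholder values only; substitute those of your own Bastion session.
    print(" ".join(tunnel_argv("~/.ssh/bastion_key", 8443, "10.0.0.10",
                               "SESSION_USER@BASTION_HOST")))
    print("non-loopback listeners on 8443:", exposed_listeners(SAMPLE_SS, 8443))
```

A non-empty result from `exposed_listeners` means the forwarded port accepts connections from other machines on your local network, which extends the path into the VCN beyond your own workstation.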

How to Get Started
To get started, refer to this technical guide that walks through the complete setup, from configuring network security rules and creating the OCI Bastion service and session, to establishing the SSH tunnel from your local machine and opening OML Notebooks in your browser.
