Oracle Cloud Infrastructure Documentation

Managing Private Endpoints

Create, edit, and delete private endpoints in Resource Manager.

With private endpoints, you can access nonpublic cloud resources in your tenancy from Resource Manager. For example, configure a private compute instance using Terraform's remote exec functionality and access Terraform configurations in a private GitHub server.

Required IAM Policy

To manage private endpoints, you must have permission to manage private endpoints in the tenancy, and to use virtual network resources, such as VCNs and subnets. For more information, see Manage Private Templates.

If you're new to policies, see IAM Policies Overview.

Scenarios

Review common scenarios for using private endpoints with Resource Manager.

Other scenarios also exist. You can reach any private resource with a private IP, using a private endpoint in Resource Manager. For example, connect to a Kubernetes cluster.

Private Git Server

Give Resource Manager access to a Git server that isn't accessible over the internet. User these instructions for a private server that you host at Oracle Cloud Infrastructure or on-premises.

  1. If the private server is on-premises, then set up site-to-site VPN or FastConnect.
    For more information, see Site-to-Site VPN and FastConnect.
  2. Import the private Git server's associated SSL certificate into the Certificates service.

    For more information, see the relevant page:

  3. Create a private endpoint.
  4. Get the reachable IP address for the private endpoint.
  5. Create a configuration source provider that references this private endpoint (and the associated SSL certificate that you imported into the Certificates service).
  6. Create a stack that references this configuration source provider.

Private Remote Exec

Access private instances with Remote Exec.

Note

When accessing a private instance with Remote Exec, you must use a reachable IP address.

See also Getting the Reachable IP Address for a Private Endpoint.

  1. Write a Terraform configuration that creates a private instance.
  2. In the Terraform configuration, either create or reference a private endpoint:

    For example Terraform configurations that use Resource Manager private endpoints, see Private endpoint Terraform configuration examples.

  3. Add code to your Terraform configuration to convert the private IP address to a reachable IP address.

    The reachable IP address is in the range 240.0.0.0 to 255.255.255.255 (Class E; see RFC 1112, Section 4).

    To get the reachable IP address, see Getting the Reachable IP Address for a Private Endpoint.

    Example code
    resource "null_resource" "remote-exec" {
  depends_on = [oci_core_instance.private_endpoint_instance]

  provisioner "remote-exec" {
    connection {
      agent = false
      timeout = "30m"
      host = data.oci_resourcemanager_private_endpoint_reachable_ip.test_private_endpoint_reachable_ips.ip_address
      user = "opc"
      private_key = tls_private_key.public_private_key_pair.private_key_pem
    }

    inline = [
      "echo 'remote exec showcase' > ~/remoteExecTest.txt"
    ]
  }
}

    For example Terraform configurations that use Resource Manager private endpoints, see Private endpoint Terraform configuration examples.

  4. Store the Terraform configuration in a supported location.
  5. Create a stack that references this Terraform configuration.
  6. Run an apply job on the stack.
    The private instance and private endpoint are created. You can now use Remote Exec to access your private instance.

Managing Security Attributes

You can use Zero Trust Packet Routing (ZPR) along with or in place of network security groups to manage network access to OCI resources . To do this, define ZPR policies that govern how resources communicate with each other, and then add security attributes to those resources. For more information, see Zero Trust Packet Routing.

Caution

If an endpoint has a Zero Trust Packet Routing (ZPR) security attribute, traffic to the endpoint must satisfy ZPR policies and also all NSG and security list rules. For example, if you're already using NSGs and you add a security attribute to an endpoint, all traffic to the endpoint is blocked. From then onward, a ZPR policy must explicitly allow traffic to the endpoint.

Applying Tags

Apply tags to resources to help organize them according to your business needs. You can apply tags when you create a resource, and you can update a resource later to add, revise, or remove tags. For general information about applying tags, see Resource Tags.