About Public Endpoints and Access Control Rules

When you set up an Oracle Analytics Cloud instance you have the option to deploy Oracle Analytics Cloud with a public internet accessible endpoint.

For security reasons, you might want to restrict incoming traffic (ingress) through one or more access control rules. Similarly, if you use a private access channel to connect to private data sources, you might want to restrict outgoing traffic (egress) through one or more network security group rules.

Ingress Access Control Rules

You can add and edit incoming access control rules whenever you want, and manage access in several ways. You can manage access from:
  • A specific set of IP addresses
  • CIDR block ranges (Classless Inter-Domain Routing)
  • One or more Oracle Cloud Infrastructure VCNs (Virtual Cloud Network)
  • Oracle services in the same region through a service gateway
  • Any combination of the above, that is, IP addresses, CIDR ranges, VCNs, Oracle services.

For example:

  • Scenario 1 - Allow access to Oracle Analytics Cloud over the public internet. Restrict access to a fixed set of IP addresses.
  • Scenario 2 - Allow access to Oracle Analytics Cloud over the public internet. Restrict access to hosts within a fixed CIDR block range.

  • Scenario 3 - Allow access to Oracle Analytics Cloud from an Oracle Cloud Infrastructure VCN that's deployed in the same region as Oracle Analytics Cloud, without going over the public internet. At the same time, allow other third-party cloud services or users to access Oracle Analytics Cloud over the public internet.

  • Scenario 4 - Allow access to Oracle Analytics Cloud from your on-premise network without going through the public internet. At the same time, allow other third-party cloud services or users to access Oracle Analytics Cloud over the public internet.
  • Scenario 6 - Allow access to Oracle Analytics Cloud from your on-premise network without going through the public internet. At the same time, allow Oracle Services in the same region to access Oracle Analytics Cloud.

Description of oac_public_ep.jpg follows

The sample diagram shows Oracle Analytics Cloud deployed with a public endpoint and two access control rules. The first rule allows access from the IP address 204.204.100.100 and the second rule allows access from the Oracle Cloud Infrastructure VCN customer-oci-vcn. The VCN is peered to an on-premise network, and access to Oracle Analytics Cloud is routed through the VCN's service gateway.

While Oracle Analytics Cloud is accessible from the public internet, you can implement your own access control rules to provide any additional security that you need. In this example, only the third-party service with the egress gateway IP address 204.204.100.100 accesses Oracle Analytics Cloud over the public internet. Traffic from the on-premise network never uses the public internet, instead it uses the service gateway configured inside the VCN.

Egress Network Security Group Rules

if your Oracle Analytics Cloud instance uses a private access channel to connect to private data sources, you can restrict outgoing traffic (egress) through one or more network security group rules. You can specify up to five network security group rules for the private channel and edit them whenever you want.