About Public Endpoints and Access Control Rules
When you set up an Oracle Analytics Cloud instance, you have the option to deploy Oracle Analytics Cloud with a public endpoint that is accessible from the internet.
For security reasons, you might want to restrict incoming traffic (ingress) through one or more access control rules. Similarly, if you use a private access channel to connect to private data sources, you might want to restrict outgoing traffic (egress) through one or more network security group rules.
Ingress Access Control Rules
- A specific set of IP addresses
- CIDR block ranges (Classless Inter-Domain Routing)
- One or more Oracle Cloud Infrastructure VCNs (Virtual Cloud Network)
- Oracle services in the same region through a service gateway
- Any combination of the above, that is, IP addresses, CIDR ranges, VCNs, Oracle services.
For example:
- Scenario 1 - Allow access to Oracle Analytics Cloud over the public internet. Restrict access to a fixed set of IP addresses.
- Scenario 2 - Allow access to Oracle Analytics Cloud over the public internet. Restrict access to hosts within a fixed CIDR block range.
- Scenario 3 - Allow access to Oracle Analytics Cloud from an Oracle Cloud Infrastructure VCN that's deployed in the same region as Oracle Analytics Cloud, without going over the public internet. At the same time, allow other third-party cloud services or users to access Oracle Analytics Cloud over the public internet.
- Scenario 4 - Allow access to Oracle Analytics Cloud from your on-premise network without going through the public internet. At the same time, allow other third-party cloud services or users to access Oracle Analytics Cloud over the public internet.
- Scenario 6 - Allow access to Oracle Analytics Cloud from your on-premise network without going through the public internet. At the same time, allow Oracle Services in the same region to access Oracle Analytics Cloud.
The sample diagram shows Oracle Analytics Cloud deployed with a public endpoint and two access control rules. The first rule allows access from the IP address 204.204.100.100 and the second rule allows access from the Oracle Cloud Infrastructure VCN customer-oci-vcn. The VCN is peered to an on-premise network, and access to Oracle Analytics Cloud is routed through the VCN's service gateway.
While Oracle Analytics Cloud is accessible from the public internet, you can implement your own access control rules to provide any additional security that you need. In this example, only the third-party service with the egress gateway IP address 204.204.100.100 accesses Oracle Analytics Cloud over the public internet. Traffic from the on-premise network never uses the public internet; instead, it uses the service gateway configured inside the VCN.
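The two rules in the sample diagram can be modelled as a default-deny allowlist and audited for entries that are too broad. This is an added example, not Oracle code: the rule dictionary layout and the `is_allowed` and `audit` helpers are hypothetical and only mirror the rule types listed above, and the test addresses are constructed.

```python
import ipaddress

# Constructed rule set modelled on the sample diagram: one public IP address
# and one VCN. The dictionary layout is hypothetical, not an Oracle API schema.
RULES = [
    {"type": "ip", "value": "204.204.100.100"},
    {"type": "vcn", "value": "customer-oci-vcn"},
]

def _network(rule):
    """Return the rule's IP network, or None for non-address rules (VCN, service)."""
    if rule["type"] in ("ip", "cidr"):
        return ipaddress.ip_network(rule["value"], strict=False)
    return None

def is_allowed(rules, source_ip=None, source_vcn=None):
    """Default-deny check: traffic is admitted only if some rule matches it."""
    addr = ipaddress.ip_address(source_ip) if source_ip else None
    for rule in rules:
        net = _network(rule)
        if net is not None and addr is not None:
            # Compare only within the same address family (IPv4 vs IPv6).
            if addr.version == net.version and addr in net:
                return True
        if rule["type"] == "vcn" and source_vcn == rule["value"]:
            return True
    return False

def audit(rules, max_hosts=256):
    """Flag rules that weaken the restriction: match-all or very wide CIDR blocks."""
    findings = []
    for rule in rules:
        net = _network(rule)
        if net is None:
            continue
        if net.prefixlen == 0:
            findings.append((rule["value"], "matches every address"))
        elif net.num_addresses > max_hosts:
            findings.append((rule["value"], f"covers {net.num_addresses} addresses"))
    return findings
```

Running `audit` over an exported rule list before applying it catches a match-all entry such as `0.0.0.0/0`, which would cancel the effect of every narrower rule.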
Egress Network Security Group Rules
If your Oracle Analytics Cloud instance uses a private access channel to connect to private data sources, you can restrict outgoing traffic (egress) through one or more network security group rules. You can specify up to five network security group rules for the private channel and edit them whenever you want.