When you provision or clone Autonomous Database with the Secure access from allowed IPs and VCNs only option, you can restrict network access by defining Access Control Lists (ACLs).

1. In the Choose network access area, select Secure access from allowed IPs and VCNs only.

   With Secure access from allowed IPs and VCNs only selected, the console shows the fields and options to specify ACLs:

2. In the Choose network access area, specify access control rules by selecting an IP notation type and entering Values appropriate for the type you select:
   • IP address:

     In Values field enter values for the IP address. An IP address specified in a network ACL entry is the public IP address of the client that is visible on the public internet that you want to grant access. For example, for an Oracle Cloud Infrastructure VM, this is the IP address shown in the Public IP field on the Oracle Cloud Infrastructure console for that VM.

     Note
     
     Optionally select Add my IP address to add your current IP address to the ACL entry.
   • CIDR block:

     In Values field enter values for the CIDR block. The CIDR block specified is the public CIDR block of the clients that are visible on the public internet that you want to grant access.

   • Virtual cloud network:

     Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

     Use this option to specify the VCN for use with an Oracle Cloud Infrastructure Service Gateway:

     • In Virtual cloud network field select the VCN that you want to grant access from. If you do not have the privileges to see the VCNs in your tenancy this list is empty. In this case use the selection Virtual cloud network (OCID) to specify the OCID of the VCN.
     • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.
   • Virtual cloud network (OCID):

     Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

     • In the Values field enter the OCID of the VCN you want to grant access from.
     • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.

   If you want to specify multiple IP addresses or CIDR ranges within the same VCN, do not create multiple ACL entries. Use one ACL entry with the values for the multiple IP addresses or CIDR ranges separated by commas.

3. Click Add access control rule to add a new value to the access control list.
4. Click x to remove an entry.
   You can also clear the value in the IP addresses or CIDR blocks field to remove an entry.
5. Require mutual TLS (mTLS) authentication.

   After you enter an IP notation type and a value, you have the option to select this option. The options are:

   • When Require mutual TLS (mTLS) authentication is selected, only mTLS connections are allowed (TLS authentication is not allowed).

   • When Require mutual TLS (mTLS) authentication is deselected, TLS and mTLS connections are allowed. This is the default configuration.

   See Update Network Options to Allow TLS or Require Only Mutual TLS (mTLS) Authentication on Autonomous Database for more information.

6. Complete the remaining provisioning or cloning steps, as specified in Provision an Autonomous Database Instance, Clone an Autonomous Database Instance, or Clone an Autonomous Database from a Backup.

You can control and restrict access to your Autonomous Database by specifying network access control lists (ACLs). On an existing Autonomous Database instance with a public endpoint you can add, change, or remove ACLs.

1. On the Details page, in the Network area, next to the Access control list field, click Edit.

   This shows the Update network access pane.

   As an alternative you can click More actions and select select Update network access, and in the pane, under Access type, select Secure access from allowed IPs and VCNs only.

2. Specify the access control rules by selecting an IP notation type and values:

   Select one of:

   • IP address:

     In Values field enter values for the IP address. An IP address specified in a network ACL entry is the public IP address of the client that is visible on the public internet that you want to grant access. For example, for an Oracle Cloud Infrastructure VM, this is the IP address shown in the Public IP field on the Oracle Cloud Infrastructure console for that VM.

     Note
     
     Optionally select Add my IP address to add your current IP address to the ACL entry.
   • CIDR block:

     In Values field enter values for the CIDR block. The CIDR block specified is the public CIDR block of the clients that are visible on the public internet that you want to grant access.

   • Virtual cloud network:

     Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

     Use this option to specify the VCN for use with an Oracle Cloud Infrastructure Service Gateway:

     • In Virtual cloud network field select the VCN that you want to grant access from. If you do not have the privileges to see the VCNs in your tenancy this list is empty. In this case use the selection Virtual cloud network (OCID) to specify the OCID of the VCN.
     • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.
   • Virtual cloud network (OCID):

     Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

     • In the Values field enter the OCID of the VCN you want to grant access from.
     • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.

   If you want to specify multiple IP addresses or CIDR ranges within the same VCN, do not create multiple ACL entries. Use one ACL entry with the values for the multiple IP addresses or CIDR ranges separated by commas.

3. Click Add access control to add a new value to the access control list.
4. Click x to remove an entry.
   You can also clear the value in the IP addresses or CIDR blocks field to remove an entry.
5. Click Update.

If your Autonomous Database instance is configured to use a private endpoint you can change the configuration to use a public endpoint.

1. On the Details page, from the More actions drop-down list, select Update network access.
2. In the Update network access dialog, select one of Secure access from everywhere or Secure access from allowed IPs and VCNs only.

   For example, if you select Secure access from allowed IPs and VCNs only the dialog shows fields to configure access control rules:

3. In the dialog, under Configure access control rules specify rules by selecting an IP notation type and values:
   • IP address:

     In Values field enter values for the IP address. An IP address specified in a network ACL entry is the public IP address of the client that is visible on the public internet that you want to grant access. For example, for an Oracle Cloud Infrastructure VM, this is the IP address shown in the Public IP field on the Oracle Cloud Infrastructure console for that VM.

     Note
     
     Optionally select Add my IP address to add your current IP address to the ACL entry.
   • CIDR block:

     In Values field enter values for the CIDR block. The CIDR block specified is the public CIDR block of the clients that are visible on the public internet that you want to grant access.

   • Virtual cloud network:

     Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

     • In Virtual cloud network field select the VCN that you want to grant access from. If you do not have the privileges to see the VCNs in your tenancy this list is empty. In this case use the selection Virtual cloud network (OCID) to specify the OCID of the VCN.
     • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.
   • Virtual cloud network (OCID):

     Use this option when the network route from the client to the database is going through an Oracle Cloud Infrastructure Service Gateway. See Access to Oracle Services: Service Gateway for more information.

     • In the Values field enter the OCID of the VCN you want to grant access from.
     • Optionally, in the IP addresses or CIDRs field enter private IP addresses or private CIDR blocks as a comma separated list to allow specific clients in the VCN.

   If you want to specify multiple IP addresses or CIDR ranges within the same VCN, do not create multiple ACL entries. Use one ACL entry with the values for the multiple IP addresses or CIDR ranges separated by commas.

4. Click Add access control rule to add a new value to the access control list.
5. Click x to remove an entry.
   You can also clear the value in the IP addresses or CIDR blocks field to remove an entry.
6. Click Update.
7. In the Confirm dialog, type the Autonomous Database name to confirm the change.
8. In the Confirm dialog, click Update.

Describes restrictions and notes for access control rules on Autonomous Database.

• If you want to only allow connections coming through a service gateway you need to use the IP address of the service gateway in your ACL definition. To do this you need to add an ACL definition with the CIDR source type with the value 240.0.0.0/4. Note that this is not recommended, instead of this you can specify individual VCNs in your ACL definition for the VCNs you want to allow access from.

  See Access to Oracle Services: Service Gateway for more information.

• When you restore a database the existing ACLs are not overwritten by the restore.

• The network ACLs apply to the database connections and Oracle Machine Learning notebooks. If an ACL is defined, if you try to login to Oracle Machine Learning Notebooks from a client whose IP is not specified on the ACL this shows the "login rejected based on access control list set by the administrator" error.

• The following Autonomous Database tools are subject to ACLs. You can use Virtual Cloud Network, Virtual Cloud Network (OCID), IP address, or CIDR block ACLs to control access to these tools:

  • Database Actions
  • Oracle APEX
  • Oracle Graph Studio
  • Oracle Machine Learning Notebooks
  • Oracle REST Data Services

• If you have a private subnet in your VCN that is configured to access the public internet through a NAT Gateway, you need to enter the public IP address of the NAT Gateway in your ACL definition. Clients in the private subnet do not have public IP addresses. See NAT Gateway for more information.

• If you are using ACLs and TLS connections are allowed, you must change your network configuration to not allow TLS connections before removing all ACLs. See Update your Autonomous Database Instance to Require mTLS and Disallow TLS Authentication for more information.

• To view the network information for your instance, see View Network Information on the OCI Console.