Use Zero Trust Packet Routing on
Autonomous Database
Oracle Cloud
Infrastructure Zero Trust Packet Routing (ZPR) protects sensitive data from unauthorized access through
intent-based security policies that you write for resources, such as an Autonomous Database on a private endpoint, that
you assign security attributes to.
Security attributes are labels that ZPR uses to identify and organize resources. ZPR
enforces policy at the network level each time access is requested regardless of
potential network architecture changes or misconfigurations. You can write ZPR based
policies in your tenancy to ensure an Autonomous Database instance on a private endpoint is only accessed by authorized
users/resources. ZPR is built on top of existing network security group (NSG) and
security control list (SCL) rules. For a packet to reach a target, it must pass all NSG
and SCL rules, and ZPR policies. If any NSG, SCL, or ZPR rule or policy doesn't allow
traffic, the request is dropped.
Note
On Autonomous Database Zero Trust Packet Routing (ZPR) applies only for incoming
connections when the instance is configured with a private endpoint. See Configure Private Endpoints for more information.
You can secure networks with Zero Trust Packet Routing (ZPR) in three steps:
Create and manage security attribute namespaces and security attributes
Write policies using security attributes to control access to resources
Apply security attributes to specified resources
Avoid entering confidential information when assigning descriptions, tags,
security attributes, or friendly names to cloud resources through the Oracle Cloud
Infrastructure Console, API, or CLI.
You have the following options to apply Zero Trust Packet Routing (ZPR) security
attributes to a private endpoint on Autonomous Database:
Apply security attributes when you provision an Autonomous Database instance and you
choose Private endpoint access only network access during
provisioning. See Provision an Autonomous Database Instance for more information.
Apply security attributes when you clone an Autonomous Database instance and you
choose Private endpoint access only network access during
cloning. See Clone an Autonomous Database Instance for more information.