Course notes:
Introducing Private Endpoints
In traditional security architectures, data-tier services are deployed deep inside the customer's private network, with many layers of access control in front of them.
Customers who migrate to the cloud want their services to be accessible from anywhere within their private network.
Private Endpoints
Private endpoints (PE) are an evolution of the private connectivity model: customers access Oracle services over a private IP address allocated from a private subnet within their VCN.
- In this setup, the VCN CIDRs are advertised to the on-premises network by the DRG using BGP.
- The DRG routes inbound traffic from the on-premises network that is destined for the PE representing a supported Oracle service.
Traffic destined for the PE is tunneled directly to the supported Oracle service.
Private endpoints provide the following benefits:
- Extended private connectivity
- Enhanced security
- Seamless service integration
- Simplified management
- Reverse connection, proxy services (DNS, SCAN)
Reverse Connection Endpoints
A set of services require service-to-consumer (S2C) private connectivity to initiate connections back into the consumer's network.
- The PE reverse connection endpoints (RCE) feature allows services to connect to servers (typically data sources) in the customer's private network.
- Reverse connections are an optional feature of PE.
- If a service requires only the RCE feature, a forward-connection private endpoint is still provisioned.
- RCE introduces new constructs:
- DNS Proxy: Pseudo-DNS resolver
- SCAN Proxy: Proxy to handle SCAN protocol
Service Gateway Versus PE
Functionality | Private Endpoint | Service Gateway
---|---|---
Ease of access | Consumers can't open access to multiple services with one service private endpoint. They need to create a service private endpoint for each service (or service instance) they need to access. | Consumers have open access to all services, or just Object Storage, by using a single service gateway.
Limiting services | Further limit traffic by using security lists or NSGs applied to a single service. | Further limit traffic by using security lists or NSGs specifying all services, or a single service, using specific IP ranges.
Private connectivity direction | A service private endpoint supports connections in both directions. | Consumers can initiate a connection to the service, but a service can't initiate a connection to the consumer's private network.
Resource limits | A private endpoint isn't counted as a customer resource. | A service gateway is counted as a customer resource.
Selective access | A single endpoint provides access to a single service. | A single gateway provides access to multiple services.
Service endpoint representation | Represented using a private IP address inside the consumer network. | Represented as a gateway that enables private access. The service is represented using its public IP address outside the consumer network.
Specific address | Need to know the specific private IP addresses of the service's PE, which are inside the VCN's CIDR. | The service's public endpoints are represented as an "all services in OSN" object.
Security Policies
The security policies needed to manage private endpoints in a tenancy are (one statement per line; the second statement is scoped so the group can only use the VCN resources for creating private endpoints):
Allow group <group_name> to manage orm-private-endpoints in tenancy
Allow group <group_name> to use virtual-network-family in tenancy where any {request.operation='CreatePrivateEndpoint'}
The summary of security permissions for private endpoints is:
Verb | Permissions | APIs Fully Covered | APIs Partially Covered
---|---|---|---
inspect | ORM_PRIVATE_ENDPOINT_INSPECT | ListPrivateEndpoints | none
read | ORM_PRIVATE_ENDPOINT_READ | GetPrivateEndpoint, GetReachableIp | none
use | ORM_PRIVATE_ENDPOINT_UPDATE | UpdatePrivateEndpoint | none
manage | ORM_PRIVATE_ENDPOINT_CREATE, ORM_PRIVATE_ENDPOINT_DELETE, ORM_PRIVATE_ENDPOINT_MOVE | ChangePrivateEndpointCompartment, CreatePrivateEndpoint, DeletePrivateEndpoint | none
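The verb-to-permission table and the two policy statements above are easier to reason about as a least-privilege check: which private-endpoint APIs does a given policy actually let a group call? The following is an added worked example, not part of the course notes and not Oracle's own tooling. It encodes the table from the page, applies the OCI rule that verbs are cumulative (read covers inspect, use covers read, manage covers use), and models the extra requirement from the policy statements that CreatePrivateEndpoint also needs use on virtual-network-family. The group names, compartment name and policy texts are constructed inputs; the policy parser only understands the "Allow group ... to <verb> <resource> in <scope> [where any {...}]" shape used on this page.

```python
"""Added example: evaluate which ORM private-endpoint APIs a policy permits.

Assumptions (not stated on the page): OCI verbs are cumulative; the
CreatePrivateEndpoint call additionally needs 'use virtual-network-family'
(either unconditional or conditioned on request.operation), as the two
policy statements above imply. Policy texts below are constructed samples.
"""
import re

# Permissions each verb ADDS, taken from the table on the page.
VERB_GRANTS = {
    "inspect": {"ORM_PRIVATE_ENDPOINT_INSPECT"},
    "read": {"ORM_PRIVATE_ENDPOINT_READ"},
    "use": {"ORM_PRIVATE_ENDPOINT_UPDATE"},
    "manage": {"ORM_PRIVATE_ENDPOINT_CREATE", "ORM_PRIVATE_ENDPOINT_DELETE",
               "ORM_PRIVATE_ENDPOINT_MOVE"},
}
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Permission each API requires, from the "APIs Fully Covered" column.
API_PERMISSION = {
    "ListPrivateEndpoints": "ORM_PRIVATE_ENDPOINT_INSPECT",
    "GetPrivateEndpoint": "ORM_PRIVATE_ENDPOINT_READ",
    "GetReachableIp": "ORM_PRIVATE_ENDPOINT_READ",
    "UpdatePrivateEndpoint": "ORM_PRIVATE_ENDPOINT_UPDATE",
    "CreatePrivateEndpoint": "ORM_PRIVATE_ENDPOINT_CREATE",
    "DeletePrivateEndpoint": "ORM_PRIVATE_ENDPOINT_DELETE",
    "ChangePrivateEndpointCompartment": "ORM_PRIVATE_ENDPOINT_MOVE",
}

# Only the statement shape used on this page is recognised.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)"
    r"(?: where any \{(?P<conds>.*)\})?$"
)


def permissions_for_verb(verb):
    """Cumulative permission set: a verb includes every lower verb's grants."""
    perms = set()
    for v in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        perms |= VERB_GRANTS[v]
    return perms


def parse_statement(text):
    """Parse one policy statement; 'ops' is None when there is no where clause."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    ops = None
    if m.group("conds"):
        ops = set(re.findall(r"request\.operation\s*=\s*'([^']+)'", m.group("conds")))
    return {"group": m.group("group"), "verb": m.group("verb"),
            "resource": m.group("resource"), "scope": m.group("scope"), "ops": ops}


def allowed_apis(policy_text, group):
    """Return the set of private-endpoint APIs `group` may call under `policy_text`."""
    pe_apis = set()
    vcn_ops, vcn_all = set(), False
    for line in policy_text.splitlines():
        if not line.strip():
            continue
        s = parse_statement(line)
        if s["group"] != group:
            continue
        if s["resource"] == "orm-private-endpoints":
            perms = permissions_for_verb(s["verb"])
            apis = {api for api, perm in API_PERMISSION.items() if perm in perms}
            if s["ops"] is not None:        # where clause narrows to named operations
                apis &= s["ops"]
            pe_apis |= apis
        elif s["resource"] == "virtual-network-family" and s["verb"] in ("use", "manage"):
            if s["ops"] is None:
                vcn_all = True
            else:
                vcn_ops |= s["ops"]
    # Assumed rule: creating a PE also consumes VCN resources, so it needs the
    # virtual-network-family grant covering CreatePrivateEndpoint.
    if "CreatePrivateEndpoint" in pe_apis and not (vcn_all or "CreatePrivateEndpoint" in vcn_ops):
        pe_apis.discard("CreatePrivateEndpoint")
    return pe_apis


# Constructed sample policies (group and compartment names are made up).
ADMIN_POLICY = """
Allow group PE-Admins to manage orm-private-endpoints in tenancy
Allow group PE-Admins to use virtual-network-family in tenancy where any {request.operation='CreatePrivateEndpoint'}
"""
ADMIN_POLICY_NO_VCN = "Allow group PE-Admins to manage orm-private-endpoints in tenancy\n"
OPERATOR_POLICY = "Allow group PE-Operators to use orm-private-endpoints in compartment Prod\n"

if __name__ == "__main__":
    for name, policy, group in [("admin", ADMIN_POLICY, "PE-Admins"),
                                ("admin without VCN grant", ADMIN_POLICY_NO_VCN, "PE-Admins"),
                                ("operator", OPERATOR_POLICY, "PE-Operators")]:
        print(f"{name}: {sorted(allowed_apis(policy, group))}")
```

The operator policy shows the least-privilege point of the table: a group granted use can update an endpoint but cannot create, delete or move one, and the admin group loses CreatePrivateEndpoint entirely if the second, VCN-scoped statement is omitted.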