Granting access to the DBaaS instance – enabling network security rules to open ports on the Cloud Compute Node

After a database instance is provisioned in the DBaaS cloud service, it is not automatically accessible from services outside the identity domain. Various processes and applications running as part of the database instance can be accessed through specific ports – such as 1521 [the default] for SQL*Net access and 5500 [the default] for Enterprise Manager Database Express 12c. The next figure shows the situation after provisioning the DBaaS instance.

[Figure: the DBaaS instance immediately after provisioning]

The DBaaS instance MyJCSDB – whose creation is described in this article – lives on a compute node (MyJCSDB db_1 1) created implicitly during database provisioning. It is at the level of this compute node that network access is arranged. A public IP address is allocated to the compute node – and that is the address to access the database and the applications associated with the database – such as Enterprise Manager 11g Database Control, Enterprise Manager Database Express 12c, GlassFish Server administration console, Oracle REST Data Services, Oracle Application Express, and the Oracle Cloud on-instance database monitor.

Initially, none of these services is accessible from outside the compute node. Explicit network security rules in the compute node have to be enabled – and sometimes defined – in order to make these services accessible. The Oracle DBaaS documentation (see Resources) describes how to open up these ports and which network security rules to enable. As an example, let’s enable access to Enterprise Manager Database Express 12c. This means that port 5500 needs to be opened up.

Initially, it is not open.

Go to the service console for the compute node MyJCSDB db_1 1 on the Compute Cloud Service.

Click on the Network tab. Locate the network security rule ora_p2_dbexpress that governs access to port 5500. Click on the hamburger menu icon for this rule.

In the popup, choose the option Update.

In the popup that opens for the security rule, change the status to Enabled. Then press Update.

The rule is updated and a confirmation message appears.

At this point, port 5500 is opened on the compute node to the public internet.

That means we should now be able to access Enterprise Manager Database Express 12c for the MyJCSDB DBaaS instance.

The browser now wants us to acknowledge that we know what we are doing.

After adding the exception, the Database Express login dialog appears.

And we can start doing our administration things.

In a similar way, we can enable the network security rules to open up other ports, such as 80 and 443 for HTTP and HTTPS access (for ORDS, APEX and others) and 1521 for SQL*Net access, for example to support JDBC connections.

 

Resources

See the documentation: Using Oracle Database Cloud – Database as a Service – Enabling Access to a Compute Node Port.

About Author

Lucas Jellema, active in IT (and with Oracle) since 1994. Oracle ACE Director and Oracle Developer Champion. Solution architect and developer on diverse areas including SQL, JavaScript, Kubernetes & Docker, Machine Learning, Java, SOA and microservices, events in various shapes and forms and many other things. Author of the Oracle Press book Oracle SOA Suite 12c Handbook. Frequent presenter on user groups and community events and conferences such as JavaOne, Oracle Code, CodeOne, NLJUG JFall and Oracle OpenWorld.
