This page explains how you can use VPC Service Controls to secure Oracle Database@Google Cloud resources. VPC Service Controls let you create a service perimeter that protects the resources and data of the services that you specify.
Using VPC Service Controls provides the following advantages:
- Protecting against the risk of data exfiltration
- Preventing data leakage by restricting access to resources, except those specifically allowed in the ingress and egress rules
- Providing an extra layer of security against misconfigured Identity and Access Management (IAM) policies
For more information about VPC Service Controls, its security benefits, and its capabilities, see Overview of VPC Service Controls .
Before you begin
- Set up your Oracle Database@Google Cloud environment .
- Grant the IAM roles and permissions required to create service perimeters.
- Create an access policy , if you don't already have one.
-
Enable the Compute Engine API.
-
Enable the Service Networking API.
-
Review limitations when you use VPC Service Controls with Oracle Database@Google Cloud.
-
Additionally, to use Google Cloud CMEK along with VPC Service Controls for your Exadata VM Clusters and Autonomous AI Databases, enable Private Google Access on all database subnets. This is required to access
iamcredentials.googleapis.comandcloudkms.googleapis.com.For more information, see Configure Private Google Access .
Create a service perimeter
To create a service perimeter, follow the instructions in Create a service perimeter .
If you plan to use Google Cloud CMEK for your Exadata VM Clusters and Autonomous AI Databases, you must also complete the following additional step:
-
Configure VPC accessible services to ensure that the required services are accessible from network endpoints inside the perimeter. While creating the perimeter, do the following:
-
If under VPC accessible servicespane, the Services accessible using Private Google Accessis set to Select Services, then add the following services to the list:
-
sts.googleapis.com -
iamcredentials.googleapis.com -
cloudkms.googleapis.com
-
-
-
Configure ingress and egress rules for Autonomous AI Database .
Configure ingress and egress rules for Exadata VM Cluster
To configure the service perimeter for Exadata VM Clusters, add the following egressrule as per the Egress rules reference :
Add a principal identifier in the following format:
principalSet://iam.googleapis.com/ WORKLOAD_IDENTITY_POOL /*
You can obtain the WORKLOAD_IDENTITY_POOL as follows:
- In the OCI console, go to the VM Cluster informationpage.
- Click the value of the Identity connectorfield.
- From the Identity Connectorpage, copy the value of the Workload Identity Poolfield.
iamcredentials.googleapis.com
*
gcp-sa-oci
Project name:
gcp-sa-oci
For instructions about how to add an egress rule, see Configuring ingress and egress policies .
Configure ingress and egress rules for Autonomous AI Database
Autonomous AI Databases use Oracle-managed service accounts. The configuration
of the service perimeter for an Autonomous AI Database differs based on the
value of the ROUTE_OUTBOUND_CONNECTIONS
database property.
Before creating the ingress and egress rules, obtain the value of the ROUTE_OUTBOUND_CONNECTIONS
property by running the following SQL query in the
database:
SELECT
*
FROM
DATABASE_PROPERTIES
WHERE
PROPERTY_NAME
=
'ROUTE_OUTBOUND_CONNECTIONS'
;
Based on the value of the ROUTE_OUTBOUND_CONNECTIONS
database property, configure
your service perimeter as follows:
-
Case 1:
ROUTE_OUTBOUND_CONNECTIONSis not set, that is, it has default value (public routing). In this case, the traffic enters Google Cloud from the public internet and is treated as an ingress violation.Add the following ingressrule as per the Ingress rules reference :
Ingress rule attribute Value From: Identities Identity: Oracle-managed service account
You can obtain the service account from the Autonomous AI Database detailspage in Google Cloud console, in the Oracle-managed service accountsection.
Source: access level containing the Outbound IP address of the database.
To obtain the Outbound IP address, run the following SQL query in the database:
SELECT cloud_identity FROM v$pdbs;
In the resulting JSON response, look for the
OUTBOUND_IP_ADDRESSproperty.To Service cloudkms.googleapis.comOperations * -
Case 2:
ROUTE_OUTBOUND_CONNECTIONSis set toENFORCE_PRIVATE_ENDPOINT(private path enforcement). In this case, the traffic is forced through the private endpoint in the service perimeter and is treated as an egress violation.Add the following egressrule as per the Egress rules reference :
Egress rule attribute Value From: Identities Identity: Oracle-managed service account
You can obtain the service account from the Autonomous AI Database detailspage in Google Cloud console, in the Oracle-managed service accountsection.
Source: your Google Cloud project.
To Service iamcredentials.googleapis.comTo Methods *
For instructions about how to adds ingress and egress rules, see Configuring ingress and egress policies .
Add Oracle Database@Google Cloud API to the perimeter
To mitigate the risk of your data being exfiltrated from Oracle Database@Google Cloud, you must restrict the Oracle Database@Google Cloud API.
To add Oracle Database@Google Cloud as a restricted service through Google Cloud console, see update a service perimeter .
Alternatively, you can use the gcloud access-context-manager perimeters update
command to restrict Oracle Database@Google Cloud. For reference information, see access-context-manager perimeters update
.
gcloud access-context-manager perimeters update PERIMETER_ID \ --policy= POLICY_ID \ --add-restricted-services=oracledatabase.googleapis.com
Replace the following:
- PERIMETER_ID : the ID of the perimeter
- POLICY_ID : the ID of the access policy
Test the perimeter
Test your VPC Service Controls perimeter before enforcing it. For more information, see Dry run mode for service perimeters and Using dry-run mode to test ingress or egress policies .
Update the perimeter
To add or remove resources, you can update a service perimeter .
Create access levels
Optionally, to permit external access to protected resources inside a perimeter, you can use access levels. Access levels apply only to requests for protected resources coming from outside the service perimeter. You can't use access levels to give protected resources or VMs permission to access data and services outside the perimeter.
See Allowing access to protected resources from outside a perimeter .
