Control Network Access

Controlling network access protects the usability and integrity of your network and data by routing and restricting traffic appropriately. Network access control for Oracle Integration is primarily oriented around restricting the IP addresses that can access Oracle Integration and its related resources.

Types of Traffic

Inbound traffic originates outside an Oracle Integration instance and goes to the Oracle Integration APIs, an Oracle Integration instance, or File Server. Outbound traffic originates in an Oracle Integration instance.

Oracle routes and restricts traffic according to its type. The following table provides a quick overview of the routing and restrictions for inbound and outbound traffic.

Type of traffic | Definition

Inbound traffic

Also called ingress traffic, this traffic originates outside Oracle Integration and goes to:

  • An Oracle Integration instance

  • The Oracle Integration APIs, including the built-in APIs and the customer-built APIs

  • File Server

To restrict the traffic, create an allowlist for the Oracle Integration instance. The allowlist applies to traffic from the service gateway and the public internet. Keep reading for more details and links to step-by-step instructions.

Outbound traffic

Also called egress traffic, this traffic originates in an Oracle Integration instance and goes to a target system.

Inbound and outbound traffic is routed in the following ways.

Type of traffic | How the traffic is routed

Traffic across Oracle Cloud Infrastructure services that are in the same region

Traffic within a region is routed through a service gateway:

  • Inbound traffic

    If your organization creates a service gateway for the route rule All <region> Services in Oracle Services Network, and the service gateway is in the same region as the Oracle Integration instance, all inbound traffic that originates in an application within Oracle Cloud Infrastructure goes through the service gateway. Traffic that goes through a service gateway never leaves the Oracle Cloud Infrastructure region.

  • Outbound traffic

    If your organization creates a service gateway, outbound traffic goes through the service gateway if the target endpoint is an Oracle Cloud Infrastructure service that supports a service gateway. Traffic that goes through a service gateway never leaves Oracle Cloud Infrastructure.

    To see the list of services that support service gateways, see Service Gateway: Supported Cloud Services.

Traffic across Oracle Cloud Infrastructure services that are in different regions

Cross-region traffic is routed through a NAT gateway or the internet gateway.

Traffic that comes through the public internet

Inbound and outbound traffic that comes through the public internet doesn't require any configuration.

Traffic that comes through either (1) the connectivity agent over the public internet or (2) FastConnect and VPN

Inbound and outbound traffic that comes through an on-premises connectivity agent goes over the public internet.

Inbound and outbound traffic that comes through FastConnect and VPN goes through the FastConnect link.

Outbound traffic that comes through a private channel

If your organization configures a private endpoint to connect to private resources that are in your virtual cloud network (VCN), outbound traffic to these resources goes through a private channel that is set up within Oracle Cloud Infrastructure.

Control Inbound Network Access

After you create an Oracle Integration instance, access to Oracle Integration's built-in APIs, the customer-built APIs, and File Server is open by default. However, you can use allowlists to control inbound access to the APIs and File Server.

An allowlist restricts access based on the source system or source networks, which gives you a stronger security posture.

If you choose to control inbound network access, you are responsible for completing the required tasks.

Security goal | Owner | More information

Restrict traffic that comes from the same Oracle Cloud Infrastructure region as your Oracle Integration instance

Owner: Oracle Cloud Infrastructure instance administrators

About this traffic

By default, all inbound traffic coming from an Oracle Cloud Infrastructure Virtual Cloud Network (VCN) that is in the same region as an Oracle Integration instance is open. However, you can restrict the traffic using a service gateway.

How to achieve this goal

  1. Configure a Virtual Cloud Network (VCN) in the same region as your Oracle Integration instance.

    See Create and configure a virtual cloud network.

  2. Create a service gateway as a configured route in the VCN.

    See Creating a Service Gateway in the Oracle Cloud Infrastructure Documentation.

  3. Configure an allowlist for Oracle Integration so that the Oracle Integration instance allows only traffic from the IP address or the VCN ID of the service gateway.

    You can update the allowlist when you create the Oracle Integration instance or afterward.

    See Restrict Access to an Instance in Provisioning and Administering Oracle Integration 3.

  4. If the connectivity agent is hosted in the same region, update the allowlist for the service gateway so that the connectivity agent can access the Oracle Integration instance.

  5. Ensure that all source traffic comes from a VCN that is configured as an allowlisted IP address or VCN ID.

Notes

  • If your organization doesn't use a VCN, your traffic comes over a network that is configured outside of Oracle Cloud Infrastructure.

  • If you don't create a service gateway and your organization has configured a NAT gateway, then traffic goes through the NAT gateway instead.

Restrict traffic that comes from outside the Oracle Cloud Infrastructure region of your Oracle Integration instance

Owner: Oracle Cloud Infrastructure instance administrators

About this traffic

Inbound traffic to Oracle Integration comes from the following sources:

  • A request from an Oracle Cloud Infrastructure VCN that's in a different region than your Oracle Integration instance.
  • A request from outside an Oracle Cloud Infrastructure Virtual Cloud Network (VCN).

By default, this traffic comes over the internet. Restricting the traffic that comes in over the internet provides your organization with an additional level of security. Restrict this traffic by using a Classless Inter-Domain Routing (CIDR) block range.

How to achieve this goal

  1. Configure an allowlist for Oracle Integration. The allowlist must admit traffic only from the specified individual IP addresses or Classless Inter-Domain Routing (CIDR) blocks (ranges of IP addresses).

    You can update the allowlist when you create the Oracle Integration instance or afterward.

    See Restrict Access to an Instance in Provisioning and Administering Oracle Integration 3.

  2. If the connectivity agent is hosted outside the Oracle Cloud Infrastructure region that holds your Oracle Integration instance, update the allowlist for internet traffic so that the connectivity agent can access the Oracle Integration instance.

    For example, this step applies when the agent is installed on a non-Oracle cloud, another region in the Oracle cloud, or your organization's data center.

  3. Ensure that all source traffic that comes from the internet comes from the configured IP addresses or CIDR blocks.
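Before you apply an allowlist, whether it holds the service gateway's VCN ID from the previous goal or the IP addresses and CIDR blocks from the steps above, it is worth checking it offline: every entry should parse, no block should be wider than your policy allows, and every source that must reach the instance (for example the connectivity agent's public IP) should be admitted. The following is an added example, not Oracle's code; it assumes entries are IP addresses, CIDR blocks, or VCN IDs (OCIDs beginning with "ocid1.vcn."), and the prefix-length thresholds are a policy assumption.

```python
# Added example, not Oracle's code: sanity-check a proposed Oracle Integration
# allowlist. Entries are IP addresses, CIDR blocks, or VCN IDs (OCIDs starting
# "ocid1.vcn."); all sample values used with it are constructed.
import ipaddress
from dataclasses import dataclass, field

# Policy assumption: blocks wider than these prefix lengths are reported as too broad.
MIN_IPV4_PREFIXLEN = 16
MIN_IPV6_PREFIXLEN = 48

@dataclass
class AllowlistReport:
    invalid: list = field(default_factory=list)    # entries that do not parse
    too_broad: list = field(default_factory=list)  # CIDR blocks wider than policy
    covered: list = field(default_factory=list)    # (source name, entry that admits it)
    uncovered: list = field(default_factory=list)  # required sources no entry admits

    def ok(self) -> bool:
        return not (self.invalid or self.too_broad or self.uncovered)

def validate_allowlist(entries, required_sources) -> AllowlistReport:
    """required_sources maps a name to the IP or VCN ID that must be admitted,
    e.g. the connectivity agent's public IP or the VCN behind your service gateway."""
    report, networks, vcn_ids = AllowlistReport(), [], set()
    for entry in entries:
        if entry.startswith("ocid1.vcn."):
            vcn_ids.add(entry)
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # bare IP becomes /32 or /128
        except ValueError:
            report.invalid.append(entry)
            continue
        floor = MIN_IPV4_PREFIXLEN if net.version == 4 else MIN_IPV6_PREFIXLEN
        if net.prefixlen < floor:
            report.too_broad.append(entry)
        networks.append((entry, net))
    for name, source in required_sources.items():
        if source.startswith("ocid1.vcn."):
            hit = source if source in vcn_ids else None
        else:
            addr = ipaddress.ip_address(source)   # an IPv4 address is never "in" an IPv6 block
            hit = next((e for e, n in networks if addr in n), None)
        if hit:
            report.covered.append((name, hit))
        else:
            report.uncovered.append(name)
    return report
```

Call validate_allowlist(proposed_entries, {"agent": "<agent public IP>", ...}) and refuse to apply the list until ok() is true.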

Allow your network to access File Server

Owner: Oracle Cloud Infrastructure instance administrators

Update the allowlist for File Server so that your organization's network can access File Server. This one-time task is required for every organization that uses File Server.

See Create an Allowlist for Public IP Addresses in Using File Server in Oracle Integration 3.

Control Outbound Network Access

Oracle Integration doesn't restrict outbound traffic from itself. However, Oracle Integration sends outbound traffic only as part of an integration that your organization configures.

The ways that you secure, enable, and allow this traffic depend upon the location of the external service that receives the outbound traffic. Keep reading for more details.

Security goal | Owner | More information

Secure outbound traffic to endpoints that are in either of the following locations:

  • A virtual cloud network (VCN) in the same region as the Oracle Integration instance.

  • Endpoints that are within the Oracle Services Network and in the same region as the Oracle Integration instance.

Owner: Oracle Cloud Infrastructure instance administrators

Secure this traffic using a private endpoint

A private endpoint ensures that an Oracle Integration instance can communicate with target applications using an allowlist, also known as an access control list (ACL).

If the endpoint is public facing, you must also configure a private NAT gateway.

Learn more about private endpoints

To learn more about private endpoints, including the traffic that you can secure using a private endpoint and the differences between private endpoints and the connectivity agent, see Connect to Private Resources in Provisioning and Administering Oracle Integration 3.

Your responsibilities

  1. If required, configure a private NAT gateway.

    Additionally, add the IP address for the NAT gateway to the allowlists for the endpoints that you need to connect to in the Oracle Services Network.

  2. Configure a private endpoint. See Configure a Private Endpoint for an Instance in Provisioning and Administering Oracle Integration 3.

Enable outbound traffic to endpoints that are in your organization's on-premises network, also known as a private cloud

Owner:

  • Download the connectivity agent installer: instance users with the ServiceAdministrator role.

  • Complete all other tasks: other administrators, who complete these tasks in third-party applications and on virtual machines.

Enable this traffic by using an agent-based configuration

If an integration must connect to endpoints that are in your corporate network, use an agent-based configuration. You can use an on-premises connectivity agent or an Oracle Cloud Infrastructure connectivity agent, and you can use a FastConnect peering pattern with either option. Some adapters allow you to use a FastConnect peering pattern without installing the connectivity agent.

With the connectivity agent, you don't need to relax any network conditions; for example, you don't need to open a port for Oracle Integration.

The connectivity agent runs in your corporate network and polls Oracle Integration for work. The agent requires internet or Virtual Cloud Network (VCN) inbound access to the Oracle Integration instance.

Organizations that must use an agent-based configuration

Use an agent-based configuration if your organization has any of the following requirements:

  • An integration must connect to an on-premises application in your corporate network or an application in a private cloud.

  • You must route some or all traffic through an on-premises proxy. Typically, organizations route traffic this way as a means of controlling the traffic.

Learn more about the connectivity agent

To learn about the connectivity agent, including its components, functionality, compatible adapters, diagrams, and more, see About Connecting to On-Premises Applications with the Connectivity Agent in Using Integrations in Oracle Integration 3.

Your responsibilities

  1. If your organization requires one or more connectivity agents, make sure that the connectivity agent is compatible with your organization's operating procedures. See Requirements for the Connectivity Agent in Using Integrations in Oracle Integration 3.

  2. If required, install and configure the connectivity agent. See Download and Run the Connectivity Agent Installer and Key Points for the Installation of the Connectivity Agent in Using Integrations in Oracle Integration 3.

  3. If desired, configure a FastConnect peering pattern. See Connection Patterns for Hybrid Integrations in Using Integrations in Oracle Integration 3.

Allow Oracle Integration to access endpoints that are outside the Oracle Services Network

Owner:

  • Obtain the IP address: instance users with the ServiceAdministrator, ServiceDeveloper, ServiceUser, or ServiceViewer role.

  • Update the allowlist: other administrators, who work in third-party applications and on virtual machines.

If a target application has an allowlist enabled, update the allowlist so that Oracle Integration has access by completing the following steps:

  1. Identify the IP address that the Oracle Integration instance uses to send traffic.

    See Obtain the Inbound and Outbound IP Addresses of the Oracle Integration Instance in Provisioning and Administering Oracle Integration 3.

  2. Add the IP address to the allowlist for the endpoint's application.

Transport Layer Security for Inbound Traffic

An application that connects to Oracle Integration negotiates the Transport Layer Security (TLS) for inbound traffic. Oracle Integration currently supports TLS 1.2 for inbound traffic.

For details about the ciphers that are supported, see TLS Cipher Suites Support in Provisioning and Administering Oracle Integration 3.

Transport Layer Security for Outbound Traffic

Oracle Integration negotiates the Transport Layer Security (TLS) automatically with the target applications in an integration. Oracle Integration supports TLS 1.3 and 1.2 for outbound traffic.

If a target application supports TLS 1.3, Oracle Integration negotiates and communicates using 1.3. If not, Oracle Integration attempts to negotiate with 1.2. If your organization's preferred network protocol is TLS 1.3, configure TLS 1.3 as the preferred protocol in each of the applications that you integrate with.
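Before you make TLS 1.3 the preferred protocol on a target application, you can check which of the two versions Oracle Integration offers the target actually accepts. The following probe is an added example, not Oracle's code; the host name in the usage line is an assumption, and the probes need network access to the target.

```python
# Added example, not Oracle's code: probe whether a target endpoint accepts
# TLS 1.3 and TLS 1.2, the two versions Oracle Integration offers outbound.
# The host in the usage block is an assumption; the probes need network access.
import socket
import ssl
from typing import Optional

def context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version, so a completed
    handshake proves the server supports that version."""
    ctx = ssl.create_default_context()  # still verifies the server certificate
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def handshake(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> Optional[str]:
    """Cipher suite name if the server accepts `version`, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context_for(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except OSError:  # ssl.SSLError is a subclass: refusal, bad cert, unreachable host
        return None

def verdict(results: dict) -> str:
    """Mirror the page's rule: 1.3 if the target supports it, otherwise 1.2."""
    if results.get("TLSv1.3"):
        return "negotiates TLS 1.3 (preferred)"
    if results.get("TLSv1.2"):
        return "falls back to TLS 1.2; enable TLS 1.3 on the target if that is your preferred protocol"
    return "no version Oracle Integration offers is accepted; the outbound connection would fail"

def assess_target(host: str, port: int = 443) -> dict:
    """Probe both versions independently and summarise what would be negotiated."""
    results = {
        "TLSv1.3": handshake(host, port, ssl.TLSVersion.TLSv1_3),
        "TLSv1.2": handshake(host, port, ssl.TLSVersion.TLSv1_2),
    }
    return {"ciphers": results, "verdict": verdict(results)}

if __name__ == "__main__":
    print(assess_target("target.example.com"))  # assumption: replace with your endpoint
```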