Overview of Restricting Access with ACLs

When you select the network access Secure access from allowed IPs and VCNs only option when you provision or clone an instance, you can restrict network access by defining an Access Control List (ACL). You can also add, update, or remove an ACL for an active instance.

Specifying an access control list blocks all IP addresses that are not in the ACL list from accessing the database. After you specify an access control list, the database only accepts connections from addresses on the access control list and the database rejects all other client connections.

Depending on where the client machines that connect to your database are located you have the following options with ACLs:

• If your client machines connect to your database through the public internet, then you can use ACLs to specify the client machine's public IP addresses or their public CIDR blocks. In this case only the specified public IP addresses can access your database.

• If the client machines reside in an Oracle Cloud Infrastructure Virtual Cloud Network (VCN), you can configure a Service Gateway to connect to your database. In this case, you can specify the VCN in your ACL, this allows all client machines in that VCN to access your database and blocks all other connections. Furthermore, you can specify the VCN and a list of private IP addresses or CIDR blocks in that VCN. This allows only those client machines with the specified IP addresses or CIDR blocks to access your database and blocks all other connections.

  See VCNs and Subnets for details on Virtual Cloud Networks (VCN).

  See Access to Oracle Services: Service Gateway for details on setting up a Service Gateway.

• If you have on-premises clients that connect to your database through Transit Routing, you can specify the VCN and also the private IP addresses or CIDR blocks of these on-premises clients to access to your database.

  See Transit Routing: Private Access to Oracle Services for details on Transit Routing.

• You can use these options together to set multiple rules to allow access from different types of clients. Multiple rules do not exclude each other.

See Configuring Network Access with Access Control Rules (ACLs) for the steps for configuring network access with ACLs, either when you provision or clone your database, or whenever you want to add, modify or remove ACLs.