- Use Private Endpoints for Autonomous AI Databases
Ensure that network access to OCI Autonomous AI Databases is allowed via private endpoints only in order to keep all database traffic inside your Virtual Cloud Network (VCN), prevent exposure to the public Internet, and strengthen isolation and security for AI database workloads. This security configuration can be selected during provisioning, cloning, or by updating an existing database.
Mission-critical Autonomous AI Databases should utilize a private endpoint within your Virtual Cloud Network (VCN) to isolate all database traffic from the public Internet, significantly enhancing security and enabling granular access control through Network Security Groups (NSGs).
Audit
To determine if your OCI Autonomous AI Databases can only be accessed using private endpoints, perform the following operations:
Using OCI Console
- Sign in to your Oracle Cloud Infrastructure (OCI) account.
- Navigate to the Autonomous AI Databases console, available at https://cloud.oracle.com/db/adbs.
- For Applied filters, choose an OCI compartment from the Compartment dropdown menu to list the Autonomous AI Databases provisioned in the selected compartment.
- Click the name (link) of the Autonomous AI Database that you want to examine, listed in the Display Name column.
- Select the Autonomous AI Database information tab and look for the Private endpoint IP configuration attribute in the Network section. If the Private endpoint IP attribute is not listed in the Network section, the selected OCI Autonomous AI Database is not configured to allow network access via private endpoints only.
Using OCI CLI
- Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
- The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:
oci db autonomous-database list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[]."id"'
- The command output should return the requested database instance IDs:
[ "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database get command (Windows/macOS/Linux) with the ID of the Autonomous AI Database that you want to examine as the identifier parameter and custom output filters to describe the IP address of the private endpoint configured for the selected database instance:
oci db autonomous-database get --autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data.{"private-endpoint-ip":"private-endpoint-ip"}'
- The command output should return the custom private IP address assigned to the private endpoint:
{ "private-endpoint-ip": null }
If the db autonomous-database get command output returns null for the "private-endpoint-ip" property, as shown in the output example above, the selected OCI Autonomous AI Database is not configured to allow network access via private endpoints only.
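The three CLI steps above can be chained into one audit pass over the whole tenancy. The script below is an added example and not part of the original page or the OCI CLI; it assumes the oci CLI is installed and authenticated, and the "subnet-id" field of the get output and the --lifecycle-state flag of compartment list are assumed from the OCI API rather than taken from the page.

```python
"""Added audit helper (not from the original page): walks every compartment, fetches each
Autonomous AI Database and applies the page's rule that a null "private-endpoint-ip" means
the database is not limited to private-endpoint access. Assumes the OCI CLI ("oci") is
installed and authenticated; "subnet-id" and --lifecycle-state are assumed from the OCI API."""
import json
import shutil
import subprocess

# Constructed sample records in the shape of `oci db autonomous-database get` data,
# so the script also runs offline when the CLI is absent.
SAMPLE_ADBS = [
    {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE-public", "private-endpoint-ip": None, "subnet-id": None},
    {"id": "ocid1.autonomousdatabase.oc1..EXAMPLE-private", "private-endpoint-ip": "10.0.0.10",
     "subnet-id": "ocid1.subnet.oc1..EXAMPLE"},
]

def oci_json(*args: str):
    """Run an OCI CLI command and parse its JSON output (empty output -> None)."""
    proc = subprocess.run(["oci", *args], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def list_compartment_ids() -> list[str]:
    # The page's command plus --lifecycle-state ACTIVE (assumed flag) so deleted compartments are skipped.
    return oci_json("iam", "compartment", "list", "--all", "--include-root",
                    "--lifecycle-state", "ACTIVE", "--query", 'data[]."id"') or []

def list_adb_ids(compartment_id: str) -> list[str]:
    return oci_json("db", "autonomous-database", "list", "--compartment-id",
                    compartment_id, "--all", "--query", 'data[]."id"') or []

def get_adb(adb_id: str) -> dict:
    return oci_json("db", "autonomous-database", "get",
                    "--autonomous-database-id", adb_id)["data"]

def private_endpoint_status(adb: dict) -> str:
    """The page's check: no private endpoint IP means access is not private-endpoint only."""
    return "NON_COMPLIANT" if adb.get("private-endpoint-ip") is None else "COMPLIANT"

def audit(adbs: list[dict]) -> list[tuple]:
    """One finding per database: (id, status, private endpoint IP, subnet OCID)."""
    return [(a["id"], private_endpoint_status(a), a.get("private-endpoint-ip"),
             a.get("subnet-id")) for a in adbs]

if __name__ == "__main__":
    if shutil.which("oci"):
        adbs = [get_adb(i) for c in list_compartment_ids() for i in list_adb_ids(c)]
    else:
        adbs = SAMPLE_ADBS  # offline run on the constructed sample
    for adb_id, status, ip, subnet in audit(adbs):
        print(f"{status:14} {adb_id}  private-endpoint-ip={ip}  subnet-id={subnet}")
```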
Remediation / Resolution
To ensure that your Oracle Cloud Infrastructure (OCI) Autonomous AI Database is accessed exclusively through a private endpoint, perform the following operations:
Using OCI Console
- Sign in to your Oracle Cloud Infrastructure (OCI) account.
- Navigate to the Autonomous AI Databases console, available at https://cloud.oracle.com/db/adbs.
- For Applied filters, choose an OCI compartment from the Compartment dropdown menu to list the Autonomous AI Databases provisioned in the selected compartment.
- Click the name (link) of the Autonomous AI Database that you want to configure, listed in the Display Name column.
- Select More actions from the page top menu, choose Update network access, and perform the following actions to ensure that your database instance is accessed exclusively through a private endpoint:
  - For Access type, choose Private endpoint access only to restrict access to a private endpoint within an OCI Virtual Cloud Network (VCN). This option allows traffic only from the VCN you specify; all other access is blocked. It also lets you define inbound/outbound rules at the Network Security Group (NSG) level to control traffic to your database instance. To configure private endpoint access only, provide the following information:
    - For Virtual cloud network, choose the name of the Virtual Cloud Network (VCN) that you want to use for your private endpoint. Ensure that you select the correct OCI compartment from the Compartment dropdown menu.
    - For Subnet, select the VCN subnet where the private endpoint will be deployed. Ensure that you select the appropriate OCI compartment from the Compartment dropdown menu.
  - (Optional) Choose Advanced options, select Private endpoint access, and perform the following actions to configure the private endpoint:
    - For Private IP address, enter a custom private IP address. The private IP address you provide must be within the selected subnet's CIDR range. If you don't provide a custom private IP, an IP address is automatically assigned.
    - For Host name prefix, enter a hostname prefix for the database instance. This also associates a DNS name with your instance. If you don't provide a hostname prefix, a system-generated hostname prefix is supplied.
  - (Optional) For Network security groups (NSGs), select a Network Security Group (NSG) to associate with the selected database instance from the Network security groups dropdown list. Ensure that you select the correct OCI compartment from the Compartment dropdown menu. This creates a configurable virtual firewall for your Autonomous AI Database. The Network Security Group (NSG) must have one of the following configurations:
    - For Mutual TLS (mTLS) authentication, the NSG must have a stateful inbound rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522.
    - For TLS authentication, the NSG must have a stateful inbound rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to either 1521 or 1522.
    - To use Oracle APEX, Database Actions, and Oracle REST Data Services, use port 443 for the NSG rule.
  - Choose Update to apply the network changes.
Using OCI CLI
- Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
- The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:
oci db autonomous-database list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[]."id"'
- The command output should return the requested database instance IDs:
[ "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database update command (Windows/macOS/Linux) with the ID of the Autonomous AI Database that you want to configure as the identifier parameter, to restrict database access to a private endpoint within your Virtual Cloud Network (VCN). This option allows traffic only from the VCN you specify; all other access is blocked. To configure private endpoint access only, specify a name (label) and a custom private IP address for the new private endpoint. Use the --subnet-id command parameter to specify the target VCN subnet. The private IP address you provide using the --private-endpoint-ip parameter must be within the selected subnet's CIDR range:
oci db autonomous-database update --autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --subnet-id 'ocid1.subnet.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' --private-endpoint-label 'project5-private-endpoint' --private-endpoint-ip '10.0.0.10'
- The command output should return the information available for the modified database instance. The "lifecycle-state" is reported as "UPDATING" while the change is applied; once the instance is back in the "AVAILABLE" state, rerun the db autonomous-database get command from the Audit section to confirm that "private-endpoint-ip" is now populated:
{ "data": { "allocated-storage-size-in-tbs": 0.0078125, "are-primary-whitelisted-ips-used": null, "auto-refresh-frequency-in-seconds": null, "auto-refresh-point-lag-in-seconds": null, "autonomous-container-database-id": null, "autonomous-maintenance-schedule-type": "REGULAR", "availability-domain": "ABCD:AP-SYDNEY-1-AD-1", "failed-data-recovery-in-seconds": null, "freeform-tags": {}, "id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "in-memory-area-in-gbs": null, "in-memory-percentage": null, "infrastructure-type": null, "is-access-control-enabled": null, "is-auto-scaling-enabled": true, "is-auto-scaling-for-storage-enabled": true, "is-backup-retention-locked": false, "is-data-guard-enabled": true, "is-dedicated": false, "is-dev-tier": null, "is-free-tier": false, "is-local-data-guard-enabled": false, "is-mtls-connection-required": true, "is-preview": false, "is-reconnect-clone-enabled": false, "is-refreshable-clone": null, "is-remote-data-guard-enabled": false, "key-store-wallet-name": null, "kms-key-id": "ORACLE_MANAGED_KEY", ... 
"license-model": "LICENSE_INCLUDED", "lifecycle-details": null, "lifecycle-state": "UPDATING", "local-adg-auto-failover-max-data-loss-limit": null, "local-disaster-recovery-type": "BACKUP_BASED", "time-data-guard-role-changed": null, "time-deletion-of-free-autonomous-database": null, "time-disaster-recovery-role-changed": null, "time-earliest-available-db-version-upgrade": "2025-12-13T14:10:00+00:00", "time-latest-available-db-version-upgrade": "2025-12-13T13:40:00+00:00", "time-local-data-guard-enabled": "2025-12-13T09:27:58.721000+00:00", "time-maintenance-begin": "2025-12-15T06:00:00+00:00", "time-maintenance-end": "2025-12-15T08:00:00+00:00", "time-of-auto-refresh-start": null, "time-of-joining-resource-pool": null, "time-of-last-failover": null, "time-of-last-refresh": null, "time-of-last-refresh-point": null, "time-of-last-switchover": null, "time-of-next-refresh": null, "time-reclamation-of-free-autonomous-database": null, "time-scheduled-db-version-upgrade": null, "time-undeleted": null, "time-until-reconnect-clone-enabled": null, "total-backup-storage-size-in-gbs": 0.0, "used-data-storage-size-in-gbs": null, "used-data-storage-size-in-tbs": null, "vanity-connection-urls": null, }, "etag": "abcd1234", "opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" }
References
- Oracle Cloud Infrastructure Documentation
- About Network Access Options
- Configure Network Access with Private Endpoints
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- autonomous-database list
- autonomous-database get
- autonomous-database update