
Disable Public Network Access


Risk Level: High (not acceptable risk)

Ensure that public network access to your Oracle Analytics Cloud (OAC) instances via public endpoints is disabled in order to enhance security by preventing unauthorized access.

Security

The public access option assigns your OAC instance a public endpoint, making it accessible from all IP addresses on the Internet (i.e., access from anywhere). This configuration raises the likelihood of unauthorized access and security breaches for your sensitive data. It is strongly recommended to disable public network access and configure access control rules for enhanced security and controlled connectivity.


Audit

To determine whether public network access to your Oracle Analytics Cloud (OAC) instances is disabled, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Analytics Instances console available at https://cloud.oracle.com/analytics.

  3. Under List scope, choose an OCI compartment from the Compartment dropdown menu, to list the OAC instances provisioned in the selected compartment.

  4. Click on the name (link) of the OAC instance that you want to examine, listed in the Name column.

  5. Select the Instance Details tab, and check the Access Type and Access Control attributes values, listed in the Network Access section. If Access Type is set to Public and Access Control is set to Not Configured, the selected Oracle Analytics Cloud (OAC) instance can be accessed through the public endpoint without restriction. As a result, all networks, including the Internet, will have access to your OAC instance.

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the analytics analytics-instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Oracle Analytics Cloud (OAC) instance provisioned in the selected OCI compartment:

    oci analytics analytics-instance list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OAC instance IDs:

    [
    	"ocid1.analyticsinstance.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.analyticsinstance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run the analytics analytics-instance get command (Windows/macOS/Linux) with the ID of the OAC instance that you want to examine as the identifier parameter and custom output filters to determine if the network access to the selected analytics instance is public and unrestricted:

    oci analytics analytics-instance get \
    	--analytics-instance-id 'ocid1.analyticsinstance.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data.["network-endpoint-details"."network-endpoint-type","network-endpoint-details"."whitelisted-ips"]'
    
  6. The command output should return the network access configuration for the selected instance. The "network-endpoint-type" configuration property value (first line) represents the trusted network endpoint type ("PUBLIC" or "PRIVATE") and the "whitelisted-ips" property value (second line) represents the trusted network(s)/IP(s) defined in the access control rules:

    [
    	"PUBLIC",
    	[]
    ]
    

    If the analytics analytics-instance get command output returns "PUBLIC" for the "network-endpoint-type" property and an empty array (i.e., []) for "whitelisted-ips", as shown in the output example above, the selected Oracle Analytics Cloud (OAC) instance can be accessed through the public endpoint without restriction. As a result, all networks, including the Internet, will have access to your OAC instance.
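The check above reads only "whitelisted-ips", while the remediation steps on this page show that rules can also be set through "whitelisted-vcns" or "whitelisted-services". The following is an added example (not part of the original page or of any vendor tooling) that classifies the "network-endpoint-details" object returned by the get command using all three lists. The instance names and sample values are constructed, and treating a rule with prefix length 0 as a failure is an assumption that goes beyond the page's check.

```python
import ipaddress

# Constructed sample data: "network-endpoint-details" of hypothetical OAC
# instances, using the property names shown in the CLI output on this page.
SAMPLE = {
    "oac-open": {"network-endpoint-type": "PUBLIC", "whitelisted-ips": []},
    "oac-any-cidr": {"network-endpoint-type": "PUBLIC", "whitelisted-ips": ["0.0.0.0/0"]},
    "oac-vcn-only": {"network-endpoint-type": "PUBLIC", "whitelisted-ips": [],
                     "whitelisted-vcns": ["<vcn-ocid>"]},
    "oac-restricted": {"network-endpoint-type": "PUBLIC", "whitelisted-ips": ["203.0.113.0/24"]},
    "oac-private": {"network-endpoint-type": "PRIVATE"},
}

RULE_KEYS = ("whitelisted-ips", "whitelisted-vcns", "whitelisted-services")


def allows_any_address(entries):
    """True if an allowlisted IP/CIDR entry covers the whole address space."""
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a parseable IP/CIDR string
        if net.prefixlen == 0:
            return True
    return False


def classify(details):
    """Return (status, reason) for one network-endpoint-details object."""
    if details.get("network-endpoint-type") != "PUBLIC":
        return "PASS", "endpoint is not public"
    # A missing key or null value is treated the same as an empty list.
    rules = {k: details.get(k) or [] for k in RULE_KEYS}
    if not any(rules.values()):
        return "FAIL", "public endpoint, no access control rules"
    if allows_any_address(rules["whitelisted-ips"]):
        return "FAIL", "public endpoint, rule allows every address"
    configured = [k for k in RULE_KEYS if rules[k]]
    return "PASS", "public endpoint restricted by " + ", ".join(configured)


def audit(instances):
    return {name: classify(d) for name, d in instances.items()}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE).items():
        print(f"{status}  {name}: {reason}")
```
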

Remediation / Resolution

To disable public network access to your Oracle Analytics Cloud (OAC) instances, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Analytics Instances console available at https://cloud.oracle.com/analytics.

  3. Under List scope, choose an OCI compartment from the Compartment dropdown menu, to list the OAC instances provisioned in the selected compartment.

  4. Click on the name (link) of the OAC instance that you want to configure, listed in the Name column.

  5. Select the Instance Details tab, choose Edit next to the Access Control status, then choose Another Access Control Rule and perform the following actions to configure access control rules:

    1. For Rule Type, choose what you want to allowlist: an IP address, a CIDR block, a Service, or a Virtual Cloud Network.
    2. For the rule value, specify the trusted, authorized IP address, CIDR block, OCI service, or Virtual Cloud Network (VCN) that can access the selected OAC instance.
    3. Choose Save Changes to apply the changes and save the new access control rule.

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the analytics analytics-instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Oracle Analytics Cloud (OAC) instance provisioned in the selected OCI compartment:

    oci analytics analytics-instance list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OAC instance IDs:

    [
    	"ocid1.analyticsinstance.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.analyticsinstance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run the analytics analytics-instance change-network-endpoint command (Windows/macOS/Linux) with the ID of the OAC instance that you want to configure as the identifier parameter, to create a new access control rule for the selected OAC instance. Replace <ipv4-address> with the trusted IP address or CIDR block. To configure an access control rule for Virtual Cloud Networks (VCNs), add '{"whitelisted-vcns": ["<vcn-ocid>"],"network-endpoint-type": "PUBLIC"}' for the --network-endpoint-details parameter, where <vcn-ocid> is the OCID of the trusted VCN. To configure an access control rule for an OCI service, add '{"whitelisted-services": ["<service-name>"],"network-endpoint-type": "PUBLIC"}' for --network-endpoint-details, where <service-name> is the OCID of the trusted OCI service:

    oci analytics analytics-instance change-network-endpoint \
    	--analytics-instance-id 'ocid1.analyticsinstance.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--network-endpoint-details '{"whitelisted-ips": ["<ipv4-address>"],"network-endpoint-type": "PUBLIC"}'
    
  6. The command output should return the working request ID:

    {
    	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    


Publication date Dec 7, 2025