Connect from OIC to OCI Database with private endpoint
It is quite a common requirement to integrate Oracle E-Business Suite instances running on Oracle Cloud Infrastructure (OCI) through Oracle Integration Cloud (OIC). In the past, since E-Business Suite is nevertheless an "on-premises solution", this required installing a Connectivity Agent to connect to the Oracle E-Business Suite database through the database adapter. It has recently become possible to skip that step by using a private endpoint.
Let us have a closer look at this!
Architecture when using the Connectivity Agent
Traditionally, when connecting from Oracle Integration Cloud (which runs in the OCI data center) to on-premises environments, the natural solution is to use a Connectivity Agent. This is described here (for OIC3): https://docs.oracle.com/en/cloud/paas/application-integration/integrations-user/downloading-and-running-premises-agent-installer.html#GUID-C12FA0F2-6264-4C60-BC90-C76850317304
My colleague Yves Chassein has covered that in great detail over here.
Integration Pattern when using the Connectivity Agent
Note: It doesn't matter here if the "Customer on prem application" is technically running on OCI as well. You still had to install the Connectivity Agent on a virtual machine in OCI to allow (private) connectivity between OIC (on OCI) and your own Virtual Cloud Networks (on OCI as well).
Private Endpoints
Luckily, OIC has recently been providing more and more "private endpoints". This results in the following architecture:
Architecture with private endpoints
So using this concept you're able to directly connect from the OIC instance that runs in a "special network" in OCI to a Virtual Cloud Network (VCN) of your own OCI Tenancy.
Setup Step-by-Step
The actual setup is very easy:
First, we create an appropriate subnet in your OCI VCN and allow it to access your target instance; here that is an OCI Base Database Service:
Subnets used for the OIC private endpoint (named soa-subnet here)
Ingress rule attached to the database network allowing connectivity from the OIC private endpoint network
After that we can create a private endpoint in the Oracle Integration Cloud (OCI console part):
Private endpoint connecting OIC to an OCI VCN Subnet
Finally, you can change your database connection to be a DBaaS (instead of a regular Database) Adapter Connection and then enter the details to connect to the database as follows:
Connecting to a Base Database through a private endpoint
The DBaaS adapter has the same capabilities as the "regular", "onPrem" Database adapter of OIC. Note: as the documentation states, it is mandatory to provide the hostname and NOT the IP address of the database to be connected; otherwise, you'll get an error that is very difficult to understand or to correlate with the cause:
{"detail":"","status":"HTTP 500 Internal Server Error","title":"Operation [testConnection] failed: This connection is configured with an address which is not in an allowable range","type":"https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.5.1"}
The documentation for this can be found here: https://docs.oracle.com/en/cloud/paas/application-integration/dbaas-adapter/using-oracle-database-cloud-service-adapter-oracle-integration-3.pdf
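As an added example (not part of the original post or of Oracle's tooling), the ingress rule from the first setup step can be checked so that it admits only the private endpoint subnet on the listener port. It assumes the rule lives in a security list exported with `oci network security-list get`; the CIDRs, port 1521 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like the "ingress-security-rules" array of
# `oci network security-list get`; CIDRs and port 1521 are assumptions.
SAMPLE_RULES = [
    {"source": "10.0.2.0/24", "protocol": "6", "tcp-options":
        {"destination-port-range": {"min": 1521, "max": 1521}}},
    {"source": "0.0.0.0/0", "protocol": "6", "tcp-options":
        {"destination-port-range": {"min": 1521, "max": 1522}}},
    {"source": "10.0.0.0/16", "protocol": "all", "tcp-options": None},
    {"source": "10.0.9.0/24", "protocol": "6", "tcp-options":
        {"destination-port-range": {"min": 22, "max": 22}}},
]

def port_range(rule):
    """Destination TCP port range of a rule, or None if unrestricted."""
    return (rule.get("tcp-options") or {}).get("destination-port-range")

def reaches_port(rule, port):
    """True if the rule admits TCP traffic to `port`."""
    if rule["protocol"] not in ("6", "all"):   # "6" = TCP
        return False
    rng = port_range(rule)
    return rng is None or rng["min"] <= port <= rng["max"]

def audit_ingress(rules, endpoint_cidr, db_port=1521):
    """Return (index, source, reason) for every rule that exposes db_port
    more widely than 'endpoint subnet -> db_port only'."""
    allowed = ipaddress.ip_network(endpoint_cidr)
    findings = []
    for i, rule in enumerate(rules):
        if not reaches_port(rule, db_port):
            continue
        try:
            src = ipaddress.ip_network(rule["source"])
        except ValueError:                     # e.g. a service label
            findings.append((i, rule["source"], "non-CIDR source"))
            continue
        rng = port_range(rule)
        if src.version != allowed.version or not src.subnet_of(allowed):
            findings.append((i, rule["source"], "source wider than endpoint subnet"))
        elif rng is None or (rng["min"], rng["max"]) != (db_port, db_port):
            findings.append((i, rule["source"], "opens more than the listener port"))
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, "10.0.2.0/24"):
        print(finding)
```

Run against the sample, the rules sourced from 0.0.0.0/0 and from the whole VCN CIDR are reported, while the rule scoped to the endpoint subnet passes.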
Summary
Using a private endpoint provides a much easier way to access databases in an OCI network from OIC. Unfortunately, when scanning through the list of all OIC adapters (https://docs.oracle.com/en/cloud/paas/application-integration/find-adapters.html), not all adapters so far support private endpoints. The feature is available e.g. for:
- Oracle Database Cloud Service Adapter
- REST Adapter
- AQ Adapter
It is not available however for:
- Oracle Database Adapter
- Oracle E-Business Suite Adapter
- MySQL Adapter
So unfortunately, so far you cannot use a private endpoint to
- access a database that is just running on an OCI compute instance or
- use an IPSEC VPN Tunnel to get from the private endpoint network to some onPrem database instance.
This seems "highly random", and I hope this will be changed soon. You can probably work around this by simply using the Database Cloud Service Adapter instead and still connect to an OnPrem / OnCompute Database instance.