- Disable Public Network Access
Ensure that public network access to your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases via public endpoints is disabled in order to enhance security by preventing unauthorized access.
The default public access option assigns your Autonomous AI Database a public endpoint, making it accessible from all IP addresses on the internet. This configuration raises the likelihood of unauthorized access and security breaches for your sensitive data. It is strongly recommended to disable public network access and utilize private endpoints for enhanced security and controlled connectivity.
Audit
To determine whether public network access to your OCI Autonomous AI Databases is disabled, perform the following operations:
Using OCI Console
- Sign in to your Oracle Cloud Infrastructure (OCI) account.
- Navigate to the Autonomous AI Databases console available at https://cloud.oracle.com/db/adbs.
- For Applied filters, choose an OCI compartment from the Compartment dropdown menu to list the Autonomous AI Databases provisioned in the selected compartment.
- Click on the name (link) of the Autonomous AI Database that you want to examine, listed in the Display Name column.
- Select the Autonomous AI Database information tab and check the Access type configuration attribute value, listed in the Network section. If Access type is set to Allow secure access from everywhere, the selected OCI Autonomous AI Database can be accessed through public endpoints. As a result, all networks, including the Internet, will have access to your Autonomous AI Database.
Using OCI CLI
- Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
- The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:
oci db autonomous-database list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[]."id"'
- The command output should return the requested database instance IDs:
[ "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database get command (Windows/macOS/Linux) with the ID of the Autonomous AI Database that you want to examine as the identifier parameter and custom output filters to determine whether public network access to the selected database instance is enabled:
oci db autonomous-database get --autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data.["whitelisted-ips","private-endpoint-ip"]'
- The command output should return the network access configuration for the selected instance. The "whitelisted-ips" property represents the trusted network(s)/IP(s) in the client Access Control List (ACL) and the "private-endpoint-ip" property represents the private endpoint IP:
[ null, null ]
If the db autonomous-database get command output returns null for both the "whitelisted-ips" and "private-endpoint-ip" properties, as shown in the output example above, the selected OCI Autonomous AI Database can be accessed through public endpoints. As a result, all networks, including the Internet, will have access to your Autonomous AI Database.
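The following script is an added example (not part of this page or of the OCI tooling) that automates the audit above across every compartment. It drives the same OCI CLI commands the page uses (oci iam compartment list, oci db autonomous-database list) through subprocess and classifies each instance from its "whitelisted-ips" and "private-endpoint-ip" attributes. The helper names (run_oci, classify_network_access, audit_databases, audit_tenancy) are this example's own; it also assumes the list command's per-database summary objects carry the same "whitelisted-ips" and "private-endpoint-ip" keys as the get command's output, and it passes the --compartment-id-in-subtree flag, which the page's own command does not use, so that nested compartments are covered.

```python
"""Audit OCI Autonomous AI Databases for public network access (added example)."""
import json
import subprocess

PUBLIC = "PUBLIC"                      # reachable from any internet address
ACL_RESTRICTED = "ACL_RESTRICTED"      # public endpoint, but a client ACL is in place
PRIVATE_ENDPOINT = "PRIVATE_ENDPOINT"  # reachable only through a VCN private endpoint


def classify_network_access(db):
    """Classify one database record (the 'data' object returned by the CLI).

    A set private endpoint IP wins; otherwise a non-empty ACL counts as
    restricted. null for both attributes is the [ null, null ] case the page
    flags, and an empty ACL list is treated the same way because it restricts
    nothing (assumption of this example).
    """
    if db.get("private-endpoint-ip"):
        return PRIVATE_ENDPOINT
    if db.get("whitelisted-ips"):
        return ACL_RESTRICTED
    return PUBLIC


def audit_databases(records):
    """Return (id, display-name, classification) for every PUBLIC record.

    ACL-restricted and private-endpoint instances satisfy the rule and are
    not reported.
    """
    findings = []
    for db in records:
        state = classify_network_access(db)
        if state == PUBLIC:
            findings.append((db.get("id"), db.get("display-name"), state))
    return findings


def run_oci(args):
    """Run an oci CLI command and return the parsed 'data' element."""
    completed = subprocess.run(["oci", *args], check=True,
                               capture_output=True, text=True)
    return json.loads(completed.stdout)["data"]


def audit_tenancy():
    """Enumerate every compartment (root included) and collect public instances."""
    compartments = run_oci(["iam", "compartment", "list", "--all", "--include-root",
                            "--compartment-id-in-subtree", "true"])
    all_findings = []
    for comp in compartments:
        dbs = run_oci(["db", "autonomous-database", "list",
                       "--compartment-id", comp["id"], "--all"])
        all_findings.extend(audit_databases(dbs))
    return all_findings


if __name__ == "__main__":
    for db_id, name, state in audit_tenancy():
        print(f"{state}: {name} ({db_id})")
```

Run it with the same OCI CLI profile you would use for the commands above; every line it prints is an instance that still answers on a public endpoint without an ACL.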
Remediation / Resolution
To disable public network access to your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases, perform the following operations:
Using OCI Console
- Sign in to your Oracle Cloud Infrastructure (OCI) account.
- Navigate to the Autonomous AI Databases console available at https://cloud.oracle.com/db/adbs.
- For Applied filters, choose an OCI compartment from the Compartment dropdown menu to list the Autonomous AI Databases provisioned in the selected compartment.
- Click on the name (link) of the Autonomous AI Database that you want to configure, listed in the Display Name column.
- Select More actions from the page top menu, choose Update network access, and perform one of the following actions to disable public network access to your database instance:
- For Access type, choose Secure access from allowed IPs and VCNs only to disable public exposure and restrict access to specific, trusted IP addresses and/or VCNs. With this option you must define access control rules in an Access Control List (ACL). An ACL blocks all IP addresses, CIDR blocks, and VCNs that are not in the list from accessing the database. To configure access control rules, provide the following information in the Access control rules configuration section:
- To allow database access to trusted IP addresses, choose IP address from the IP notation type dropdown list and specify the authorized, allowed IP address(es) in the Values box.
- To allow database access to trusted Virtual Cloud Networks (VCNs), choose Virtual cloud network from the IP notation type list, choose the appropriate OCI compartment, select the name of the trusted VCN, and specify the authorized private IP address(es) in the IP addresses or CIDRs box (optional).
- Toggle the Add my IP address to IP value button to add your current IP address to the Access Control List (ACL).
- For Access type, choose Private endpoint access only to disable public exposure and restrict access to a private endpoint within an OCI VCN. This option allows traffic only from the VCN you specify; all other access is blocked. It also lets you define inbound/outbound rules at the Network Security Group (NSG) level to control traffic to your database instance. To configure private endpoint access only, provide the following information:
- For Virtual cloud network, choose the name of the Virtual Cloud Network (VCN) that you want to use for your private endpoint. Ensure that you select the correct OCI compartment from the Compartment dropdown menu.
- For Subnet, select the VCN subnet where the private endpoint will be deployed. Ensure that you select the appropriate OCI compartment from the Compartment dropdown menu.
- (Optional) Choose Advanced options, select Private endpoint access, and perform the following actions to configure the private endpoint:
- For Private IP address, enter a custom private IP address. The private IP address you provide must be within the selected subnet's CIDR range. If you don't provide a custom private IP, an IP address is automatically assigned.
- For Host name prefix, enter a hostname prefix for the database instance. This also associates a DNS name with your instance. If you don't provide a hostname prefix, a system-generated hostname prefix is supplied.
- (Optional) For Network security groups (NSGs), select a Network Security Group (NSG) to associate with the selected database instance from the Network security groups dropdown list. Ensure that you select the correct OCI compartment from the Compartment dropdown menu. This creates a configurable virtual firewall for your Autonomous AI Database. The Network Security Group (NSG) must have one of the following configurations:
- For Mutual TLS (mTLS) authentication, the NSG must have a stateful inbound rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to 1522.
- For TLS authentication, the NSG must have a stateful inbound rule with the source set to the address range you want to allow to connect to your database, the IP Protocol set to TCP, and the Destination Port Range set to either 1521 or 1522.
- To use Oracle APEX, Database Actions, and Oracle REST Data Services, use port 443 for the NSG rule.
- Choose Update to apply the network changes.
Using OCI CLI
- Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
- The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:
oci db autonomous-database list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[]."id"'
- The command output should return the requested database instance IDs:
[ "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
- Run the db autonomous-database update command (Windows/macOS/Linux) with the ID of the Autonomous AI Database that you want to configure as the identifier parameter to disable public exposure and restrict access to specific, trusted IP addresses and/or VCNs. With this option you must define access control rules in an Access Control List (ACL). An ACL blocks all IP addresses, CIDR blocks, and VCNs that are not in the list from accessing the database. To configure the client IP Access Control List (ACL), use the --whitelisted-ips command parameter. The following example disables public network access and allows access only from 10.0.0.25:
oci db autonomous-database update --autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --whitelisted-ips '["10.0.0.25"]'
- The command output should return the information available for the modified database instance:
{ "data": { "allocated-storage-size-in-tbs": 0.0078125, "are-primary-whitelisted-ips-used": null, "auto-refresh-frequency-in-seconds": null, "auto-refresh-point-lag-in-seconds": null, "autonomous-container-database-id": null, "autonomous-maintenance-schedule-type": "REGULAR", "availability-domain": "ABCD:AP-SYDNEY-1-AD-1", "failed-data-recovery-in-seconds": null, "freeform-tags": {}, "id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "in-memory-area-in-gbs": null, "in-memory-percentage": null, "infrastructure-type": null, "is-access-control-enabled": null, "is-auto-scaling-enabled": true, "is-auto-scaling-for-storage-enabled": true, "is-backup-retention-locked": false, "is-data-guard-enabled": true, "is-dedicated": false, "is-dev-tier": null, "is-free-tier": false, "is-local-data-guard-enabled": false, "is-mtls-connection-required": true, "is-preview": false, "is-reconnect-clone-enabled": false, "is-refreshable-clone": null, "is-remote-data-guard-enabled": false, "key-store-wallet-name": null, "kms-key-id": "ORACLE_MANAGED_KEY", ... 
"license-model": "LICENSE_INCLUDED", "lifecycle-details": null, "lifecycle-state": "UPDATING", "local-adg-auto-failover-max-data-loss-limit": null, "local-disaster-recovery-type": "BACKUP_BASED", "time-data-guard-role-changed": null, "time-deletion-of-free-autonomous-database": null, "time-disaster-recovery-role-changed": null, "time-earliest-available-db-version-upgrade": "2025-12-13T14:10:00+00:00", "time-latest-available-db-version-upgrade": "2025-12-13T13:40:00+00:00", "time-local-data-guard-enabled": "2025-12-13T09:27:58.721000+00:00", "time-maintenance-begin": "2025-12-15T06:00:00+00:00", "time-maintenance-end": "2025-12-15T08:00:00+00:00", "time-of-auto-refresh-start": null, "time-of-joining-resource-pool": null, "time-of-last-failover": null, "time-of-last-refresh": null, "time-of-last-refresh-point": null, "time-of-last-switchover": null, "time-of-next-refresh": null, "time-reclamation-of-free-autonomous-database": null, "time-scheduled-db-version-upgrade": null, "time-undeleted": null, "time-until-reconnect-clone-enabled": null, "total-backup-storage-size-in-gbs": 0.0, "used-data-storage-size-in-gbs": null, "used-data-storage-size-in-tbs": null, "vanity-connection-urls": null, }, "etag": "abcd1234", "opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" }
- Run the db autonomous-database update command (Windows/macOS/Linux) with the ID of the Autonomous AI Database that you want to configure as the identifier parameter to disable public exposure and restrict access to a private endpoint within your Virtual Cloud Network (VCN). This option allows traffic only from the VCN you specify; all other access is blocked. To configure private endpoint access only, specify a name (label) and a custom private IP address for the new private endpoint. Use the --subnet-id command parameter to specify the target VCN subnet. The private IP address you provide using the --private-endpoint-ip parameter must be within the selected subnet's CIDR range:
oci db autonomous-database update --autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --subnet-id 'ocid1.subnet.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' --private-endpoint-label 'project5-private-endpoint' --private-endpoint-ip '10.0.0.10'
- The command output should return the information available for the modified database instance:
{ "data": { "allocated-storage-size-in-tbs": 0.0078125, "are-primary-whitelisted-ips-used": null, "auto-refresh-frequency-in-seconds": null, "auto-refresh-point-lag-in-seconds": null, "autonomous-container-database-id": null, "autonomous-maintenance-schedule-type": "REGULAR", "availability-domain": "ABCD:AP-SYDNEY-1-AD-1", "failed-data-recovery-in-seconds": null, "freeform-tags": {}, "id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "in-memory-area-in-gbs": null, "in-memory-percentage": null, "infrastructure-type": null, "is-access-control-enabled": null, "is-auto-scaling-enabled": true, "is-auto-scaling-for-storage-enabled": true, "is-backup-retention-locked": false, "is-data-guard-enabled": true, "is-dedicated": false, "is-dev-tier": null, "is-free-tier": false, "is-local-data-guard-enabled": false, "is-mtls-connection-required": true, "is-preview": false, "is-reconnect-clone-enabled": false, "is-refreshable-clone": null, "is-remote-data-guard-enabled": false, "key-store-wallet-name": null, "kms-key-id": "ORACLE_MANAGED_KEY", ... 
"license-model": "LICENSE_INCLUDED", "lifecycle-details": null, "lifecycle-state": "UPDATING", "local-adg-auto-failover-max-data-loss-limit": null, "local-disaster-recovery-type": "BACKUP_BASED", "time-data-guard-role-changed": null, "time-deletion-of-free-autonomous-database": null, "time-disaster-recovery-role-changed": null, "time-earliest-available-db-version-upgrade": "2025-12-13T14:10:00+00:00", "time-latest-available-db-version-upgrade": "2025-12-13T13:40:00+00:00", "time-local-data-guard-enabled": "2025-12-13T09:27:58.721000+00:00", "time-maintenance-begin": "2025-12-15T06:00:00+00:00", "time-maintenance-end": "2025-12-15T08:00:00+00:00", "time-of-auto-refresh-start": null, "time-of-joining-resource-pool": null, "time-of-last-failover": null, "time-of-last-refresh": null, "time-of-last-refresh-point": null, "time-of-last-switchover": null, "time-of-next-refresh": null, "time-reclamation-of-free-autonomous-database": null, "time-scheduled-db-version-upgrade": null, "time-undeleted": null, "time-until-reconnect-clone-enabled": null, "total-backup-storage-size-in-gbs": 0.0, "used-data-storage-size-in-gbs": null, "used-data-storage-size-in-tbs": null, "vanity-connection-urls": null, }, "etag": "abcd1234", "opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd" }
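Both remediation commands above take parameters that are easy to get wrong in a way the CLI will not catch for you: an ACL entry such as 0.0.0.0/0 leaves the endpoint effectively public, and a --private-endpoint-ip outside the subnet's CIDR range is rejected only at provisioning time. The following pre-flight checks are an added example (not part of this page or of the OCI tooling) that validate those inputs and then assemble the exact update command lines shown above. The helper names (validate_acl_entries, private_ip_fits_subnet, build_acl_update, build_private_endpoint_update, lookup_subnet_cidr, apply_update) are this example's own; it handles only IP and CIDR ACL entries, not VCN-based entries, and it assumes `oci network subnet get --subnet-id` is available to read the subnet's "cidr-block".

```python
"""Pre-flight validation for the two network-access remediation paths (added example)."""
import ipaddress
import json
import subprocess


def validate_acl_entries(entries):
    """Return normalised ACL entries, rejecting anything that leaves the database open.

    Accepts single addresses ("10.0.0.25") and CIDR blocks ("10.0.1.0/24").
    A prefix length of 0 matches every address, so it is refused; an empty
    list is refused for the same reason. Malformed entries raise ValueError
    from the ipaddress module.
    """
    if not entries:
        raise ValueError("an empty ACL does not restrict access")
    normalised = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{entry!r} matches every address; public access would remain")
        # keep a single host in plain form, a block in CIDR notation
        normalised.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return normalised


def private_ip_fits_subnet(private_ip, subnet_cidr):
    """True when the requested private endpoint IP lies inside the subnet's CIDR range."""
    return ipaddress.ip_address(private_ip) in ipaddress.ip_network(subnet_cidr, strict=False)


def build_acl_update(db_id, entries):
    """Assemble the ACL variant of `oci db autonomous-database update`."""
    acl = validate_acl_entries(entries)
    return ["oci", "db", "autonomous-database", "update",
            "--autonomous-database-id", db_id,
            "--whitelisted-ips", json.dumps(acl)]


def build_private_endpoint_update(db_id, subnet_id, subnet_cidr, label, private_ip):
    """Assemble the private-endpoint variant after checking the IP against the subnet."""
    if not private_ip_fits_subnet(private_ip, subnet_cidr):
        raise ValueError(f"{private_ip} is outside subnet {subnet_cidr}")
    return ["oci", "db", "autonomous-database", "update",
            "--autonomous-database-id", db_id,
            "--subnet-id", subnet_id,
            "--private-endpoint-label", label,
            "--private-endpoint-ip", private_ip]


def lookup_subnet_cidr(subnet_id):
    """Read the subnet's CIDR block with `oci network subnet get` (assumed available)."""
    completed = subprocess.run(["oci", "network", "subnet", "get", "--subnet-id", subnet_id],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)["data"]["cidr-block"]


def apply_update(cmd):
    """Run an assembled update and return the reported lifecycle-state ("UPDATING" while applied)."""
    completed = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)["data"]["lifecycle-state"]


if __name__ == "__main__":
    # placeholder OCIDs; substitute the values from the list commands above
    db_id = "DB_OCID_PLACEHOLDER"
    subnet_id = "SUBNET_OCID_PLACEHOLDER"
    cidr = lookup_subnet_cidr(subnet_id)
    cmd = build_private_endpoint_update(db_id, subnet_id, cidr, "project5-private-endpoint", "10.0.0.10")
    print(apply_update(cmd))
```

The two build functions return argument lists rather than a shell string, so the JSON ACL passes through subprocess unchanged and no shell quoting is involved; the lifecycle-state returned by apply_update is the same "UPDATING" value visible in the output samples above.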
References
- Oracle Cloud Infrastructure Documentation
- About Network Access Options
- Configuring Network Access with Access Control Rules (ACLs)
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- autonomous-database list
- autonomous-database get
- autonomous-database update