Creating an Object Storage Private Endpoint

Create a private endpoint to reach Object Storage using a private IP address within your VCN without accessing the public internet.

    1. On the Private Endpoints list page, select Create private endpoint. If you need help finding the list page, see Listing Private Endpoints.
      The Create private endpoint panel opens.
    2. Enter the following information:
      • Name: Enter a name for the private endpoint. The name value is a case-insensitive string using alpha-numeric characters (no special characters).
      • DNS prefix: Enter a DNS prefix for the private endpoint. This value is part of the URL used to access Object Storage. The DNS prefix is a case-insensitive string using alpha-numeric characters (no special characters). It must be unique within the VCN.
      • Select VCN compartment: Select the compartment containing the VCN you want.
      • Select VCN: Select the VCN you want from the list of all VCNs available in the compartment you previously chose.
      • Select subnet: Select a subnet from the list of subnets available from the VCN you previously chose.

    Access targets

    Add an access target to the private endpoint. Enter the following information:
    • Namespace: Enter the namespace for the access target. You can enter either the namespace's name or "*" to specify a wildcard. You can only use the wildcard if the compartment and bucket values are also specified as "*", as described below. See Namespaces for more information.
    • Compartment OCID: Enter the OCID of the compartment for the access target. You can enter either the compartment's OCID, or "*" to indicate all the compartments are available.
    • Bucket name: Enter the name of the bucket for the target. You can enter either the bucket's name, or "*" to indicate all the buckets within the compartments are available.

    Select Add access target to create another access target. You can create a total of 10 access targets.

    Tags

    Select the Tags tab.

    Select Add tag. The tagging options appear where you can apply tags to the resource. For information about tagging, see Overview of Tagging.

    Security Attributes

    Add security attributes.

    Prerequisites

    To add a security attribute, you must have permissions to use the security attribute namespace. For more details on the permissions required to apply, update, or remove a security attribute for a resource, see Security Attributes and Zero Trust Packet Routing IAM Policies.

    You must also write ZPR policies to connect resources using security attributes.

    If you're not sure whether to add security attributes, skip this option or ask an administrator. You can add security attributes later.

    Add security attributes

    Once permissions are in place, you can add up to three security attributes to control access to this private endpoint. In the Security attributes section, select Add security attribute and then enter the following information:

    • Namespace: Select a security attribute namespace from the list. A security attribute namespace is a container for a set of security attributes in Zero Trust Packet Routing (ZPR).

      This list contains those security attribute namespaces already configured. See Creating a Security Attribute Namespace for more information.

    • Key: Select a key from the list. The key is the name for a specific security attribute.
    • Value: Enter a value or select a value for the corresponding key from the list. This is the value for a specific security attribute.

    See also Adding Security Attributes to a Private Endpoint.

    Advanced options

    Select Advanced options. Here you can configure the following optional features.

    IP address: Enter or select the IP address to use for the private endpoint.

    Network security group (NSG)

    Select Add NSG to add a network security group (NSG) to the private endpoint, then select the NSG from the list. The available NSGs are determined by the VCN you selected earlier.

    Additional DNS prefixes

    Select Add DNS prefix to add another DNS prefix to the private endpoint.

    Select Create private endpoint.
  • Use the oci os private-endpoint create command and required parameters to create a private endpoint in Object Storage:

    oci os private-endpoint create --name name --compartment-id compartment_ocid --subnet-id subnet_ocid --prefix prefix --access-targets access_targets [OPTIONS]

    where the following variables apply:

    • prefix is the DNS prefix of the private endpoint.

    • access_targets are listed in JSON format. Separate each access target with a comma (",").

    For example:

    oci os private-endpoint create --compartment-id ocid1.tenancy.oc1..exampleuniqueID --subnet-id ocid1.subnet.region1.sea..exampleuniqueID --name pe1 --prefix pe1 --access-targets '[{"namespace":"MyNamespace", "compartmentId":"*", "bucket":"*"}]'
    {
      "opc-work-request-id": "99f4f963-cf65-49c4-8923-4e5210742105"
    }

    If you have several access targets, the command and its output appear as follows:

    oci os private-endpoint create  --compartment-id ocid1.tenancy.oc1..exampleuniqueID --subnet-id ocid1.subnet.region1.sea..exampleuniqueID --name pe1 --prefix pe1 --access-targets '[{"namespace":"MyNamespace", "compartmentId":"*", "bucket":"*"}, {"namespace":"MyNamespace2", "compartmentId":"*", "bucket":"*"}]'
    {
      "opc-work-request-id": "1f270b21-473e-4adf-8d13-5a35e8240d1e"
    }

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the following API operation:

    POST n/object_storage_namespace/pe/

    These are the available payload properties:

    • accessTargets: A list of targets that can be accessed by the private endpoint.
    • additionalPrefixes (optional): A list of more DNS prefixes that you can provide.
    • compartmentId: The ID of the compartment in which the private endpoint is created.
    • definedTags (optional): Defined tags for this resource.
    • freeformTags (optional): Free-form tags for this resource.
    • name: The name of the private endpoint.
    • nsgIds (optional): A list of the OCIDs of the network security groups (NSGs) to which the private endpoint's VNIC is added.
    • prefix: The DNS prefix to use for the private endpoint FQDN in the VCN's private DNS zone.
    • privateEndpointIp (optional): The private IP address to assign to this private endpoint, if it is available. The request returns an error if the IP address is unavailable.
    • securityAttributes (optional): Security attributes for this resource. Each key is predefined and scoped to a namespace.

      Example: {"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}}

    • subnetId: The OCID of the customer's subnet where the private endpoint VNIC resides.

    See also CreatePrivateEndpoint.
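The CLI and API sections above consume the same data: the JSON passed to `--access-targets` and the CreatePrivateEndpoint request body. The following Python script is an added example, not Oracle's code and not part of the OCI SDK or CLI. It builds that body from the documented property names and checks the constraints this page states before anything is sent: alphanumeric name and DNS prefix, the rule that a wildcard namespace requires a wildcard compartment and bucket, the limit of 10 access targets, and the limit of three security attributes. The function names, the sample OCIDs (placeholders), and the assumption that the three-attribute limit counts keys across all namespaces are mine.

```python
"""Build and sanity-check a CreatePrivateEndpoint request for OCI Object Storage.

Added example (not Oracle's code). Encodes the documented constraints and emits
both the CLI --access-targets JSON and the API request body. OCIDs used in the
sample run are constructed placeholders.
"""
import json
import re

# Name and DNS prefix: case-insensitive alphanumerics, no special characters.
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")
MAX_ACCESS_TARGETS = 10        # "You can create a total of 10 access targets."
MAX_SECURITY_ATTRIBUTES = 3    # "you can add up to three security attributes"


class PrivateEndpointSpecError(ValueError):
    """Raised when a field violates one of the documented constraints."""


def check_alnum(field, value):
    """Reject anything that is not a plain alphanumeric string."""
    if not isinstance(value, str) or not ALNUM_RE.match(value):
        raise PrivateEndpointSpecError(f"{field} must be alphanumeric, got {value!r}")
    return value


def check_access_target(target):
    """Normalise one access target and enforce the wildcard rule:
    namespace '*' is only allowed when compartmentId and bucket are '*' too."""
    try:
        ns, comp, bucket = target["namespace"], target["compartmentId"], target["bucket"]
    except KeyError as exc:
        raise PrivateEndpointSpecError(f"access target is missing key {exc}") from None
    if ns == "*" and (comp != "*" or bucket != "*"):
        raise PrivateEndpointSpecError(
            "a wildcard namespace requires compartmentId='*' and bucket='*'")
    return {"namespace": ns, "compartmentId": comp, "bucket": bucket}


def wildcard_targets(targets):
    """Targets that use '*' anywhere. Worth reviewing before creation: '*' for
    compartment and bucket makes every bucket in that namespace reachable."""
    return [t for t in targets
            if "*" in (t.get("namespace"), t.get("compartmentId"), t.get("bucket"))]


def access_targets_cli_arg(targets):
    """JSON string for `oci os private-endpoint create --access-targets`."""
    return json.dumps([check_access_target(t) for t in targets], separators=(",", ":"))


def build_create_payload(name, compartment_id, subnet_id, prefix, access_targets,
                         additional_prefixes=None, nsg_ids=None, private_endpoint_ip=None,
                         security_attributes=None, freeform_tags=None, defined_tags=None):
    """Return the CreatePrivateEndpoint request body as a dict, using the documented
    property names. Optional properties are included only when given."""
    # accessTargets is a required property, so an empty list is rejected as well.
    if not 1 <= len(access_targets) <= MAX_ACCESS_TARGETS:
        raise PrivateEndpointSpecError(
            f"need between 1 and {MAX_ACCESS_TARGETS} access targets, got {len(access_targets)}")
    payload = {
        "name": check_alnum("name", name),
        "compartmentId": compartment_id,
        "subnetId": subnet_id,
        "prefix": check_alnum("prefix", prefix),
        "accessTargets": [check_access_target(t) for t in access_targets],
    }
    if additional_prefixes:
        payload["additionalPrefixes"] = [check_alnum("additionalPrefixes", p)
                                         for p in additional_prefixes]
    if nsg_ids:
        payload["nsgIds"] = list(nsg_ids)
    if private_endpoint_ip:
        payload["privateEndpointIp"] = private_endpoint_ip
    if security_attributes:
        # Assumption: the limit of three counts attribute keys across all namespaces.
        total = sum(len(keys) for keys in security_attributes.values())
        if total > MAX_SECURITY_ATTRIBUTES:
            raise PrivateEndpointSpecError(
                f"at most {MAX_SECURITY_ATTRIBUTES} security attributes, got {total}")
        payload["securityAttributes"] = security_attributes
    if freeform_tags:
        payload["freeformTags"] = dict(freeform_tags)
    if defined_tags:
        payload["definedTags"] = dict(defined_tags)
    return payload


if __name__ == "__main__":
    # Constructed sample mirroring the page's CLI example; OCIDs are placeholders.
    targets = [{"namespace": "MyNamespace", "compartmentId": "*", "bucket": "*"}]
    print("--access-targets", access_targets_cli_arg(targets))
    body = build_create_payload(
        name="pe1",
        compartment_id="ocid1.compartment.oc1..PLACEHOLDER",
        subnet_id="ocid1.subnet.oc1..PLACEHOLDER",
        prefix="pe1",
        access_targets=targets,
        security_attributes={"Oracle-ZPR": {"MaxEgressCount": {"value": "42", "mode": "enforce"}}},
    )
    print(json.dumps(body, indent=2))
    for t in wildcard_targets(targets):
        print("review: wildcard access target", t)
```

`wildcard_targets` exists because the page's own example uses `"*"` for both compartment and bucket; that is convenient for a first test but it means every bucket in the namespace is reachable through the endpoint, so listing such targets before creation lets you confirm that scope is intended rather than accidental.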