Creating a Private Endpoint in Object Storage

Create a private endpoint to reach Object Storage using a private IP address within your VCN without accessing the public internet.

    1. Open the navigation menu and click Storage. Under Object Storage & Archive Storage, click Private Endpoints.
    2. Select the compartment from the list under List Scope. All the Object Storage private endpoints in that compartment are listed in tabular form. This is the compartment where the Object Storage private endpoint is created.
    3. Click Create private endpoint. The Create private endpoint dialog box appears.
    4. Enter a Name for the private endpoint. The name value is a case-insensitive string using alpha-numeric characters (no special characters).
    5. Enter a DNS Prefix for the private endpoint. This value is part of the URL used to access Object Storage. The DNS prefix is a case-insensitive string using alpha-numeric characters (no special characters). It must be unique within the VCN.
    6. Select the VCN for your private endpoint from the Select VCN in <compartment> list. Click Change Compartment to select a VCN in another compartment.
    7. Select a subnet under the VCN from the list.
    8. (Required) Add an access target to the private endpoint. Complete the following:
      • Namespace: Enter the namespace for the access target. You can enter either the namespace's name or "*" to specify a wildcard. You can only use the wildcard if the compartment and bucket values are also specified as "*", as described below. See Namespaces for more information.

      • Compartment OCID: Enter the OCID of the compartment for the access target. You can enter either the compartment's OCID, or "*" to indicate all the compartments are available.

      • Bucket name: Enter the name of the bucket for the target. You can enter either the bucket's name, or "*" to indicate all the buckets within the compartments are available.

      Click Access target to create another access target. You can create a total of 10 access targets.

    9. (Optional) Click Show advanced options to perform any of the following tasks.
    10. Click the Advanced option tab. Complete the following:
      • Preferred IP Address: Enter or select the IP address that you want to use for the private endpoint.

      • +NSG: Click to add a Network security group (NSG) to the private endpoint. Enter the name of the NSG from the list. The available NSGs are determined by the VCN you selected earlier. Click X to delete the NSG.

      • +Additional DNS prefix: Click to add another DNS prefix to the private endpoint. Click X to remove the DNS prefix.

    11. Click the Tags tab. The Tagging options appear where you can apply tags to the resource. See Tagging a Private Endpoint at Creation for more information about using tagging with an Object Storage private endpoint. See Overview of Tagging for general information about tagging.
    12. Click Create.
  • Use the oci os private-endpoint create command and required parameters to create a private endpoint in Object Storage:

    oci os private-endpoint create --name name --compartment-id compartment_ocid --subnet-id subnet_ocid --prefix prefix --access-targets access_targets [OPTIONS]

    where the following variables apply:

    • prefix is the DNS prefix of the private endpoint.

    • access_targets are listed in JSON format. Separate each access target with a comma (",").

    For example:

    oci os private-endpoint create --compartment-id ocid1.tenancy.oc1..exampleuniqueID --subnet-id ocid1.subnet.region1.sea..exampleuniqueID --name pe1 --prefix pe1 --access-targets '[{"namespace":"MyNamespace", "compartmentId":"*", "bucket":"*"}]'
    {
      "opc-work-request-id": "99f4f963-cf65-49c4-8923-4e5210742105"
    }

    If you have several access targets, the command and its output look like this:

    oci os private-endpoint create  --compartment-id ocid1.tenancy.oc1..exampleuniqueID --subnet-id ocid1.subnet.region1.sea..exampleuniqueID --name pe1 --prefix pe1 --access-targets '[{"namespace":"MyNamespace", "compartmentId":"*", "bucket":"*"}, {"namespace":"MyNamespace2", "compartmentId":"*", "bucket":"*"}]'
    {
      "opc-work-request-id": "1f270b21-473e-4adf-8d13-5a35e8240d1e"
    }

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the following API operation:

    POST n/object_storage_namespace/pe/

    These are the available payload properties:

    • name: The name of the private endpoint.
    • compartmentId: The ID of the compartment in which the private endpoint is created.
    • subnetId: The OCID of the customer's subnet where the private endpoint VNIC resides.
    • prefix: The DNS prefix to use for the private endpoint FQDN in the VCN's private DNS zone.
    • accessTargets: A list of targets that can be accessed by the private endpoint.
    • additionalPrefixes (optional): A list of more DNS prefixes that you can provide.
    • privateEndpointIp (optional): The private IP address to assign to this private endpoint, if it is available. An error is returned if the IP address is unavailable.
    • nsgIds (optional): A list of the OCIDs of the network security groups (NSGs) to which the private endpoint's VNIC is added.
    • freeformTags (optional): Free-form tags for this resource.
    • definedTags (optional): Defined tags for this resource.
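The following added example (not part of the original documentation and not Oracle's SDK) builds the CreatePrivateEndpoint request body described above and the equivalent oci os private-endpoint create command, enforcing the rules the page states before anything is sent: alphanumeric name and prefix, the wildcard namespace only together with wildcard compartment and bucket, and at most 10 access targets. The OCIDs used in the test are the placeholder values from the page; the function and variable names are assumptions.

```python
import json
import re

ALNUM = re.compile(r"^[A-Za-z0-9]+$")   # name and DNS prefix: alphanumeric only
MAX_ACCESS_TARGETS = 10                 # limit stated in the console steps


def access_target(namespace, compartment_id, bucket):
    """Build one access target (keys as used by the CLI and API on this page).
    A wildcard namespace is only valid when compartmentId and bucket are also "*";
    a narrower target (named namespace, compartment OCID, bucket) limits what the
    endpoint can reach and is preferable where the use case allows it."""
    if namespace == "*" and (compartment_id != "*" or bucket != "*"):
        raise ValueError('namespace "*" requires compartmentId and bucket to be "*" too')
    return {"namespace": namespace, "compartmentId": compartment_id, "bucket": bucket}


def create_private_endpoint_payload(name, compartment_id, subnet_id, prefix,
                                    access_targets, additional_prefixes=None,
                                    private_endpoint_ip=None, nsg_ids=None,
                                    freeform_tags=None, defined_tags=None):
    """Assemble the JSON body for the POST operation; optional fields are
    included only when a value is given."""
    for label, value in [("name", name), ("prefix", prefix)] + \
            [("additionalPrefixes", p) for p in (additional_prefixes or [])]:
        if not ALNUM.match(value):
            raise ValueError(f"{label} must contain only alphanumeric characters: {value!r}")
    if not 1 <= len(access_targets) <= MAX_ACCESS_TARGETS:
        raise ValueError(f"between 1 and {MAX_ACCESS_TARGETS} access targets are required")
    body = {"name": name, "compartmentId": compartment_id, "subnetId": subnet_id,
            "prefix": prefix, "accessTargets": list(access_targets)}
    optional = {"additionalPrefixes": additional_prefixes,
                "privateEndpointIp": private_endpoint_ip, "nsgIds": nsg_ids,
                "freeformTags": freeform_tags, "definedTags": defined_tags}
    body.update({k: v for k, v in optional.items() if v})
    return body


def cli_command(body):
    """Render the equivalent CLI call with the required parameters shown on the page.
    The access targets are passed as a single-quoted JSON list, as in the page's example."""
    targets = json.dumps(body["accessTargets"], separators=(",", ":"))
    return (f"oci os private-endpoint create --name {body['name']} "
            f"--compartment-id {body['compartmentId']} --subnet-id {body['subnetId']} "
            f"--prefix {body['prefix']} --access-targets '{targets}'")
```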