01 · Introduction
When people hear "Oracle Exadata Cloud@Customer," they picture a powerful Exadata rack sitting quietly inside a company data center. What they don't see is the networking architecture that makes the entire platform work.
Every database connection, backup job, OCI API call, monitoring request, and cloud management operation depends on a carefully designed network. Unlike a traditional on-premises database server, Exadata Cloud@Customer isn't isolated — it securely connects your local data center with Oracle Cloud Infrastructure while keeping customer databases protected inside your own environment.
That connectivity runs on VCNs, Private Endpoints, Dynamic Routing Gateways, and FastConnect. Tracing this traffic reveals how ExaCC communicates with both your applications and Oracle Cloud without exposing databases to the public internet.
What is Oracle Exadata Cloud@Customer (ExaCC) networking?
Oracle Exadata Cloud@Customer networking is a hybrid architecture that bridges an on-premises physical Exadata rack with Oracle Cloud Infrastructure (OCI). It isolates application database traffic within local private subnets while using secure, private OCI endpoints for cloud control plane management — completely bypassing the public internet.
02 · Why Does ExaCC Need OCI Networking?
Exadata Cloud@Customer is neither a pure on-premises appliance nor a public cloud resource. It's exactly what the name says: Oracle Cloud control plane services managing physical infrastructure inside your data center.
This hybrid footprint changes the rules. Physical hardware — compute nodes, storage cells, InfiniBand or RoCE switches — sits behind your corporate firewall. But VM cluster provisioning, OCPU scaling, grid patching, and health monitoring all originate from the OCI console or OCI APIs.
Figure 1 · ExaCC hybrid cloud model — control plane in OCI, data plane on-premises
ExaCC requires OCI networking for two primary communication channels:
Control Plane (Management Network)
The pathway Oracle uses to manage infrastructure. When a DBA clicks "Create Database" in the OCI Console, that instruction flows from the OCI region to ExaCC control plane agents on the physical hardware. Handles automated backups, telemetry, logging, and security patching.
Data Plane (Client / Backup Networks)
Where enterprise applications query the database, ETL tools run batch jobs, and DBAs access the OS via SSH. This is production traffic — the traffic your business actually depends on.
Without OCI networking extending into your data center, ExaCC would be a disconnected island of hardware. OCI networking bridges the physical reality of your server room with the logical flexibility of the cloud.
03 · What Is a Virtual Cloud Network (VCN)?
If you're a DBA moving to the cloud, think of a VCN as a software-defined private data center inside Oracle Cloud Infrastructure. It's a customizable private network in an OCI region, defined by a contiguous IPv4 CIDR block (for example, 10.0.0.0/16), with smaller functional subdivisions called subnets carved out inside it.
Subnets: Public vs. Private
| Subnet Type | Characteristics | ExaCC Usage |
|---|---|---|
| Public Subnet | Resources can have public IPs; routable from the internet if allowed | Not used for ExaCC databases |
| Private Subnet | Only private IPs (e.g., 10.0.1.25); no direct internet route | Required — all ExaCC databases live here |
Guarding the VCN: Security Lists and NSGs
Two firewall mechanisms control packet flow:
- Security Lists — applied at the subnet level; ingress and egress rules for every resource in that subnet.
- Network Security Groups (NSGs) — applied at the vNIC level; granular rules for specific resources like a single ExaCC VM cluster.
Think of a VCN as a secure corporate office. The CIDR block is the building address. Subnets are floors. A public subnet is the ground-floor lobby. A private subnet is the locked boardroom. Security Lists are the guards at the elevators; NSGs are the biometric locks on specific office doors.
Figure 2 · ExaCC network architecture — structural separation between data center and OCI cloud layer
04 · Private Endpoints — Why They Matter
Managing ExaCC via the OCI control plane requires OCI components to reach your infrastructure without traversing the public internet. An OCI Private Endpoint solves this by injecting a virtual network interface (vNIC) with a private VCN IP address into a designated subnet.
It acts as a localized bridge. When a management service — say, the Cloud VM Cluster provisioning engine — needs to orchestrate an action on your ExaCC nodes, traffic routes through this Private Endpoint.
Why Avoid Public Endpoints?
In enterprise database architectures, data sovereignty and defense-in-depth are non-negotiable. Public endpoints would force management traffic through public IP spaces and require inbound holes in your perimeter firewalls.
- All management traffic stays in RFC 1918 address space
- Databases shielded from scanning and brute-force attempts
- Cloud-management traffic follows defined private route tables you control
05 · What Does a Dynamic Routing Gateway (DRG) Do?
If the VCN is your software-defined data center, the DRG is the programmable router connecting it to everything else. It's the centralized routing hub for all hybrid traffic — on-premises networks, other VCNs (via Remote VCN Peering), and third-party cloud environments.
Lifecycle of a Network Packet
Trace a packet from an on-premises app server reading data from an ExaCC database:
Figure 3 · Packet lifecycle — on-premises application to ExaCC database via DRG
The DRG normalizes on-premises and cloud networks so packets cross the boundary between local fiber and cloud infrastructure without manual intervention at each hop.
06 · Why Enterprises Choose FastConnect
Linking your data center to OCI gives you two options: IPSec VPN over the public internet, or Oracle Cloud Infrastructure FastConnect. VPN works well as a backup. Production environments almost universally standardize on FastConnect.
| Attribute | IPSec VPN (Internet) | FastConnect (Private Circuit) |
|---|---|---|
| Path | Public internet | Dedicated private circuit via provider (Equinix, Megaport, AT&T) |
| Bandwidth | Shared, variable | Isolated and guaranteed |
| Latency | Subject to internet congestion | Flat and predictable |
| Best For | Dev/test, DR backup link | Production, batch workloads, financial close |
| Cost | Lower | Higher — justified by SLA |
When jitter costs you a regulatory deadline
A global financial institution pulls hundreds of gigabytes from legacy on-premises apps into an ExaCC database during month-end close. Over IPSec VPN, a surge in regional internet traffic — or a localized ISP fiber cut — introduces packet drop and jitter. Batch windows stretch from minutes to hours.
FastConnect uses a dedicated port through a network provider directly into Oracle's edge routing. Bandwidth is isolated. Latency stays flat. Batch jobs finish within predictable windows regardless of what's happening on the public internet.
Figure 4 · Hybrid connectivity — enterprise network to OCI via dedicated FastConnect path
07 · How Hybrid Connectivity Works
Hybrid connectivity makes disparate networks behave as one. For ExaCC, that integration spans routing, DNS, backup paths, and monitoring — not just basic IP forwarding.
DNS Integration
Applications should target a SCAN hostname (e.g., exacc-cluster.sub01.vcn01.oraclevcn.com), not hardcoded IPs. Hybrid DNS requires:
- OCI Private DNS Zones resolve VCN resources.
- DNS Listeners and Forwarders in OCI forward on-premises domain queries to corporate DNS (Active Directory, BIND).
- Conditional forwarders on corporate DNS route oraclevcn.com queries to the OCI Private DNS Resolver.
Backup Routing
ExaCC backs up databases directly to OCI Object Storage — traffic that can consume massive bandwidth. Configure backup traffic to flow over FastConnect via a Service Gateway in your VCN, so bulk backup streams don't compete with production application traffic or leak onto the public internet.
Identity and Monitoring
Infrastructure components report telemetry to Oracle Management Cloud or Cloud Guard. Enterprise routing ensures health metrics, OS alerts, and security audit trails pass through designated proxy nodes or explicit private connections — maintaining compliance with internal security standards.
08 · Application-to-Database Connection Flow
When an application initiates a stateful session to an Oracle Database on ExaCC, seven distinct phases execute across hybrid network boundaries:
Figure 5 · Seven-phase connection pathway for enterprise client to ExaCC database
The routing decision at step 2 is where most post-deployment issues surface. If the corporate route table doesn't have an explicit path for the VCN CIDR via FastConnect, the packet never reaches the DRG — and the DBA sees a timeout, not a firewall rejection.
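The failure mode described above can be caught before deployment by running a longest-prefix match over the corporate route table. This is an added example, not code from the original article; the route entries and next-hop labels are constructed, and only the 10.0.0.0/16 VCN CIDR is taken from the page's earlier example.

```python
import ipaddress

# Constructed corporate route table: (prefix, next-hop label). Hypothetical values.
CORP_ROUTES = [
    ("0.0.0.0/0", "internet-edge"),
    ("172.16.0.0/12", "core-switch"),
    ("10.20.0.0/16", "core-switch"),
]
VCN_CIDR = "10.0.0.0/16"               # example VCN CIDR used earlier on the page
FASTCONNECT_HOP = "fastconnect-edge"   # hypothetical next-hop label


def route_for_network(routes, target):
    """Longest-prefix match: the (prefix, hop) that forwards all of `target`.

    `target` may be a single address ("10.0.1.25") or a CIDR block.
    Returns None when no route covers it.
    """
    net = ipaddress.ip_network(target)
    covering = [(ipaddress.ip_network(p), hop) for p, hop in routes
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return None
    best = max(covering, key=lambda r: r[0].prefixlen)
    return (str(best[0]), best[1])


def vcn_path_gaps(routes, vcn_cidr, expected_hop):
    """List blocks of the VCN CIDR that are not forwarded to expected_hop.

    Checks the VCN CIDR itself plus any more-specific route inside it,
    because a narrower prefix silently overrides the FastConnect route.
    """
    vcn = ipaddress.ip_network(vcn_cidr)
    inside = [ipaddress.ip_network(p) for p, _ in routes]
    blocks = [vcn] + [n for n in inside if n != vcn and n.subnet_of(vcn)]
    gaps = []
    for block in blocks:
        chosen = route_for_network(routes, block)
        if chosen is None or chosen[1] != expected_hop:
            gaps.append((str(block), chosen))
    return gaps


if __name__ == "__main__":
    # With only a default route, VCN traffic heads for the internet edge.
    for block, chosen in vcn_path_gaps(CORP_ROUTES, VCN_CIDR, FASTCONNECT_HOP):
        print(f"{block}: forwarded by {chosen}, expected {FASTCONNECT_HOP}")
```

A non-empty result means packets for that block fall through to another route, which is the case where the DBA sees a timeout rather than a rejection.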
09 · Common Networking Misconceptions
10 · Enterprise Networking Best Practices
- Rigorous CIDR Allocation Planning: Ensure the OCI VCN CIDR is completely non-overlapping with on-premises infrastructure. Overlapping IP space creates routing chaos.
- Adopt Network Security Groups (NSGs): Don't rely solely on broad subnet Security Lists. Apply specific rules directly to Exadata VM cluster vNICs.
- Implement HA FastConnect Paths: Dual FastConnect circuits on separate edge routers and distinct OCI FastConnect routers — no single point of failure.
- Dedicated Backup Network Loop: Route bulk backup traffic through a dedicated backup NIC to an OCI Service Gateway, keeping client lanes clear.
- Design Resilient Hybrid DNS: Automated health-checked forwarders on both cloud and on-premises tiers. No static /etc/hosts workarounds.
11 · The Enterprise Networking Checklist
Use this before triggering an ExaCC deployment:
- IP Topology: VCN and subnet CIDR ranges registered with zero overlap against corporate or auxiliary cloud networks
- Isolation Architecture: All Exadata database nodes placed strictly within Private Subnets
- Private Endpoint Mapping: Dedicated IP block allocated for OCI Private Endpoints in the VCN layout
- Routing Validation: DRG attachments and VCN Route Tables populated with correct next-hops for all application subnets
- Bandwidth Capacity Proofing: Throughput requirements assessed against FastConnect vs. IPSec VPN capabilities
- Granular Security Policies: NSGs drafted to limit inbound port 1521 to verified application server IPs only
- DNS Forwarding Matrix: Conditional forwarders for oraclevcn.com and corporate domains configured on both sides
- Redundancy Auditing: FastConnect lines on separate physical paths and routers — no single point of failure
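Two checklist items, the zero-overlap CIDR requirement and the port 1521 NSG restriction, can be verified automatically before deployment. This is an added example, not part of the original article or any Oracle tooling; the plan data is constructed, and the rule field names are an assumption modelled on the JSON shape of OCI NSG security rules.

```python
import ipaddress

# Constructed deployment plan; every value here is hypothetical sample data.
PLAN = {
    "vcn_cidr": "10.0.0.0/16",
    "corporate_cidrs": ["10.20.0.0/16", "172.16.0.0/12"],
    "app_servers": ["10.20.5.10/32", "10.20.5.11/32"],
    # Assumed rule shape: direction, protocol ("6" = TCP), source, tcpOptions.
    "nsg_rules": [
        {"direction": "INGRESS", "protocol": "6", "source": "10.20.5.10/32",
         "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
        {"direction": "INGRESS", "protocol": "6", "source": "10.20.0.0/16",
         "tcpOptions": {"destinationPortRange": {"min": 1500, "max": 1600}}},
    ],
}


def cidr_overlaps(vcn_cidr, other_cidrs):
    """Return every CIDR in other_cidrs that overlaps the planned VCN CIDR."""
    vcn = ipaddress.ip_network(vcn_cidr)
    return [c for c in other_cidrs if vcn.overlaps(ipaddress.ip_network(c))]


def exposes_port(rule, port):
    """True if an ingress rule admits TCP traffic to `port`."""
    if rule["direction"] != "INGRESS" or rule["protocol"] not in ("6", "all"):
        return False
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    # A rule with no port range applies to all ports.
    return rng is None or rng["min"] <= port <= rng["max"]


def overbroad_listener_rules(rules, allowed_sources, port=1521):
    """Sources that can reach `port` but are not within the allowed app servers."""
    allowed = [ipaddress.ip_network(a) for a in allowed_sources]
    findings = []
    for rule in rules:
        if not exposes_port(rule, port):
            continue
        try:
            src = ipaddress.ip_network(rule["source"])
        except ValueError:
            # Non-CIDR source (for example another NSG): needs manual review.
            findings.append(rule["source"])
            continue
        if not any(src.subnet_of(a) for a in allowed):
            findings.append(rule["source"])
    return findings
```

On the sample plan the second rule is flagged: it opens a port range that includes 1521 to the whole 10.20.0.0/16 network rather than to the two listed application servers.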
12 · 8 Networking Concepts Every ExaCC Architect Should Know
ExaCC relies on OCI networking to connect on-premises infrastructure with cloud control planes securely.
A VCN provides the core private, software-defined network layout for cloud-managed resources.
OCI configuration tools reach your databases directly — no public internet vectors.
The DRG is the central routing hub between your data center, VCNs, and external networks.
Dedicated, deterministic, high-bandwidth communication — bypassing the public internet entirely.
DNS resolution, backup routing, and authentication domains must align across environments.
Client traffic passes through firewalls, route tables, and cluster listeners before reaching database blocks.
ExaCC capability depends as much on hybrid network design as on compute and storage hardware.
Oracle Exadata Cloud@Customer isn't connected to Oracle Cloud by accident — it's connected by architecture. Every VCN, DRG, Private Endpoint, and FastConnect link exists to deliver cloud capabilities without sacrificing the security, performance, and control enterprises expect from their most critical databases.
13 · Frequently Asked Questions
Yes. Local databases continue running and serving application traffic normally. You won't be able to perform lifecycle operations (creating databases, scaling OCPUs, triggering cloud-managed backups) via the OCI console until connectivity is restored.
FastConnect provides a private physical circuit but does not natively encrypt traffic at the network layer. If compliance mandates encryption in transit, configure MACsec (Link Layer Security) or run an IPSec VPN tunnel over your FastConnect circuit.
The management network requires outbound access to specific Oracle Cloud addresses via HTTPS (port 443) and SSH (port 22) for infrastructure automation and log collection. Inbound management ports are handled securely through OCI Private Endpoints.
Yes. Using an OCI Dynamic Routing Gateway (DRG), you can route traffic from multiple VCNs within your OCI tenancy to your ExaCC deployment, provided there are no conflicting IP address allocations.
Exadata uses Oracle RAC. When an application targets the SCAN hostname, the SCAN listener distributes connection requests across available virtual IPs (VIPs) based on current CPU utilization and cluster load.
No. An Internet Gateway is not required. ExaCC infrastructure functions entirely within a private network ecosystem. Management and service connections route via the DRG or Service Gateways.
You need a hybrid approach. OCI Private DNS is required for specific internal OCI control plane endpoints, but integrates with corporate DNS via forwarders and listeners for seamless bidirectional name resolution.
The Client network handles application database traffic (typically port 1521). The Backup network is an isolated path for high-volume database backups to local storage or OCI Object Storage via a Service Gateway — keeping backup traffic off production channels.
ExaGuru Blog Series — Deep Dives into Enterprise Cloud Architecture. For further reading, explore our companion articles on OCI Networking Architectures, DRG Routing Profiles, and Optimizing FastConnect Performance for Oracle RAC.