If you're experiencing issues with your AWS services, then please refer to the AWS Health Dashboard. You can find the overall status of ongoing outages, the health of AWS services, and the latest updates from AWS engineers.
Accessing AWS Managed Services from ODB Network Using Amazon VPC Lattice
This guide walks through how to connect an existing Oracle Database@AWS (ODB) network to AWS managed services using Amazon VPC Lattice resource connectivity. CloudWatch Logs is used as the example service, but the same pattern applies to any AWS service that supports VPC endpoints. Note that this setup is not required for S3 as it has an existing AWS managed service integration that can be enabled during ODB network creation.
Overview
Oracle Database@AWS (ODB) brings Oracle Exadata infrastructure into AWS, but the ODB network is an isolated environment - Exadata VMs cannot reach AWS service endpoints by default, even when the ODB network is connected to a customer VPC via ODB peering. Peering provides connectivity between VPC address space and ODB, but it does not extend access to VPC endpoints. This means services like CloudWatch Logs, Secrets Manager, or KMS remain unreachable from Exadata regardless of how the ODB network is peered.
Amazon VPC Lattice resource connectivity closes that gap. The approach works by placing a VPC endpoint for the target AWS service in a customer-managed VPC, then making it reachable from the ODB network through a Lattice service network and resource configuration. ODB networks come with a built-in Lattice service network and a corresponding service network endpoint - when a resource configuration is associated with that service network, it becomes reachable from Exadata VMs through the endpoint.
That endpoint is assigned an IP from the AWS-managed 129.224.0.0/20 range - address space that is separate from the customer-assigned ODB network CIDR. It uses public IP addresses but is not internet-routable; it is only locally reachable from within the ODB network. The OCI-side steps at the end of this guide configure DNS and security group rules to steer Exadata traffic to that IP.
Prerequisites
- An ODB network already deployed. The ODB network automatically creates a VPC Lattice service network and a service network endpoint - you will need their IDs in Step 3.
- A customer-managed VPC in the same region with at least one subnet in the same Availability Zone as the ODB network.
- Permissions to create VPC endpoints, VPC Lattice resources, and access to the OCI Console for the VCN backing the ODB network.
Step 1 - Create a VPC Endpoint for CloudWatch Logs
Create an interface VPC endpoint for CloudWatch Logs in your customer-managed VPC. At least one subnet should overlap with the Availability Zone of the ODB network to minimize cross-AZ traffic. Private DNS is optional unless you plan to use this endpoint for local VPC resources as well.
aws ec2 create-vpc-endpoint \ --vpc-id vpc-0abc123456789 \ --vpc-endpoint-type Interface \ --service-name com.amazonaws.us-east-1.logs \ --subnet-ids subnet-0123456789abcdef0 \ --security-group-ids sg-0123456789abcdef0 \ --private-dns-enabled \ --region us-east-1
After the endpoint reaches available state, note the VPCE hostname — specifically the one prefixed with vpce- that resolves publicly. You will use this as the target for the resource configuration in Step 4.
vpce-0abc123...-xyz.logs.us-west-2.vpce.amazonaws.com
Step 2 - Create a Resource Gateway
Create a VPC Lattice resource gateway in your customer-managed VPC. The resource gateway is the ingress point through which Lattice forwards traffic to resources in your VPC (in our example CloudWatch VPC Endpoint).
Required: At least one subnet of the resource gateway must be in the same Availability Zone as the ODB network.
aws vpc-lattice create-resource-gateway \ --name my-resource-gateway \ --vpc-identifier vpc-0abc123456789 \ --subnet-ids subnet-0123456789abcdef0 \ --security-group-ids sg-0123456789abcdef0
Note the resource gateway ID from the output (e.g., rg-abc). You will use it in Step 4.
Step 3 - Locate the ODB Service Network and Endpoint IDs
When an ODB network is created, AWS automatically provisions a VPC Lattice service network and a service network endpoint. You need both IDs before proceeding.
In the AWS Console, navigate to Oracle Database@AWS → ODB networks → <your network> → Service integrations.
Record the following values from the Network configuration panel:
| Value | Where to find it | Example |
|---|---|---|
| Service network ID | Service network ARN, suffix after / | sn-abc |
| VPC endpoint ID | VPC endpoint id field | vpce-123 |
Step 4 - Create a Resource Configuration and Associate It with the ODB Service Network
Create a resource configuration of type SINGLE that targets the CloudWatch Logs VPC endpoint hostname captured in Step 1. Use the resource gateway ID from Step 2 (note, this is a different resource gateway to the one visible in your ODB network configuration section) .
aws vpc-lattice create-resource-configuration \ --name cw-logs-resource-config \ --type SINGLE \ --resource-gateway-identifier rg-abc \ --resource-configuration-definition '{ "dnsResource": { "domainName": "vpce-0abc123...-xyz.logs.us-west-2.vpce.amazonaws.com", "ipAddressType": "IPV4" } }' \ --port-ranges "443"
Note the resource configuration ID from the output (e.g., rcfg-123).
Now associate the resource configuration with the service network that belongs to the ODB network. Private DNS is not required here.
aws vpc-lattice create-service-network-resource-association \ --resource-configuration-identifier rcfg-123 \ --service-network-identifier sn-abc \ --no-private-dns-enabled
Step 5 - Identify the Lattice DNS Hostname for the Resource Configuration
The ODB service network endpoint exposes a unique DNS hostname for each resource configuration associated with it. You need this hostname to resolve the IP address that Exadata will send traffic to.
In the AWS Console, navigate to VPC → Endpoints, filter by the ODB endpoint ID (vpce-123), then open the Associations tab. Filter associations by the resource configuration ARN (rcfg-123) to find the specific DNS name:
vpce-def-snra-123.rcfg-123.123ccc.vpc-lattice.rsc.us-west2.on.aws
Step 6 - Resolve the Lattice Hostname to an IP Address
From any host with DNS access, resolve the hostname. The returned IP will be in the AWS-managed 129.224.0.0/20 range — this is the address Exadata VMs will send traffic to.
dig vpce-def-snra-123.rcfg-123.123ccc.vpc-lattice.rsc.us-west2.on.aws +short 129.224.15.130
Note this IP address - you will use it in the next two steps on the OCI side.
Step 7 - Configure a Private DNS Zone in OCI
The following steps are performed in the OCI Console against the VCN that represents the ODB network on the AWS side.
Create a private hosted zone matching the AWS service domain (logs.us-west-2.amazonaws.com) and add an A record at the zone apex pointing to the IP address resolved in Step 6.
| Field | Value |
|---|---|
| Zone name | logs.us-west-2.amazonaws.com |
| Record type | A |
| TTL | 60 |
| RDATA | 129.224.15.130 |
This causes any CloudWatch Logs API call originating from Exadata VMs to resolve to the Lattice resource association IP, routing the traffic through the service network to your VPC endpoint rather than attempting to reach the public internet.
Step 8 - Create a Network Security Group in OCI to Allow Egress
By default, Exadata VMs do not have outbound access to the 129.224.0.0/20 range. You must create a new Network Security Group (NSG) and associate it with your Exadata VMs.
Important: Do not modify existing NSGs. They are managed by ODB automation and any manual changes will be overwritten.
Add the following egress security rule to the new NSG:
| Direction | Destination Type | Destination | Protocol | Destination Port | Description |
|---|---|---|---|---|---|
| Egress | CIDR | 129.224.15.130/32 | TCP | 443 | Allow traffic to AWS services via Service Network Endpoint |
Associate the new NSG with the Exadata VM cluster VNICs. Exadata will now be able to send HTTPS traffic to CloudWatch Logs through the Lattice path.
Summary
The complete traffic path from Oracle Exadata to Amazon CloudWatch Logs is:
Oracle Exadata VM
→ OCI NSG (egress allowed to 129.224.15.130/32 on port 443)
→ OCI Private DNS resolves logs.us-west-2.amazonaws.com → 129.224.15.130
→ ODB Service Network Endpoint (vpce-123, in AWS-managed 129.224.0.0/20 range)
→ VPC Lattice Service Network
→ Resource Configuration (rcfg-123, targeting VPCE DNS hostname)
→ Resource Gateway (rg-abc, in customer-managed VPC)
→ VPC Endpoint for CloudWatch Logs
→ Amazon CloudWatch Logs
This pattern is reusable for any AWS service that supports interface VPC endpoints. Replace the CloudWatch Logs service name and VPCE hostname with those of the target service, and repeat Steps 1 and 4–8 accordingly.
- Language
- English
