How to deploy an Oracle APEX instance publicly through a custom URL domain using Oracle Cloud (OCI) load balancers
The problem
So, you've created your own Oracle APEX application instance on OCI using its Autonomous Database service. You can access and share the application using OCI's default URL that looks like this:
https://kfawejskfefk-rwesjdjnweidfjwe.adb.us-ashburn-1.oraclecloudapps.com/ords/r/apex/workspace-sign-in/administration-sign-in?session=32492384908239
Can we change this so that our users can access the APEX application on a custom vanity URL like: my-apex.farisdurrani.com?
The Key Solution: Load Balancer
Yes! The key is using a public application load balancer (LB) with a DNS that points our custom URL to the load balancer's public IP address.
We'll follow the steps mentioned in Oracle's blog post about this topic and additionally demonstrate the access on a real URL, show how to deploy the DNS records, create a self-signed certificate, and showcase a private URL access to the instance from a private OCI network.
Step 1: Create a VCN
In OCI (cloud.oracle.com), create a VCN with Internet Connectivity. Using the VCN Wizard is the easiest way to do this. This will create a public subnet and a private subnet for us to use.
Step 2: Create a public load balancer
Internet traffic should hit our public application load balancer (LB) before reaching our APEX instance.
In addition to providing a public IP address, the LB also serves to balance the traffic load across multiple instances and to secure the traffic against Layer 7 attacks using the Web Application Firewall if included (not in current scope).
Choose public access:
Choose public subnet:
Let the backend servers be empty as default:
Modify the health check policy to use:
- Protocol: HTTP
- Port: 443
- Status Code: 302
- URI
/
Modify the listener to use non-SSL HTTP 80 for now:
Leave the rest as default and create. Now we have a public load balancer with a non-HTTPS listener. We'll fix that soon.
Step 3: Create new Network Security Groups
We need to create two new Network Security Groups (NSG)--one for the load balancer (LB) and another for the autonomous database (ADB)--to allow the internet to access the load balancer, which in turn accesses the ADB.
Optionally, you can instead opt to modify the security lists instead.
NSG for LB
One simple NSG to allow access from everywhere on the internet to port 443.
NSG for ADB
One simple NSG to allow access from the public subnet CIDR range (10.0.0.0/24 in my case) to port 443.
Step 3: Create an APEX or APEX-included autonomous database
We create a new APEX autonomous database in OCI and select the APEX option as its Workload type.
It is possible to later upgrade the workload type to a Transaction Processing database without affecting the APEX instance.
It's not important, but we'll use 23ai as our version and using the minimum storage amount of 20 GB to save costs.
Importantly, select Private endpoint access only as the Network Access type so we can have a private IP address to use.
Alternatively, if you've already provisioned your autonomous database with Secure access from everywhere option, you can change the network type in the More actions menu.
Add the NSG created for this ADB. In the ADB page, under Autonomous Database information tab, go to Network > Network security groups. Click Edit.
Add the NSG for the ADB:
Now, we copy the database's private IP address:
Step 4: Add IP address to LB
Now, we add that private IP address to the LB we created. Back to the load balancer's details page, go to the Backend sets tab and click on the sole backend set.
We add a backend by selecting Add backends and putting in the database's private IP address (10.0.1.67 in my case) and port 443. Click Add.
Wait for the backend to finish updating and then wait a minute or two for the backend health to turn to Ok. This confirms the backend is able to connect to our database.
Troubleshoot: If this fails, check the health check of the backend set and the NSG settings.
Step 5: Add NSG to LB
Now, we'll add the NSG we created to the load balancer to allow the internet to connect to the load balancer.
In the LB page, under Details > Load balancer information > Network security groups, click Edit. Add the NSG we created for the LB.
Step 6: Create a self-signed SSL certificate
Now, we will create a self-signed SSL certificate to add to the load balancer and subsequently modify the listener to be an HTTPS listener.
Use the following command to create a temporary self-signed certificate.
Of course, users will see a warning that this certificate is not trusted but we assume you'll eventually get a trusted certificate.
openssl req -x509 -nodes -newkey rsa:2048 -keyout private.key -out certificate.crt -days 7
You may skip (press Enter) on all options to leave them as default.
This will create a temporary self-signed SSL certificate valid for 7 days in the form of two files: certificate.crt and private.key.
In the load balancer page, go to the Certificates and ciphers tab and under Load balancer managed certificates, click Add certificate.
Upload the following files to the following fields:
- SSL certificate:
certificate.crt - CA certificate:
certificate.crt - Private key:
private.key
Leave the private key passphrase as empty. Give a name and click Add certificate.
Step 7: Modify the listener to be an HTTPS listener
At the load balancer page, go to the Listeners tab and Edit the sole listener.
Update the following fields:
- Protocol: HTTPS
- Port: 443
- Use SSL: Yes
- Certificate resource: Load balancer managed certificate
- Certificate name: the certificate you created
Leave the rest as default. Click Save changes.
Now, you are able to go to the IP address (https://129.153.150.95 for me, make sure to add the https) and access the APEX instance through the LB. Note that there may be a warning due to our use of a self-signed SSL certificate.
Step 8: Add to DNS record
Finally, we'll add the load balancer's public IP address to our DNS records as an A record to give it a vanity custom URL. I have my own domain to test that I use in CloudFlare, so I'll add it here.
And voilà! I'm able to go to https://my-apex.farisdurrani.com and access the APEX instance.
Advanced: Private DNS and Load Balancer
Alternatively, if you want to set up a private DNS zone where only the internal network can access the LB through a private DNS record, you can use an OCI Private Load Balancer and an OCI DNS Private Zone.
Create a private LB in the same public subnet (the LB must be in a distinct subnet than the ADB subnet). Add the appropriate NSG, backend, and listener. The LB will only have a private IP address, copy that IP address.
Head over to Networking > DNS management > Private zones and create a new private zone (I choose my-apex-instance.com). Add the IP address as an A record to the zone. I choose the domain www.my-apex-instance.com.
Open a Cloud Shell instance, change the Network to the public subnet, and run curl -k https://www.my-apex-instance.com to verify connectivity to the APEX instance. Note that we need to add the insecure -k flag since we are using a self-signed certificate.
References
Safe harbor statement
The information provided on this channel/article/story is solely intended for informational purposes and cannot be used as a part of any contractual agreement. The content does not guarantee the delivery of any material, code, or functionality, and should not be the sole basis for making purchasing decisions. The postings on this site are my own and do not necessarily reflect the views or work of Oracle or Mythics, LLC.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Top comments (0)