Autonomous Database connection timeout from compute instances in custom subnet

We’re experiencing connection timeouts when trying to connect to an Autonomous Database from compute instances deployed in a custom subnet. The connection attempts hang and eventually time out after 60 seconds.

The Autonomous Database is configured with a private endpoint, and our compute instances are in the same VCN but a different subnet. Connection attempts using SQL*Plus fail:

sqlplus admin/password@adb_service
-- Error: ORA-12170: TNS:Connect timeout occurred

We’ve verified the tnsnames.ora configuration includes the correct private endpoint hostname, and the security list on the compute subnet allows egress traffic to all destinations. The subnet route table points to an Internet Gateway for default routing.

Is there a specific security list configuration or route table setup required for private endpoint association? What subnet and security list rules are needed for compute instances to access Autonomous Database via private endpoint?

Yes, you need the ingress rule on the ADB private endpoint subnet’s security list. For route tables, if both subnets are in the same VCN, local routing should work automatically. However, if you’ve customized route tables, ensure there’s no route blocking local VCN traffic. The default ‘local VCN’ route should handle traffic between subnets automatically, but custom route tables might override this. Check if your compute subnet’s route table has any conflicting routes that might be directing traffic away from the local VCN.

Here’s the complete solution for resolving Autonomous Database connection timeouts from compute instances using private endpoints:

1. Security List Configuration - Compute Subnet: The compute instance subnet’s security list needs an egress rule to allow database traffic to the Autonomous Database private endpoint subnet.

Egress Rule:

  Destination: <ADB-Private-Endpoint-Subnet-CIDR> (e.g., 10.0.2.0/24)
  Protocol: TCP
  Destination Port Range: 1521-1522
  Description: Allow ADB connections to private endpoint subnet

If using mutual TLS (mTLS), port 1522 is required. For TLS connections without wallet, port 1521 is sufficient. Including both ports (1521-1522) covers all connection types.

2. Security List Configuration - ADB Private Endpoint Subnet: This is the critical configuration often missed. The private endpoint subnet’s security list must have an ingress rule allowing traffic from the compute subnet.

Ingress Rule:

  Source: <Compute-Subnet-CIDR> (e.g., 10.0.1.0/24)
  Protocol: TCP
  Destination Port Range: 1521-1522
  Description: Allow database connections from compute subnet

Without this ingress rule, the private endpoint will reject connection attempts, causing timeouts.

3. Subnet and Route Table Setup: For subnets in the same VCN, local routing should work automatically. However, verify:

a) Both subnets are in the same VCN (check VCN OCID)

b) Route tables on both subnets include local VCN routes

Default route table configuration:

  Destination: <VCN-CIDR> (e.g., 10.0.0.0/16)
  Target: Local
  Description: Local VCN routing

If you’re using custom route tables, ensure they don’t override local VCN routing. The presence of a default route (0.0.0.0/0) to an Internet Gateway shouldn’t affect local VCN traffic, but verify no more specific routes conflict.

4. Private Endpoint Association Verification: Confirm the Autonomous Database is correctly associated with the private endpoint:

  • Navigate to Autonomous Database → Network
  • Verify ‘Access Type’ is set to ‘Private endpoint access only’
  • Note the ‘Private Endpoint Subnet’ OCID
  • Check ‘Private Endpoint IP Address’ (this is the IP your compute instances will connect to)

If the private endpoint isn’t properly configured, connections will always fail regardless of security list rules.

5. Connection String and TNS Configuration: Ensure your tnsnames.ora or connection string uses the private endpoint hostname:

  adb_service = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=<private-endpoint-hostname>)(PORT=1521))
    (CONNECT_DATA=(SERVICE_NAME=<service_name>))
  )

The private endpoint hostname is different from the public endpoint. Find it in the Autonomous Database connection details under ‘Private Endpoint’ section.

6. Network Security Groups (NSGs) - If Applicable: If your compute instances or ADB private endpoint use NSGs instead of security lists, configure similar rules in the NSGs:

Compute Instance NSG - Egress:

  Destination: <ADB-Private-Endpoint-Subnet-CIDR>
  Protocol: TCP
  Port: 1521-1522

ADB Private Endpoint NSG - Ingress:

  Source: <Compute-Subnet-CIDR>
  Protocol: TCP
  Port: 1521-1522

NSGs take precedence over security lists, so both must be configured if NSGs are attached.

7. Testing Connectivity: After configuring security lists and verifying route tables:

a) Test network connectivity from compute instance:

telnet <private-endpoint-ip> 1521
# Should connect successfully

b) Test TNS connectivity:

tnsping adb_service
# Should resolve and respond

c) Test database connection:

sqlplus admin/password@adb_service

8. Troubleshooting Persistent Timeouts: If connection timeouts persist:

  • Verify security list changes have propagated (can take 1-2 minutes)
  • Check if Network Security Groups are overriding security list rules
  • Confirm the private endpoint IP address matches the one in your connection string
  • Review VCN flow logs to identify where packets are being dropped
  • Ensure no firewall rules on the compute instance OS level block outbound port 1521/1522
  • Verify the Autonomous Database is in ‘Available’ state (not stopped or scaling)

9. Common Mistakes to Avoid:

  • Using public endpoint connection strings when private endpoint is configured
  • Forgetting to add ingress rules on the ADB private endpoint subnet (most common issue)
  • Mixing up subnet CIDRs in security list rules
  • Not including both ports 1521 and 1522 (some connection types require 1522)
  • Assuming ‘Allow All’ egress rules on compute subnet are sufficient (ingress rules on ADB subnet are still required)

The root cause of your connection timeout is almost certainly the missing ingress security list rule on the Autonomous Database private endpoint subnet. Adding this rule to allow TCP ports 1521-1522 from your compute subnet CIDR will resolve the timeout issue. The combination of proper security list configuration on both subnets, correct route table setup for local VCN routing, and verified private endpoint association will enable successful database connections from your compute instances.
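The following is an added example of mine, not code from this thread or from Oracle. It models the two-sided check the answer above walks through: for a packet from the compute instance to reach the private endpoint, some egress rule on the compute side must match the destination, and some ingress rule on the ADB side must match the source. It also models route lookup, so you can see why a 0.0.0.0/0 route to an Internet Gateway on the compute subnet does not capture intra-VCN traffic. The IPs (10.0.1.10 for the compute VNIC, 10.0.2.20 for the private endpoint), subnet CIDRs and rules are constructed to match the scenario in the question. Two OCI facts the model encodes: security list rules and NSG rules on a VNIC are evaluated together as a union (a packet passes if any rule in either set allows it), and every VCN has an implicit Local route covering its own CIDR, so only a route more specific than the VCN CIDR (for example, to a firewall's private IP) can divert traffic between two subnets of the same VCN.

```python
"""Offline model of OCI security-list/NSG evaluation and route lookup for an
Autonomous Database private-endpoint flow (added example, not OCI SDK code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One stateful security-list or NSG rule (a constructed model, not the OCI API object).
    For egress rules `cidr` is the destination; for ingress rules it is the source."""
    direction: str            # "egress" or "ingress"
    cidr: str
    protocol: str = "tcp"     # "tcp", "udp" or "all"
    port_min: int = 1
    port_max: int = 65535

    def matches(self, peer_ip: str, protocol: str, port: int) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr):
            return False
        # "All protocols" rules carry no port range; TCP/UDP rules must cover the port.
        return self.protocol == "all" or self.port_min <= port <= self.port_max


@dataclass
class Endpoint:
    """A VNIC: its private IP, its subnet CIDR, and the rules that apply to it."""
    ip: str
    subnet_cidr: str
    security_list_rules: list
    nsg_rules: list = field(default_factory=list)

    def allows(self, direction: str, peer_ip: str, protocol: str, port: int) -> bool:
        # OCI applies the union of the subnet's security lists and the VNIC's NSGs.
        for rule in list(self.security_list_rules) + list(self.nsg_rules):
            if rule.direction == direction and rule.matches(peer_ip, protocol, port):
                return True
        return False


def check_flow(src: Endpoint, dst: Endpoint, port: int, protocol: str = "tcp"):
    """Return (ok, problems): the flow needs egress at the source AND ingress at the
    destination. Stateful rules cover the return packets, so nothing else is needed."""
    problems = []
    if not src.allows("egress", dst.ip, protocol, port):
        problems.append(f"no egress rule on {src.subnet_cidr} to {dst.ip} {protocol}/{port}")
    if not dst.allows("ingress", src.ip, protocol, port):
        problems.append(f"no ingress rule on {dst.subnet_cidr} from {src.ip} {protocol}/{port}")
    return (not problems, problems)


def next_hop(route_rules, vcn_cidr: str, dst_ip: str):
    """Longest-prefix match over the subnet's route rules plus the implicit Local
    route for the VCN CIDR. route_rules is a list of (cidr, target) pairs."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(vcn_cidr), "LOCAL")]
    candidates += [(ipaddress.ip_network(cidr), target) for cidr, target in route_rules]
    hits = [(net, target) for net, target in candidates if ip in net]
    if not hits:
        return None
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]


# The asker's compute subnet: "Allow All Protocols to 0.0.0.0/0" egress and an
# Internet Gateway default route (constructed to match the question).
COMPUTE_ROUTES = [("0.0.0.0/0", "INTERNET_GATEWAY")]


def thread_scenario(fixed: bool):
    """Reproduce the thread: ADB subnet still on a default-style security list
    (SSH only) versus the same subnet with the 1521-1522 ingress rule added."""
    compute = Endpoint("10.0.1.10", "10.0.1.0/24",
                       [Rule("egress", "0.0.0.0/0", "all")])
    adb_rules = [Rule("ingress", "0.0.0.0/0", "tcp", 22, 22)]
    if fixed:
        adb_rules.append(Rule("ingress", "10.0.1.0/24", "tcp", 1521, 1522))
    adb = Endpoint("10.0.2.20", "10.0.2.0/24", adb_rules)
    return check_flow(compute, adb, 1522)


if __name__ == "__main__":
    print("before fix:", thread_scenario(fixed=False))
    print("after fix: ", thread_scenario(fixed=True))
    for dst in ("10.0.2.20", "8.8.8.8"):
        print(f"route to {dst}: {next_hop(COMPUTE_ROUTES, '10.0.0.0/16', dst)}")
```

Running it shows the asker's situation directly: the "Allow All" egress rule passes the first half of the check, the default-style security list on the ADB subnet fails the second half, and the route lookup for 10.0.2.20 resolves to Local regardless of the Internet Gateway default route. Putting the 1521-1522 ingress rule in an NSG attached to the private endpoint instead of the subnet's security list (the `nsg_rules` field) passes the check just the same, because the two rule sets are unioned.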

I checked the security lists and our compute subnet has ‘Allow All Protocols to 0.0.0.0/0’ for egress, which should cover port 1521 to the ADB subnet. However, I’m not sure about the ADB private endpoint subnet’s security list. Where do I find the subnet associated with the private endpoint? Is it automatically created when the private endpoint is configured?

When you create a private endpoint for Autonomous Database, you specify the subnet where the endpoint should be created. This subnet’s security list needs ingress rules allowing traffic from your compute subnet. Navigate to your Autonomous Database → Network → Private Endpoint Details to find the subnet OCID. Then check that subnet’s security list for the required ingress rules on port 1521/1522. Also verify the route table association - the compute subnet might need a local route or specific route to the ADB subnet if they’re in different route domains.