Oracle Enterprise Landing Zone v1 Architecture

Oracle Enterprise Landing Zone (OELZ) v1 is a set of automated modules that help you configure your Oracle Cloud Infrastructure (OCI) cloud tenancy to prepare for moving your workloads to the cloud.

Important: OCI provides multiple landing zone implementations that you can choose from. See How Do I Decide Which Landing Zone to Use?

OELZ v1 provides the baseline architectural framework for your organization to deploy new projects and workloads in OCI. The landing zone consists of Terraform modules, in addition to architecture and implementation information. The landing zone helps you quickly and securely create a foundation for your cloud deployment based on Oracle recommendations, customer experience, and industry-standard best practices.

OELZ v1 creates infrastructure that consists of compartments, networking resources, and security at the infrastructure layer. Migrating or developing workloads isn't in scope for OELZ v1. However, setting up the right infrastructure is often the first step to successfully migrating workloads to the cloud or developing cloud-native workloads.

OELZ v1 is composed of two landing zone stacks. The first stack deploys the core infrastructure components. The second stack is the OELZ v1 - Workload Expansion, which deploys workload-specific architecture components forming the baseline for a workload deployment into the landing zone.

How to Deploy

You can deploy the landing zone as the OELZ v1 comprehensive version or as OELZ v1 - Lite.

Comprehensive Version

OELZ v1 includes implementation information and architectural guidance. Use OELZ v1 - Workload Expansion to deploy multiple workloads with separate networks for isolation and access, add private connectivity to your environment from on-premise locations by using OCI FastConnect or Site-to-Site VPN, and optionally federate with Microsoft Active Directory.

Core infrastructure components: To deploy the core infrastructure components, install OELZ v1 as the first stack by using the OCI Console, Resource Manager, or the OCI Terraform provider.

The Terraform template for the core infrastructure components is available in GitHub: https://github.com/oracle-quickstart/oci-enterprise-scale-baseline-landing-zone

OELZ v1 - Workload Expansion: After you install the core infrastructure components, you can deploy the workload infrastructure components by installing OELZ v1 - Workload Expansion as the second stack by using the Console, Resource Manager, or the OCI Terraform provider.

The Terraform template for OELZ v1 - Workload Expansion is available in GitHub: https://github.com/oracle-quickstart/oci-esblz-workload-expansion

Oracle Enterprise Landing Zone v1 - Lite

OELZ v1 - Lite includes a limited set of functionality that lets you get started with OELZ v1. Install OELZ v1 - Lite from the Deploy a baseline Landing Zone Quickstarts card on the Console home page.

Primary Objectives

The primary objectives of OELZ v1 include the following items:

  • Reduce the time taken to onboard to OCI
  • Provide an architecturally strong foundation
  • Maintain the balance between flexibility to customize and prescriptive guidance, while the implementation evolves to your organization's needs

Key Design Principles

Key design principles for resiliency and security ensure that OELZ v1 deploys a strong foundation for your cloud environment.

Resiliency

A resilient cloud architecture helps you to avoid single points of failure for your cloud-based workloads.

At the infrastructure level, OCI provides physical and logical resources to help you design for resiliency, such as regions, availability domains, and fault domains.

Resiliency depends on the nature, architecture, and implementation of the workloads that you plan to deploy in OCI. For best practices, see Resilience and Continuous Availability of Oracle Cloud Infrastructure Services and Platform FAQ and Best practices for designing reliable and resilient cloud topologies.

Security

OELZ v1 follows these best practices for security design principles:

  • Design to mitigate attacks
    • Limit permissions based on requirements
    • Enforce network segmentation
  • Leverage cloud-native security controls
  • Use identity as primary access control
  • Accountability
  • Embrace automation
  • Focus on information protection
  • Design for resilience
    • Ongoing vigilance
    • Defense in depth
    • Defense at edge
    • Least privilege
  • Assume zero trust

For more information, see the security design principles in Best practices framework for Oracle Cloud Infrastructure.

Architecture Overview

OELZ v1 creates an architectural framework that's ready for you to launch new projects and workloads in OCI. To achieve this, you must run both the core infrastructure stack and the OELZ v1 - Workload Expansion stack.

Note: The OELZ v1 - Workload Expansion stack can't be deployed in standalone mode. Instead, deploy the core infrastructure stack first, and then deploy the OELZ v1 - Workload Expansion stack.

  • Compartments: Use compartments to organize and isolate your resources to make it easier to manage and secure access to them.
  • Tags: Use tags to organize and list resources based on your business needs.
  • Budgets and alerts: Use budgets to set soft limits on your OCI spending, and use alerts to let you know when you might exceed your budget.
  • Oracle Cloud Infrastructure Identity and Access Management (IAM): Use IAM to control access to your cloud resources in OCI.
  • Networking and connectivity: Create a virtual cloud network (VCN), subnets, and other networking and connectivity resources that are required to run your workloads and connect to the internet or your on-premises network.
  • Security: Enable a strong security posture by enabling security services such as Oracle Cloud Guard, OCI Vulnerability Scanning Service (Vulnerability Scanning), and OCI Bastion.

Compartments

Use compartments to organize and isolate your resources to make it easier to manage and secure access to them.

OELZ v1 creates a compartment structure for your organization. You control access to compartment by creating policies that specify the actions groups of users can take on the resources in those compartments. The following diagram shows the compartments that are created by OELZ v1. The components that are deployed by the OELZ v1 - Workload Expansion stack are noted.

Diagram showing the compartment structure created by OELZ v1.

The following information describes the compartments that are created by OELZ v1.

Compartment Name Hierarchy Level Description
Root - 0 Created when your tenancy is provisioned. Your root compartment holds all your cloud resources. Think of the root compartment similar to a root folder in a file system.
<Parent_compartment> Root/ 1

Parent compartment for OELZ v1.

You can choose a name for the parent compartment. OELZ v1 creates the parent compartment as the first level compartment under the root compartment (tenancy).

All other resources that are created by OELZ v1 are created in the parent compartment and its subcompartments. Think of the parent compartment as the container compartment for your landing zone deployment.

Common Infra Root/<Parent_compartment> 2 Contains resources related to network and security.
Network Root/<Parent_compartment>/Common Infra 3 Resources for networking and connectivity are created in this compartment. These resources include the virtual cloud network (VCN), subnets, gateways, and other related components.
Security Root/<Parent_compartment>/Common Infra 3 All resources related to security and monitoring are created in this compartment. Resources related to governance, such as logging, notifications, and events, are also created in this compartment.
Applications Root/<Parent_compartment> 2 Contains the workloads that you want to move to OCI.

<Workload 1> to <n>

Note: Deployed only with the Oracle Enterprise Landing Zone v1 - Workload Expansion stack

Root/<Parent_compartment>/Applications 3

One or more workload compartments. Create a separate workload compartment for each workload that you plan to run in OCI. Then, place all compute and storage resources for the applications in the associated workload compartment. Example resources include compute instances, block volumes, functions, and OCI Container Engine for Kubernetes (OKE) resources.

Provide the names for your workload compartments during the landing zone deployment. To make it easier to identify and manage your workloads, assign names to the workload compartment that describe the workloads that will run in the compartment.

Note that OELZ v1 creates the workload compartments, but does not create any workload-related resources.

Example Compartment Structure

If you wanted to deploy three workloads in OCI: a finance application, a human resources (HR) application, and a marketing application, the first step is to deploy the OELZ v1 modules, which create the foundation of your environment.

After you deploy the core infrastructure components, you run the OELZ v1 - Workload Expansion stack for your first workload, the finance application. You configure the relevant parameters and naming conventions according to your organization's policies. Then, you're ready to migrate the application.

For the remaining applications, you perform the same process of running the OELZ v1 - Workload Expansion stack and defining the relevant parameters needed for each application. When you're ready, you can migrate each application to the relevant environment.

This process gives you complete control and isolation over each application. The workload compartments can share common infrastructure resources such as identity domains, FastConnect, Cloud Guard targets, and so on.

Tags

OELZ v1 creates a basic tagging structure to help you manage your resources.

Tagging lets you define keys and values and associate them with resources. You can then use the tags to help you organize and list resources based on your business needs.

As part of OELZ v1 deployment, resources created by the landing zone are assigned tags for cost center and geographic location. You should define values for these tags that help you identify and separate resources based on your organization's workloads. We recommended that you map the cost center tag to a project or line of business that a workload supports. The geographic location should default to the OCI region where your workload runs.

Budgets and Alerts

OELZ v1 configures basic budgets and alerts to help you manage your resources.

A budget can be used to set soft limits on your OCI spending. You can set alerts on your budget to let you know when you might exceed your budget. You can view all your budgets and spending from one place in the Console.

OELZ v1 creates the necessary resources to use budgets and alerts, including a threshold metric for alerts and an email recipient to receive the alerts.

IAM

Use OCI Identity and Access Management (IAM) to control access to your cloud resources in OCI.

OELZ v1 creates IAM groups and policies that control access to the resources created by the landing zone. Optionally, with OELZ v1, you can federate with your organization's Microsoft Active Directory implementation.

We recommend that you create one or more break-glass users during your deployment, especially if you're using federation. Break-glass users are administrators who have emergency access to all OCI services and resources in the tenancy.

Non-Federated Setup

For non-federated users, OELZ v1 creates IAM groups and policies. For information about the IAM groups created by OELZ v1, see IAM Policies and Groups.

Federating with Microsoft Active Directory

With OELZ v1, you can optionally federate with Microsoft Active Directory.

Use the same group names in OCI as you use for Microsoft Active Directory. To do this, pass the Microsoft Active Directory group names as variables to the OELZ v1 Terraform module. The groups are created by the landing zone and mapped to your Microsoft Active Directory groups.

The following diagram shows the Microsoft Active Directory federation that OELZ v1 supports.

Diagram of the Microsoft Active Directory federation supported by the Oracle Enterprise Landing Zone v1.

For more information about federating with Microsoft Active Directory, see Federating with Microsoft Active Directory.

IAM Policies

For information about the IAM policies created by OELZ v1, see IAM Policies and Groups.

Networking and Connectivity

OELZ v1 helps you configure the network architecture for your organization's cloud deployment.

OELZ v1 creates a virtual cloud network (VCN) in the Network compartment. You can choose the name and IPv4 CIDR blocks for the VCN. We recommend that you use a single VCN with multiple subnets, and deploy each workload on its own subnet. This leads to better network isolation for your workloads. Ensure that you create the VCN with a large enough CIDR range for your workloads.

The following diagram shows the VCN that is created by OELZ v1. The components deployed by the OELZ v1 - Workload Expansion stack are noted.

Diagram showing the virtual cloud network that is created by OELZ v1.

Tip: If you plan to deploy a virtual appliance, we recommend that you manually create another VCN to host the virtual appliance.

Subnets

OELZ v1 creates public and private subnets within the VCN.

  • Subnet-Public: Public subnet to host all internet-facing servers and resources, including load balancers. This subnet must be secured with the correct Cloud Guard recipes and other security features described in Security.
  • Subnet-Shared Services: Private subnet to host all common or shared services that your organization uses. Depending on your applications, you must create security lists to allow the network traffic between servers in your cloud tenancy (east and west traffic) to enter and exit this subnet. Create security lists during deployment of your workloads.
  • Subnet Bastion Service: Private subnet to host the Bastion service. Bastion provides restricted and time-limited access to target resources that don't have public endpoints. Configuring bastions is important to ensure that your organization's cloud administrators can access resources that reside in private subnets.
  • Subnet - <Workload>: Deployed only with the OELZ v1 - Workload Expansion stack. This is a private subnet that you should use to host all resources needed by a specific workload, with the exception of databases. You can create multiple subnets, one for each workload.
  • Subnet - <Workload> - Database Services: Deployed only with the OELZ v1 - Workload Expansion stack. This is a private subnet to host database resources for your applications. You can create multiple subnets, one for each workload's database resources.

Gateways

OELZ v1 creates the gateways that your applications might need to connect with OCI services and the internet, plus the basic components to control access.

  • Internet gateway: Virtual router that connects the edge of the VCN with the internet to allow direct connectivity to the internet. OELZ v1 creates an internet gateway and the following components:
    • Security lists: Virtual firewalls that let you control ingress and egress traffic. OELZ v1 creates a security list associated with the internet gateway. The actual ingress and egress rules depend on your workloads and the traffic that you want to allow. Configure the ingress and egress rules when you move your workloads to OCI.

      Note: OELZ v1 creates stateful security lists. If you have a public-facing application or load balancer that requires you to support a large number of connections, we recommend that you create stateless security lists. For more information, see Stateful Versus Stateless Rules.

    • Route table: Used to map the traffic of a VCN from subnets through gateways to external destinations. OELZ v1 creates a route table associated with the internet gateway. You must create rules in the route table to allow necessary traffic to go to the internet gateway. The rules created depend on your workloads.

  • Network Address Translation (NAT) gateway: Gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections. OELZ v1 creates a NAT gateway for the landing zone deployment. It also creates a route table and route rule to route traffic from each of your workload compartments. The actual route rules created depend on your workloads. Create the rules when you move your workloads to OCI.
  • Private endpoints: Private IP address within your VCN that you can use to access a service within OCI. OELZ v1 creates private endpoints to access the following OCI services: Autonomous Database, Streaming, Data Safe, Data Catalog, Analytics Cloud, and Data Flow. We recommend that you use private endpoints if your workloads need to connect with any of these services.
  • Service gateway: Lets cloud resources without public IP addresses privately access Oracle services without the traffic going over the internet. OELZ v1 creates a service gateway. You must create service CIDR labels, route rules, and security rules for the service gateway when you move your workloads to OCI. The configuration depends on your workloads.

Connectivity

With OELZ v1, you can optionally configure dynamic routing gateways (DRGs) using Site-to-Site VPN or FastConnect.

  • Site-to-Site VPN: A site-to-site IPSec connection between your on-premises network and your VCN. Provide the IP address of your customer-premises equipment (CPE) to the landing zone Terraform module. Also provide the static routes for the IPSec connection.
  • FastConnect: A dedicated, private connection between your data center and OCI, using your choice of Oracle partners. In addition to selecting an Oracle partner, provide the following information:
    • FastConnect routing policy
    • Virtual circuit bandwidth shape
    • Virtual circuit cross connect mapping - customer Border Gateway Protocol (BGP) peering
    • Virtual circuit cross connect mapping - Oracle BGP peering
    • Virtual circuit customer autonomous system number (ASN)

Security

OELZ v1 helps you configure a security architecture for your organization's cloud deployment.

Security features are deployed in the Security compartment. Depending on your organization's structure, a cybersecurity or cloud platform team typically manages the security functions for your tenancy.

The following diagram shows the reference architecture for security features in OELZ v1.

Diagram showing the reference architecture for security features in OELZ v1.

As a starting point to secure your cloud environment in OCI, we recommend that you enable and use services such as Cloud Guard, Vulnerability Scanning, and Bastion. Customize the security architecture for your organization based on your organization's requirements.

Cloud Guard

Use Cloud Guard to manage the security of your cloud resources in alignment with Oracle best practices.

Cloud Guard is a cloud-native service that helps customers monitor, identify, achieve, and maintain a strong security posture in the Oracle Cloud. Use the service to examine your OCI resources for security weakness related to configuration, and your OCI operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions based on your configuration.

Use Oracle-managed recipes as the baseline starting point. Available recipes include:

  • OCI configuration detector recipe: Set of rules designed to detect resource configuration settings that could pose a security problem.
  • OCI activity detector recipe: Set of rules designed to detect actions on resources that could pose a security problem.
  • Responder recipe: Defines the action or set of actions to take in response to a problem that a detector has identified.

OELZ v1 implements security best practices monitoring by enabling Cloud Guard at the tenancy level. It also enables security posture monitoring of the parent compartment by using Oracle-managed configuration detector recipes and activity detector recipes.

Note: To avoid potential application outages from unexpected platform modification, responder recipes aren't enabled. We recommend that you apply responder recipes after reviewing and testing them for your organization.

Consider the following information:

  • Your Cloud Guard administrator should review the detector recipes and customize the scope with conditional groups as needed.
  • Before enabling the responder recipes and related policies, your Cloud Guard administrator should review them with the stakeholders of any existing applications.
  • You can create customer-managed responder recipes and detector recipes by cloning Oracle-managed recipes.

Vulnerability Scanning

Vulnerability and port scanning is enabled for the parent compartment of OELZ v1.

Vulnerability Scanning helps improve your security posture by routinely checking your cloud resources for potential vulnerabilities.

For information about the vulnerability sources and the platforms that the service detects vulnerabilities in, see Compute Targets.

The service also scans for ports in your compute instances that are unintentionally left open, might be a potential attack vector to your cloud resources, or enable hackers to exploit other vulnerabilities.

  • A network mapper searches your public IP addresses for open ports.
  • Agent-based scanning checks for open ports that aren't accessible from public IP addresses.

Your administrator can extend Vulnerability Scanning to the tenancy level by defining a scan target at the root compartment with a standard recipe.

Important: Because Windows scanning doesn't include Open Vulnerability and Assessment Language (OVAL) data, we recommend that you do not rely solely on Vulnerability Scanning to ensure your Windows instances are up to date and secure.

Prolonged Archiving of Audit Logs

Use retention rules to preserve OCI Audit logs for long-term data governance, regulatory compliance, and legal hold requirements.

Consider the following information:

  • By default, Audit logs are retained for 365 days. If your organization needs to meet compliance or other requirements, you can optionally archive Audit logs for a longer length of time by saving them in immutable storage written to OCI Object Storage and Archive Storage buckets with locked, time-bound retention rules.
  • You should deploy immutable Audit log archiving only when there is a strong business need to keep Audit logs for longer than the retention period.
  • Review (or unlock) the retention rule within 14 days before it is locked.
    • Locking a retention rule is an irreversible operation. Not even a tenancy administrator can delete a locked rule.
    • There is a mandatory 14-day delay before a rule is locked. This delay lets you thoroughly test, modify, or delete the rule or the rule lock before the rule is permanently locked.
    • A rule is active at the time of creation. The lock only controls whether the rule itself can be modified. After a rule is locked, only increases in the duration are allowed.
    • Object modification is prevented and the rule can only be deleted by deleting the bucket. A bucket must be empty before it can be deleted.
    • To avoid difficulties in cleaning up your testing environment, consider using a short retention period in non-production environments, such as one day.
  • By default, Oracle manages the keys that encrypt the Object Storage or Archive Storage buckets. If you want greater control over the lifecycle and use of your encryption keys, you can choose a key from a vault that you have access to. For more information, see Overview of Vault.
  • After the audit log bucket is created, you can manually enable the write access logs to meet the Center for Internet Security (CIS) Oracle Cloud Infrastructure Benchmark.
  • You can integrate logs with third-party security information and event management (SIEM) solutions using the Service Connector Hub and Streaming services. For examples, see Oracle Cloud Infrastructure logging plugin for Splunk and Move logs from Oracle Cloud Infrastructure into IBM QRadar.

Bastion

The Bastion service provides secured, session-based access to resources without public endpoints.

Bastions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. When connected, users can interact with the target OCI resource by using any software or protocol supported by SSH. For example, you can use the Microsoft Remote Desktop Protocol (RDP) to connect to a Windows host, or use Oracle Net Services to connect to a database.

Consider the following information:

  • A bastion is associated with a single virtual cloud network (VCN). You cannot create a bastion in one VCN, and then use it to access target resources in a different VCN.
  • Bastions, like most OCI resources, are subject to service limits. Request a service limit increase if needed, and consider subcompartments for your bastions as an alternative.

VCN Flow Logs

Use VCN Flow Logs to view details about traffic that passes through your VCN.

VCN Flow Logs help you audit traffic and troubleshoot your network controls. After you enable VCN Flow Logs, they record traffic for the virtual network interface cards (VNICs) attached to compute instances in the subnet.

Your operational teams can use the predefined VCN Flow Logs dashboard in OCI Logging Analytics, or create custom dashboards to meet your organization's specific needs.

Managing Terraform State

OELZ v1 in Resource Manager and OELZ v1 - Lite in the Console Quickstarts manage Terraform state inherently as part of each landing zone deployment.

You can store Terraform state within Object Storage if needed. For more information, see Using Object Storage for State Files.