Planning an Environment
This topic describes the features of environments that you should consider before you create an environment. You create environments in an environment family.
Environments in an environment family share certain characteristics. Before you plan your environment, see Planning an Environment Family.
About Environment Types
In the environment family, you can create both production and non-production environments (test and development). Each Fusion Applications subscription allows one production environment and one test environment. In addition, you can order non-production development environments.
Production environment
The production environment supports your day-to-day real-time business operations by authorized users. An environment family is allotted one production environment to provision.
Non-production environments
- Test environment
The test environment is typically used for staging before application deployment to production and for validation of maintenance updates before the same maintenance is applied to the production environment. An environment family is allotted one test environment to provision.
- Development (also referred to as Additional Test Environment or ATE)
Development environments are typically used as individual or collaborative development sandboxes for developing extensions (such as reporting, pages, and interfaces) or integrations with other applications. You must order the number of development environments needed by your organization.
The following table summarizes characteristics of the three environment types:
Feature | Production | Test | Development/ATE |
---|---|---|---|
Workload type | Production | Non-production | Non-production |
Typical usage | Production workloads for business users | | |
Typical user | Business user | Development user | Development user |
Purchase requirement | Included with the Fusion Applications purchase | 1 (and only 1) test environment is included with every Fusion Applications production environment | |
Limit | One per environment family | One per environment family | Limit based on the number purchased |
Provisioning behavior and dependencies | | | |
Default maintenance cadence | Production cadence. See Types of Maintenance and Schedules for definitions of the production and non-production cadences. | Non-production cadence | Non-production cadence |
Concurrent upgrade behavior | 1st or 3rd weekend based on custom selection | 1st or 3rd weekend based on custom selection | 1st or 3rd weekend based on custom selection |
Environment refresh | Self-service refresh not supported | Self-service refresh supported from any source environment within the environment family (see Refreshing an Environment) | Self-service refresh supported from any source environment within the environment family (see Refreshing an Environment) |
Integrated services | Provisioned | Some services provisioned | Some services provisioned |
Termination | Self-service termination not allowed after the environment is live. To terminate, file a service request. | Self-service termination not allowed after production is live. To terminate, file a service request. | Self-service termination allowed |
Choosing a Compartment
A compartment is a logical grouping of resources for controlling access to those resources. Placing resources in compartments allows you to restrict access to as granular a level as you require.
For example, if your tenancy has multiple environments, you can restrict access to each family to different groups of users by placing them in different compartments. You then write policy to allow access based on the group and compartment. If you don't specifically choose a compartment (or if your organization has not set up multiple compartments) the environment family will be created directly in the tenancy (also called the root compartment). If your organization chooses to set up compartments later, you can move the environment family to a different compartment.
Also, if you plan to have different administrators for your environment families and your environments, you can place each of them in different compartments to create different access policies for each. For more information about planning compartments, see Learn Best Practices for Setting Up Your Tenancy.
You have two options for when you create the compartment:
- Create the compartment before you create the environment.
If you create the compartment first, then you can create the Fusion Applications environment in the compartment. The benefit of this approach is that the supporting resources that are created with the environment, such as the Oracle Digital Assistant instance, are also created in the compartment.
To create the environment in the compartment, choose it during environment creation.
- Create the compartment after you create the environment.
If you have already created the environment, it is easy to move it to another compartment. See To move an environment to a different compartment. You will also need to move the instances of the integrated applications and other related resources to the same compartment.
Here is the basic procedure for creating a compartment. For full details on working with compartments, see Managing Compartments.
- Open the navigation menu and click Identity & Security. Under Identity, click Compartments. The list of the compartments is displayed.
- Navigate to the compartment in which you want to create the new compartment:
  - To create the compartment in the tenancy (root compartment), click Create Compartment.
  - Otherwise, click through the hierarchy of compartments until you reach the detail page of the compartment in which you want to create the compartment. On the Compartment Details page, click Create Compartment.
- Enter the following:
  - Name: A unique name for the compartment (maximum 100 characters, including letters, numbers, periods, hyphens, and underscores). The name must be unique across all the compartments in your tenancy. Avoid entering confidential information.
  - Description: A friendly description. You can change this later if you want to.
  - Parent Compartment: The compartment you are in is displayed. To choose another compartment to create this compartment in, select it from the list.
  - Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
- Click Create Compartment.
Understanding Language Packs
When you create an environment, English is installed by default. If you want to add more languages, you can select up to two languages when you provision the environment, or you can add them later. Adding a language pack does not impact the availability of the environment. Each language pack installed in an environment can slightly increase update duration. After you add a language pack, it can't be removed.
Understanding Environment Network Access Control Rules
You can set up network access control rules to limit the network traffic that is allowed to reach an environment. The rules can be created to:
- Allow only traffic from specified CIDR block ranges.
- Allow only traffic from specified Oracle Cloud Infrastructure virtual cloud networks (VCNs).
- Allow only traffic from specified CIDR block ranges within specified OCI VCNs.
After you set up the rules, traffic originating outside a specified allowed source is blocked. If you don't set up any rules for the environment, then all network traffic is allowed to reach the environment. The network access control rules only support defining allowed traffic. You can't set up a block list. You can set up the network access control list when you create the environment, or you can edit it after environment creation.
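The rule semantics described above, as an added example (a simplified model written for this page, not Oracle's implementation). The `AllowRule` shape, the function names, and the VCN names are assumptions; the point is that an empty rule list admits everything, and a configured list blocks whatever it does not match.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AllowRule:
    """Hypothetical rule shape: CIDR only, VCN only, or a CIDR within a VCN."""
    cidr: Optional[str] = None
    vcn_id: Optional[str] = None


def is_allowed(rules, source_ip, source_vcn=None):
    """True if traffic from source_ip (arriving via source_vcn, if any) gets through."""
    if not rules:
        return True  # no rules configured: all network traffic is allowed
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        # Assumption of this model: a rule without a VCN does not constrain the VCN.
        vcn_ok = rule.vcn_id is None or rule.vcn_id == source_vcn
        cidr_ok = rule.cidr is None or ip in ipaddress.ip_network(rule.cidr)
        if vcn_ok and cidr_ok:
            return True
    return False  # allow-list semantics: anything unmatched is blocked


def review_rules(rules):
    """Flag rule sets that leave the environment reachable from any source."""
    if not rules:
        return ["no rules: all network traffic can reach the environment"]
    findings = []
    for i, rule in enumerate(rules):
        if rule.cidr is None and rule.vcn_id is None:
            findings.append(f"rule {i}: empty rule matches every source")
        elif rule.vcn_id is None and ipaddress.ip_network(rule.cidr).prefixlen == 0:
            findings.append(f"rule {i}: {rule.cidr} matches every address")
    return findings


# Constructed sample rules; the VCN names are placeholders, not real OCIDs.
RULES = [
    AllowRule(cidr="203.0.113.0/24"),
    AllowRule(vcn_id="vcn-integration"),
    AllowRule(cidr="10.0.1.0/24", vcn_id="vcn-office"),
]

if __name__ == "__main__":
    for ip, vcn in [("203.0.113.7", None), ("198.51.100.9", None),
                    ("10.0.2.5", "vcn-office")]:
        print(ip, vcn, is_allowed(RULES, ip, vcn))
    print(review_rules([]))
```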
You can also set up location-based access in your Fusion Applications. For more information, see Location-Based Access.
Securing Network Access to a Fusion Applications Environment
Users can access Fusion Applications from the internet as long as they have valid user credentials. However, to do so you might need to update local network settings to allow traffic to the IP address ranges of the OCI region where the environment is provisioned. Along with allowing traffic to the primary OCI region, you might also need to allow-list IP address ranges of the Disaster Recovery OCI region to which your production environments will be failed over in a disaster situation. Note the following:
- To identify your disaster recovery (DR) region, see Disaster Recovery Support.
- For information on public IP address ranges for services that are deployed in Oracle Cloud Infrastructure, see IP Address Ranges. Use the IP addresses file to find the CIDR block ranges for the environment's primary and DR regions.
Tip: The IP addresses file contains several types of CIDR IPs. You only need to add the CIDR IPs with the "OSN" tag.
After identifying the IP address ranges of the primary and DR regions, update the following on-premises configurations:
- Firewall rule for egress
- Network routing configuration (for example, VPN configurations)
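One way to build the egress allow-list from the IP addresses file, as an added example (not Oracle's tooling). It assumes the file is JSON laid out as regions, each with a list of CIDRs and their tags; the sample data, region names, and function name are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the assumed layout of the IP addresses file
# (regions -> cidrs -> tags). Addresses are reserved documentation/test
# ranges, not real Oracle ranges.
SAMPLE_FILE = json.loads("""
{"regions": [
  {"region": "us-phoenix-1", "cidrs": [
    {"cidr": "192.0.2.0/25",    "tags": ["OSN"]},
    {"cidr": "192.0.2.128/25",  "tags": ["OSN", "OBJECT_STORAGE"]},
    {"cidr": "198.51.100.0/25", "tags": ["OCI"]}]},
  {"region": "us-ashburn-1", "cidrs": [
    {"cidr": "203.0.113.0/24",    "tags": ["OSN"]},
    {"cidr": "198.51.100.128/25", "tags": ["OCI"]}]},
  {"region": "eu-frankfurt-1", "cidrs": [
    {"cidr": "198.18.0.0/24", "tags": ["OSN"]}]}
]}
""")


def osn_cidrs(ip_ranges, regions, tag="OSN"):
    """Return collapsed CIDRs carrying `tag` for the given regions.

    Raises LookupError if a requested region has no tagged CIDRs, so a
    mistyped DR region cannot silently yield an incomplete allow-list.
    """
    found = {region: [] for region in regions}
    for entry in ip_ranges.get("regions", []):
        if entry.get("region") not in found:
            continue
        for item in entry.get("cidrs", []):
            if tag in item.get("tags", []):
                found[entry["region"]].append(ipaddress.ip_network(item["cidr"]))
    missing = sorted(r for r, nets in found.items() if not nets)
    if missing:
        raise LookupError(f"no {tag} CIDRs found for: {', '.join(missing)}")
    all_nets = [net for nets in found.values() for net in nets]
    return [str(net) for net in ipaddress.collapse_addresses(all_nets)]


if __name__ == "__main__":
    # Sample region names; substitute your environment's primary and DR regions.
    for cidr in osn_cidrs(SAMPLE_FILE, ["us-phoenix-1", "us-ashburn-1"]):
        print("allow egress to", cidr)
```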
Also, if you have set up your Fusion Applications for outbound integration with other services (for example, transmitting files and reports to external destinations, and external integrations such as Oracle Integration Cloud), you might need to perform the following network configurations:
- Update Allow-lists for Transferring Files and External Integrations:
If the destination network or server of your external integration is using IP allow-listing to restrict access from only a trusted source, you must update the settings on the destination server to allow Oracle's DR region gateway IPs to continue receiving these transmissions. Common application flows where you might have Oracle IP allow-listing include:
- Oracle Fusion Payments Payment and Positive Pay file delivery (SFTP / HTTPS)
- Oracle Cash Management bank statement download (SFTP / HTTPS)
- Oracle Fusion Expenses corporate card transactions file upload (SFTP / HTTPS)
- Oracle Fusion Payments check printing (HTTPS)
- ERP Integration callback service (HTTPS)
- BI Publisher printer delivery option (HTTPS)
- BI Publisher report delivery option (SFTP)
- HCM Extracts delivery (SFTP)
- Update Ports for Transmitting Files:
If you're transmitting files to external destinations in any of the above scenarios, you must also verify the port settings for these transmissions. Ensure that the ports are within this list: 22, 80, 443, 631, 993.
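A check of outbound delivery destinations against the port list above, as an added example (not part of the Oracle documentation). The destination names, hostnames, and function names are constructed, and the scheme-to-default-port mapping uses the standard defaults rather than anything stated on this page.

```python
from urllib.parse import urlsplit

ALLOWED_PORTS = {22, 80, 443, 631, 993}  # the list given in the text above
# Standard default ports per URL scheme (an assumption added here, not from the page).
DEFAULT_PORTS = {"sftp": 22, "http": 80, "https": 443, "ipp": 631, "imaps": 993}


def effective_port(url):
    """Port a delivery URL resolves to: explicit port, else scheme default, else None."""
    parts = urlsplit(url)
    if parts.port is not None:  # raises ValueError on a malformed port
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def audit_destinations(destinations):
    """Return (name, port, reason) for every destination outside ALLOWED_PORTS."""
    problems = []
    for name, url in sorted(destinations.items()):
        try:
            port = effective_port(url)
        except ValueError:
            problems.append((name, None, "malformed port"))
            continue
        if port is None:
            problems.append((name, None, "no explicit port and unknown scheme"))
        elif port not in ALLOWED_PORTS:
            problems.append((name, port, "port not in allowed list"))
    return problems


# Constructed sample destinations; hostnames and flow names are placeholders.
DESTINATIONS = {
    "positive-pay-file": "sftp://sftp.bank.example:2222/inbound",
    "bank-statements": "https://api.bank.example/statements",
    "hcm-extracts": "sftp://hr.vendor.example/out",
    "erp-callback": "https://callback.corp.example:8443/erp",
    "bip-printer": "https://print.corp.example:631/printers/ap",
}

if __name__ == "__main__":
    for name, port, reason in audit_destinations(DESTINATIONS):
        print(f"{name}: {reason} ({port})")
```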
To further control access to your environment, Fusion Applications supports the following options. These options are not mutually exclusive and can be used together:
- Access Control List (ACL): Allow access to your environment only from selected public IPs (CIDRs) or virtual cloud networks (VCNs) using an Access Control List (ACL). You can set up the network access control rules at the time you create the environment or you can edit them later.
- Access privately from on-premises networks: Allow access to your environment from your on-premises network without going through the internet. This option requires setting up a secure VPN connection between your on-premises network and a VCN in your tenancy. For more information, see Securely Accessing Fusion Applications.
- Location Based Access Control (LBAC): Allow users access to tasks and data based on their roles and computer IP addresses. This option is configured on your running application. For details, see Overview of Location-Based Access.