Preparing Your Tenancy

Before the Compute Cloud@Customer infrastructure is connected to Oracle Cloud Infrastructure, the tenancy administrator must set up compartments, create policies, and configure a virtual cloud network. This setup is used to connect the Compute Cloud@Customer infrastructure to Oracle Cloud Infrastructure.

You can prepare your tenancy before the Compute Cloud@Customer rack is delivered to your site.

If working in the Oracle Cloud Infrastructure environment is new to you, consider reviewing Learn Best Practices for Setting Up Your Tenancy.

Prepare your tenancy by completing the activities described in the following sections.

You can also watch this Video: Prepare your Oracle Cloud Infrastructure Tenancy for Compute Cloud@Customer.

Note

The tasks you perform in this section are required to establish the connection between OCI and the Compute Cloud@Customer infrastructure. You need to perform similar administrative tasks, beyond what is described here, before you can create resources such as instances on Compute Cloud@Customer infrastructure. Most of the additional administrative tasks can be performed after you prepare your tenancy, or after the installation. See Postinstallation Administration.

Establish a Federated Identity Provider

Before Compute Cloud@Customer is installed, your tenancy must be set up to use a federated identity provider to manage authentication.

When Oracle installs Compute Cloud@Customer, Oracle configures the Compute Cloud@Customer infrastructure to use the same federated identity provider. This enables you to use the same credentials to access Oracle Cloud Infrastructure and Compute Cloud@Customer.

If your tenancy is already configured to use a federated identity provider, including Oracle's Identity Cloud Service, you're all set. Share your federated identity information with your Oracle representative. Otherwise, work with your Oracle representative to establish a federated identity provider.

You can use an external identity provider or Oracle Identity Cloud Service. The type of identity provider you can use depends on the type of tenancy you have (a tenancy with IAM identity domains or without IAM identity domains).

For more information, see these resources:

Important

If you change your identity provider configuration in Oracle Cloud Infrastructure, Oracle must make the same administrative changes on Compute Cloud@Customer. In this situation, open an Oracle service request to request help. See Create a service request.

For information about securing IAM Federation, see IAM Federation.

Create Users and Groups

To prepare your Oracle Cloud Infrastructure tenancy, identify users and create groups for the people in your organization who administer the Compute Cloud@Customer infrastructure.

Perform this task before Compute Cloud@Customer is connected to Oracle Cloud Infrastructure.

  1. Identify your tenancy administrator.
  2. Create at least one group with users who can perform these administrative tasks:
    • Create, update, and delete Compute Cloud@Customer infrastructures.
    • Create, update, and delete Compute Cloud@Customer upgrade schedules.

The groups will be included in policies you define later. See Add Required Policies.

Create or Identify Compartments

When Compute Cloud@Customer is connected to Oracle Cloud Infrastructure, one or more compartments are needed.

A compartment is a collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources. You use them to separate resources for the purposes of controlling access (using policies), and isolation (separating the resources for one project or business unit from another).

For Compute Cloud@Customer, at least one compartment is needed for the following items:

  • Compute Cloud@Customer infrastructure connection to Oracle Cloud Infrastructure.
  • The VCN you create for the connection to Oracle Cloud Infrastructure.

Compute Cloud@Customer can be connected to your tenancy (root compartment), to an existing compartment, or to a new compartment. You can use multiple compartments. For example, you can use one compartment for the infrastructure connection, and another for the VCN.

  1. Create or choose a compartment based on how you use compartments to control access to resources.

    If you plan to create a new compartment, sign in to OCI and use the Oracle Cloud Console, or use the OCI CLI or OCI API to create the compartment in your tenancy.

    Note

    Compartments used for Compute Cloud@Customer, including compartments for the installation, are created and managed in OCI. Compartments aren't managed in the Compute Cloud@Customer infrastructure. All compartments in the tenancy are automatically synchronized to the Compute Cloud@Customer infrastructure, approximately every ten minutes.

    For an introduction to compartments, and for instructions for managing compartments, see Managing Compartments.

Add Required Policies

Certain IAM policies must be configured before Compute Cloud@Customer is connected to your tenancy.

  1. Configure the following policies in your tenancy.

    For information about how to work with policies, see Managing Access to Resources.

    If your tenancy has Identity Domains, you can instead grant the Compute Cloud@Customer infrastructure access through a dynamic group, rather than through an any-user statement with a principal condition. To determine whether your tenancy has Identity Domains, see Determining the Tenancy Type.

    Note

    Different policy statements can be constructed to achieve the same level of access to resources. The following list of policies provide examples. You can use the example, or create policy variations, as long as the policies allow access to the correct user or group for the particular resource.

    Policy 1 – Allows users to create, read, update, and delete Compute Cloud@Customer infrastructures and upgrade schedules.
    Specify an IAM group that includes only the users who require permissions to manage infrastructures and upgrade schedules. Administration of these resources is critical to the functionality of Compute Cloud@Customer and must not be granted to unauthorized users. If all of your infrastructures live in one compartment, you can narrow the scope from in tenancy to in compartment <compartment_name>.
    Policy example for IAM with or without Identity Domains:
    allow group <group_name> to manage ccc-family in tenancy
    Policy 2 – Allows Compute Cloud@Customer to use your IAM data for identity and access management on Compute Cloud@Customer resources.
    Every permission in this policy is an inspect or read permission; do not widen them to manage. In the any-user form, the where clause is what limits the grant: both conditions must match, so only the single infrastructure whose OCID you paste is authorized. Copy the OCID exactly as the Console displays it. An OCID with a typo or stray whitespace is still accepted as a valid policy, but the condition never matches and the infrastructure is never granted access.
    Policy example for IAM with or without Identity Domains:
    allow any-user to {COMPARTMENT_INSPECT, USER_INSPECT, GROUP_INSPECT, DYNAMIC_GROUP_INSPECT, POLICY_READ, TAG_NAMESPACE_INSPECT, USER_READ, TAG_DEFAULT_INSPECT, TAG_NAMESPACE_READ} in tenancy where all { request.principal.id='<ccc-infrastructure_OCID>', request.principal.type='cccinfrastructure' }
    Policy example for IAM with Identity Domains:
    allow dynamic-group <dynamic-group> to {COMPARTMENT_INSPECT, USER_INSPECT, GROUP_INSPECT, DYNAMIC_GROUP_INSPECT, POLICY_READ, TAG_NAMESPACE_INSPECT, USER_READ, TAG_DEFAULT_INSPECT, TAG_NAMESPACE_READ} in tenancy
    Policy 3 – Allows the Compute Cloud@Customer infrastructure service to send you notifications about upgrades. The request.principal.type condition restricts this grant to the notifier service principal.

    For more information about upgrade notifications and how to subscribe to receive them, see Subscribing to Upgrade Notifications.

    Policy example for IAM with or without Identity Domains:
    allow any-user to manage ons-topics in tenancy where request.principal.type='cccinfrastructurenotifier'

For information about Compute Cloud@Customer policies you can use to control access to Compute Cloud@Customer infrastructure and upgrade schedule operations, see Compute Cloud@Customer Policy Reference.
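The following Python script is an added example; it is not Oracle's code and not part of this page. It assembles the three policy statements above for either tenancy type, refuses an infrastructure OCID that would leave the Policy 2 where clause unmatched, checks that Policy 2 stays read-only, and builds the oci iam policy create command line (a real OCI CLI command; its --statements option takes a JSON array). The OCID shape that the validation regex assumes, the group and policy names, and the sample tenancy and infrastructure OCIDs are constructed placeholders. Nothing in the script contacts OCI.

```python
"""Build and sanity-check the policy statements from this page.

Added example, not Oracle's code. Produces Policy 1, 2 and 3 for a tenancy
with or without identity domains, refuses an infrastructure OCID that would
make Policy 2's where clause never match, checks that Policy 2 stays
read-only, and assembles the `oci iam policy create` command. Runs offline.
"""
import json
import re
import shlex
from typing import List, Optional

# Permissions Policy 2 grants, copied from the page. All are inspect/read.
IAM_READ_PERMS = [
    "COMPARTMENT_INSPECT", "USER_INSPECT", "GROUP_INSPECT",
    "DYNAMIC_GROUP_INSPECT", "POLICY_READ", "TAG_NAMESPACE_INSPECT",
    "USER_READ", "TAG_DEFAULT_INSPECT", "TAG_NAMESPACE_READ",
]

# Assumption: an infrastructure OCID has the usual OCID layout
# ocid1.<resource-type>.<realm>.<region>.<unique-id>, with resource type
# "cccinfrastructure" (the string the policy's principal.type test uses).
_INFRA_OCID = re.compile(
    r"^ocid1\.cccinfrastructure\.oc\d+\.[a-z0-9-]+\.[a-z0-9]{20,}$")


def validate_infra_ocid(ocid: str) -> bool:
    """True if ocid looks like a Compute Cloud@Customer infrastructure OCID.
    A placeholder, or an OCID with whitespace pasted into it, fails here
    rather than producing a policy whose where clause silently never matches."""
    return bool(_INFRA_OCID.match(ocid))


def policy_manage_infra(group: str, compartment: Optional[str] = None) -> str:
    """Policy 1: the admin group that may manage infrastructures and upgrade
    schedules. Scope is the tenancy unless a compartment name is given."""
    scope = f"compartment {compartment}" if compartment else "tenancy"
    return f"allow group {group} to manage ccc-family in {scope}"


def policy_iam_read(infra_ocid: Optional[str] = None,
                    dynamic_group: Optional[str] = None) -> str:
    """Policy 2: lets the infrastructure read IAM data. Pass infra_ocid for a
    tenancy without identity domains (any-user pinned by a where clause) or
    dynamic_group for a tenancy with identity domains."""
    perms = "{" + ", ".join(IAM_READ_PERMS) + "}"
    if dynamic_group:
        return f"allow dynamic-group {dynamic_group} to {perms} in tenancy"
    if not infra_ocid or not validate_infra_ocid(infra_ocid):
        raise ValueError(f"not a cccinfrastructure OCID: {infra_ocid!r}")
    return (f"allow any-user to {perms} in tenancy where all "
            f"{{ request.principal.id='{infra_ocid}', "
            f"request.principal.type='cccinfrastructure' }}")


def policy_notifier() -> str:
    """Policy 3: the upgrade notifier principal may manage ONS topics."""
    return ("allow any-user to manage ons-topics in tenancy "
            "where request.principal.type='cccinfrastructurenotifier'")


def is_read_only(statement: str) -> bool:
    """Least-privilege check for Policy 2 variants: every permission must be
    an *_INSPECT or *_READ permission, and an any-user grant must carry the
    request.principal.id condition that pins it to one infrastructure."""
    perms = re.search(r"\{([^}]*)\}", statement)
    if not perms:
        return False
    verbs_ok = all(p.strip().endswith(("_INSPECT", "_READ"))
                   for p in perms.group(1).split(","))
    pinned = "any-user" not in statement or "request.principal.id=" in statement
    return verbs_ok and pinned


def oci_create_policy_cmd(name: str, compartment_ocid: str,
                          statements: List[str], description: str) -> str:
    """The OCI CLI command that creates one policy holding all statements.
    --statements takes a JSON array; shlex.quote keeps it intact in a shell."""
    argv = ["oci", "iam", "policy", "create",
            "--compartment-id", compartment_ocid,
            "--name", name, "--description", description,
            "--statements", json.dumps(statements)]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample values; replace with your tenancy's own.
    tenancy = "ocid1.tenancy.oc1..aaaaaaaaexampletenancyocid"
    infra = "ocid1.cccinfrastructure.oc1.iad." + "a" * 24
    stmts = [policy_manage_infra("CCCAdmins"),
             policy_iam_read(infra_ocid=infra),
             policy_notifier()]
    assert is_read_only(stmts[1])
    print(oci_create_policy_cmd("ccc-tenancy-prep", tenancy, stmts,
                                "Compute Cloud@Customer preparation"))
```

Because every statement is scoped in tenancy, the policy must be created in the root compartment, which is why the tenancy OCID is passed as --compartment-id. The read-only check is the guard to keep in any automation around Policy 2: a copy-and-paste edit that turns an inspect permission into manage, or drops the principal condition from the any-user form, is exactly the kind of change that turns a service grant into a tenancy-wide one.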

Create a VCN and Subnet

Before Compute Cloud@Customer is connected to your tenancy, create a VCN with a subnet in the tenancy.

Infrastructures require the following network resources in the tenancy:

  1. One Virtual Cloud Network (VCN). See Creating a VCN. We recommend a small CIDR block, for example 192.168.100.0/29.
  2. For each infrastructure, create one subnet in the VCN. See Creating a subnet. For example, 192.168.100.0/30.
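The following Python script is an added example; it is not Oracle's code and not part of this page. It takes the recommended VCN CIDR and the number of infrastructures, carves one /30 subnet per infrastructure and reports how many addresses each leaves usable, and assembles the oci network vcn create and oci network subnet create commands (real OCI CLI commands; --cidr-block, --display-name and --vcn-id are their real options). The compartment OCID and display names are constructed placeholders, and the VCN OCID that the subnet commands need is left as a shell variable because it only exists once the VCN has been created. Nothing in the script contacts OCI.

```python
"""Plan the VCN and per-infrastructure subnets for Compute Cloud@Customer.

Added example, not Oracle's code. Checks that the VCN CIDR can hold one /30
subnet per infrastructure, reports the usable addresses each subnet leaves
after OCI's reserved addresses, and assembles the `oci network` commands
that create the resources. Runs offline; nothing here contacts OCI.
"""
import ipaddress
import shlex
from typing import List

# OCI reserves the first two and the last address of every subnet's CIDR.
RESERVED_PER_SUBNET = 3
MIN_SUBNET_PREFIX = 30  # OCI does not allow subnets smaller than /30


def plan_subnets(vcn_cidr: str, infra_count: int, prefix: int = 30) -> List[str]:
    """Carve one subnet of the given prefix length per infrastructure out of
    the VCN CIDR, lowest first. Raises ValueError when the CIDR has host bits
    set, the subnet would be smaller than /30, or the VCN cannot hold
    infra_count subnets (the page's /29 holds exactly two /30s)."""
    if prefix > MIN_SUBNET_PREFIX:
        raise ValueError(f"/{prefix} is smaller than the /30 minimum")
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)  # rejects 192.168.100.1/29
    available = list(vcn.subnets(new_prefix=prefix))   # raises if prefix < VCN's
    if infra_count > len(available):
        raise ValueError(f"{vcn_cidr} holds {len(available)} /{prefix} subnets, "
                         f"not {infra_count}")
    return [str(n) for n in available[:infra_count]]


def usable_addresses(cidr: str) -> int:
    """Addresses left for instances once OCI's reserved addresses are taken."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def oci_network_cmds(compartment_ocid: str, vcn_cidr: str,
                     subnets: List[str], name: str = "ccc-connect") -> List[str]:
    """OCI CLI commands: one vcn create, then one subnet create per subnet.
    The subnet commands need the VCN OCID that only exists after the first
    command runs, so it is left as the shell variable $VCN_OCID."""
    def q(argv: List[str]) -> str:
        return " ".join(shlex.quote(a) for a in argv)
    cmds = [q(["oci", "network", "vcn", "create", "--compartment-id", compartment_ocid,
               "--cidr-block", vcn_cidr, "--display-name", name])]
    for i, cidr in enumerate(subnets, 1):
        cmds.append(q(["oci", "network", "subnet", "create",
                       "--compartment-id", compartment_ocid, "--cidr-block", cidr,
                       "--display-name", f"{name}-infra{i}"]) + ' --vcn-id "$VCN_OCID"')
    return cmds


if __name__ == "__main__":
    # Constructed sample: the page's recommended /29 with two infrastructures.
    compartment = "ocid1.compartment.oc1..aaaaaaaaexamplecompartment"
    subnets = plan_subnets("192.168.100.0/29", infra_count=2)
    for s in subnets:
        print(f"{s}: {usable_addresses(s)} usable address(es)")
    print("\n".join(oci_network_cmds(compartment, "192.168.100.0/29", subnets)))
```

The sizing check is the point worth keeping: the recommended 192.168.100.0/29 holds two /30 subnets, so a third infrastructure needs a larger VCN CIDR, and a /30 leaves a single usable address once OCI's three reserved addresses are subtracted, which is why the page's example subnet is already as small as OCI allows.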

What's Next?

Work with Oracle to install and connect Compute Cloud@Customer to your network. After Oracle initializes Compute Cloud@Customer, you then create a Compute Cloud@Customer infrastructure and connect it to your OCI tenancy. See Creating a Compute Cloud@Customer Infrastructure in OCI.

For a complete list of installation tasks, see Installing and Configuring Compute Cloud@Customer.