Set Up Your Tenancy to Host Oracle E-Business Suite Environments

Overview of Setting Up Your Tenancy to Host Oracle E-Business Suite Environments

This chapter describes how to define a new compartment and create the related cloud resources in order to prepare your Oracle Cloud Infrastructure tenancy for deploying a new set of Oracle E-Business Suite environments, managed by a new group of Oracle E-Business Suite administrators (DBAs), using Oracle E-Business Suite Cloud Manager 19.2.1 or later.

The companion chapter, Deploy Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure, leads you through the process of deploying Oracle E-Business Suite Cloud Manager along with the compartments and resources that it requires. You must first complete the applicable steps in the companion chapter mentioned earlier before performing the tasks in this chapter.

Note: This chapter is not applicable to Oracle E-Business Suite Cloud Manager releases prior to version 19.2.1. Oracle strongly recommends upgrading Oracle E-Business Suite Cloud Manager to the latest version at your earliest convenience. To upgrade Oracle E-Business Suite Cloud Manager, follow the instructions in Update Oracle E-Business Suite Cloud Manager to Latest Version (Conditional).

If you need to continue to use an older version of Oracle E-Business Suite Cloud Manager for a limited period, refer to the documentation listed in My Oracle Support Knowledge Document 2363536.1, Oracle E-Business Suite on Oracle Cloud Tutorial Archive.

Before using Oracle E-Business Suite Cloud Manager to provision a new set of environments (for example, for production usage), you must prepare the tenancy by identifying or creating a new network compartment and creating a new group, users, and corresponding policies to organize and control access to that compartment.

You can create additional compartments to implement separation of duties, such as separate compartments to administer production and development environments.

The following diagram depicts the relationship between the different categories of users and the compartments that could be defined in your tenancy. In this example, three compartments are defined: Production, Development, and Network. Each compartment has a separate group of administrators associated with it: the Application Administrators Production group for the production compartment, defined by the Production Network Profile; the Application Administrators Development group for the development compartment, defined by the Development Network Profile; and the Network Administrators group for the network compartment.

Separation of Duties Implemented with Compartments and Groups


You may choose to define a new network compartment, or use the one that was defined while deploying the Oracle E-Business Suite Cloud Manager. This chapter assumes that the network compartment (called network-compartment in our example) that hosts the network resources is already in place. The production compartment is used as an example to explain how to prepare a tenancy specifically for the users of Oracle E-Business Suite production environments through the following steps:

  1. Identify or create the new compartment in Oracle Cloud Infrastructure, which we call ebsprod-compartment in this example.

  2. Create the Oracle Identity and Access Management (IAM) group that will operate on the ebsprod-compartment compartment.

  3. Create the Oracle Identity Cloud Service (IDCS) group and map it to Oracle Identity and Access Management in order to federate the authentication.

  4. Create policies that allow the Oracle Identity and Access Management group to manage resources in the ebsprod-compartment compartment.

  5. Create users in the Oracle Identity Cloud Service Admin Console and make them members of the Oracle Identity Cloud Service group created previously in step 3.

  6. Create network resources for the new set of Oracle E-Business Suite environments.

  7. Create a new network profile in Oracle E-Business Suite Cloud Manager that maps the ebsprod-compartment compartment and the network you just defined.

Note that Oracle E-Business Suite administrators are referenced throughout this chapter. They can access the Oracle E-Business Suite Cloud Manager user interface (UI) to provision environments and conduct lifecycle management activities. These users are usually referred to as Oracle E-Business Suite DBAs.

Create or Identify a Compartment to Host Oracle E-Business Suite Environments

When preparing the tenancy to deploy your Oracle E-Business Suite production instances, first you will determine which compartment will host the compute VMs or database services and load balancer that make up your environments. You can use an existing compartment (shared compartment) or create a new compartment (non-shared compartment), as described in this section. See Deploy Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure for diagrams outlining some compartment topology examples.

Note: All these topology options can be used in nested compartments. However, in a non-shared scenario, the compartments cannot be children of each other.

To create a compartment called ebsprod-compartment for hosting the Oracle E-Business Suite Production environments:

  1. First, use single sign-on to log in to your cloud account using your tenancy administrator credentials. Do not use Oracle Cloud Infrastructure Direct Sign-In.

  2. In the Oracle Cloud Infrastructure Service console navigation menu, under Identity & Security, select Identity, and click Compartments.

  3. On the Compartments page, click Create Compartment.

  4. In the dialog window, enter the required details:

    • NAME: Enter the compartment name. (For example, ebsprod-compartment)

    • DESCRIPTION: Enter a description of your choice.

  5. Click Create Compartment at the bottom of the window.

    For information on creating compartments and related policies for network resources and Oracle E-Business Suite Cloud Manager, see Deploy Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure.

Create the Oracle E-Business Suite Administrators Group and Assign Policies

In this section, you will define a group of Oracle E-Business Suite administrators that will operate on the new compartment that you previously created and assign the required policies to allow the group to manage resources in the new compartment. Throughout the examples in this chapter, we use ebsprod-compartment for the compartment name and ebscm-proddba-grp as the group name for the Oracle E-Business Suite administrators group. As shown in the following diagram, you enable the users in this group to manage the Oracle E-Business Suite production environments by defining policies giving them access to the appropriate compartment and resources.

Production EBS Administrators Group and Policies


Use the following procedures to create the Oracle E-Business Suite administrators group and assign the required policies.

Create and Map Oracle E-Business Suite Administrators Groups in Oracle Identity and Access Management and Identity Cloud Service

Follow these steps to create the Oracle E-Business Suite administrators group and map it in Oracle Identity and Access Management (IAM) and Oracle Identity Cloud Service (IDCS).

  1. In the Oracle Cloud Infrastructure console navigation menu, under Identity & Security, select Identity, and then click Groups.

  2. Create the Oracle Identity and Access Management group as follows:

    1. Click Create Group.

    2. In the dialog window, enter the required details:

      • NAME: Enter the name for the group (for example, ebscm-proddba-grp).

      • DESCRIPTION: Enter a description of your choice.

    3. Click Create.

  3. Create the Oracle Identity Cloud Service group as follows:

    1. In the console navigation menu, under Identity & Security, select Identity, and then click Federation.

    2. Click on the name of the identity provider that corresponds to Oracle Identity Cloud Service.

    3. On the left hand side under Resources, click Groups.

    4. Click Create IDCS Group.

    5. In the dialog window, enter the required details:

      • NAME: Supply a name for the group (for example, idcs-ebscm-proddba-grp).

      • DESCRIPTION: Enter a description of your choice.

    6. Click Create.

  4. Within the same page, map the groups in Oracle Identity Cloud Service as follows:

    1. Click Group Mappings on the left hand side.

    2. Click Add Mappings.

    3. In the dialog window, select the Identity Provider group and the corresponding Oracle Cloud Infrastructure group from the drop-down lists (for example, idcs-ebscm-proddba-grp and ebscm-proddba-grp).

    4. Click Add Mappings.

Assign Policies

  1. In the console navigation menu, under Identity & Security, select Identity, and click Policies.

  2. Create a policy for the network compartment to allow Oracle E-Business Suite administrators to use the network compartment:

    1. Select the network compartment from the COMPARTMENT drop-down list on the left.

    2. Click Create Policy.

    3. In the dialog window, enter the required details:

      • NAME: Supply a name (for example, networkcompartment-policy).

      • DESCRIPTION: Enter a description of your choice.

      • Add the following policy statements, substituting your own group name in place of ebscm-proddba-grp and your own network compartment in place of network-compartment, if different from our example.

        Allow group ebscm-proddba-grp to use virtual-network-family in compartment network-compartment

    4. Click Create.

  3. Create the policy for the Oracle E-Business Suite administrators to perform operations on Oracle Cloud Infrastructure resources at the tenancy level.

    1. Select the root compartment of your tenancy from the COMPARTMENT drop-down list on the left.

    2. Click Create Policy.

    3. In the dialog window, enter the required details:

      • NAME: Enter a name (for example, ebsproddba-root-policy).

      • DESCRIPTION: Enter a description of your choice.

      • Add the following policy statements, substituting your own group name in place of ebscm-proddba-grp, if appropriate.

        Allow group ebscm-proddba-grp to manage buckets in tenancy
        Allow group ebscm-proddba-grp to manage objects in tenancy
        Allow group ebscm-proddba-grp to manage app-catalog-listing in tenancy
        Allow group ebscm-proddba-grp to inspect compartments in tenancy
        Allow group ebscm-proddba-grp to inspect users in tenancy
        Allow group ebscm-proddba-grp to inspect groups in tenancy
        Allow group ebscm-proddba-grp to use tag-namespaces in tenancy where target.tag-namespace.name='Oracle-Tags'

    4. Click Create Policy.

  4. Create the policy for the Oracle E-Business Suite administrators to perform operations on Oracle Cloud Infrastructure resources within their own compartment.

    1. Select the Oracle E-Business Suite compartment from the COMPARTMENT drop-down list on the left.

    2. Click Create Policy.

    3. In the dialog window, enter the required details:

      • NAME: Enter a name (for example, ebsproddba-policy).

      • DESCRIPTION: Enter a description of your choice.

      • Add the following policy statements, substituting your own group name and compartment name if different from those in our example.

        Allow group ebscm-proddba-grp to manage instance-family in compartment ebsprod-compartment
        Allow group ebscm-proddba-grp to manage database-family in compartment ebsprod-compartment
        Allow group ebscm-proddba-grp to manage load-balancers in compartment ebsprod-compartment
        Allow group ebscm-proddba-grp to manage volume-family in compartment ebsprod-compartment
        Allow group ebscm-proddba-grp to use tag-namespaces in compartment ebsprod-compartment
        Allow group ebscm-proddba-grp to manage tag-namespaces in compartment ebsprod-compartment
        Allow group <Oracle E-Business Suite Cloud Manager administrators group> to manage tag-namespaces in compartment ebsprod-compartment

    4. Click Create Policy.

  5. (Conditional) If you plan to use the Default Network Profiles created by the ProvisionOCINetwork.pl script described in Use a Default Network with Automated Scripts, then make sure the user running the script is a member of the network administrators group. Refer to Assign Policies under Create Oracle Cloud Infrastructure Accounts and Resources in the "Deploy Oracle E-Business Suite Cloud Manager on Oracle Cloud Infrastructure" chapter.
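As an added example (not Oracle code and not part of the Oracle E-Business Suite Cloud Manager tooling), the following Python script parses policy statements of the shape used in the three policies above and reviews them before they are pasted into the console. It reports unsubstituted placeholders (such as the Cloud Manager administrators group in the last compartment statement), grants to a group or compartment other than the expected ones, and unconditioned tenancy-wide manage grants, which are the statements worth a second look when the goal is to confine the production DBAs to their own compartment. The group and compartment names are the ones from this chapter; the set of allowed scopes is an assumption made for the example.

```python
"""Parse and review OCI IAM policy statements of the form used in this chapter.

Added example; this is not Oracle code. It understands only the
"Allow group <group> to <verb> <resource-type> in compartment <name> | tenancy [where <cond>]"
shape; dynamic groups, any-user subjects and other forms raise ValueError.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
# An unsubstituted "<...>" placeholder, such as the Cloud Manager administrators group above.
PLACEHOLDER_RE = re.compile(r"<[^>]*>")


@dataclass
class PolicyStatement:
    group: str
    verb: str                  # inspect < read < use < manage
    resource: str              # resource type or family, e.g. instance-family
    scope: str                 # "tenancy" or a compartment name
    condition: Optional[str]   # text after "where", or None


def parse_statement(text: str) -> PolicyStatement:
    """Parse one statement; placeholders and unrecognised forms raise ValueError."""
    text = text.strip()
    if PLACEHOLDER_RE.search(text):
        raise ValueError(f"placeholder not substituted: {text!r}")
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised statement: {text!r}")
    return PolicyStatement(
        group=m.group("group"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        scope="tenancy" if m.group("tenancy") else m.group("compartment"),
        condition=m.group("condition"),
    )


def review_policy(statements: Iterable[str], expected_group: str,
                  allowed_scopes: Set[str]) -> List[str]:
    """Return one finding per concern; an empty list means the policy matches expectations."""
    findings: List[str] = []
    for raw in statements:
        try:
            st = parse_statement(raw)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if st.group != expected_group:
            findings.append(f"unexpected group {st.group!r}: {raw.strip()}")
        if st.scope not in allowed_scopes:
            findings.append(f"scope {st.scope!r} is outside the expected compartments: {raw.strip()}")
        if st.scope == "tenancy" and st.verb == "manage" and st.condition is None:
            findings.append(f"unconditioned tenancy-wide manage on {st.resource}: "
                            "record the justification or scope it to a compartment")
    return findings


# The statements from this chapter, as written above (group and compartment names unchanged).
NETWORK_POLICY = [
    "Allow group ebscm-proddba-grp to use virtual-network-family in compartment network-compartment",
]
ROOT_POLICY = [
    "Allow group ebscm-proddba-grp to manage buckets in tenancy",
    "Allow group ebscm-proddba-grp to manage objects in tenancy",
    "Allow group ebscm-proddba-grp to manage app-catalog-listing in tenancy",
    "Allow group ebscm-proddba-grp to inspect compartments in tenancy",
    "Allow group ebscm-proddba-grp to inspect users in tenancy",
    "Allow group ebscm-proddba-grp to inspect groups in tenancy",
    "Allow group ebscm-proddba-grp to use tag-namespaces in tenancy "
    "where target.tag-namespace.name='Oracle-Tags'",
]
COMPARTMENT_POLICY = [
    "Allow group ebscm-proddba-grp to manage instance-family in compartment ebsprod-compartment",
    "Allow group ebscm-proddba-grp to manage database-family in compartment ebsprod-compartment",
    "Allow group ebscm-proddba-grp to manage load-balancers in compartment ebsprod-compartment",
    "Allow group ebscm-proddba-grp to manage volume-family in compartment ebsprod-compartment",
    "Allow group ebscm-proddba-grp to use tag-namespaces in compartment ebsprod-compartment",
    "Allow group ebscm-proddba-grp to manage tag-namespaces in compartment ebsprod-compartment",
    "Allow group <Oracle E-Business Suite Cloud Manager administrators group> "
    "to manage tag-namespaces in compartment ebsprod-compartment",
]
# Assumption for this example: the only scopes the production DBA group should touch.
ALLOWED_SCOPES = {"tenancy", "ebsprod-compartment", "network-compartment"}

if __name__ == "__main__":
    for name, policy in [("network", NETWORK_POLICY), ("root", ROOT_POLICY),
                         ("compartment", COMPARTMENT_POLICY)]:
        for finding in review_policy(policy, "ebscm-proddba-grp", ALLOWED_SCOPES) or ["clean"]:
            print(f"{name}: {finding}")
```

Run against the three policies above, the script reports three findings for the root-compartment policy (the manage grants on buckets, objects and app-catalog-listing) and one for the compartment policy (the placeholder group). Both are expected for this chapter; the value of the check is that it gives you a record of every tenancy-wide grant to re-examine whenever the policy is edited later, and it refuses to pass a statement whose placeholder was never replaced.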

Create Users in Oracle Identity Cloud Service

You will create users in Oracle Identity Cloud Service for the Oracle E-Business Suite administrators.

The users will create and own the Oracle Cloud Infrastructure resources that run your Oracle E-Business Suite production environments.

Oracle Identity Cloud Service is used for authenticating Oracle E-Business Suite administrators.

  1. As the tenancy administrator, log in to the My Services dashboard by navigating to https://myservices-<your tenancy name>.console.oraclecloud.com/mycloud/cloudportal/dashboard and clicking Sign In.

  2. Click the Users icon in the top right corner, then select My Home.

  3. Click on Oracle Identity Cloud Service Admin Console.

  4. For each Oracle E-Business Suite production administrator to be added (for example, members of idcs-ebscm-proddba-grp), perform the following steps:

    1. Click the navigation menu and select Users.

    2. Click Add.

    3. In the dialog window, supply the following information:

      • First Name

      • Last Name

      • User Name / Email

    4. Select the check box Use email address as the user name.

    5. Click Next.

    6. In the dialog window, select the check box for the group you just created (for example, idcs-ebscm-proddba-grp).

    7. Click Finish.

      Note: You can create and add further such Oracle E-Business Suite administrators at any later time.

    8. At this point, Oracle Identity Cloud Service will send an email requesting the newly added Oracle E-Business Suite administrators to activate their accounts. Provide the administrators with the Oracle E-Business Suite Cloud Manager link and notify them that they must now self-register by following the instructions in Access Oracle E-Business Suite Cloud Manager.

Create Network Resources for Deploying Oracle E-Business Suite Environments

In this section, the network administrator and Oracle E-Business Suite Cloud Manager administrator perform tasks as indicated.

Before Oracle E-Business Suite Cloud Manager can be used to provision environments, a network and its associated network profiles must be created. A network profile maps Oracle Cloud Infrastructure network definitions to the network requirements of Oracle E-Business Suite instances. You can have multiple Oracle E-Business Suite environments in the same network, or a network designated for a specific purpose, such as production or test.

When creating a network, the network administrator can start by defining the subnets and associated network resources either with the automated scripts provided for a default network, or by manually creating the required resources for the chosen topology.

Use a Default Network with Automated Scripts

When creating a network through a default network, the following scripts are used prior to accessing the Oracle E-Business Suite Cloud Manager UI to create and then upload two default network profiles, one for One-Click Provisioning and one for Advanced Provisioning:

Create Default Network and Network Profiles Using ProvisionOCINetwork.pl

The following script uses the Oracle Cloud Infrastructure API to create the network resources required by the Oracle E-Business Suite environment. When prompted by the script, you must provide authentication credentials that belong to the network administrator. We recommend that you upload the network administrator's private API key to the Cloud Manager VM only temporarily, to be able to run the script, and remove it afterwards.

Add API Key to the Network Administrator

  1. Log in to the Oracle Cloud Infrastructure Service Console as the network administrator user. Note that this user should be a non-federated user (in the form <firstname>.<lastname>@<domain>) and not a federated user (for example, oracleidentitycloudservice/<firstname>.<lastname>@<domain>).

  2. Click the user icon.

  3. Select User Settings from the context menu.

  4. Under Resources in the navigation menu on the left, click API Keys. Then, click Add Public Key.

  5. Select the Paste Public Keys radio button.

  6. Paste the contents of the API public key in the dialog box and click Add. The key's fingerprint is displayed.

  7. Copy the Oracle Cloud Infrastructure API private PEM key file to the Oracle E-Business Suite Cloud Manager Compute instance. The file must be placed in a directory owned by the oracle user, for example /u01/install/APPS/.oci. The fully qualified path to the Oracle Cloud Infrastructure API private PEM key file will be needed for running ProvisionOCINetwork.pl.

Identify Credentials Required for Network Provisioning Script

While still logged into the Oracle Cloud Infrastructure Service Console as the network administrator user, identify and record the OCID of your user. You will need to provide this credential when you run the ProvisionOCINetwork.pl script.

  1. From the Oracle Cloud Infrastructure console, click on the user profile icon on the top right hand side of your screen, and select User Settings.

  2. Click Copy to copy the OCID of the user into your clipboard, and record this value for use in Run ProvisionOCINetwork.pl.

Run ProvisionOCINetwork.pl

The network administrator performs the tasks described in this section.

Note: The network created by this script contains only public subnets, not private subnets.

  1. As the oracle user, run ProvisionOCINetwork.pl:

    $ sudo su - oracle
    $ cd /u01/install/APPS/apps-unlimited-ebs/bin
    $ perl ProvisionOCINetwork.pl

  2. The screen will display the name of the log file for this session in the format ProvisionOCINetwork_<Date_and_Time_Stamp>.log, as illustrated by this example:

    Log File : /u01/install/APPS/apps-unlimited-ebs/out/ProvisionOCINetwork_Thu_Jul_11_13_38_17_2019.log

  3. After a list of the subnets to be created is displayed, you will be prompted to select Y to proceed or N to exit. Enter Y, as shown in this example:

    Enter Y to proceed or N to exit: Y

  4. You will now enter your details, substituting your own values for the example values shown:

    Enter OCID of network administrator user              : ocid1.user.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Enter absolute path of private key of API signing key : /u01/install/APPS/.oci/oci_api_key_network_admin.pem
    Enter tenancy ocid                                    : ocid1.tenancy.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    
    Validating user and fetching OCI metadata...
    
    Enter unique identifier for the EBS network         : ebscmnet
    Enter EBS subnet 1 CIDR (E.g. 10.0.1.0/24)          : 10.0.59.0/28
    Enter EBS subnet 2 CIDR (E.g. 10.0.2.0/24)          : 10.0.83.16/28
    Enter LBaaS subnet CIDR (E.g. 10.0.3.0/24)          : 10.0.83.32/28

  5. You will now be prompted to select Y to proceed or N to exit. Enter Y, as shown in this example:

    Are you sure you want to proceed with the above inputs? [Y/N]: Y

  6. When processing is complete, you will see a success screen with content similar to the following:

    Oracle EBS Cloud related network created successfully.
    
    List of resources created:
    ebscmnet_lbaas_subnet
    ebscmnet_lbaas_seclist
    ebscmnet_lbaas_routetable
    ebscmnet_db_subnet
    ebscmnet_db_seclist
    ebscmnet_db_routetable
    ebscmnet_apps_subnet
    ebscmnet_apps_seclist
    ebscmnet_apps_routetable
    
    Program: ProvisionOCINetwork.pl completed at Thu <DATE> <TIME> <YEAR>
    Advanced Network Profile JSON Path: /u01/install/APPS/apps-unlimited-ebs/build/ebscmnet/ebscmnet_DEFAULT_PROFILE_ADVANCED.json
    OneClick Network Profile JSON Path: /u01/install/APPS/apps-unlimited-ebs/build/ebscmnet/ebscmnet_DEFAULT_PROFILE_ONECLICK.json
    Execute /u01/install/APPS/apps-unlimited-ebs/bin/UploadOCINetworkProfile.pl to Upload JSON into DB

  7. Remove the network administrator's private key from the Cloud Manager Compute instance after running the ProvisionOCINetwork.pl script.

    $ rm /u01/install/APPS/.oci/oci_api_key_network_admin.pem

Upload Network Profile Definitions Using UploadOCINetworkProfile.pl

The Oracle E-Business Suite Cloud Manager administrator performs the tasks described in this section.

As shown at the bottom of the success screen in step 6 of Run ProvisionOCINetwork.pl, the Oracle E-Business Suite Cloud Manager administrator now needs to run the upload script. The script must be run twice: once for the One-Click Provisioning default network profile and once for the Advanced Provisioning default network profile.

The following example illustrates running the script for the Advanced Provisioning default network profile.

  1. As the oracle user, run the UploadOCINetworkProfile.pl script:

    $ sudo su - oracle
    $ cd /u01/install/APPS/apps-unlimited-ebs/bin
    $ perl UploadOCINetworkProfile.pl

  2. The screen will display the name of the log file for this session in the format UploadOCINetworkProfile_<Date_and_Time_Stamp>.log, as illustrated by this example:

    Log File : /u01/install/APPS/apps-unlimited-ebs/out/UploadOCINetworkProfile_Thu_Jul_11_13_55_49_2019.log

  3. Enter your details, substituting your own values for the example values shown:

    Enter Network profile JSON file absolute path             : /u01/install/APPS/apps-unlimited-ebs/build/ebscmnet/ebscmnet_DEFAULT_PROFILE_ADVANCED.json
    Enter OCID of EBS Cloud Manager administrator user        : ocid1.user.oc1..xxxxxxxxxx
    Enter EBS Cloud Manager admin password                    : 
    Enter Absolute path of private key of API signing key     : /u01/install/APPS/oci_api_key.pem
    Enter Tenancy OCID                                        : ocid1.tenancy.oc1..xxxxxxxxxxxxxxxxx
    Enter Oracle E-Business Suite Cloud Manager Admin Password: 

    Note: The value you enter for "Network profile JSON file absolute path" must be the same value displayed on the ProvisionOCINetwork.pl success screen. Refer to step 6 of Run ProvisionOCINetwork.pl.

  4. When a profile has been updated, you will see a success message similar to the one shown in this example:

    Executing: ebscm_add_default_network_profile API for DEFAULT_PROFILE_ADVANCED
    Executing Stored Procedure: ebscm_add_default_network_profile
    RetCode: 0
    Row count: 0
    
    ADVANCED Network Profile uploaded successfully.

    Note: These two default network profiles are available to all users.

Use a Custom Network

This section describes how network administrators can manually create the minimal network resources required for Oracle E-Business Suite Cloud Manager Advanced Provisioning, which allows Oracle E-Business Suite administrators to provision an Oracle E-Business Suite instance with their chosen topology.

Note: Oracle E-Business Suite deployment on Oracle Cloud Infrastructure in a Hybrid DNS Configuration always requires access to a VCN DNS resolver. If you are using such a configuration, ensure that IP address 169.254.169.254 is listed as a DNS server in the DHCP options.

In this example, we will configure the network settings specifically for deploying Oracle E-Business Suite production environments managed by Oracle E-Business Suite Cloud Manager.

The configuration consists of the tasks described in the following sections.

Note: If you are using Exadata Cloud Service, you must already have set up the route rules, security lists, and subnets required for the database tier. Review the corresponding database tier resources created in this section and add any missing resources.

Establish Your VCN

Customers have the option to create their own Virtual Cloud Network (VCN) or use an existing VCN (such as the VCN where the Oracle E-Business Suite Cloud Manager is deployed). If you use a VCN separate from the Oracle E-Business Suite Cloud Manager VCN for your Oracle E-Business Suite environments, ensure that adequate network communication is established between the two.

Note: When VCNs reside in the same tenancy, local VCN peering is supported for communication between the VCN holding the Oracle E-Business Suite Cloud Manager VM and the VCN holding the Oracle E-Business Suite environments. With this configuration, you can have the Oracle E-Business Suite Cloud Manager VM installed on one VCN and create instances on other VCNs in the same tenancy.

For more information about local VCN peering and how to set it up, see Local VCN Peering (Within Region).

If you decide to create a new VCN for your Oracle E-Business Suite environments, follow the instructions in Create a Virtual Cloud Network.

Create an Internet Gateway (Conditional)

Note: The resources created (including route tables, security lists, and subnets) must be sufficient to support your chosen topology, and therefore may need to be more extensive than the examples shown here.

The Oracle E-Business Suite provisioning and cloning flows create new Compute instances and update them to the latest OS patches using yum. Your compute instances use a gateway to access the public yum repository on the internet.

If you plan to use a public subnet for your Compute instances, and you created a new VCN, you will need to create an internet gateway for that VCN by following the instructions for either a public or private subnet, as found in Create Network Resources for Deploying Oracle E-Business Suite Cloud Manager.

Create a NAT Gateway (Conditional)

If you plan to use a private subnet for your Oracle E-Business Suite environments, you must use a NAT gateway. Note that there is a limit of one NAT gateway per VCN.

If you did not create a NAT Gateway previously, follow these steps to create one:

  1. From the Oracle Cloud Infrastructure Service Console, click the menu icon at the top left to open the navigation menu. Under CORE INFRASTRUCTURE, go to Networking, and click Virtual Cloud Networks.

  2. On the Virtual Cloud Networks screen, click the link with the name of your VCN, such as ebscm-vcn.

  3. Under Resources on the navigation menu at the left, select NAT Gateway.

  4. Click Create NAT Gateway:

    • CREATE IN COMPARTMENT: Select your network compartment (for example, network-compartment).

    • NAME: Specify a suitable name (for example, ebs-ngw).

    • Click Create NAT Gateway at the bottom of the window.

Create a Service Gateway (Conditional)

If you plan to use a private subnet for your Oracle E-Business Suite environments, you can make use of a service gateway along with a NAT gateway. Note that there is a limit of one service gateway per VCN.

To create a service gateway:

  1. On the Virtual Cloud Networks screen, click the link with the name of your VCN, such as ebscm-vcn.

  2. Under Resources on the navigation menu at the left, select Service Gateways.

  3. Click Create Service Gateway:

    • NAME: Specify a suitable name (for example, ebscm-srvgw).

    • CREATE IN COMPARTMENT: Select your network compartment (for example, network-compartment).

    • SERVICES: Select All <XXX> Services In Oracle Services Network (where XXX is a region-specific code, such as IAD or LHR).

    • Click Create Service Gateway at the bottom of the window.

Create Route Tables

In this section, you will create three separate route tables. Their roles and example names are shown in the following table:

Table 3-1 Route Tables

  Component Route Table Needed For           Example Route Table Name
  -----------------------------------------  ------------------------
  Load Balancer                              ebslbaas-RouteTable
  Oracle E-Business Suite Application Tier   apps-RouteTable
  Oracle E-Business Suite Database Tier      db-RouteTable

The steps you will take depend on whether you are using a public subnet or a private subnet. Follow whichever of the two subsections below applies to you.

Create Route Tables for a Public Subnet

To create each of the three route tables for a public subnet, use the following steps:

  1. On the Virtual Cloud Networks screen, click the link with the name of your VCN, such as ebsnetwork-vcn.

  2. Under Resources on the navigation menu at the left, select Route Tables.

  3. Click Create Route Table:

    1. NAME: Enter a name such as, ebslbaas-RouteTable, apps-RouteTable, or db-RouteTable.

    2. CREATE IN COMPARTMENT: Select your network compartment (for example, network-compartment).

    3. Click + Another Route Rule.

    4. Enter Route Rules details as follows:

      • TARGET TYPE: Select Internet Gateway.

      • DESTINATION CIDR BLOCK: 0.0.0.0/0

      • COMPARTMENT: Select the previously identified compartment.

      • TARGET INTERNET GATEWAY: Select the previously created gateway (for example, ebscm-igw).

    5. Click Create Route Table at the bottom of the window.

Create Route Tables for a Private Subnet

To create each of the three route tables for a private subnet, use the following steps:

  1. On the Virtual Cloud Networks screen, click the link with the name of your VCN, such as ebscm-vcn.

  2. Under Resources on the navigation menu at the left, select Route Tables.

  3. Click Create Route Table:

    1. NAME: Specify a name such as ebslbaas-RouteTable, apps-RouteTable, or db-RouteTable.

      Note: If you are creating a route table for the subnet hosting the load balancer and you are using private subnets, no route rules are required. You can skip directly to the last substep and click Create Route Table at the bottom of the window. Route rules are only required for the subnets hosting Oracle E-Business Suite application tier or database tier nodes.

    2. CREATE IN COMPARTMENT: Select your network compartment (for example, network-compartment).

    3. Click + Another Route Rule.

    4. Enter Route Rules details as follows:

      • TARGET TYPE: Select NAT Gateway.

      • DESTINATION CIDR BLOCK: 134.70.0.0/17

      • COMPARTMENT: Select the previously identified compartment.

      • TARGET NAT GATEWAY: Select the previously created NAT Gateway (for example, ebs-ngw).

    5. Enter Route Rules details as follows:

      • TARGET TYPE: Select Service Gateway.

      • DESTINATION SERVICE: Select All <XXX> Services In Oracle Services Network (where XXX is a region-specific code, such as IAD or LHR).

      • COMPARTMENT: Select the previously identified compartment.

      • TARGET SERVICE GATEWAY: Select the previously created Service Gateway (for example, ebs-srvgw).

    6. Click Create Route Table at the bottom of the window.

Create Security Lists

In this section, you will create up to three separate security lists. Their roles and some example names are shown in the table below:

Table 3-2 Security Lists

  Component Security List Needed For         Example Security List Name
  -----------------------------------------  --------------------------
  Load Balancer                              ebslbaas-seclist
  Oracle E-Business Suite Application Tier   apps-seclist
  Oracle E-Business Suite Database Tier      db-seclist

To create a security list:

  1. On the Virtual Cloud Networks screen, click the link with the name of your VCN, such as ebscm-vcn.

  2. Under Resources on the navigation menu at the left, select Security Lists.

  3. Click Create Security List:

    1. NAME: Specify a name such as ebslbaas-seclist, apps-seclist, or db-seclist.

    2. CREATE IN COMPARTMENT: Select your compartment name, such as network-compartment.

    3. If default rules named Ingress Rule 1 and Egress Rule 1 appear, remove these rules.

    4. Click Create Security List at the bottom of the window.

Create Subnets

In this section, you will create new subnets, specifying your own names and parameters.

The following example can be used as a reference for defining the subnets for an Oracle E-Business Suite environment that has both internal and external web entry points (as in a common DMZ configuration).

[Figure: Oracle E-Business Suite Cloud Manager Network Profile Maps and Internal and External Subnets]

If you choose to use regional subnets, see the following table with example values for guidance:

Table 3-3 Examples of Regional Subnets

| Subnet Name | CIDR Block | Route Table | Subnet Access | Security List |
|---|---|---|---|---|
| internal-ebslbaas-subnet-phx | 10.0.3.0/24 | ebslbaas-RouteTable | Public or private subnet | internal-ebslbaas-seclist |
| internal-apps-subnet-phx | 10.0.4.0/24 | apps-RouteTable | Public or private subnet | internal-apps-seclist |
| external-ebslbaas-subnet-phx (optional) | 10.0.5.0/24 | ebslbaas-RouteTable | Public or private subnet | external-ebslbaas-seclist |
| external-apps-subnet-phx | 10.0.6.0/24 | apps-RouteTable | Public or private subnet | external-apps-seclist |
| db-subnet-phx | 10.0.7.0/24 | db-RouteTable | Public or private subnet | db-seclist |

To create each new subnet:

  1. On the Virtual Cloud Networks screen, click the link with the name of your VCN, such as ebscm-vcn.

  2. Under Resources in the navigation menu on the left, select Subnets.

  3. Click Create Subnet, specifying your choice for the following parameters:

    • NAME

    • SUBNET TYPE: Select either Regional (Recommended) or Availability Domain-Specific. If you choose Availability Domain-Specific, also select your availability domain.

    • CIDR BLOCK

    • ROUTE TABLE: When you create a subnet, you can specify it as either a Public Subnet or a Private Subnet. If you are creating a public subnet, ensure you choose a route table that has a target type of Internet Gateway. If you are creating a private subnet, ensure you choose a Route Table that has a target type of NAT Gateway.

    • SUBNET ACCESS: As noted under ROUTE TABLE above, subnet access can be either public or private. Be aware that if you select a private subnet for any VM, that VM will not have a public IP address and no inbound connections to it from outside the current VCN will be allowed.

      For more information, see VCNs and Subnets.

    • SECURITY LIST

  4. Click Create at the bottom of the window.
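An added example (not part of the Oracle documentation) that checks a subnet plan such as Table 3-3 before you create the subnets in the console: each CIDR block lies inside the VCN, no two blocks overlap, and each subnet's route table targets the gateway type the ROUTE TABLE step calls for (Internet Gateway for a public subnet, NAT Gateway for a private one). The VCN CIDR, the public/private choice per subnet and the route table targets are assumed values.

```python
import ipaddress

# Constructed plan taken from Table 3-3; the VCN CIDR and the route table targets are assumptions.
VCN_CIDR = "10.0.0.0/16"
# Route table name -> target type of its default route (assumed; the page only names the tables).
ROUTE_TABLES = {"ebslbaas-RouteTable": "Internet Gateway", "apps-RouteTable": "NAT Gateway",
                "db-RouteTable": "NAT Gateway"}
EXPECTED_TARGET = {"public": "Internet Gateway", "private": "NAT Gateway"}  # rule from the ROUTE TABLE step
SUBNETS = [  # (name, CIDR block, route table, subnet access); access values are assumed
    ("internal-ebslbaas-subnet-phx", "10.0.3.0/24", "ebslbaas-RouteTable", "public"),
    ("internal-apps-subnet-phx", "10.0.4.0/24", "apps-RouteTable", "private"),
    ("external-ebslbaas-subnet-phx", "10.0.5.0/24", "ebslbaas-RouteTable", "public"),
    ("external-apps-subnet-phx", "10.0.6.0/24", "apps-RouteTable", "private"),
    ("db-subnet-phx", "10.0.7.0/24", "db-RouteTable", "private"),
]

def check_plan(vcn_cidr, subnets, route_tables):
    """Return the problems in a subnet plan: a CIDR outside the VCN, two CIDRs that
    overlap, or a route table whose target does not fit the subnet's access type."""
    vcn = ipaddress.ip_network(vcn_cidr)
    problems, seen = [], []
    for name, cidr, rt, access in subnets:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vcn):
            problems.append(f"{name}: {cidr} is not inside VCN {vcn_cidr}")
        for other, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{name}: {cidr} overlaps {other}")
        seen.append((name, net))
        want = EXPECTED_TARGET[access]
        if route_tables.get(rt) != want:
            problems.append(f"{name}: {access} subnet needs a route table targeting {want}, "
                            f"but {rt} targets {route_tables.get(rt)}")
    return problems

if __name__ == "__main__":
    for line in check_plan(VCN_CIDR, SUBNETS, ROUTE_TABLES) or ["subnet plan is consistent"]:
        print(line)
```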

Create Security Rules

In this section, you will add the mandatory security rules shown in the following tables to the security lists you created in Create Security Lists.

Internal Load Balancer Security List

This section includes the following security rules for the internal load balancer security list:

Table 3-4 Ingress Rules for Both Public and Private Subnets

| Source Type | Source | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | CIDR that describes the IP range users will use to access your Oracle E-Business Suite environments | TCP | All | Depends on the web entry port you will use during the provisioning of your environment |

Table 3-5 Egress Rules When Using a Public Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 0.0.0.0/0 | TCP | All | All |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |

Table 3-6 Egress Rules When Using a Private Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | <Internal application tier subnet CIDR> | TCP | All | All |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |

External Load Balancer Security List (Optional)

This section includes the following security rules for the external load balancer security list:

Table 3-7 Ingress Rules for Both Public and Private Subnets

| Source Type | Source | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | CIDR that describes the IP range users will use to access your Oracle E-Business Suite environments | TCP | All | Depends on the web entry port you will use during the provisioning of your environment |

Table 3-8 Egress Rules When Using a Public Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 0.0.0.0/0 | TCP | All | All |
| CIDR | 0.0.0.0/0 | ICMP | N/A (leave Type and Code blank) | N/A |

Table 3-9 Egress Rules When Using a Private Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | <External application tier subnet CIDR> | TCP | All | All |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |

Application Tier Security List for Internal Subnets

This section includes the following security rules for the application tier security list for internal subnets:

Table 3-10 Ingress Rules for Both Public and Private Internal Subnets

| Source Type | Source | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | <Internal application tier subnet CIDR> | TCP | All | All |
| CIDR | <EBS Cloud Manager subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <Internal load balancer subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <EBS Cloud Manager subnet CIDR> | TCP | All | 22 |
| CIDR | <External application tier subnet CIDR> | TCP | All | 111 |
| CIDR | <External application tier subnet CIDR> | TCP | All | 2049 |
| CIDR | <Database tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <Internal application tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <External application tier subnet CIDR> | TCP | All | 7001-7003 |
| CIDR | <External application tier subnet CIDR> | TCP | All | 6801-6802 |
| CIDR | <External application tier subnet CIDR> | TCP | All | 16801-16802 |
| CIDR | <External application tier subnet CIDR> | TCP | All | 12345 |
| CIDR | <External application tier subnet CIDR> | TCP | All | 36501-36550 |
| CIDR | <Internal load balancer subnet CIDR> | TCP | All | 8000 |

Table 3-11 Egress Rules When Using a Public Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 0.0.0.0/0 | TCP | All | All |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |

Table 3-12 Egress Rules When Using a Private Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 134.70.0.0/17 | TCP | All | All |
| Service | All <XXX> Services in the Oracle Services Network (XXX is a region-specific code, such as IAD or LHR) | TCP | All | All |
| Service | All <XXX> Services in the Oracle Services Network (XXX is a region-specific code, such as IAD or LHR) | ICMP | N/A | N/A |
| CIDR | <External application tier subnet CIDR> | TCP | All | All |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | All |
| CIDR | <Database tier subnet CIDR> | TCP | All | 1521-1524 |
| CIDR | <EBS Cloud Manager subnet CIDR> | TCP | All | 443 |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |

Application Tier Security List for External Subnets (Optional)

This section includes the following security rules for the application tier security list for external subnets:

Table 3-13 Ingress Rules for Application Tier Subnet 2 (appSubnet2)

| Source Type | Source | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | <External application tier subnet CIDR> | TCP | All | All |
| CIDR | <EBS Cloud Manager subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <External load balancer subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <EBS Cloud Manager subnet CIDR> | TCP | All | 22 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 111 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 2049 |
| CIDR | <Internal application tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <Database tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <External application tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 22 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 5556-5557 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 7201-7202 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 17201-17202 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 7401-7402 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 17401-17402 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 7601-7602 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 17601-17602 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 7801-7802 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 17801-17802 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 6801-6802 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 16801-16802 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 9999-10000 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 1626 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 12345 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 36501-36550 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 6100-6101 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 6200-6201 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 6500-6501 |
| CIDR | <External load balancer subnet CIDR> | TCP | All | 8000 |

Table 3-14 Egress Rules When Using a Public Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 0.0.0.0/0 | TCP | All | All |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |

Table 3-15 Egress Rules When Using a Private Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 134.70.0.0/17 | TCP | All | All |
| CIDR | <External application tier subnet CIDR> | TCP | All | All |
| CIDR | <Database tier subnet CIDR> | TCP | All | 1521-1524 |
| CIDR | <EBS Cloud Manager subnet CIDR> | TCP | All | 443 |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | All |
| Service | All <XXX> Services in the Oracle Services Network (XXX is a region-specific code, such as IAD or LHR) | TCP | All | All |
| Service | All <XXX> Services in the Oracle Services Network (XXX is a region-specific code, such as IAD or LHR) | ICMP | N/A | N/A |

Database Tier Security List

This section includes the following security rules for the database tier security list:

Table 3-16 Ingress Rules for Both Public and Private Subnets

| Source Type | Source | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | <EBS Cloud Manager subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <Database tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <EBS Cloud Manager subnet CIDR> | TCP | All | 22 |
| CIDR | <Internal application tier subnet CIDR> | TCP | All | 1521-1524 |
| CIDR | <Internal application tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <External application tier subnet CIDR> | TCP | All | 1521-1524 |
| CIDR | <External application tier subnet CIDR> | ICMP | N/A (leave Type and Code blank) | N/A (leave Type and Code blank) |
| CIDR | <Database tier subnet CIDR> | TCP | All | 22 |
| CIDR | <Database tier subnet CIDR> | TCP | All | 1521-1524 |

Table 3-17 Egress Rules When Using a Public Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 0.0.0.0/0 | TCP | All | All |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |

Table 3-18 Egress Rules When Using a Private Subnet

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | 134.70.0.0/17 | TCP | All | All |
| CIDR | <EBS Cloud Manager subnet CIDR> | TCP | All | 443 |
| CIDR | <Database tier subnet CIDR> | TCP | All | 1521-1524 |
| CIDR | <Database tier subnet CIDR> | TCP | All | 22 |
| CIDR | 0.0.0.0/0 | ICMP | N/A | N/A |
| Service | All <XXX> Services in the Oracle Services Network (XXX is a region-specific code, such as IAD or LHR) | TCP | All | All |
| Service | All <XXX> Services in the Oracle Services Network (XXX is a region-specific code, such as IAD or LHR) | ICMP | All | All |
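As an added example (not from the Oracle documentation), the database tier rules of Tables 3-16 and 3-18 expressed in the JSON shape that `oci network security-list create` accepts, plus two checks a reviewer would run against the list that actually exists: which required rules are missing, and whether any ingress rule is open to 0.0.0.0/0. The subnet CIDRs, the Cloud Manager subnet and the `iad` region code are assumed placeholder values; the service CIDR label is assumed to match the one `oci network service list` reports for your region.

```python
import json
# Constructed placeholder values (assumptions, not from the page): use your own CIDRs and region.
CM_SUBNET, DB_SUBNET = "10.0.1.0/24", "10.0.7.0/24"   # Cloud Manager subnet (assumed), db-subnet-phx
INT_APPS, EXT_APPS = "10.0.4.0/24", "10.0.6.0/24"     # internal/external apps subnets from Table 3-3
OSN = "all-iad-services-in-oracle-services-network"   # service CIDR label; replace iad with your region
ANY, TCP, ICMP = "0.0.0.0/0", "6", "1"                # the OCI API takes IANA protocol numbers
SSH, LISTENER, HTTPS = (22, 22), (1521, 1524), (443, 443)

def rule(direction, target, protocol, ports=None, service=False):
    """One stateful OCI security rule in the JSON shape `oci network security-list create` accepts.
    ports: (min, max) destination range or None for all; ICMP rules get no Type/Code (left blank)."""
    key = "source" if direction == "ingress" else "destination"
    r = {key: target, key + "Type": "SERVICE_CIDR_BLOCK" if service else "CIDR_BLOCK",
         "protocol": protocol, "isStateless": False}
    if protocol == TCP and ports:
        r["tcpOptions"] = {"destinationPortRange": {"min": ports[0], "max": ports[1]}}
    return r

# Table 3-16: database tier ingress rules (same for public and private subnets).
DB_INGRESS = [
    rule("ingress", CM_SUBNET, ICMP), rule("ingress", DB_SUBNET, ICMP),
    rule("ingress", CM_SUBNET, TCP, SSH),
    rule("ingress", INT_APPS, TCP, LISTENER), rule("ingress", INT_APPS, ICMP),
    rule("ingress", EXT_APPS, TCP, LISTENER), rule("ingress", EXT_APPS, ICMP),
    rule("ingress", DB_SUBNET, TCP, SSH), rule("ingress", DB_SUBNET, TCP, LISTENER),
]
# Table 3-18: database tier egress rules when the subnet is private.
DB_EGRESS_PRIVATE = [
    rule("egress", "134.70.0.0/17", TCP), rule("egress", CM_SUBNET, TCP, HTTPS),
    rule("egress", DB_SUBNET, TCP, LISTENER), rule("egress", DB_SUBNET, TCP, SSH),
    rule("egress", ANY, ICMP),
    rule("egress", OSN, TCP, service=True), rule("egress", OSN, ICMP, service=True),
]

def rule_key(r):
    """Comparison key for a rule dict in API form (camelCase) or `oci ... get` output (kebab-case)."""
    opts = r.get("tcpOptions") or r.get("tcp-options") or {}
    pr = opts.get("destinationPortRange") or opts.get("destination-port-range") or {}
    return (r.get("source") or r.get("destination"), r["protocol"], pr.get("min"), pr.get("max"))

def missing_rules(required, actual):
    """Required rules that an existing security list's rule array does not contain."""
    have = {rule_key(r) for r in actual}
    return [r for r in required if rule_key(r) not in have]

def internet_exposed(ingress):
    """Ingress rules whose source is 0.0.0.0/0; the database tier list must have none."""
    return [r for r in ingress if r.get("source") == ANY]

if __name__ == "__main__":  # the two arrays go to --ingress-security-rules / --egress-security-rules
    print(json.dumps({"ingress": DB_INGRESS, "egress": DB_EGRESS_PRIVATE}, indent=2))
```

To audit a list that already exists, pass the rule array from `oci network security-list get` output as `actual` to `missing_rules` and `internet_exposed`.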

Oracle E-Business Suite Cloud Manager Security List

Note: When creating a custom network, the following security rules need to be added to the Oracle E-Business Suite Cloud Manager security list. For information on creating the security list for Oracle E-Business Suite Cloud Manager, see Create Network Resources for Deploying Oracle E-Business Suite Cloud Manager.

Table 3-19 Ingress Rules

| Source Type | Source | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | <Application tier subnet CIDR> | TCP | All | 443 |
| CIDR | <Database tier subnet CIDR> | TCP | All | 443 |

Table 3-20 Egress Rules

| Destination Type | Destination | Protocol | Source Port Range / Type and Code | Destination Port Range / Type and Code |
|---|---|---|---|---|
| CIDR | <Application tier subnet CIDR> | TCP | All | 22 |
| CIDR | <Database tier subnet CIDR> | TCP | All | 22 |

Create Network Profiles

The Oracle E-Business Suite Cloud Manager administrator performs the tasks in this section.

A network profile maps Oracle Cloud Infrastructure network definitions to the network requirements of Oracle E-Business Suite instances. Before Oracle E-Business Suite Cloud Manager can be used to provision environments, a network and its associated network profiles must be created.

After the network administrator creates the network, the Oracle E-Business Suite Cloud Manager administrator will use the Oracle E-Business Suite Cloud Manager UI to define related network profiles that can then be selected by the Oracle E-Business Suite administrators (in our example, the administrators are members of the ebscm-proddba-grp group).

To create a new network profile, see Create a Network Profile.