Self-Service Landing Zone

A landing zone is a secured, deployment-ready cloud environment.

Important: This reference architecture provides a Terraform-based landing zone template that meets the security guidance prescribed in Deploy a secure landing zone that meets the CIS Foundations Benchmark for Oracle Cloud. See How Do I Decide Which Landing Zone to Use?

The Self-Service Landing Zone includes definitions of the core technology components of the cloud (compute, storage, networking), security (segregated virtual cloud network design, compartments for resource isolation purposes), Oracle Cloud Infrastructure Identity and Access Management (IAM) groups, and encryption methodologies. Depending on your organization's requirements, you can include additional components such as firewalls, highly available/resilient scenarios, FastConnect, and identity federation.

You automate the deployment process in an infrastructure-as-code model by using Terraform scripts and templates to provision the Self-Service Landing Zone.

The following table describes the building blocks that are included in the Self-Service Landing Zone.

Landing Zone Component Description
Tenancy A secure and isolated partition within Oracle Cloud Infrastructure (OCI) where you can create, organize, and administer your cloud resources. When you sign up for OCI, a tenancy is created for your company. Tenancy also refers to the root compartment that contains all of your organization's compartments and other OCI resources.
Policies An IAM policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself.

A collection of related resources that can be accessed only by groups that have been given permission by an administrator in your organization.

Use compartments to organize your cloud resources, control access, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

Resources in the landing zone template are provisioned in the following compartments:

  • A Network compartment for all the networking resources, including the required network gateways.
  • A Security compartment for the logging, vault, and notifications resources.
  • An Application Development compartment for the application-related services, including compute, storage, functions, streams, Kubernetes nodes, and API Gateway.
  • A Database compartment for all database resources.
  • An optional compartment for Exadata Database Service on Dedicated Infrastructure.

This compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically separated among networking, security, application development, and database administrators.

Virtual cloud networks (VCNs) and subnets

A VCN is a customizable, software-defined private network that you set up in Oracle data centers. It closely resembles a traditional network, with firewall rules and specific types of communication gateways that you can choose to use. A VCN resides in a single Oracle Cloud Infrastructure region and covers one or more CIDR blocks.

You can segment a VCN into subnets, which can be scoped across a region (recommended) or to a single availability domain. Each subnet consists of a contiguous range of addresses that do not overlap with other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be either public or private.

Internet gateway An optional virtual router that you can add to a virtual cloud network (VCN). It provides a path for network traffic between the VCN and the internet.
Dynamic routing gateway (DRG)

An optional virtual router that you can add to a virtual cloud network (VCN) to provide a path for private network traffic between the VCN and an on-premises network.

DRGs can also be used to route traffic between VCNs.

NAT gateway An optional virtual router that you can add to your virtual cloud network (VCN) to perform Network Address Translation (NAT). A NAT gateway gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections.
Service gateway An optional virtual router that you can add to your virtual cloud network (VCN). The gateway enables on-premises hosts or VCN hosts to privately access Oracle services (such as Object Storage and Autonomous Database) without exposing the resources to the public internet.
Oracle Services Network A conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. These services have public IP addresses that you typically reach over the internet. However, you can access the Oracle Services Network without the traffic going over the internet. Hosts in your on-premises network can access the Oracle Services Network by using FastConnect or Site-to-Site VPN. Hosts in your VCN can access the Oracle Services Network privately through a service gateway.
Network security group (NSG) Virtual firewalls for your cloud resources. An NSG consists of a set of ingress and egress security rules that apply only to a set of VNICs of your choice in a single VCN. With the zero trust security model of Oracle Cloud Infrastructure, all traffic is denied, and you can control the network traffic inside a VCN.
Events Structured messages that indicate changes in resources. An event could be a create, read, update, or delete (CRUD) operation, a resource lifecycle state change, or a system event that impacts a resource.
Notifications Oracle Cloud Infrastructure Notifications broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low latency and durable messages for applications hosted on Oracle Cloud Infrastructure and externally. Use Notifications to get messages whenever alarms, service connectors, and event rules are triggered.
Vault The Oracle Cloud Infrastructure Vault service helps you centrally manage the encryption keys that protect your data and the secret credentials that you use to access resources.

Oracle Cloud Infrastructure Logging is a highly scalable and fully managed service that provides access to logs from your resources in the cloud. Logging lets you enable, view, and manage all the logs in your tenancy, and provides access to logs from Oracle Cloud Infrastructure resources. These logs include critical diagnostic information that describes how resources are performing and being accessed.

The following types of logs are available:

  • Audit logs: Logs related to events emitted by the Oracle Cloud Infrastructure Audit service.
  • Service logs: Emitted by OCI native services, such as API Gateway, Events, OCI Functions, Load Balancing, Object Storage, and VCN flow logs.
  • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
Service Connector Hub

Oracle Cloud Infrastructure Service Connector Hub is a cloud message bus platform that offers a single pane of glass for describing, running, and monitoring interactions when moving data between Oracle Cloud Infrastructure services.

Service Connector Hub orchestrates data movement between services in Oracle Cloud Infrastructure.

Use Service Connector Hub to quickly build a logging aggregation framework for security information and event monitoring (SIEM) systems.

Cloud Guard Oracle Cloud Guard is a cloud native service that helps customers monitor, identify, achieve, and maintain a strong security posture on Oracle Cloud. Use the service to examine your Oracle Cloud Infrastructure resources for security weakness related to configuration, and your Oracle Cloud Infrastructure operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.
Vulnerability Scanning Oracle Vulnerability Scanning Service helps improve your security posture by routinely checking your cloud resources for potential security risks. The service generates reports with metrics and details about these vulnerabilities.
Bastion Oracle Cloud Infrastructure Bastion provides secured, session-based access to resources without public endpoints.
Object Storage

Oracle Cloud Infrastructure Object Storage helps you manage data as objects stored in containers.

Object Storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. Scale storage without experiencing degradation in performance or service reliability. Use Standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use Archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

Block Volume

Oracle Cloud Infrastructure Block Volume helps you dynamically provision and manage block storage volumes.

You can create, attach, connect, and move volumes, as well as change volume performance, as needed, to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without the loss of data.

Autonomous Database

Oracle Cloud Infrastructure's Autonomous Database is a fully managed, preconfigured database environment.

Autonomous Database runs natively on Oracle Cloud Infrastructure while providing workload-optimized cloud services for transaction processing and data warehousing. Autonomous Database reduces operational costs with a multi-model converged database and machine learning-based automation for full lifecycle management.

Landing Zone Architecture

The Self-Service Landing Zone provides a baseline architecture and best practices for you to deploy new projects and workloads quickly and securely in Oracle Cloud Infrastructure.

The Self-Service Landing Zone architecture starts with a compartment design for your tenancy, with IAM groups and policies for the separation of duties. Each landing zone compartment is assigned an IAM group with the appropriate permissions to manage resources in the compartment and to access required resources in other compartments.

You can provision multiple VCNs, either as a standalone network or as constituent parts of a hub-and-spoke architecture. Depending on your use case, you can provision VCNs to follow a general-purpose, standard three-tier network topology, or to support the deployment of specific workloads, such as Exadata Cloud Service. The VCNs are preconfigured with the necessary routing, with inbound and outbound interfaces properly secured.

For a strong security posture, the Self-Service Landing Zone includes preconfigured security services that you can deploy with the overall architecture. These Oracle Cloud Infrastructure services include Bastion, Cloud Guard, Logging, Service Connector Hub, Vault, and Vulnerability Scanning. Notifications are configured to alert administrators about changes in the deployed resources.