Oracle Enterprise Landing Zone v1 - Lite Implementation

Use Oracle Enterprise Landing Zone (OELZ) v1 - Lite to deploy a secure cloud environment that's ready for you to launch a workload in Oracle Cloud Infrastructure (OCI).

Important: This reference architecture provides a basic template for deployment that lets you specify preconfigured security settings for OCI Audit logs and protocols for the OCI Bastion service. See How Do I Decide Which Landing Zone to Use?

Prerequisites

Before you launch OELZ v1 - Lite, prepare the following information.

  • Tag values for the CostCenter and GeoLocation tags. Every resource that is created by the landing zone stack is tagged with the values that you provide.

  • A name for the parent compartment. The parent compartment is the top-level organizational compartment that is created by the landing zone.

  • Names for one or more workload compartments under the parent compartment.

  • Email addresses for one or more break-glass users. Break-glass users have emergency access to all OCI resources.

  • CIDR block for the allowlist on the bastion.

  • CIDR blocks for the following subnets created within the virtual cloud network (VCN):

    • Shared
    • Bastion

How to Deploy

Install OELZ v1 - Lite from the Deploy a baseline landing zone Quickstarts card on the OCI Console home page.

The deployment process takes you through selecting a compartment in your tenancy and setting up the security configuration: enabling logging and configuring client access to the Bastion service. Provide the following information:

  • Compartment: The compartment you select becomes the parent compartment under which OELZ v1 - Lite creates its compartment structure for security, networking, and workloads.

  • Advanced Logging: Lets you enable audit logs and VCN flow logs. The following options are available:

    • AUDIT_LOGS: Enables audit logs only.
    • FLOW_LOGS: Enables VCN flow logs only.
    • BOTH: Enables audit logs and VCN flow logs.
    • NONE: Does not enable advanced logging.

    Note: After you enable logging, you can't disable it.

  • Bastion Client CIDR Block Allow List: Select at least one CIDR block that can connect to the OCI Bastion service. A bastion is a secure method of connecting to the resources within the cloud environment.
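The prerequisites and deployment inputs above are easy to get wrong in ways the Quickstart form only reports after a failed or partial run, and some of them cannot be undone (logging, once enabled, stays on). The following pre-flight check is an added example, not Oracle's code or part of OELZ v1 - Lite: it assumes you gather the values into a plain Python dict before opening the Quickstart, and the dict key names (tags, parent_compartment, workload_compartments, break_glass_users, subnets, bastion_allowlist, advanced_logging) are constructed for this example. It verifies that both tag values are present, that a parent and at least one unique workload compartment are named, that each break-glass address is well formed, that the Shared and Bastion subnet CIDRs parse and do not overlap, that the bastion allowlist has at least one valid block and flags a catch-all block, and that the advanced logging value is one of the four documented options.

```python
"""Pre-flight validation of the inputs OELZ v1 - Lite asks for.

Added example, not Oracle's code. The config dict layout below is a
constructed convention for this example, not an OCI or OELZ format.
"""
import ipaddress
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# The four Advanced Logging values the Quickstart documents.
LOGGING_OPTIONS = {"AUDIT_LOGS", "FLOW_LOGS", "BOTH", "NONE"}


def validate_inputs(cfg: dict) -> list:
    """Return a list of problems; an empty list means the inputs look sound."""
    problems = []

    # Tag values: every resource the stack creates is tagged, so both must be set.
    for tag in ("CostCenter", "GeoLocation"):
        if not str(cfg.get("tags", {}).get(tag, "")).strip():
            problems.append(f"missing tag value for {tag}")

    # Compartment names: a parent and at least one workload compartment.
    if not str(cfg.get("parent_compartment", "")).strip():
        problems.append("parent compartment name is empty")
    workloads = cfg.get("workload_compartments", [])
    if not workloads:
        problems.append("at least one workload compartment name is required")
    if len(set(workloads)) != len(workloads):
        problems.append("workload compartment names must be unique")

    # Break-glass users get emergency access to everything, so check each address.
    users = cfg.get("break_glass_users", [])
    if not users:
        problems.append("at least one break-glass user email is required")
    for addr in users:
        if not EMAIL_RE.match(addr):
            problems.append(f"malformed break-glass email: {addr!r}")

    # Subnet CIDRs: must parse as network prefixes, and must not overlap each other.
    nets = {}
    for name in ("shared", "bastion"):
        raw = cfg.get("subnets", {}).get(name)
        try:
            nets[name] = ipaddress.ip_network(raw, strict=True)
        except (TypeError, ValueError):
            problems.append(f"invalid CIDR for {name} subnet: {raw!r}")
    if len(nets) == 2 and nets["shared"].overlaps(nets["bastion"]):
        problems.append("shared and bastion subnet CIDRs overlap")

    # Bastion allowlist: at least one block, each valid, and no catch-all prefix.
    allow = cfg.get("bastion_allowlist", [])
    if not allow:
        problems.append("bastion allowlist needs at least one CIDR block")
    for raw in allow:
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            problems.append(f"invalid allowlist CIDR: {raw!r}")
            continue
        if net.prefixlen == 0:
            problems.append(f"allowlist CIDR {raw} admits every address; narrow it")

    # Advanced logging must be one of the documented options (and cannot be disabled later).
    if cfg.get("advanced_logging") not in LOGGING_OPTIONS:
        problems.append(f"advanced_logging must be one of {sorted(LOGGING_OPTIONS)}")
    return problems


# Constructed sample inputs (documentation ranges, not real addresses).
GOOD_CONFIG = {
    "tags": {"CostCenter": "1234", "GeoLocation": "EU"},
    "parent_compartment": "lz-parent",
    "workload_compartments": ["app1"],
    "break_glass_users": ["ops@example.com"],
    "subnets": {"shared": "10.0.0.0/24", "bastion": "10.0.1.0/24"},
    "bastion_allowlist": ["203.0.113.0/24"],
    "advanced_logging": "BOTH",
}
BAD_CONFIG = {
    "tags": {"CostCenter": "", "GeoLocation": "EU"},
    "parent_compartment": "lz",
    "workload_compartments": ["app", "app"],
    "break_glass_users": ["not-an-email"],
    "subnets": {"shared": "10.0.0.0/24", "bastion": "10.0.0.128/25"},
    "bastion_allowlist": ["0.0.0.0/0"],
    "advanced_logging": "ALL",
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_inputs(cfg) or "ok")
```

Run it against your own dict before starting the Quickstart; an empty list from validate_inputs means the values are at least consistent, and each problem string names the input to fix. The catch-all check matters most: an allowlist of 0.0.0.0/0 makes the bastion reachable from anywhere, which defeats the point of the allowlist.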

After you start deployment, it takes about 7 to 9 minutes to provision fully. To view deployment progress, click Manage deployments.

When the landing zone is created, each template for deployment is listed as a stack in OCI Resource Manager. (Resource Manager is the service that builds the landing zone.) You can select each stack to view more details in the logs. For more information, see Managing Stacks and Jobs.

Audit Logs

When you enable audit logs, the Audit service automatically records calls to all supported OCI public API endpoints and logs them to the audit log. This includes all API calls made by the Console, CLI, software development kits (SDKs), and other OCI services.

After the audit log is created, you can manually enable write access logs to meet the Center for Internet Security (CIS) Oracle Cloud Infrastructure Benchmark.

VCN Flow Logs

When you enable VCN flow logs, details are recorded about the traffic that passes through your virtual cloud network (VCN). This information helps you audit traffic and investigate security risks.

Managing Your Landing Zone

OELZ v1 - Lite deploys resources into the root compartment of your tenancy. You can view and manage these resources in the relevant areas of the Console, such as Identity, Networking, and Governance.

Destroying the Stack

If you no longer need the OELZ v1 - Lite stack, destroy it by deleting it from the Stacks list in Resource Manager. For more information, see Managing Stacks and Jobs.