About the Resources in a Stack

Learn about the compute, network, and other resources created by a stack in Oracle Cloud Infrastructure for a domain in Oracle WebLogic Server for Oracle Cloud Infrastructure.

To obtain a list of all resources created for a specific domain, see View the Cloud Resources for a Domain.

Compute Instances

Depending on the number of nodes you specify for your Oracle WebLogic Server for Oracle Cloud Infrastructure stack configuration, one or more compute instances are created for your domain.

Each WebLogic Server compute instance name has the following format:

servicename-wls-n

Where:

  • servicename is the resource name prefix you provided during stack creation
  • n is 0, 1, 2, and so on

For example, a domain with two nodes would have the following compute instances if the resource prefix is thestack:

  • thestack-wls-0
  • thestack-wls-1

The first compute instance (with the suffix -wls-0) runs the WebLogic Administration server thestack_adminserver and the first Managed Server thestack_server_1. The second compute instance (with the suffix -wls-1) runs the second Managed Server thestack_server_2, and so on.

If you specified a private subnet for your domain, a bastion instance is created, which is identified by:

servicename-bastion-instance

If you created a JRF-enabled domain, and WebLogic Server and the database are on different VCNs, then Domain Name Service (DNS) compute instances are created:

  • servicename-wlsdns-0 - DNS Forwarder in the WebLogic Server VCN
  • servicename-dbsystem-dns - DNS Forwarder in the database VCN

Network Resources

Several network resources for route tables, security lists, and gateways are created for your Oracle WebLogic Server for Oracle Cloud Infrastructure domain.

Additional network resources are created if you specify a new virtual cloud network (VCN) or new subnets for an existing VCN during domain stack creation.

Your domain configuration determines the type and number of network resources created. The names of all network resources begin with the resource name prefix you provided during stack creation. The following table provides a summary of the resources that can be created.

Resource Name Type
servicename-vcnname WebLogic VCN
servicename-wls-subnet WebLogic regional subnet
servicename-wls-subnet-adname WebLogic availability domain-specific subnet
servicename-bastion-subnet public subnet for the bastion compute instance
servicename-lb-subnet-1 load balancer regional subnet
servicename-lb-subnet-1-adname1 availability domain-specific subnet 1 for load balancer node 1
servicename-lb-subnet-1-adname2 availability domain-specific subnet 2 for load balancer node 2
servicename-wls-dns-subnet-adname public subnet for the DNS Forwarder in the WebLogic VCN, for local VCN peering
servicename-dbsystem-dns-subnet-adname public subnet for the DNS Forwarder in the database VCN, for local VCN peering
Default route table for servicename-vcnname default route table for the WebLogic VCN
servicename-public-routetable route table for a subnet
servicename-dbsystem-routetable database route table, for local VCN peering
servicename-internet-gateway internet gateway for the WebLogic VCN
servicename-service-gateway service gateway for the WebLogic VCN
servicename-wls-lpg local peering gateway in the WebLogic VCN
servicename-dbsystem-lpg local peering gateway in the database VCN
Default security list for servicename-vcnname default security list for the VCN
servicename-internal-security-list security list for the WebLogic subnet
servicename-bastion-security-list security list for the bastion subnet
servicename-wls-bastion-security-list security list for the bastion and WebLogic subnets
servicename-wls-ms-security-list security list for the WebLogic Managed Servers
servicename-lb-security-list security list for the load balancer regional subnet
servicename-wls-lb-security-list-1 security list for the load balancer node 1 and WebLogic subnets
servicename-wls-lb-security-list-2 security list for the load balancer node 2 and WebLogic subnets
servicename-wls_dns_security_list security list for the DNS subnet in the WebLogic VCN, for local VCN peering
servicename-dbsystem-dns-security-list security list for the DNS subnet in the database VCN, for local VCN peering
Default DHCP Options for servicename-vcnname default set of Dynamic Host Configuration Protocol (DHCP) options for a new VCN
servicename-dhcpOptions copy of the default DHCP options in the WebLogic VCN
servicename-wls-dns-dhcp-option custom DNS routing in the WebLogic VCN, for local VCN peering
servicename-dbsystem-dns-dhcp-option custom DNS routing in the database VCN, for local VCN peering

Load Balancer

If you chose to create a load balancer for your domain, it is accessible from a single IP address and it distributes traffic across the managed servers in the domain.

The name of the load balancer resource has the following format:

servicename-lb

Where servicename is the resource name prefix you provided during stack creation.

The backend resource (which configures the load balancing policy) is identified by the name:

servicename-lb-backendset

The default listener is named https and it handles traffic on port 443. Attached to the listener are the following:

  • The rule set created with the name SSLHeaders. The rule set has the header rules WL-Proxy-SSL (value is true) and is_ssl (value is ssl).

  • The certificate demo_cert.

    Oracle recommends you add your own SSL certificate.

    See Managing SSL Certificates in the Oracle Cloud Infrastructure documentation and Add a Certificate to the Load Balancer.

Identity Resources for Dynamic Group and Root Policies

Oracle WebLogic Server for Oracle Cloud Infrastructure creates a dynamic group and one or more policies for your domain if the OCI Policies check box remains selected during stack creation.

The dynamic group and root-level (tenancy) policies allow compute instances in the domain to access:

  • Launch compute instances and manage block storage volumes.
  • Keys and secrets in Oracle Cloud Infrastructure Vault
  • Load balancer resources
  • The database wallet if you're using an Oracle Autonomous Transaction Processing (ATP) database to contain the required infrastructure schemas for a JRF-enabled domain
  • The database if you're using Oracle Cloud Infrastructure Database (DB System) to contain the required infrastructure schemas for a JRF-enabled domain

The names of the dynamic group and root-level policies are:

  • servicename-wlsc-principal-group (dynamic group)
  • servicename-osms-instance-principal-group
  • servicename-secrets-policy
  • servicename-lb-policy
  • servicename-atp-policy
  • servicename-db-network-policy

Where servicename is the resource name prefix you provided during stack creation.

For a single compartment, the matching rule created in the dynamic group is:

instance.compartment.id='ocid1.compartment.oc1..alongstring'

The rule states that all instances created in the compartment (identified by the compartment OCID) are members of the dynamic group.

The secrets policy has the following statements:

Allow dynamic-group servicename-wlsc-principal-group to read secret-bundles in tenancy

Where, target.secret.id is the OCID of the secret.

The required polices are created depending on the secrets used for the specified stack. For example: For a JRF stack, two separate policies are created, one for weblogic password and another for DB password.

The service policy has the following statements:
  • Allow dynamic-group servicename-wlsc-instance-principal-group to manage volume-family in tenancy
  • Allow dynamic-group servicename-wlsc-instance-principal-group to manage instance-family in tenancy

The osms policy has the following statement:

Allow dynamic-group servicename-osms-instance-principal-group to use osms-managed-instances in tenancy

The lb policy has the following statement:

Allow dynamic-group servicename-wlsc-principal-group to manage virtual-network-family in tenancy

The atp policy has this statement:

Allow dynamic-group servicename-wlsc-principal-group to manage autonomous-transaction-processing-family in tenancy

The db-network policy has this statement:

Allow dynamic-group servicename-wlsc-principal-group to manage virtual-network-family in compartment id ocid1.compartment.oc1..alongstring

Identity Resources for Oracle Identity Cloud Service

If you configure your domain to use Oracle Identity Cloud Service for authentication, Oracle WebLogic Server for Oracle Cloud Infrastructure provisions additional resources in Oracle Identity Cloud Service to support the domain.

These resources are not components of the stack, and so they are not visible in Resource Manager. In addition, they are not deleted automatically when you destroy the stack.

The names of the Oracle Identity Cloud Service resources have the following formats:

  • servicename_confidential_idcs_app_timestamp - Confidential Application
  • servicename_enterprise_idcs_app_timestamp - Enterprise Application
  • servicename_app_gateway_timestamp - App Gateway

Where:

  • servicename is the resource name prefix you provided during stack creation.
  • timestamp is the date and time on which the stack was created. For example, 2019-09-24T21:46:21.288662