This image shows an Oracle Cloud Infrastructure tenancy with compartments, management groups and some other resources in the Root compartment, like Policies, Events and Cloud Guard. An optional enclosing compartment can be used to contain the Landing Zone compartments: Network, Security, AppDev, Database, and Exadata. The dashed arrows at the top indicate overall admin permissions granted to management groups over resources across the compartments.
  • The Network compartment has the Virtual Cloud Networks (VCNs). By default, the template deploys a standard three-tier VCN with one regional public subnet and two regional private subnets. VCNs for supporting Exadata Cloud Service (ExaCS) can also be deployed. The ExaCS VCNs consist of two regional private subnets, client and backup.

    The Landing Zone VCNs can be deployed in standalone modes or peered in a Hub and Spoke architecture using a Dynamic Routing Gateway (DRG) and connected to an on-premises network.

    • The VCN type determines which gateways are attached to it. The standard three-tier VCNs can have all VCN gateways, while ExaCS VCNs are attached only to a DRG and a service gateway:
      • An internet gateway for connectivity to the public internet.
      • A NAT gateway for one-way connectivity from resources in the private subnets to the public internet.
      • A dynamic routing gateway (DRG) for private connectivity to the on-premises network.
      • A service gateway for connectivity to the Oracle services network (OSN).
    • Network access to the resources in each of the subnets is controlled by separate network security groups (NSGs).
    • The public subnet's route table contains rules to direct traffic destined for the public internet through the internet gateway and traffic bound for the on-premises network through the DRG.
    • The route tables of the private subnets contain a rule to direct traffic destined for the OSN through the service gateway. The route table of the App subnet has an additional rule to direct traffic bound for the public internet through the NAT gateway.
    • The route tables of Client and Backup subnets in the Exadata VCN do not provide any ingress or egress connectivity to the internet.
  • The Security compartment has the Events, Notifications, Vault, Logs, Topics, Vulnerability Scanning and Bastion resources.
  • The AppDev compartment has Object Storage buckets, and any other application-related resources you might need, such as compute instances, serverless functions, Kubernetes clusters, block volumes, file storage, and so on.
  • The Database compartment is for any database resources that you want to provision.
  • The optional Exadata compartment is for ExaCS resources, including the infrastructure, VM clusters and database systems. Alternatively, these resources can be deployed in the Database compartment and managed by Database administrators.
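The route table design described for the Network compartment (default route via the internet gateway only in the public subnet, NAT gateway only for the App subnet, OSN via the service gateway, no internet path from the DB and Exadata subnets) can be checked for drift. This is an added example, not part of the Landing Zone template; the sample route rules and OCIDs are constructed, and classifying a gateway from the OCID resource-type segment (internetgateway, natgateway, servicegateway, drg) is an assumption of this example.

```python
"""Check OCI route tables against the Landing Zone routing design.
Sample tables and OCIDs are constructed; gateway classification by
OCID resource type is an assumption of this example."""
from typing import Dict, List, Optional

Rule = Dict[str, str]
ANY = "0.0.0.0/0"

# Gateway type each subnet role may use for its default (0.0.0.0/0) route.
ALLOWED_DEFAULT_ROUTE: Dict[str, Optional[str]] = {
    "public": "internetgateway",  # public subnet -> internet gateway
    "app": "natgateway",          # private App subnet -> NAT gateway only
    "db": None,                   # private DB subnet: no internet path
    "exa-client": None,           # Exadata subnets: no internet ingress/egress
    "exa-backup": None,
}

def gateway_type(network_entity_id: str) -> str:
    # Assumption: OCID layout is ocid1.<resource-type>.<realm>... ; take the type.
    parts = network_entity_id.split(".")
    return parts[1] if len(parts) > 1 else "unknown"

def check_route_table(role: str, rules: List[Rule]) -> List[str]:
    """Return policy findings for one route table (empty means compliant)."""
    findings: List[str] = []
    allowed = ALLOWED_DEFAULT_ROUTE[role]
    for r in rules:
        gw = gateway_type(r["network_entity_id"])
        if r["destination_type"] == "SERVICE_CIDR_BLOCK" and gw != "servicegateway":
            findings.append(f"{role}: OSN traffic must use the service gateway, not {gw}")
        if r["destination"] == ANY and gw != allowed:
            findings.append(f"{role}: default route via {gw} is not permitted")
        if role != "public" and gw == "internetgateway":
            findings.append(f"{role}: private subnet must not use an internet gateway")
    return findings

def audit(tables: Dict[str, List[Rule]]) -> Dict[str, List[str]]:
    return {role: check_route_table(role, rules) for role, rules in tables.items()}

# Constructed sample: a compliant App table and a drifted DB table.
SAMPLE: Dict[str, List[Rule]] = {
    "app": [
        {"destination": "all-iad-services-in-oracle-services-network",
         "destination_type": "SERVICE_CIDR_BLOCK",
         "network_entity_id": "ocid1.servicegateway.oc1.iad.sample"},
        {"destination": ANY, "destination_type": "CIDR_BLOCK",
         "network_entity_id": "ocid1.natgateway.oc1.iad.sample"},
    ],
    "db": [
        {"destination": ANY, "destination_type": "CIDR_BLOCK",
         "network_entity_id": "ocid1.internetgateway.oc1.iad.sample"},
    ],
}
```

Running `audit(SAMPLE)` reports nothing for the App table and two findings for the DB table, which has acquired a default route through an internet gateway.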