This image shows an Oracle Cloud
Infrastructure Tenancy with compartments, Management Groups, and the following resources in the
Tenancy (Root Compartment): Budget, Policies, IAM Events, Cloud Guard, Budget Events,
Notifications, and Topic. Budget Events, Notifications, and Topic appear in a box with
a dotted line. The following are in Management Groups: Cost Admins, Storage Admins, Cred
Admins, Auditors, IAM Admins, Network Admins, Security Admins, App Admins, Database
Admins, and Exadata Admins.
An Enclosing Compartment is located inside the Tenancy (Root Compartment)
and contains Policies and the Security Zone. The following compartments reside within
the Enclosing Compartment: Network, Security, App, Database, and Exadata. The template
provisions Alarms, Events, Notifications, Topic, and Subscriber resources inside the
Network, Security, App, Database, and Exadata compartments.
The Network compartment has two Virtual Cloud Networks (VCNs): a VCN and an
Exadata VCN. By default, the template deploys a standard three-tier VCN with one
regional public subnet and two regional private subnets. The VCN has a Web Subnet, App
Subnet, and Database Subnet. The Exadata VCN has two regional private subnets: a Client
Subnet and a Backup Subnet. It also has Alarms, Events, Notifications, Topic, and
Subscriber resources.
- The type of VCN determines which gateways are attached to it. The
  standard three-tier VCN can have all of the VCN gateways listed below, while the Exadata VCN is
  attached only to a Dynamic Routing Gateway (DRG) and a Service Gateway:
  - An internet gateway for connectivity to the public
    internet.
  - A NAT gateway for one-way connectivity from resources in the
    private subnets to the public internet.
  - A DRG for private connectivity to the on-premises network in
    the Customer Data Center.
  - A service gateway for connectivity to the Oracle Services
    Network (OSN).
- Network access to the resources in each of the subnets is
controlled by separate network security groups. The VCN has a Bastion Network
Security Group, a Load Balancer (LBR) Network Security Group, and an Apps
Network Security Group. The Exadata VCN has a Client Network Security Group, and
a Backup Network Security Group.
- The public subnet's route table contains rules to direct traffic
destined for the public internet through the internet gateway and traffic bound
for the on-premises network through the DRG.
- The route tables of the private subnets contain a rule to direct
traffic destined for the OSN through the service gateway. The route table of the
App subnet has an additional rule to direct traffic bound for the public
internet through the NAT gateway.
- The route tables of Client and Backup subnets in the Exadata VCN do
not provide any ingress or egress connectivity to the internet.
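As an added example (not code from the page or from the Landing Zone template itself), the following Python encodes the route-table posture described above as a check and runs it over constructed route tables: a baseline that matches the description and a drifted copy in which the Database subnet gained a NAT route and the Exadata Client subnet gained an internet-gateway route. The subnet and gateway labels, the VCN labels, and the CIDRs are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Gateway types that provide a path to the public internet.
INTERNET_PATHS = {"internet_gateway", "nat_gateway"}


@dataclass
class RouteRule:
    destination: str   # CIDR, or the label "osn" for the Oracle Services Network
    target: str        # gateway type the rule points at (assumed labels)


@dataclass
class Subnet:
    name: str          # "web", "app", "database", "client", "backup" (assumed labels)
    vcn: str           # "three_tier" or "exadata" (assumed labels)
    public: bool
    rules: list[RouteRule] = field(default_factory=list)


def check_subnet(subnet: Subnet) -> list[str]:
    """Return findings where the subnet's routes diverge from the described posture."""
    findings: list[str] = []
    targets = {r.target for r in subnet.rules}

    if subnet.vcn == "exadata":
        # Client and Backup subnets: no ingress or egress connectivity to the internet.
        leaked = sorted(targets & INTERNET_PATHS)
        if leaked:
            findings.append(f"{subnet.name}: Exadata subnet routes via {leaked}; it must have no internet path")
        return findings

    if subnet.public:
        # Public subnet: internet through the IGW, on-premises through the DRG.
        for needed in ("internet_gateway", "drg"):
            if needed not in targets:
                findings.append(f"{subnet.name}: public subnet is missing its {needed} route")
        return findings

    # Private subnets of the three-tier VCN: OSN via the service gateway,
    # NAT egress only for the App subnet, never a direct internet gateway route.
    if "internet_gateway" in targets:
        findings.append(f"{subnet.name}: private subnet must not route through the internet gateway")
    if "nat_gateway" in targets and subnet.name != "app":
        findings.append(f"{subnet.name}: only the App subnet is expected to egress through the NAT gateway")
    if "service_gateway" not in targets:
        findings.append(f"{subnet.name}: private subnet is missing its service gateway route to the OSN")
    return findings


def audit(subnets: list[Subnet]) -> dict[str, list[str]]:
    """Run check_subnet over every subnet and keep only those with findings."""
    report: dict[str, list[str]] = {}
    for s in subnets:
        f = check_subnet(s)
        if f:
            report[s.name] = f
    return report


def baseline() -> list[Subnet]:
    """Constructed route tables that match the description (CIDRs are placeholders)."""
    return [
        Subnet("web", "three_tier", True, [
            RouteRule("0.0.0.0/0", "internet_gateway"),
            RouteRule("10.100.0.0/16", "drg"),          # on-premises, placeholder CIDR
        ]),
        Subnet("app", "three_tier", False, [
            RouteRule("osn", "service_gateway"),
            RouteRule("0.0.0.0/0", "nat_gateway"),
        ]),
        Subnet("database", "three_tier", False, [
            RouteRule("osn", "service_gateway"),
        ]),
        Subnet("client", "exadata", False, [
            RouteRule("osn", "service_gateway"),
            RouteRule("10.100.0.0/16", "drg"),
        ]),
        Subnet("backup", "exadata", False, [
            RouteRule("osn", "service_gateway"),
        ]),
    ]


def drifted() -> list[Subnet]:
    """Baseline plus two constructed misconfigurations a reviewer should catch."""
    subnets = baseline()
    by_name = {s.name: s for s in subnets}
    by_name["database"].rules.append(RouteRule("0.0.0.0/0", "nat_gateway"))
    by_name["client"].rules.append(RouteRule("0.0.0.0/0", "internet_gateway"))
    return subnets


if __name__ == "__main__":
    for name, findings in audit(drifted()).items():
        for line in findings:
            print(line)
```

The check deliberately keys on the gateway type of each rule rather than on the destination CIDR, because a private subnet can acquire an internet path through a route to any prefix that lands on an internet or NAT gateway, not only through `0.0.0.0/0`. Run against the baseline the audit returns an empty report; against the drifted tables it reports the Database and Client subnets.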
The Security compartment is provisioned with Vault and Keys, Vulnerability
Scanning, Logging, Service Connector Hub, Bastion, Object Storage Buckets, Alarms,
Events, Notifications, Subscriber, and Topic resources.
The App Compartment is provisioned with Object Storage buckets, Alarms,
Events, Notifications, Subscriber, and Topic resources. The App Compartment can contain
other application-related resources that you might need in addition to those provisioned
by the template. For example, the template does not provision the following resources:
Functions, Container Engine for Kubernetes clusters, Compute instances, Block Storage,
Streaming, and File Storage.
The Database Compartment is for any database resources that you want to
provision. It is provisioned with Object Storage buckets, Alarms, Events, Notifications,
Subscriber, and Topic resources. The template does not provision the databases,
including Oracle Autonomous Transaction Processing (ATP), Oracle Autonomous Data
Warehouse, VM Database, and Exadata Cloud Service.
The Exadata Compartment is for Exadata resources, including the infrastructure, VM clusters,
and database systems. It is provisioned with Object Storage buckets, Alarms, Events,
Notifications, Subscriber, and Topic resources. The template does not provision the
Exadata System. Alternatively, these resources can be deployed in the Database
Compartment and managed by Database administrators.
The arrows at the top indicate overall admin permissions granted to management groups
over resources across the compartments, as follows:
- Cost Admins send data to Budget and Budget Events in the Root Compartment.
- IAM Admins send data to the Budget Events, Notifications, Topic, and Policies in
the Root Compartment and Policies in the Enclosing Compartment. IAM Admins also
send data to Network Admins.
- Network Admins send data to the Network Compartment.
- Security Admins send data to IAM Events and Cloud Guard in the Root Compartment
and the Security Zone in the Network Compartment. Security Admins send data to
the Security Compartment.
- App Admins send data to the App Compartment.
- Database Admins send data to the Database Compartment.
- Exadata Admins send data to the Exadata Compartment.