To run your workloads in Oracle Cloud, you need a secure environment that you can operate efficiently. This reference architecture provides a Terraform-based landing zone template that meets the security guidance prescribed in the CIS Oracle Cloud Infrastructure Foundations Benchmark.
Landing Zone V2 brings in the ability of provisioning multiple VCNs, either in standalone mode or as constituent parts of a Hub and Spoke architecture. The VCNs can either follow a general purpose standard three-tier network topology or oriented towards specific topologies, like supporting Oracle Database Exadata Cloud Service deployments. They are out-of-box configured with the necessary routing, with their inbound and outbound interfaces properly secured.
The Landing Zone includes various preconfigured security services that can be deployed in tandem with the overall architecture for a strong security posture. These services are Oracle Cloud Guard, Flow Logs, Oracle Cloud Infrastructure Service Connector Hub, Vault with customer managed keys, Vulnerability Scanning, and Oracle Cloud Infrastructure Bastion service. Notifications are set using Topics and Events for alerting administrators about changes in the deployed resources.
The following diagram illustrates this reference architecture.
Description of the illustration oci-cis-landingzone.png
The architecture has the following components:
A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy.
An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy.
Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.The resources in this landing zone template are provisioned in the following compartments:
- A Network compartment for all the networking resources, including the required network gateways.
- A Security compartment for the logging, key management, and notifications resources.
- An AppDev compartment for the application-related services, including compute, storage, functions, streams, Kubernetes nodes, API gateway, and so on.
- A Database compartment for all database resources.
- An optional compartment for Exadata Cloud Service infrastructure.
The grayed out icons in the diagram indicate services that are not provisioned by the template.
This compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically separated among networking, security, application development, and database administrators.
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
By default, the template deploys a general purpose standard three-tier VCN with one public subnet and two private subnets. A public subnet is used for the load balancers and bastion servers. The application and database tiers are attached to separate private subnets. The template can also create VCNs to support the deployment of specific workloads, like Oracle Database Exadata Cloud Service.
- Internet gateway
The internet gateway allows traffic between the public subnets in a VCN and the public internet.
- Dynamic routing gateway (DRG)
The DRG is a virtual router that provides a path for private network traffic between on-premises networks and VCNs and can also be used to route traffic between VCNs in the same region or across regions.
- NAT gateway
A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.
- Service gateway
The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.
- Oracle services network
The Oracle services network (OSN) is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. These services have public IP addresses that you can reach over the internet. Hosts outside Oracle Cloud can access the OSN privately by using Oracle Cloud Infrastructure FastConnect or VPN Connect. Hosts in your VCNs can access the OSN privately through a service gateway.
- Network security groups (NSGs)
NSGs act as virtual firewalls for your cloud resources. With the zero-trust security model of Oracle Cloud Infrastructure, all traffic is denied, and you can control the network traffic inside a VCN. An NSG consists of a set of ingress and egress security rules that apply to only a specified set of VNICs in a single VCN.
Oracle Cloud Infrastructure services emit events, which are structured messages that describe the changes in resources. Events are emitted for create, read, update, or delete (CRUD) operations, resource lifecycle state changes, and system events that affect cloud resources.
The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low latency, and durable messages for applications hosted on Oracle Cloud Infrastructure.
Oracle Cloud Infrastructure Vault enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud.
- LogsLogging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:
- Audit logs: Logs related to events emitted by the Audit service.
- Service logs: Logs emitted by individual services such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
- Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
- Service connectors
Oracle Cloud Infrastructure Service Connector Hub is a cloud message bus platform that orchestrates data movement between services in OCI. You can use it to move data between services in Oracle Cloud Infrastructure. Data is moved using service connectors. A service connector specifies the source service that contains the data to be moved, the tasks to perform on the data, and the target service to which the data must be delivered when the specified tasks are completed.
You can use Oracle Cloud Infrastructure Service Connector Hub to quickly build a logging aggregation framework for SIEM systems.
- Cloud Guard
Oracle Cloud Guard helps you achieve and maintain a strong security posture in Oracle Cloud by monitoring the tenancy for configuration settings and actions on resources that could pose a security problem.
You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
- Vulnerability Scanning Service
Oracle Cloud Infrastructure Vulnerability Scanning Service helps improve the security posture in Oracle Cloud by routinely checking ports and hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.
- Bastion service
Oracle Cloud Infrastructure Bastion service provides restricted access from specific IP addresses to target OCI resources that do not have public endpoints using Identity-based, audited and time-bound Secure Shell (SSH) sessions.
- Object storage
Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
Use the following recommendations as a starting point to design and configure security for your cloud environment. Your requirements might differ from the architecture described here.
- Network configuration
For the VCN, select a CIDR block that doesn't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.
- Monitoring security
Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
- Secure resource provisioning
For resources that require maximum security, use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.
When implementing this reference architecture, consider the following factors:
- Access permissions
The Landing Zone template can provision resources as the tenancy administrator (any user that is a member of the Administrators group) or as a user with narrower permissions. See Explore More for "Deployment Modes for CIS OCI Landing Zone".
The Landing Zone includes policies to allow separate administrator groups to manage each compartment after the initial provisioning. The preconfigured policies are not exhaustive. When you add resources to the Terraform template, you must define the required additional policy statements.
The Landing Zone template provisions resources as the tenancy administrator (any user that is a member of the
Administratorsgroup), and it includes policies to allow separate administrator groups to manage each compartment after the initial provisioning. The preconfigured policies are not exhaustive. When you add resources to the Terraform template, you must define the required additional policy statements.
- Network Configuration
The Landing Zone network can be deployed in different ways: with one to multiple standalone VCNs or in a Hub & Spoke architecture with Oracle Cloud Infrastructure DRG V2 service. It is also possible to configure the network with no Internet connectivity. Although the Landing Zone allows for switching back and forth between standalone and Hub & Spoke, it is important to plan for a specific design, as manual actions might be needed when switching.
- Customizing the Landing Zone Template
The Terraform configuration has a single root module and individual modules to provision the resources. This modular pattern enables efficient and consistent code reuse. To add resources to the Terraform configuration (for example, compartments or VCNs), reuse the existing modules and add the necessary module calls, similar to the existing ones in the root module. Most modules accept a map of resource objects and new objects are just a new element in the map. For example, to add a new compartment, define a new object with the compartment information and add it to the existing compartment's map. To add objects to an existing container object (for example, to add a subnet to a VCN), add the subnet resources to the existing subnet's map.
The Terraform code for deploying this reference architecture is available in GitHub.
- Go to GitHub.
- Clone or download the repository to your local computer.
- Deploy the infrastructure by using Terraform, as described in
Note:The code that you download includes a script that you can use to check the security configuration of the resources in any tenancy. The script examines all the resource types referenced in the CIS Oracle Cloud Infrastructure Foundations Benchmark, and provides a summary compliance report. For more information about this script, including usage instructions, see
Learn more about setting up and operating a secure environment in Oracle Cloud.
- Best practices framework for Oracle Cloud Infrastructure
- Security checklist for Oracle Cloud Infrastructure
- CIS Oracle Cloud Infrastructure Foundations Benchmark
See the following blog posts about Landing Zone: