The image shows the security architecture underlying an implementation of an enterprise-scale baseline landing zone. It shows a tenancy (root compartment), labeled Level 0 (zero). Within the tenancy are a Cloud Guard instance and an IAM instance. Level 1 is a business unit compartment, which in turn contains two Level 2 compartments: one for common infrastructure, the other the application landing zone.

The business unit compartment contains a Cloud Guard instance, an Auditing service, and an IAM instance.

Within the common infrastructure compartment are two Level 3 compartments, one for security, the other for the network. The security compartment holds an optional subcompartment for third-party security solutions, a key vault, and these additional components and services:
  • Cloud Guard
  • Two Service Connector Hubs
  • Vulnerability scanning
  • Storage buckets
  • Logging Analytics service
  • Logging service
The subcompartment for third-party security solutions contains these services and components:
  • A service connector hub
  • A streaming service
  • A VM
  • An autonomous database

The network compartment contains a virtual cloud network (VCN), reached through an internet gateway, a NAT gateway, or a dynamic routing gateway, and a Bastion service for administrative access.

The application landing zone contains two Level 3 compartments, one for front-end applications, the other for back-office applications. Each is protected within a maximum security zone.

The tenancy Cloud Guard instance communicates with all other Cloud Guard instances to provide security monitoring across the architecture. The business unit (Level 1) Auditing service directs traffic through the Service Connector Hub in the security compartment, which passes it to the storage bucket. From there, key data is passed into the key vault. If the optional subcompartment for third-party security solutions is used, the business unit (Level 1) Auditing service also directs traffic through the subcompartment's Service Connector Hub to the streaming service, which pulls transactional data from the VM.

Data from the network compartment is passed to the Logging service, which then passes the appropriate data either back through the third-party subcompartment's Service Connector Hub to its streaming service or, through the security compartment's Service Connector Hub, on to the Logging Analytics service.
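The compartment hierarchy and the audit-log path described above can be expressed as Terraform for the OCI provider. The following is an added example written for this description; it is not code from the diagram's source project. The variable names, compartment names, and the assumption that a customer-managed key and the Oracle-managed "Maximum Security Recipe" are supplied as input OCIDs are placeholders, not values taken from the diagram.

```hcl
# Added example: compartment tree (Levels 0-3), Cloud Guard target, audit sink and
# Service Connector Hub flows from the diagram. All OCIDs and names are assumed inputs.
variable "tenancy_ocid" {}              # Level 0 root compartment (assumed input)
variable "object_storage_namespace" {}  # tenancy Object Storage namespace (assumed input)
variable "audit_kms_key_ocid" {}        # key in the security compartment's vault (assumed)
variable "max_security_recipe_ocid" {}  # Oracle-managed Maximum Security Recipe (assumed)
variable "logging_analytics_log_group_ocid" {}  # Logging Analytics log group (assumed)

# Level 1: business unit under the tenancy root
resource "oci_identity_compartment" "business_unit" {
  compartment_id = var.tenancy_ocid
  name           = "bu1"
  description    = "Level 1 business unit"
  enable_delete  = false
}

# Level 2: common infrastructure and application landing zone
resource "oci_identity_compartment" "common_infra" {
  compartment_id = oci_identity_compartment.business_unit.id
  name           = "common-infra"
  description    = "Level 2 shared infrastructure"
}
resource "oci_identity_compartment" "app_lz" {
  compartment_id = oci_identity_compartment.business_unit.id
  name           = "app-landing-zone"
  description    = "Level 2 application landing zone"
}

# Level 3: security/network under common infra, frontend/backoffice under the app LZ
locals {
  level3 = {
    security   = oci_identity_compartment.common_infra.id
    network    = oci_identity_compartment.common_infra.id
    frontend   = oci_identity_compartment.app_lz.id
    backoffice = oci_identity_compartment.app_lz.id
  }
}
resource "oci_identity_compartment" "level3" {
  for_each       = local.level3
  compartment_id = each.value
  name           = each.key
  description    = "Level 3 ${each.key} compartment"
}

# Cloud Guard target at the business unit: findings cover every child compartment
resource "oci_cloud_guard_target" "business_unit" {
  compartment_id       = oci_identity_compartment.business_unit.id
  display_name         = "bu1-target"
  target_resource_id   = oci_identity_compartment.business_unit.id
  target_resource_type = "COMPARTMENT"
}

# Maximum security zones on the two application compartments
resource "oci_cloud_guard_security_zone" "app" {
  for_each                = toset(["frontend", "backoffice"])
  compartment_id          = oci_identity_compartment.level3[each.key].id
  display_name            = "${each.key}-max-security-zone"
  security_zone_recipe_id = var.max_security_recipe_ocid
}

# Audit sink in the security compartment, encrypted with the vault key
resource "oci_objectstorage_bucket" "audit" {
  compartment_id = oci_identity_compartment.level3["security"].id
  namespace      = var.object_storage_namespace
  name           = "bu1-audit-logs"
  kms_key_id     = var.audit_kms_key_ocid
  versioning     = "Enabled"
}

# Service Connector Hub: business-unit audit logs (incl. subcompartments) -> bucket
resource "oci_sch_service_connector" "audit_to_bucket" {
  compartment_id = oci_identity_compartment.level3["security"].id
  display_name   = "bu1-audit-to-bucket"
  source {
    kind = "logging"
    log_sources {
      compartment_id = oci_identity_compartment.business_unit.id
      log_group_id   = "_Audit_Include_Subcompartment"
    }
  }
  target {
    kind               = "objectStorage"
    namespace          = var.object_storage_namespace
    bucket             = oci_objectstorage_bucket.audit.name
    object_name_prefix = "audit/"
  }
}

# Service Connector Hub: network-compartment service logs -> Logging Analytics
resource "oci_sch_service_connector" "network_logs_to_la" {
  compartment_id = oci_identity_compartment.level3["security"].id
  display_name   = "network-logs-to-logging-analytics"
  source {
    kind = "logging"
    log_sources {
      compartment_id = oci_identity_compartment.level3["network"].id
    }
  }
  target {
    kind         = "loggingAnalytics"
    log_group_id = var.logging_analytics_log_group_ocid
  }
}
```

Two checks a practitioner should make before relying on this: a service connector only moves data once an IAM policy grants the `serviceconnector` principal write access to the target (objects in the audit bucket, or the Logging Analytics log group), and the audit bucket's `kms_key_id` only takes effect if Object Storage is also allowed to use that key in the vault. Both policies are deliberately left out above because their exact wording depends on the tenancy's compartment names.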