Understand the Design Principles

Use the design principles for security, modularity, and deployment described here to ensure an optimal Enterprise Baseline Landing Zone implementation.

Prioritize Security

Security first, always! Landing Zones follow the Oracle Cloud principles for security, meaning that security is the utmost priority in each and every design produced. Oracle will not compromise on security, as it is the most fundamental and crucial aspect of designing a scalable and repeatable architecture within a Landing Zone. Security is therefore enforced in as many ways as possible within each Landing Zone, through the use of OCI cloud native solutions throughout the architecture.

Understand Landing Zone Modules

The Enterprise Scale Baseline Landing Zone is composed of multiple Terraform modules. The modules are written to work together in a stack.

Use Non-Breaking Changes

The Enterprise Scale Baseline Landing Zone provides updates over time, in the form of bug fixes and feature releases, to ensure that value is continuously added to customers' deployments. To ensure these updates are non-disruptive, the Landing Zones release process is agile, so that when updates are released, they won't disrupt new or existing deployments.

Use Workload Expansion

Workload expansion is an additional stack that contains all the configuration needed to prepare the Landing Zone for a workload deployment. Once you have deployed the Enterprise Baseline Landing Zone stack, you can deploy this expansion on top of the baseline and then migrate your workload when ready.

The expansion stack is stackable, meaning that once the first workload is deployed, the stack can be re-run to deploy additional workloads into the Landing Zone.

You can also go directly to the GitHub repository and access the code for the Enterprise Scale Baseline Landing Zone (refer to the Deploy article, elsewhere in this playbook).

Workload Expansion Architecture Compartments

Workload Expansion creates a separate Workload compartment each time you run the stack, allowing you to segment your workloads based on department, team, and so on. Each compartment is built within the Applications compartment already deployed by the Baseline.

Illustration: elz-we-compartment.png

Networking

Workload Expansion also provisions additional private subnets so you can securely isolate your workloads from one another.

Illustration: elz-we-vcn.png

Identity

Workload Expansion provisions both a Workload-Admin, with permissions to manage resources in the compartment, and a Workload-Storage-User, to use instances created within the compartment.

Illustration: elz-we-iam.png

Migrate Your Workloads

Once you have completed the steps for deployment, you are ready to plan the migration of your workloads into your Landing Zone, assured that you have created a solid, secure foundation on which to begin your OCI journey.