Understand the Enterprise Baseline Landing Zone Architecture

The basic architectural structure of the Enterprise Baseline Landing Zone is based on compartments, as shown in this diagram:

Illustration: elz-compartment.png

Understand the Architecture Components

This architecture comprises these components:
  • Tenancy

    A tenancy is your account. It contains all of the resources you choose to build within a given region anywhere in the world. You may subscribe to multiple regions and, if needed, deploy a Landing Zone in each new region.

  • Compartments

    Compartments are logical groupings of resources within your tenancy. They let you structure your environment, create a layer of logical separation, manage access to resources, and report against those resources from a budgeting perspective.

Within the Landing Zone we deploy the following compartments:
  • Parent Compartment

    The Parent compartment lives within your root compartment and contains all of the related Landing Zone resources. This lets you easily manage additional resources specific to the Landing Zone and report against those resources for smoother operational management.

  • Common Infra Compartment

    The Common Infra compartment contains resources related to network and security. When you are ready to migrate onto OCI, an additional common infra compartment contains the workload-related resources that you deploy through the workload expansion stack.

  • Network Compartment

    Resources for networking and connectivity are created in this compartment. These resources include the virtual cloud network (VCN), subnets, gateways, and other related components.

  • Security Compartment

    All resources related to security and monitoring are created in this compartment. Resources related to governance, such as logging, notifications, and events, are also created in this compartment.

Understand Identity and Access Management Policies

Identity policies define who in your organization has control of and access to resources within OCI. In addition to the policies defined, you can also provide federated access to your on-premises users by using Active Directory.

This diagram illustrates the distribution of IAM policies across the baseline Enterprise Landing Zone architecture:

Illustration: elz-identity.png

Understand Virtual Cloud Networks

A virtual cloud network (VCN) is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN.

This diagram illustrates a VCN within a compartment topology and how those VCNs are divided into subnets:

Illustration: elz-vcn.png

The internet gateway is a virtual router that connects the edge of the VCN to the internet, allowing direct connectivity to the internet. The Enterprise Scale Baseline Landing Zone creates an internet gateway and, along with it, the following components:
  • Route Table

    Route tables are used to map the traffic of a VCN from subnets through gateways to external destinations. The Enterprise Scale Baseline Landing Zone creates a route table that is associated with the internet gateway. You must create rules in the route table to allow necessary traffic to go to the internet gateway. The rules will depend on your workloads.

  • Network Address Translation (NAT) gateway

    A NAT gateway gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections. The Enterprise Scale Baseline Landing Zone creates a NAT gateway for the landing zone deployment. It also creates a route table and route rules to route traffic from each of your workload compartments. The actual route rules depend on your workloads. Create the rules when you move your workloads to OCI.

Understand Subnets

You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
The Enterprise Scale Baseline Landing Zone creates a single VCN with multiple subnets designed for different purposes:
  • Subnet-Public

    A public subnet hosts all internet-facing servers and resources, including load balancers. You must secure this subnet with the correct Cloud Guard recipes and other security features, as described in Security.

  • Subnet-Shared Services

    A private subnet hosts all common or shared services that your organization uses. Depending on your applications, you must create security lists to allow the network traffic between servers in your cloud tenancy (east/west traffic) to enter and exit this subnet. Create security lists during the deployment of your workloads.

  • Subnet Bastion Service

    A private subnet that hosts the Bastion service. Bastion provides restricted and time-limited access to target resources that don't have public endpoints. Configuring bastions is important to ensure that your organization's cloud administrators can access resources that reside in private subnets.
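As an added example (not part of the Oracle documentation or the Landing Zone stack), the check below validates a constructed subnet plan against the constraints this section states: VCN CIDR blocks must not overlap each other, every subnet must fall inside a VCN block, and subnets in the VCN must not overlap one another. The CIDR values and the public/private flags are assumptions chosen for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan modelled on the Landing Zone's single VCN with its
# three subnets. The CIDRs and flags are assumptions, not values from the stack.
VCN_CIDRS = ["10.0.0.0/16"]
SUBNET_PLAN: Dict[str, Tuple[str, bool]] = {
    "Subnet-Public":          ("10.0.1.0/24", True),   # internet-facing
    "Subnet-Shared Services": ("10.0.2.0/24", False),  # private, east/west only
    "Subnet Bastion Service": ("10.0.3.0/26", False),  # private, Bastion endpoints
}


def validate_plan(vcn_cidrs: List[str], plan: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    vcns = [ipaddress.ip_network(c, strict=True) for c in vcn_cidrs]

    # A VCN may carry several CIDR blocks, but they must not overlap each other.
    for i, a in enumerate(vcns):
        for b in vcns[i + 1:]:
            if a.overlaps(b):
                findings.append(f"VCN CIDRs overlap: {a} and {b}")

    # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.1/24).
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for name, (cidr, _is_public) in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR {cidr!r} ({exc})")

    # Every subnet must be carved out of one of the VCN's CIDR blocks.
    for name, net in nets.items():
        if not any(net.subnet_of(v) for v in vcns):
            findings.append(f"{name}: {net} is outside every VCN CIDR block")

    # Subnets within the VCN must not overlap one another.
    names = list(nets)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            if nets[n1].overlaps(nets[n2]):
                findings.append(f"{n1} ({nets[n1]}) overlaps {n2} ({nets[n2]})")
    return findings


def public_subnets(plan: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Names of internet-facing subnets, i.e. the ones that need the stricter review."""
    return [name for name, (_cidr, is_public) in plan.items() if is_public]
```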

Federate Your Landing Zone with Microsoft Active Directory

You have the option to federate the Enterprise Scale Baseline Landing Zone with Microsoft Active Directory.

Use the same group names in OCI that you use for Active Directory. To do this, pass the Active Directory group names as variables to the Enterprise Scale Baseline Landing Zone Terraform module. The groups will be created by the landing zone and mapped to your Active Directory groups.

The following diagram shows the Microsoft Active Directory federation supported by the Enterprise Scale Baseline Landing Zone.

Illustration: elz-adfs.png

Understand Security

Security in this architecture is provided by employing a bastion, Cloud Guard, a Vulnerability Scanning Service (VSS), and security lists.

This diagram shows the topology of the security implementation for the Enterprise Baseline Landing Zone.

Illustration: elz-security.png

The main security components are:
  • Bastion

    Bastion provides secured, session-based access to resources without public endpoints. Bastions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions.

  • Cloud Guard

    Cloud Guard is a cloud-native service that helps customers monitor, identify, achieve, and maintain a strong security posture on Oracle Cloud.

    When you provision Cloud Guard resources by using the Enterprise Scale Baseline Landing Zone stack, the target is all resources within the parent compartment. The Enterprise Scale Baseline Landing Zone includes two Oracle-managed recipes: OCI Configuration Detector Recipe and OCI Activity Detector Recipe. These detector recipes perform checks and identify potential security problems on your resources.

  • Vulnerability Scanning Service (VSS)

    Vulnerability Scanning helps improve your security posture by routinely checking your cloud resources for potential vulnerabilities.

  • Security lists

    Security lists are virtual firewalls that let you control ingress and egress traffic. The Enterprise Scale Baseline Landing Zone creates a security list associated with the internet gateway. The actual ingress and egress rules will depend on your workloads and the traffic that you want to allow. Configure the ingress and egress rules when you move your workloads to OCI.
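As an added example (not part of the Oracle documentation or the Landing Zone stack), the review below runs over a constructed set of ingress rules for the public subnet and flags anything open to 0.0.0.0/0 beyond the web ports an internet-facing load balancer needs, the kind of finding the configuration detector recipe above raises. The rule dictionaries are a simplified assumption modelled on security list rules (source CIDR, protocol, optional TCP/UDP port range); the values are constructed.

```python
from typing import Dict, List, Set

ANYWHERE = "0.0.0.0/0"

# Constructed ingress rules for the public subnet. A rule without port_min/port_max
# is taken to mean "all ports" for that protocol (an assumption of this example).
SAMPLE_INGRESS_RULES: List[Dict] = [
    {"source": ANYWHERE,      "protocol": "tcp", "port_min": 443, "port_max": 443},
    {"source": ANYWHERE,      "protocol": "tcp", "port_min": 22,  "port_max": 22},
    {"source": "10.0.0.0/16", "protocol": "tcp", "port_min": 1,   "port_max": 65535},
    {"source": ANYWHERE,      "protocol": "all"},
]

# Ports an internet-facing load balancer legitimately exposes; anything else that
# is reachable from the whole internet should be justified before workloads move in.
ALLOWED_PUBLIC_PORTS: Set[int] = {80, 443}


def review_ingress(rules: List[Dict], allowed_ports: Set[int] = ALLOWED_PUBLIC_PORTS) -> List[str]:
    """Return one finding per rule that exposes more than the allowed ports to 0.0.0.0/0."""
    findings: List[str] = []
    for idx, rule in enumerate(rules):
        if rule["source"] != ANYWHERE:
            continue  # east/west sources inside the tenancy are reviewed separately
        proto = rule.get("protocol", "all")
        if proto == "all":
            findings.append(f"rule {idx}: all protocols and ports open to the internet")
            continue
        if proto in ("tcp", "udp"):
            lo = rule.get("port_min", 1)
            hi = rule.get("port_max", 65535)
            # The range is acceptable only if every port in it is an allowed one.
            allowed_in_range = sum(1 for p in allowed_ports if lo <= p <= hi)
            if (hi - lo + 1) > allowed_in_range:
                findings.append(
                    f"rule {idx}: {proto} ports {lo}-{hi} open to the internet "
                    f"beyond the allowed {sorted(allowed_ports)}"
                )
        else:
            findings.append(f"rule {idx}: protocol {proto!r} open to the internet")
    return findings
```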