1. Deploy .NET applications on Oracle Cloud Infrastructure
  2. Deploy .NET Applications on Oracle Cloud Infrastructure

Deploy .NET Applications on Oracle Cloud Infrastructure

Application containers provide many advantages because they are immutable, they provide a portable infrastructure, and can scale easily. Organizations running .NET applications can take advantage of such benefits, containerizing and deploying their .NET applications on Oracle Cloud Infrastructure (OCI) .

The .NET applications need to be ported from .NET Framework to .NET to run on Linux containers. In this architecture, an Oracle database is the application’s underlying database. If the existing .NET application is using a different database, you can use certain tools and migration methods to migrate such databases to Oracle database in OCI.

Architecture

This architecture underlies the infrastructure necessary to deploy .NET applications on OCI.

The following diagram illustrates this reference architecture.

Description of deploy-net-oci-arch.png follows
Description of the illustration deploy-net-oci-arch.png

deploy-net-oci-arch-oracle.zip

This architecture has the following components:
  • Tenancy

    When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for your company. A tenancy is a secure and isolated partition within Oracle Cloud Infrastructure wherein you can create, organize, and administer your cloud resources.

  • Region

    An OCI region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Compartment

    Compartments are cross-region logical partitions within an OCI tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domains

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an OCI region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end. The load balancer provides access to different applications.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Internet gateway

    The Internet Gateway is an optional virtual router you can add to your VCN to enable direct connectivity to the internet.

  • Container registry

    Oracle Cloud Infrastructure Registry (also known as Container Registry) is an Oracle-managed registry that enables you to simplify your development to production workflow. Container Registry makes it easy for you as a developer to store, share, and manage container images (such as Docker images). And the highly available and scalable architecture of OCI ensures you can reliably deploy your applications, so you don't have to worry about operational issues or scaling the underlying infrastructure.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Security zone

    Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks for an entire compartment. A security zone is associated with a compartment of the same name and includes security zone policies or a "recipe" that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Container Engine for Kubernetes

    Oracle Container Engine for Kubernetes (OKE) is an Oracle-managed container orchestration service that can reduce the time and cost to build modern cloud native applications. DevOps engineers can use unmodified, open source Kubernetes for application workload portability and to simplify operations with automatic updates and patching.

  • Oracle Database Cloud Service

    Oracle Database Cloud Service lets you easily build, scale, and secure Oracle databases in the cloud. You create databases on DB Systems, as a virtual machines with block volumes, both of which provide high performance and cost-efficient pricing. The service also enables support for 'cloud-first' Oracle RAC implementation on virtual machine servers at the virtual cloud network layer.

Recommendations

Use the following recommendations as a starting point when deploying .NET applications on OCI.Your requirements might differ from the architecture described here.
  • VCN

    When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

    Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

    After you create a VCN, you can change, add, and remove its CIDR blocks.

    When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

    Use regional subnets.

  • Security

    Use Oracle Cloud Guard to monitor and maintain the security of your resources in OCI proactively. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

    For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, OCI validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.

  • Cloud Guard

    Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.

    Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.

    You can also use the Managed List feature to apply certain configurations to detectors.

  • Security zones

    Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, and Database resources, comply with Oracle security principles.

    A security zone is associated with a compartment and a security zone recipe. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the list of policies defined in the security zone recipe. If any security zone policy is violated, then the operation is denied.

  • Network security groups (NSGs)

    You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application. You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.

  • Load balancer bandwidth

    While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth, or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer.

Considerations

Consider the following points when deploying this reference architecture.

  • Application Porting

    .NET Applications needs to be ported from .NET Framework to .NET.

  • Accessibility

    The proposed architecture will not use a CDN by default, however it can be extended when needed to incorporate a CDN in OCI.

  • State Management

    The database will be deployed outside the container to better manage its state availability.

  • Availability

    The Architecture uses an OCI load balancer instead of Kubernetes ingress.

Deploy

To deploy this architecture, follow the instructions here:

Deploy Oracle Container Engine for Kubernetes

Explore More

Learn more about deploying .NET applications on Oracle Cloud Infrastructure.

Review these additional resources:

Acknowledgements

  • Author: Maher Al Dabbas
  • Contributor: Dawn Tyler (Illustrator)