The image illustrates the architecture of an Oracle Integration 3 deployment on top
of an Oracle Self-Service Landing Zone. It shows a tenancy containing these
management groups:
- SDDC admins
- Cred admins
- Announcement admins
- Auditors
- Identity and access management (IAM) admins, who administer policies
- Network admins, who can access the enclosing compartment
- Security admins, who administer Events and Cloud Guard instances
- AppDev admins
- Database admins
The included compartments are:
- Optional enclosing compartment
- Security compartment
- App compartment
- Database compartment
The network admins communicate with the optional enclosing compartment, which contains a
primary VCN, itself containing three subnets: a web subnet, an app subnet, and a
database subnet. Access to these subnets is controlled by a security list. Each subnet
has a route table that identifies a destination and the target through which it reaches that
destination:
- For the web subnet:
  - Destination: Internet; Target: internet gateway (IGW)
  - Destination: AWS tenancy; Target: dynamic routing gateway (DRG)
- For the app subnet:
  - Destination: Internet; Target: NAT gateway
  - Destination: AWS tenancy; Target: DRG
  - Destination: customer; Target: service gateway (SGW)
- For the database subnet:
  - Destination: AWS tenancy; Target: DRG
  - Destination: Oracle Service Network (OSN); Target: SGW
The VCN also contains four network security groups: the bastion network security
group, the load balancer network security group, the apps network security group, and the
database network security group. Access to each network security group is controlled by a
security list. Also within the compartment is an OAC VCN, which contains a provisioning subnet.
Security admins communicate with the security compartment, which contains these
services:
- Notifications
- Topic
- Vault/customer management key
- Logging
- Service connector hub
- Object storage buckets
- Bastion
AppDev admins communicate with the apps compartment, which contains these services
(note that some are disabled in this architecture):
- Object storage buckets
- Compute (disabled)
- Functions (disabled)
- Container engine for Kubernetes (disabled)
- Block storage (disabled)
- OCI streaming (disabled)
- File storage (disabled)
- API gateway (disabled)
- CCVS services with four DM instances:
Database admins communicate with the database compartment, which contains these
services, all of which are disabled in this architecture:
- Oracle autonomous transaction processing (ATP)
- Oracle autonomous data warehouse
- VM database
- Bare Metal database
- Exadata cloud service
Internet users communicate with the primary VCN through an internet gateway, whereas the
primary VCN responds through a NAT gateway. A customer data center uses a site-to-site
VPN or FastConnect to reach either the primary VCN or the OAC VCN through the DRG, which then
passes traffic through DRG attachments to each VCN. Both of these VCNs can then direct
traffic to OSN instances through service gateways.