This image shows a tenancy (root compartment) containing management groups and an enclosing compartment (which is optional in this architecture). The tenancy also contains the Policies, Events, and Cloud Guard services.

The management group contains auditors and these administrators:
  • Identity and Access Management (IAM)
  • Credential (Cred)
  • Announcement
  • Network
  • Security
  • Application development
  • Database
  • Exadata
The enclosing compartment contains:
  • Network compartment
  • Security compartment
  • Application development compartment
  • Database compartment
It also contains, external to any of these compartments, Policies and Events services.
Within the Network compartment are five virtual cloud networks (VCNs):
  • A DMZ VCN containing indoor and outdoor subnets, a management subnet, a high-availability subnet, and a diagnostic subnet. The indoor subnet is protected by firewalls.
  • A primary VCN, containing a web subnet, an app subnet, a database subnet and network security groups for the bastion, a load balancer, applications, and the database.
  • VCN 2, containing a web subnet, an app subnet, a database subnet and network security groups for the bastion, a load balancer, applications, and the database.
  • Exadata VCN 1, containing a client subnet and a backup subnet along with network security groups for both.
  • Exadata VCN 2, containing a client subnet and a backup subnet along with network security groups for both.
The Network compartment is connected to the public internet via an internet gateway and a NAT gateway on the DMZ VCN. The VCNs within the Network compartment are securely connected by dynamic routing gateways, as is the customer data center, which resides outside the tenancy. All of the VCNs within the Network compartment also communicate bidirectionally with the Oracle Services Network (OSN) through service gateways.

The security compartment contains these components: notifications, topics, vulnerability scanning, logs, service connector hubs, and object storage buckets.

The application development compartment contains these components: object storage buckets, Compute, Functions, Oracle Container Engine for Kubernetes (OKE), Block Storage, File Storage, Streams, and an API Gateway.

The database compartment contains these components: Autonomous Data Warehouse, VM database, Bare Metal database, and an Exadata database.

The Exadata compartment, which is optional, contains the Exadata system.

Traffic flows from the IAM admins to the Policies and Events services in the tenancy, directly to the wider management group, and to the Policies service within the enclosing compartment.

Traffic flows from the Network admins to the Network compartment.

Traffic flows from the Security admins to the Events and Cloud Guard services in the tenancy, to the Events service within the enclosing compartment, and to the Security compartment.

Traffic flows from:
  • Application development admins to the Application Development compartment.
  • Database admins to the Database compartment.
  • Exadata admins to the Exadata compartment.
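The admin-to-compartment flows above describe a least-privilege layout in which each administrator group is scoped to one compartment, with the Security admins additionally reaching tenancy-level Cloud Guard and Events. The following Terraform for the OCI provider is an added example written for this page, not the diagram's own code or Oracle's landing-zone code; it models the enclosing compartment, the Network and Security child compartments, the two corresponding admin groups, and one policy per group. The tenancy OCID, compartment names, group names, and policy statements are all assumptions.

```hcl
# Added example (not from the page or from Oracle): the enclosing compartment,
# two child compartments, two admin groups and their scoped policies.
# All names and the tenancy OCID are assumptions.

variable "tenancy_ocid" {
  description = "OCID of the tenancy (root compartment); supply a real value"
  type        = string
}

# Optional enclosing compartment that holds the workload compartments.
resource "oci_identity_compartment" "enclosing" {
  compartment_id = var.tenancy_ocid
  name           = "enclosing"
  description    = "Enclosing compartment for the landing-zone compartments"
  enable_delete  = false
}

resource "oci_identity_compartment" "network" {
  compartment_id = oci_identity_compartment.enclosing.id
  name           = "network"
  description    = "VCNs, gateways and network security groups"
}

resource "oci_identity_compartment" "security" {
  compartment_id = oci_identity_compartment.enclosing.id
  name           = "security"
  description    = "Notifications, logs, scanning and service connectors"
}

# Groups are created at the tenancy level, like the management group in the diagram.
resource "oci_identity_group" "network_admins" {
  compartment_id = var.tenancy_ocid
  name           = "network-admins"
  description    = "Administers the Network compartment only"
}

resource "oci_identity_group" "security_admins" {
  compartment_id = var.tenancy_ocid
  name           = "security-admins"
  description    = "Administers the Security compartment plus Cloud Guard and Events"
}

# A policy attached to a compartment can only grant access to that compartment
# and its children, so attaching this one to the enclosing compartment caps the
# blast radius of a mistaken statement. Nested compartments use parent:child.
resource "oci_identity_policy" "network_admins" {
  compartment_id = oci_identity_compartment.enclosing.id
  name           = "network-admins-policy"
  description    = "Network admins manage networking in the Network compartment"
  statements = [
    "Allow group ${oci_identity_group.network_admins.name} to manage virtual-network-family in compartment ${oci_identity_compartment.enclosing.name}:${oci_identity_compartment.network.name}",
    "Allow group ${oci_identity_group.network_admins.name} to read audit-events in compartment ${oci_identity_compartment.enclosing.name}:${oci_identity_compartment.network.name}",
  ]
}

# The Security admins' tenancy-level flows (Cloud Guard, Events) need a policy
# attached to the tenancy; the compartment-scoped flows get a separate policy.
resource "oci_identity_policy" "security_admins_tenancy" {
  compartment_id = var.tenancy_ocid
  name           = "security-admins-tenancy-policy"
  description    = "Security admins operate Cloud Guard and Events at tenancy level"
  statements = [
    "Allow group ${oci_identity_group.security_admins.name} to manage cloud-guard-family in tenancy",
    "Allow group ${oci_identity_group.security_admins.name} to manage cloudevents-rules in tenancy",
  ]
}

resource "oci_identity_policy" "security_admins_compartment" {
  compartment_id = oci_identity_compartment.enclosing.id
  name           = "security-admins-compartment-policy"
  description    = "Security admins manage the Security compartment's services"
  statements = [
    "Allow group ${oci_identity_group.security_admins.name} to manage ons-family in compartment ${oci_identity_compartment.enclosing.name}:${oci_identity_compartment.security.name}",
    "Allow group ${oci_identity_group.security_admins.name} to manage logging-family in compartment ${oci_identity_compartment.enclosing.name}:${oci_identity_compartment.security.name}",
    "Allow group ${oci_identity_group.security_admins.name} to manage object-family in compartment ${oci_identity_compartment.enclosing.name}:${oci_identity_compartment.security.name}",
  ]
}
```

The split between a tenancy-attached policy and an enclosing-compartment-attached policy mirrors the two kinds of flow in the description: only the statements that genuinely need tenancy scope (Cloud Guard, Events) live in the tenancy policy, and everything else is written where it cannot reach outside the enclosing compartment. The same pattern extends to the Application development, Database, and Exadata admins with their respective resource families.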