Modernize Your Application Development with OCI-Managed PostgreSQL, Redis, and OpenSearch
Modernize your enterprise applications to meet the evolving demands of customers, suppliers, employees, and regulators by enhancing performance, scalability, resilience, security, and cost efficiency. This architecture illustrates application modernization using enterprise-grade open-source technologies, such as OCI managed PostgreSQL, OpenSearch, Redis, and Kubernetes.
Organizations seeking business flexibility, operational agility, service continuity, improved user experience, enhanced performance, reduced costs, and holistic platform governance are increasingly turning to application modernization to gain a competitive edge. Cloud-native applications and managed services are excellent levers to achieve application modernization.
The modernization strategies that include re-platforming, re-factoring, or re-architecting applications are facilitated by open-source and cloud-native technologies as they substantially reduce training cost and operational overhead.
This reference architecture illustrates the deployment of a modern application on Oracle Cloud Infrastructure (OCI) using OCI Kubernetes Engine for the application front end, Redis for caching, PostgreSQL for transactional data, and OpenSearch for advanced search and for log and trace analysis. This multi-database implementation is ideal for industries that manage diverse data types, such as e-commerce, gaming, social media, and FinTech, where performance, scalability, resilience, ease of operation, security, and governance are critical.
Architecture
This architecture demonstrates a modern application deployment on OCI. Use this architecture to modernize applications through microservices and OCI-managed open-source databases, ensuring efficient data retrieval and robust analysis capabilities on a scalable and secure platform.
In this reference architecture, you will modernize your application by leveraging a microservices deployment coupled with OCI-managed, open-source technologies, such as OCI Kubernetes Engine (OKE) for orchestrating and scaling your application frontend, PostgreSQL for data persistence, Redis and Valkey as a cache layer for accelerated data retrieval, and OpenSearch for fast and accurate search and analysis capabilities. These services, coupled with OCI's inherent scalability and comprehensive security features, provide a solid foundation for modernizing applications on OCI.
The following diagram illustrates this reference architecture.
Illustration: oke-architecture-diagram.png
The architecture has the following components:
- Managed service
A managed service provides specific functionality without requiring you to perform maintenance tasks related to optimizing performance, availability, scaling, security, or upgrading. A managed service enables you to focus on delivering features for your customers instead of worrying about the complexity of operations. A managed service provides a scalable and secure component for cloud-native development. Use managed services to develop and run your app and to store its data. You get best-in-class solutions without needing expertise in each domain to build and operate your app.
- Kubernetes Engine
Oracle Cloud Infrastructure Kubernetes Engine (OCI Kubernetes Engine or OKE) is a fully-managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Kubernetes Engine provisions them on Oracle Cloud Infrastructure in an existing tenancy. OKE uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.
- Cache with Redis
Oracle Cloud Infrastructure Cache with Redis is a comprehensive, managed, in-memory caching solution built on the foundation of open source Redis. This fully managed service accelerates data reads and writes, significantly enhancing application response times and database performance to provide an improved customer experience.
- Database with PostgreSQL
Oracle Cloud Infrastructure Database with PostgreSQL is a managed PostgreSQL service that frees up your team from routine tasks, such as patching and backups. Its standout feature is OCI Database optimized storage, which boosts system resilience and performance. OCI Database with PostgreSQL allows you to independently scale compute and storage. Additionally, it provides enhanced data security with end-to-end encryption.
- Search with OpenSearch
OCI Search with OpenSearch is a managed service that you can use to build in-application search solutions based on OpenSearch to enable you to search large data sets and return results in milliseconds, without having to focus on managing your infrastructure. OpenSearch has observability features for metrics, traces, and log analysis.
- Bastion service
Oracle Cloud Infrastructure Bastion provides restricted and time-limited secure access to resources that don't have public endpoints and that require strict resource access controls, such as bare metal and virtual machines, Oracle MySQL Database Service, Autonomous Transaction Processing (ATP), Oracle Cloud Infrastructure Kubernetes Engine (OKE), and any other resource that allows Secure Shell Protocol (SSH) access. With OCI Bastion service, you can enable access to private hosts without deploying and maintaining a jump host. In addition, you gain improved security posture with identity-based permissions and a centralized, audited, and time-bound SSH session. OCI Bastion removes the need for a public IP for bastion access, eliminating the hassle and potential attack surface when providing remote access.
- Identity and Access Management
Oracle Cloud Infrastructure Identity and Access Management (IAM) provides user access control for Oracle Cloud Infrastructure (OCI) and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within them. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.
- Object storage
OCI Object Storage provides access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store data directly from the internet or from within the cloud platform. You can scale storage without experiencing any degradation in performance or service reliability.
Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
- Key Vault
Oracle Key Vault securely stores encryption keys, Oracle Wallets, Java KeyStores, SSH key pairs, and other secrets in a scalable, fault-tolerant cluster that supports the OASIS KMIP standard and deploys in OCI, Microsoft Azure, Amazon AWS, and Google Cloud as well as on-premises on dedicated hardware or virtual machines.
- API Gateway
Oracle Cloud Infrastructure API Gateway enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose to the public internet if required. The endpoints support API validation, request and response transformation, CORS, authentication and authorization, and request limiting.
- Oracle Services Network
The Oracle Services Network (OSN) is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. These services have public IP addresses that you can reach over the internet. Hosts outside Oracle Cloud can access the OSN privately by using Oracle Cloud Infrastructure FastConnect or VPN Connect. Hosts in your VCNs can access the OSN privately through a service gateway.
- Region
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, hosting availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
- FastConnect
Oracle Cloud Infrastructure FastConnect creates a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.
- Dynamic routing gateway (DRG)
The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, and between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.
- Internet gateway
An internet gateway allows traffic between the public subnets in a VCN and the public internet.
- Service gateway
A service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and does not traverse the internet.
- Cloud Guard
You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for certain risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
The following software is deployed in OKE:
- Service Mesh
Service mesh products manage network communication between services in a Kubernetes cluster by adding a dedicated infrastructure layer (a "service mesh") to applications running on the cluster. You can use Istio, for example, which is an open-source, platform-independent service mesh that provides policy enforcement and telemetry collection on top of traffic management.
- Metrics Server
Metrics Server is a cluster-wide aggregator of resource usage data; it provides essential data for monitoring the health and performance of your OKE cluster and applications. Metrics Server collects resource metrics from nodes and pods, such as CPU and memory utilization, and makes them available to other Kubernetes components, such as the horizontal pod autoscaler and the Kubernetes dashboard.
- Kubernetes Dashboard
Kubernetes Dashboard provides insights into the number of pods running, their health status, resource utilization, and other critical metrics. It also lets you perform actions such as scaling deployments, viewing logs, and deleting resources. You can also deploy alternatives such as K9s, Rancher, or others.
- Ingress controller
A Kubernetes ingress controller implements the rules and configuration options defined in a Kubernetes ingress to load balance and route incoming traffic to service pods running on worker nodes in a cluster. You can deploy the OCI-native ingress controller or a third-party ingress controller, such as the Nginx ingress controller.
- Cluster observability
For observability and, more specifically, application performance monitoring, Prometheus is deployed to scrape and store the various metrics emitted by OKE. Grafana is used for metrics visualization. Fluent Bit is deployed for log retrieval from the OKE cluster, and the collected logs are forwarded to OCI Search with OpenSearch.
Recommendations
Application scalability
OCI provides the flexibility to adjust service sizing to your exact needs, both during provisioning and after deployment. With vertical resizing, you can increase or decrease the memory and CPU resources for cluster nodes. Horizontal resizing allows you to adjust the number of nodes. To minimize downtime, blue-green deployments with block volume cloning enable significantly faster updates than industry-standard rolling updates. Also, the separation of compute and storage allows independent scaling of both resources, with OCI's performant networking facilitating shard reallocation.
- Kubernetes Engine
Kubernetes can dynamically scale and reduce the number of instances of a service using the built-in horizontal pod autoscaler. If required, the Kubernetes Cluster Autoscaler can also be used to add and remove Kubernetes workers to "right size" the cluster to meet the current load without wasting compute resources through over-provisioning.
- Cache with Redis and Valkey
You can size the memory per node according to your workload. You can add replica nodes to your cluster to ensure high availability and improve read operations bandwidth. As you can also deploy a sharded cluster and attach up to 99 nodes, you can achieve even better read performance by using nodes with smaller memory. In addition, this will speed up node recovery in case of failure.
- Database with PostgreSQL
You choose the exact amount of CPU and memory your cluster requires per node. The service uses OCI Database Optimized Storage (DBoS), which relies on regional block volumes to guarantee zero data loss even in the extreme event of total cluster failure. No sizing is necessary here as the allocated storage grows and shrinks based on the actual data in your database system.
- Search with OpenSearch
OpenSearch supports vertical and horizontal scaling. For further horizontal scaling, you can deploy additional clusters and interconnect them via the cross cluster connection, allowing you to effectively search data across all deployed clusters.
Table - Scalability options

Operation | Kubernetes Engine | Cache with Redis and Valkey | Database with PostgreSQL | Search with OpenSearch
---|---|---|---|---
Node - Scale up | Yes | Yes | Yes | Yes
Node - Scale down | Yes | Yes | Yes | Yes
Cluster - Scale out | Yes | Yes | Yes | Yes
Cluster - Scale in | Yes | Yes | Yes | No
High availability
High availability is a core design characteristic of OCI-managed services. To ensure maximum uptime and accessibility, we recommend deploying production clusters with a minimum of three nodes: one master and two replicas. OCI automatically distributes these nodes across availability domains or fault domains in an OCI region to eliminate downtime arising from single points of failure. In the event of a node failure, OCI automatically provisions a replacement node to restore the cluster size. Service availability is further guaranteed through the following automated actions:
- Kubernetes Engine
Kubernetes is designed around high availability: multiple instances of a service deployment are automatically spread across multiple workers, ensuring that the service remains available in the event of a problem. Kubernetes detects and restarts failed instances of a service, and its health monitoring capabilities work in conjunction with service instances to identify those experiencing problems and restart them. To maintain continuous service availability during upgrades, Kubernetes supports rolling updates and rollbacks for service deployments. Additionally, the inherent redundancy of the Kubernetes control plane allows for rolling upgrades of Kubernetes itself.
- Cache with Redis and Valkey
A replica node automatically assumes the master role, and a replacement replica node is provisioned.
- Database with PostgreSQL
Similar to Cache, a replica node automatically assumes the master role, and a replacement replica node is provisioned. A database's optimized storage ensures zero data loss in the event of a node failure, as data is replicated across regional block storage and decoupled from compute nodes.
- Search with OpenSearch
A leader-eligible node is automatically promoted to leader to ensure service availability.
These automated failover processes target a zero recovery point objective (RPO) and provide regional high availability with unparalleled simplicity for users.
Illustration: ha-architecture-diagram.png
Disaster recovery
OCI-managed services provide robust disaster recovery capabilities to ensure business continuity. A disaster recovery strategy protects the service against a regional failure. OCI services enable you to achieve a zero recovery point objective (RPO) and an under-one-minute recovery time objective (RTO) in a failover region.
OCI simplifies inter-region connectivity with dynamic routing gateways (DRGs) and the OCI backbone. The OCI backbone is a dedicated, secure, and highly available network that interconnects OCI regions globally. By default, your inter-region public and private IP traffic within the same realm traverses the OCI backbone, not the internet.
Table - Disaster recovery options and available tools

Standby type | Kubernetes Engine | Database with PostgreSQL | Search with OpenSearch
---|---|---|---
Cold standby | OCI Full Stack Disaster Recovery | Automatic backup and restore | Automatic snapshot API
Warm standby |  | pglogical, GoldenGate | Cross cluster replication (early access)
The following diagram delves into cross region disaster recovery with a warm standby.
Illustration: dr-architecture-diagram.png
You can leverage the following components:
- Primary and standby region
Regions are grouped into realms. Your tenancy exists in a single realm and can access all regions that belong to that realm. Currently, Oracle Cloud Infrastructure has multiple realms, including commercial, government, and dedicated realms. Paris and Marseille are part of the commercial (OC1) realm.
- OCI Full Stack Disaster Recovery
OCI Full Stack Disaster Recovery (FSDR) is an Oracle Cloud Infrastructure disaster recovery orchestration and management service that provides comprehensive disaster recovery capabilities for all layers of an application stack, including infrastructure, middleware, database, and application. The FSDR service works with OKE and the underlying OCI resources to replicate the application data in databases, file storage, and block volumes to a different region. For Kubernetes, it will replicate the OKE configuration and details of manifests (for example, services, deployments, and config maps) to another remote region. This replicated data and configuration can be used in the highly unlikely event of a disaster that takes an entire region down to bring up the service in another OCI region.
- Replication tools
Replicate data into the standby region. The standby can be downsized, given that automatic scaling is implemented in the event of a failover.
- OCI Database with PostgreSQL provides automated backups that create a copy of the database data and store it remotely, so that it can be used to restore the database to its original state if needed, such as after a regional data center failure. PostgreSQL also offers logical replication options, such as the pglogical extension, which provides logical streaming replication for PostgreSQL using a publish/subscribe model, and Oracle GoldenGate, which provides real-time data integration, data replication, transactional change data capture, data transformations, and more.
- OCI Search with OpenSearch cross cluster replication allows you to replicate indexes, mappings, and metadata from one OpenSearch cluster to another, including in a different OCI region.
- CI/CD
Oracle DevOps service provides a continuous integration and deployment (CI/CD) platform for developers. You can use the DevOps service to easily build, test, and deploy software and applications on Oracle Cloud. DevOps build and deployment pipelines reduce change-driven errors and decrease the time customers spend on building and deploying releases.
The service also provides private Git repositories to store your code and it supports connections to external code repositories. Whether you're migrating workloads to OCI—from on-premises or other clouds—or developing new applications on OCI, you can use the DevOps service to simplify your software delivery lifecycle.
- Version upgrade
Minor version upgrades are handled by OCI as patches applied on a rolling basis to guarantee service continuity. Major upgrades require the migration path process.
- Security
Use Oracle Cloud Guard to monitor and maintain the security of your resources in OCI proactively. Oracle Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Oracle Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, OCI validates the operations against the policies in the security-zone recipe and denies operations that violate any of the policies.
- Security zones
Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify which types of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.
Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.
You can also use the Managed List feature to apply certain configurations to detectors.
- Network security groups
You can use network security groups (NSGs) to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.
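The following Terraform fragment is an added example, not part of the Oracle reference architecture, showing how NSGs express the point above for this architecture's data tier: the PostgreSQL, Redis, and OpenSearch NSGs admit traffic only from VNICs in the OKE worker NSG, so the rules reference other NSGs rather than subnet CIDRs. It assumes that `var.compartment_id` and `var.vcn_id` already exist, that each managed service endpoint is attached to its NSG, and that the services listen on their default ports.

```hcl
# Added example (not from the Oracle reference architecture): NSGs for the
# data tier, written with the OCI Terraform provider. Assumptions: the
# variables below are supplied, OKE worker VNICs are attached to the
# "oke_workers" NSG, and each managed service endpoint is attached to its
# own NSG. Rules use source_type/destination_type = "NETWORK_SECURITY_GROUP",
# so the subnet layout can change without rewriting any rule.

variable "compartment_id" { type = string }
variable "vcn_id"         { type = string }

locals {
  # Default listener ports of the managed data services in this architecture.
  data_services = {
    postgresql = 5432
    redis      = 6379
    opensearch = 9200
  }
}

resource "oci_core_network_security_group" "oke_workers" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "nsg-oke-workers"
}

# One NSG per data service so each can be governed independently.
resource "oci_core_network_security_group" "data" {
  for_each       = local.data_services
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "nsg-${each.key}"
}

# Ingress: only VNICs in the OKE worker NSG may reach the service port.
# No rule admits 0.0.0.0/0, so the data tier has no path from the internet.
resource "oci_core_network_security_group_security_rule" "data_from_oke" {
  for_each                  = local.data_services
  network_security_group_id = oci_core_network_security_group.data[each.key].id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.oke_workers.id
  description               = "Allow ${each.key} traffic from OKE worker nodes only"

  tcp_options {
    destination_port_range {
      min = each.value
      max = each.value
    }
  }
}

# Egress from the workers is likewise scoped per destination NSG and port.
resource "oci_core_network_security_group_security_rule" "oke_to_data" {
  for_each                  = local.data_services
  network_security_group_id = oci_core_network_security_group.oke_workers.id
  direction                 = "EGRESS"
  protocol                  = "6" # TCP
  destination_type          = "NETWORK_SECURITY_GROUP"
  destination               = oci_core_network_security_group.data[each.key].id
  description               = "Allow OKE worker nodes to reach ${each.key}"

  tcp_options {
    destination_port_range {
      min = each.value
      max = each.value
    }
  }
}
```

Because the rules name NSGs rather than CIDRs, moving a data service to a different subnet or adding a second OKE node pool attached to the same worker NSG requires no rule changes.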
- Load balancer bandwidth
While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer.
Considerations
Consider the following points when deploying this reference architecture.
- Workload observability
Managed service metrics, traces, and logs are captured and monitored out of the box by OCI. You can explore them in the OCI console or integrate the observability data into tools of your choice (for example, Prometheus, OpenSearch, Grafana, Jaeger, or OCI Application Performance Monitoring).
- Governance
The OCI Cloud Adoption Framework can empower your organization to improve business agility and promote innovative solutions. To get the most from the cloud, your organization should follow a strategy that leverages experience-based recommendations for people, processes, and technology, with a phased approach to cloud transformation. The OCI Cloud Adoption Framework provides best practices and a structured approach to help your organization successfully adopt the cloud.
- Cost optimization
OCI offers consistent pricing across the globe along with predictable cost. OCI provides various billing and cost management tools that make it easy to manage your service costs. You can estimate costs, create budgets to set spending thresholds, view usage, and visualize your spending with charts and reports.
Right-sizing your environment based on current needs is crucial to guarantee cost control. When required, you can always use the scalability features of OCI services to adapt your infrastructure to your workload at any point in time. We also recommend you delete unused services and automatically stop non-production environment instances outside of office hours.
Explore More
Learn more about the features of this architecture and the best practices to get the best out of your OCI-based application modernization project.
Review these additional resources:
- Well-architected framework for Oracle Cloud Infrastructure
- Kubernetes Engine in Oracle Cloud Infrastructure Documentation
- Search with OpenSearch in Oracle Cloud Infrastructure Documentation
- OCI Cache in Oracle Cloud Infrastructure Documentation
- OCI Database with PostgreSQL in Oracle Cloud Infrastructure Documentation
- Cloud Adoption Framework
- Oracle Cloud Infrastructure Documentation
- Oracle Cloud Cost Estimator
- Modern App Development