Learn About Setting Up a Secure Multitier Topology

Building and maintaining a multitier topology can be a complex project. To manage a secure, multitier topology in Oracle Cloud efficiently, encode the required resources in Terraform modules that you maintain in a source-controlled repository, and then apply the configuration. When you want to adjust the infrastructure, version the appropriate modules, update the resource definitions, and then apply the revised configuration. When necessary, you can roll back to a previous version of the infrastructure easily. Essentially, you can develop, deploy, and operate your infrastructure in the cloud by using simple code.

Use the Terraform building blocks provided in this solution to implement the basic structure of a secure network topology that supports a multitier, multi-user environment. By creating this basic topology and then tuning it for your business requirements, you save significant time and effort.

Before You Begin

Learn more about designing a multitier topology in the cloud. See Learn about designing a secure multitier topology in the cloud.

Architecture

The architecture of this solution organizes the resources in separate compartments, depending on the user group that manages the resources.

[Figure: multitier-network-architecture.png, the multitier network architecture diagram described below]

The following are the resources in this architecture. Customize the architecture for your specific needs.

  • The virtual cloud network (VCN) and the gateways are in the Networks compartment. You can create the subnets in the compartments that contain the resources that use the subnets.
    • The resources that you attach to a public subnet, such as a bastion host, can be accessed from the public internet through the internet gateway. If a network security issue occurs, such as a distributed denial of service (DDoS) attack, you can block all traffic to the VCN by terminating the gateway.
    • The resources in a private subnet can access the public internet through the NAT Gateway. For example, a compute instance in a private subnet can get patches from an external site through the NAT gateway.
  • The Shared Services compartment contains the resources that are shared across the topology.
  • The bastion hosts are in the Admin compartment.
  • The Business Logic compartment holds the web servers, application servers, and load balancers.
  • The databases are in the Database compartment.

Policies that you define, not shown in the architecture diagram, govern the level of access that each user group has to the resources in a compartment.

Note:

  • The resources in this architecture are distributed across three availability domains (ADs). In a region that has a single AD, you can distribute the compute instances across the fault domains within the AD for high availability.
  • All the compartments in this architecture are peers, but you can set up a hierarchy of compartments.
  • For simplicity, the architecture diagram shows only one region. Compartments span all the regions.
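As an added example (not the solution's own Terraform modules), the following skeleton expresses the Networks and Admin compartments, the VCN, the internet gateway, a public route table and a bastion subnet with the OCI Terraform provider. The tenancy OCID variable, the CIDR ranges and the `block_internet_ingress` variable are assumptions; the variable shows how the incident response described above (cutting all internet ingress to the VCN) becomes a single versioned change, flipping the gateway's `enabled` flag rather than deleting resources.

```hcl
# Assumed inputs (not from the page): the tenancy OCID and a kill switch.
variable "tenancy_ocid" { type = string }
variable "block_internet_ingress" {
  type    = bool
  default = false
}
# Networks compartment owns the VCN and gateways; Admin owns the bastion subnet.
resource "oci_identity_compartment" "networks" {
  compartment_id = var.tenancy_ocid
  name           = "Networks"
  description    = "VCN and gateways"
}
resource "oci_identity_compartment" "admin" {
  compartment_id = var.tenancy_ocid
  name           = "Admin"
  description    = "Bastion hosts"
}
resource "oci_core_vcn" "multitier" {
  compartment_id = oci_identity_compartment.networks.id
  cidr_block     = "10.0.0.0/16"
  display_name   = "multitier-vcn"
}

# Setting enabled = false cuts all internet ingress to the VCN in one apply,
# without touching the hosts behind it; set it back to true to restore service.
resource "oci_core_internet_gateway" "igw" {
  compartment_id = oci_identity_compartment.networks.id
  vcn_id         = oci_core_vcn.multitier.id
  enabled        = !var.block_internet_ingress
}

# Default route for public subnets goes through the internet gateway.
resource "oci_core_route_table" "public" {
  compartment_id = oci_identity_compartment.networks.id
  vcn_id         = oci_core_vcn.multitier.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}

# The bastion subnet is created in the Admin compartment, not in Networks,
# so the Admin group's policies govern it while the VCN stays with Networks.
resource "oci_core_subnet" "bastion" {
  compartment_id             = oci_identity_compartment.admin.id
  vcn_id                     = oci_core_vcn.multitier.id
  cidr_block                 = "10.0.0.0/24"
  route_table_id             = oci_core_route_table.public.id
  prohibit_public_ip_on_vnic = false
}
```

Private subnets for the Business Logic and Database compartments follow the same pattern with `prohibit_public_ip_on_vnic = true` and a route table whose default route points at an `oci_core_nat_gateway`, which gives outbound-only access for patching.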

About Required Services and Roles

The following services and permissions are required:

You need an Oracle Cloud Infrastructure subscription.

To create the required resources, you need credentials that fulfill the following conditions:

  • You must be in the Administrators group or in any group that has permission to create compartments.

  • If you want to create your resources in existing compartments, then you must be in a group that has permission to define a policy for those compartments and manage VCNs in them.

  • If you want to create authentication tokens and API keys, then you must be a local user; that is, a user created by an administrator in Oracle Cloud Infrastructure Identity and Access Management. Alternatively, you must be a synchronized user created automatically by a federated identity provider.

See Learn how to get Oracle Cloud services for Oracle Solutions to get the services you need.