Deploy an Internet Sales Portal With a Secure Landing Zone on Oracle Cloud

To help federal, state, and local government agencies configure and secure their workloads in the cloud, Mythics has deployed a secure landing zone on Oracle Cloud Infrastructure (OCI) that meets the Center for Internet Security (CIS) benchmarks.

Using the secure landing zone Terraform, Mythics can quickly customize, configure, and secure any environment within a few hours of creating the instance.

In its own OCI tenancy, Mythics deployed an internet sales portal that supports its marketing, sales, contracts, legal, accounting, and operations groups. Using APEX forms and wizards and a data warehouse that integrates with Oracle NetSuite, Mythics is now able to track and route internal approvals from each of these departments, generating hundreds of thousands of sales transactions and email workflow approval transactions each month.

By deploying its internet sales portal using the CIS-compliant landing zone Terraform on OCI, Mythics has:

  • Increased performance and availability: Mythics is now able to quickly process transactions by using multiple compute cores, and also maintain high availability by using load balancers. Leveraging its disaster recovery capabilities, Mythics can quickly scale in or out on demand, even during seasonal bursts, such as a month-, quarter-, or year-end close.
  • Automated complex security configurations: Mythics is able to quickly customize, configure, and secure its environment within a few hours of creating the instance.
  • Created customizable security postures: Mythics can also reuse and modify the CIS-compliant landing zone templates and apply them to any public sector or commercial customer environment, running any type of workload on OCI.

Architecture

Mythics deployed a CIS-compliant landing zone to secure the environment for its internet sales portal.

Using the Landing Zone Terraform template, Mythics automatically created a virtual cloud network (VCN), as well as multiple subnets, and compartments. The subnets were created with network isolation and segmentation, security lists, route tables, and network security groups (NSGs):

  • appdev-pvt: A private subnet for application resources
  • mgmt-pvt: A private subnet for management resources
  • db-pvt: A private subnet for database resources
  • bastion-pvt: A private subnet for bastion host access
  • bastion-pub: A public subnet for bastion host access

Mythics used compartments to group and control access to resources. Mythics implemented a least privilege access model by creating groups and policies and then assigning the appropriate permissions to control who can access the resources. The landing zone, by default, creates five compartments:

  • megprod-network-cmpt: A compartment for network resources
  • megprod-security-cmpt: A compartment for security resources, including notifications, Cloud Guard, and logs
  • megprod-appdev-cmpt: A compartment for APEX and application servers
  • megprod-database-cmpt: A compartment for database servers
  • megprod-mgmt-cmpt: A compartment for management resources

Mythics also used the secure landing zone Terraform to automatically deploy security tools, such as Oracle Cloud Guard for security posture management, logging to consolidate logs, and notifications. Mythics then layered in its own components, which include:

  • APEX for low code application development of forms, wizards, and work flows
  • Two virtual machine (VM) instances for the application processes, load balanced for high availability
  • Oracle Database Cloud Service running on virtual machines and a data warehouse for storing more than 200,000 current and historical sales transactions
  • An Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) cluster to automate resource management
  • Tools such as Jenkins, a Git repository, and Oracle Linux Automation Manager (OLAM), deployed into the OKE cluster to automate software development, testing, deployment, and management
  • Bastion hosts that provide access from a private subnet through the on-premises network and from a public subnet that's accessible from the Internet

Users access the internet sales portal through an Internet gateway. Mythics developers and administrators manage the environment from an on-premises location by using Tailscale for added security. The on-premises network is connected by using VPN IPSec tunnels, with the customer-premises equipment (CPE) connected to Dynamic Routing Gateways (DRG). From the Internet, Mythics developers access the environment by using Tailscale, a VPN service that secures devices and applications so that they can be reached from anywhere. In addition to using groups, policies, and network rules, Tailscale allows Mythics to control edge network access, and thereby to fine-tune the exact level of access they grant. For example, Mythics developers can access the OKE cluster and application, while administrators can only access the application server instances, creating an additional security layer in the zero-trust access network.
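The least privilege model above (groups and policies scoped to the landing zone's compartments, with developers reaching the OKE cluster and application while administrators reach only the application server instances) can be checked mechanically. The following checker is an added example and is not part of the Oracle page or Mythics' Terraform; the group names, the intended access map, and the sample policy statements are assumptions, while the compartment names come from the architecture.

```python
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # OCI verb hierarchy
# Compartments the landing zone creates (names from the architecture above).
LANDING_ZONE_COMPARTMENTS = {
    f"megprod-{c}-cmpt" for c in ("network", "security", "appdev", "database", "mgmt")
}
# Assumed access model (group names are hypothetical): developers manage the OKE
# cluster and use the app instances; administrators only manage app instances.
INTENDED = {
    "mythics-developers": {
        ("megprod-appdev-cmpt", "cluster-family"): "manage",
        ("megprod-appdev-cmpt", "instance-family"): "use",
    },
    "mythics-administrators": {("megprod-appdev-cmpt", "instance-family"): "manage"},
}
# Policy grammar understood here: Allow group G to VERB RESOURCE in compartment C
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|tenancy)"
    r"(?:\s+where\s+.+)?$", re.IGNORECASE)

def check_statement(statement):
    """Return None if the statement fits the model, otherwise the reason it does not."""
    m = STATEMENT.match(statement.strip())
    if not m:
        return "unrecognised statement"
    group, verb = m["group"], m["verb"].lower()
    resource, compartment = m["resource"].lower(), m["compartment"]
    if compartment not in LANDING_ZONE_COMPARTMENTS:  # None covers 'in tenancy'
        return "not scoped to a landing zone compartment"
    allowed = INTENDED.get(group, {}).get((compartment, resource))
    if allowed is None:  # also catches all-resources and unknown groups
        return f"{group} has no intended access to {resource} in {compartment}"
    if VERB_RANK[verb] > VERB_RANK[allowed]:
        return f"{verb} exceeds the intended verb {allowed}"
    return None

def violations(statements):
    """(statement, reason) pairs for every statement broader than the model."""
    return [(s, r) for s in statements if (r := check_statement(s))]

# Constructed sample policy: the first three fit, the last two are too broad.
SAMPLE_POLICY = [
    "Allow group mythics-developers to manage cluster-family in compartment megprod-appdev-cmpt",
    "Allow group mythics-developers to use instance-family in compartment megprod-appdev-cmpt",
    "Allow group mythics-administrators to manage instance-family in compartment megprod-appdev-cmpt",
    "Allow group mythics-administrators to manage cluster-family in compartment megprod-appdev-cmpt",
    "Allow group mythics-developers to manage all-resources in tenancy",
]
```

Running `violations(SAMPLE_POLICY)` reports the administrator grant on the OKE cluster and the tenancy-wide all-resources grant; a statement carrying a `where` condition is accepted by the grammar but the condition itself is not evaluated.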

NAT gateways are used for integrations with Oracle NetSuite. Oracle NetSuite CRM/ERP is updated every 15 minutes and is mined daily by a series of APEX dashboards and ad hoc reports. REST APIs are used as automation points and push changes to NetSuite from the database. Additional integration points allow Mythics to use the application as a License Orchestrator to manage large contracts through an Unlimited License Agreement (ULA).

For disaster recovery, the application is deployed in an active-passive configuration. US East Region-Ashburn is the primary region and US West Region-Phoenix is the disaster recovery (DR) site. The two regions are connected by using remote peering between the two DRGs. The load balancers redirect users to the DR site in case there is a failure in Ashburn. The database is replicated using Oracle Data Guard from Ashburn to Phoenix. File storage services and object storage are replicated from Ashburn to Phoenix. OCI native backup services are used to back up the infrastructure.

Future enhancements for Mythics include:
  • Taking advantage of more Platform-as-a-Service (PaaS) options
  • Migrating the database from Oracle Database Cloud Service running on virtual machines to Oracle Autonomous Database to relieve the Mythics teams from database operations and maintenance

The following diagram illustrates the networking and disaster recovery architecture:

Diagram: mythics-oci-architecture-oracle.zip

The architecture has the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domain

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Route table

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Site-to-Site VPN

    Site-to-Site VPN provides IPSec VPN connectivity between your on-premises network and VCNs in Oracle Cloud Infrastructure. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.

  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, and between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

  • Network address translation (NAT) gateway

    A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Remote peering

    Remote peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. Remote peering eliminates the need for an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

  • VM DB System

    Oracle VM Database System is an Oracle Cloud Infrastructure (OCI) database service that enables you to build, scale, and manage full-featured Oracle databases on virtual machines. A VM database system uses OCI Block Volumes storage instead of local storage and can run Oracle Real Application Clusters (Oracle RAC) to improve availability.

  • Data Guard

    Oracle Data Guard provides a comprehensive set of services that create, maintain, manage, and monitor one or more standby databases to enable production Oracle databases to remain available without interruption. Oracle Data Guard maintains these standby databases as copies of the production database. Then, if the production database becomes unavailable because of a planned or an unplanned outage, Oracle Data Guard can switch any standby database to the production role, minimizing the downtime associated with the outage.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • APEX Service

    Oracle APEX Application Development (APEX) is a low-code development platform that enables you to build scalable, feature-rich, secure, enterprise apps that can be deployed anywhere that Oracle Database is installed. You don't need to be an expert in a vast array of technologies to deliver sophisticated solutions. APEX Service includes built-in features such as user interface themes, navigational controls, form handlers, and flexible reports that accelerate the application development process.

  • Notifications

    The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low latency, and durable messages for applications hosted on Oracle Cloud Infrastructure.

  • Logging

    Logging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:

    • Audit logs: Logs related to events emitted by the Audit service.
    • Service logs: Logs emitted by individual services such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
    • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.

  • Container Engine for Kubernetes

    Oracle Cloud Infrastructure Container Engine for Kubernetes is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Container Engine for Kubernetes provisions them on Oracle Cloud Infrastructure in an existing tenancy. Container Engine for Kubernetes uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • File storage

    The Oracle Cloud Infrastructure File Storage service provides a durable, scalable, secure, enterprise-grade network file system. You can connect to a File Storage service file system from any bare metal, virtual machine, or container instance in a VCN. You can also access a file system from outside the VCN by using Oracle Cloud Infrastructure FastConnect and IPSec VPN.

  • DNS

    Oracle Cloud Infrastructure Domain Name System (DNS) service is a highly scalable, global anycast domain name system (DNS) network that offers enhanced DNS performance, resiliency, and scalability, so that end users connect to customers' applications as quickly as possible, from wherever they are.

  • Registry

    Oracle Cloud Infrastructure Registry is an Oracle-managed registry that enables you to simplify your development-to-production workflow. Registry makes it easy for you to store, share, and manage development artifacts, like Docker images. The highly available and scalable architecture of Oracle Cloud Infrastructure ensures that you can deploy and manage your applications reliably.


Acknowledgments

  • Authors: Robert Huie, Sasha Banks-Louie
  • Contributors: Robert Lies