Get Started With Well-Architected OCI Landing Zones

OCI Landing Zones are well-architected and ready for various use cases. They provide blueprints with design guidance, best practices, pre-configured Terraform templates, and generic Terraform modules for any OCI deployment.

There are two OCI Landing Zones that you can choose from:

  • Core Landing Zone

    The Core Landing Zone contains blueprints ready for various workloads and is suitable for centralized operations within your organization.

  • Operating Entities Landing Zone

    The Operating Entities Landing Zone contains blueprints to onboard your Operating Entities (OEs), organizations, and partners and their workloads with distributed operations. Three blueprints are available for different sizes: (M) One-OE, (L) Multi-OE, and (XL) Multi-Tenancy.

All OCI Landing Zone blueprints are ready to be used and can be deployed with one click, or you can use them as a reference to create your custom model. They are CIS-compliant, ready for add-ons and workloads, and cover all security, network, and observability cloud services. All of this is part of the OCI Landing Zone framework and is offered free of charge on GitHub.

In summary, OCI Landing Zones provide a robust deployment strategy for implementing the best practices of the Well-Architected Framework for Oracle Cloud Infrastructure, ensuring that organizations can reduce their onboarding effort and accelerate time-to-production with secure cloud environments that are resilient, compliant, and cost-efficient from the very start.

About Landing Zones and the OCI Well-Architected Pillars

The OCI Well-Architected Framework focuses on four core pillars: Security and Compliance, Reliability and Resilience, Performance and Cost Optimization, and Operational Efficiency. Because the OCI Landing Zone blueprints include automation, using them ensures that your cloud architecture is designed and set up with these pillars in mind.

Security and Compliance

Security is one of the most critical concerns when building cloud architectures, and OCI Landing Zones are designed with security at the core.

The CIS OCI Benchmark is a key compliance element of the OCI Landing Zones Framework and is included in all the blueprints, workloads, and modules. The OCI Landing Zones provide the automation needed to enforce security best practices, and the resulting deployment can be verified against the CIS OCI Benchmark.

  • Identity and Access Management

    Each blueprint sets up OCI Identity and Access Management (IAM), creating a comprehensible compartment structure and the related OCI groups that, together with the policies, provide segregation of duties. Identity domains are also created to isolate break-glass users from other types of users.

  • Network Security

    Each blueprint sets up and deploys a hub-and-spoke network topology with network segregation using OCI virtual cloud networks (VCNs) and subnets. Different VCNs target different network areas. Security lists and network security groups (NSGs) are also created for each of these elements. The hub area contains shared network elements such as the dynamic routing gateway (DRG), network firewalls, load balancers, VPNs, OCI FastConnect, or private endpoints for connectivity. Gateways are also defined at the VCN level according to network areas, for secure OCI inbound or outbound communications.

    Zero Trust Packet Routing (ZPR) is also available at the Terraform module level to set up your network security overlay.

  • Encryption

    All sensitive data in the cloud should be encrypted. OCI Landing Zones automatically configure OCI’s encryption services, ensuring that data is encrypted at rest and in transit. The Terraform modules ensure that encryption best practices are applied across all components, including block storage and databases, to mitigate security risks.

  • Security Monitoring

    All Landing Zone blueprints are prepared and pre-configured with Oracle Cloud Guard and Oracle Security Zones. These services continuously assess the security posture of the environment, ensuring that misconfigurations and vulnerabilities are detected and remediated automatically. By using these security monitoring tools, you can proactively manage security risks in real time. OCI Events, OCI Logging, and OCI Notifications with alarms are also created, so that day-two end-to-end observability is in place.

  • Operational Security

    Because the Terraform modules are generic, they are ready to receive any OCI configuration in the form of JSON or .tfvars files. With this approach, configurations contain no code and code contains no configurations, which enables operational security: cloud operators do not touch code, and developers do not touch cloud configurations. This approach also enables the use of version-controlled operating models such as GitOps, where the configurations are the source of truth for the infrastructure.

Reliability and Resilience

The Reliability and Resilience pillar focuses on ensuring that cloud applications and infrastructure can withstand failures, recover quickly, and continue to provide value to the organization. OCI Landing Zones help organizations meet OCI’s reliability best practices by establishing resilient cloud architectures.

  • High Availability and Disaster Recovery

    Landing Zones set up some services that can leverage multiple availability domains (ADs), and Landing Zones can be deployed across multiple regions. This multi-region setup helps ensure that, if resources in one region experience a failure, another OCI Landing Zone deployed in a second region is ready to run with the mirrored resources.

  • Fault Tolerance

    By setting up fault-tolerant network configurations and using features like load balancing, Landing Zones help ensure that services remain available even if individual instances or services fail.

Performance Efficiency and Cost Optimization

Performance Efficiency in OCI revolves around ensuring that cloud resources are optimally utilized to meet performance requirements. OCI Landing Zones incorporate performance-efficient practices by using automated scaling, right-sizing of resources, and performance monitoring.

Cost Optimization helps ensure that cloud environments are designed to use resources efficiently, reducing waste and avoiding unnecessary costs. OCI Landing Zones support this pillar by automating cost-effective practices and providing visibility into resource utilization.

  • Performance Monitoring and Optimization

    OCI Landing Zones automatically integrate OCI Monitoring to provide real-time performance insights. With these tools, you can monitor your cloud environment for performance bottlenecks, optimize resource allocation, and make adjustments to maintain high application performance.

  • Cost Controls

    OCI Landing Zones can automatically configure budgets and cost tracking to ensure that spending is kept within budget. This helps you to maintain visibility into your cloud costs, allowing you to avoid surprises and optimize resource usage.

  • Resource Tagging and Cost Allocation

    The landing zone configures resource tagging for detailed cost allocation and visibility. Tags can be applied to different departments, applications, or projects, allowing you to track and manage costs more effectively.

Operational Efficiency

Operational Efficiency in OCI refers to the ability to continuously monitor, automate, and improve cloud operations to ensure that systems run smoothly and efficiently. OCI Landing Zones offer several features that align with this pillar by setting up a standardized, automated, and easily manageable environment.

  • Infrastructure as Code (IaC)

    Landing Zones leverage Terraform, a widely adopted tool for IaC. This approach ensures that all infrastructure is repeatable, version-controlled, and maintainable, reducing the risk of human error and ensuring consistency across multiple environments. There is also a comprehensive set of modules, and, as mentioned in the operational security topic, this approach enables the use of highly scalable version-controlled operating models such as GitOps, where the configurations are the source of truth for the infrastructure.

  • Automated Deployment

    Landing Zones support automated provisioning of a complete, secure, and compliant OCI environment, including network configuration, identity management, and governance. This eliminates the need for manual configuration, speeds up deployment, and reduces operational complexity.

  • Monitoring and Logging

    Landing Zones deploy OCI Monitoring and OCI Logging, enabling you to implement robust monitoring and logging automatically. By centralizing monitoring across cloud services, administrators can gain real-time insights into their infrastructure, detect issues early, and take corrective actions, improving operational excellence.

  • Scalability and Flexibility

    Landing Zones can be adapted to suit various organizational needs, from small-scale environments to large enterprise systems. This flexibility allows organizations to maintain high operational standards, even as they scale.

Learn More