Use Oracle Integration to connect E-Business Suite with SOA to Financials Cloud

Most deployments of Oracle E-Business Suite are integrated with other commercial or bespoke applications so companies can run their processes with agility. Oracle software-oriented architecture (SOA) Suite is a popular choice to provide integration to EBS for its broad connectivity options and EBS Adapter capabilities.

When you move your applications to the cloud, there are more opportunities to modernize and integrate with other cloud services and SaaS applications. Oracle Integration takes integration and connectivity capabilities beyond yet reusing what is developed and running on SOA Suite.

This architecture presents the end state of moving an EBS instance to OCI along with the integration built with SOA Suite in a secure setup and the components needed to connect Oracle Integration with SOA Suite and EBS. This architecture also shows integration with Oracle Financials Cloud.

Architecture

This architecture shows the deployment of Oracle E-Business Suite in a single availability domain inside a single Oracle Cloud Infrastructure region, along with existing integrations built using Oracle SOA Suite. Oracle Integration connects to SOA using the Integration connectivity agent to provide reuse of integrations built with SOA and connectivity to other SaaS applications and cloud technologies.

The architecture includes two compartments, both of which have Cloud Guard enabled to provide maximum security based on Oracle's security best practices. In addition, the compartment where the database system and the autonomous database private endpoint are deployed is a security zone compartment.

Each compartment contains a virtual cloud network (VCN), which are connected through a local peering gateway, allowing network traffic between the two. Components are in different subnets and fault domains to provide high availability. The databases are accessed only through the bastion host and the application virtual machines (VMs) are accessed through the load balancers.

The database and the application instances that are deployed in their private subnets on OCI are backed up to OCI Object Storage by using a service gateway. A service gateway provides access to Object Storage without traversing the internet. You can use the automatic and on-demand database backups feature to back up applications and the database.

Use a network address translation (NAT) gateway to enable outbound connection from the application instances in the private subnets to the Internet to download patches and apply operating system and application updates. With a NAT gateway, the hosts in private subnet can initiate connections to the Internet and receive responses, but don't receive inbound connections initiated from the internet.

The following diagram illustrates this reference architecture.

Description of the illustration ebs_integration_erp_soa-1.png

The architecture has the following components:

• Customer premises equipment (CPE)

  CPE is the on-premises endpoint for the VPN Connect, or OCI FastConnect interconnection between the on-premises data center and the VCN in OCI.

• Region

  An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

• Availability domains

  Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

• Fault domains

  A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

• Virtual cloud network (VCN) and subnets

  A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

• Bastion host

  The bastion host is a compute instance that serves as a secure, controlled entry point to the topology from outside the cloud. The bastion host is provisioned typically in a demilitarized zone (DMZ). It enables you to protect sensitive resources by placing them in private networks that can't be accessed directly from outside the cloud. The topology has a single, known entry point that you can monitor and audit regularly. So, you can avoid exposing the more sensitive components of the topology without compromising access to them.

• Compartment

  Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

• Cloud Guard

  You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

• Dynamic routing gateway (DRG)

  The DRG is a virtual router that provides a path for private network traffic between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

• File storage

  The Oracle Cloud Infrastructure File Storage service provides a durable, scalable, secure, enterprise-grade network file system. You can connect to a File Storage service file system from any bare metal, virtual machine, or container instance in a VCN. You can also access a file system from outside the VCN by using Oracle Cloud Infrastructure FastConnect and IPSec VPN.

• Object storage

  Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

• Load balancer

  The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

• VM DB System

  Oracle VM Database System is an Oracle Cloud Infrastructure (OCI) database service that enables you to build, scale, and manage full-featured Oracle databases on virtual machines. A VM database system uses OCI Block Volumes storage instead of local storage and can run Oracle Real Application Clusters (Oracle RAC) to improve availability.

• NAT gateway

  The NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

• Service gateway

  The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

• Internet gateway

  The internet gateway allows traffic between the public subnets in a VCN and the public internet.

• Local peering gateway (LPG)

  An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.

• Security zone

  Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks for an entire compartment. A security zone is associated with a compartment of the same name and includes security zone policies or a "recipe" that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

• Integration

  Oracle Integration is a fully managed service that allows you to integrate your applications, automate processes, gain insight into your business processes, and create visual applications.

• Autonomous database

  Oracle Cloud Infrastructure autonomous databases are fully managed, preconfigured database environments that you can use for transaction processing and data warehousing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database.

• SOA with Service Bus and Oracle B2B

  Oracle Service Bus and Oracle B2B are service types of Oracle SOA Suite.

  Oracle Service Bus connects, mediates, and manages interactions between heterogeneous services, not just Web services, but also Java and .Net, messaging services and legacy endpoints.

  Oracle B2B is an e-commerce gateway that enables the secure and reliable exchange of business documents between an enterprise and its trading partners. Oracle B2B supports business-to-business document standards, security, transports, messaging services, and trading partner management. With Oracle B2B used as a binding component within an Oracle SOA Suite composite application, end-to-end business processes can be implemented. Oracle B2B with Oracle SOA Suite in the cloud doesn't support Health Level 7, which enables health care systems to communicate with each other. You can provision Oracle B2B with the SOA with Service Bus & B2B Cluster service type.

• Integration agent with SOA adapter

  The Integration connectivity agent deployed in a virtual machine connects Integration with resources in a private subnet. The SOA adapter brings the capability of reusing existing services built with SOA Suite so new integrations can call them using Oracle Integration. The Oracle SOA Suite adapter enables you to create an Oracle Integration that invokes REST and SOAP services in Oracle SOA Suite on Marketplace in OCI.

• Financials Cloud

  Financials Cloud application exposes web services, APIs, business objects, and publish events. The Oracle ERP Cloud adapter included with Oracle Integration provides connectivity to Financials without having to know about the specific details involved in the integration.

Recommendations

Use the following recommendations as a starting point. Your requirements might differ.

• VCN

  When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

  Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

  After you create a VCN, you can change, add, and remove its CIDR blocks.

  When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

• Network security groups (NSGs)

  You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.

• Security Zones

  For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.

• Cloud Guard

  Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.

  Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.

  You can also use the Managed List feature to apply certain configurations to detectors.

Considerations

Consider the following points when deploying this reference architecture.

• Scalability

  Application Tier: You can scale the SOA application server vertically by changing the shape of the compute instance. A shape with a higher core count provides more memory and network bandwidth as well. If more storage is required, increase the size of the block volumes attached to the SOA application server.

  Database Tier: You can scale the Autonomous database vertically by enabling more cores for the database. Both the cores and storage can be scaled up without any database downtime.

• Scalability

  When creating Oracle Integration instances, administrators specify the number of message packs they plan to use for per instance.

• Resource limits

  Consider the best practices, limits by service, and compartment quotas for your tenancy.

• Security

  Use OCI Identity and Access Management (IAM) policies to control who can access your cloud resources and what operations can be performed. To protect the database passwords or any other secrets, consider using the OCI Vault service.

• Performance and cost

  OCI offers Compute shapes that cater to a wide range of applications and use cases. Choose the shapes for your compute instances carefully. Select shapes that provide optimal performance for your load at the lowest cost. If you need more performance, memory, or network bandwidth, you can change to a larger shape.

• Availability

  Consider using a high-availability option based on your deployment requirements and your region. The options include distributing resources across multiple availability domains in a region and distributing resources across the fault domains within an availability domain.

  Fault domains provide the best resilience for workloads deployed within a single availability domain. For high availability in the application tier, deploy the application servers in different fault domains, and use a load balancer to distribute client traffic across the application servers.

• Monitoring and alerts

  Set up monitoring and alerts on CPU and memory usage for your nodes, so that you can scale the shape up or down as needed.

Deploy

With Oracle SOA Suite on Marketplace, you can provision SOA with Oracle Service Bus & Oracle B2B Service cluster, Oracle Managed File Transfer Cloud Service cluster, and Oracle Business Activity Monitoring cluster in the cloud using the stacks available in Oracle Cloud Marketplace.

1. Provision SOA Suite from Oracle Cloud Marketplace.
2. You can deploy Oracle E-Business Suite from the Oracle Cloud Marketplace image. Go to Oracle Cloud Marketplace.
   1. Click Get App.
   2. Follow the on-screen prompts.
3. To deploy Oracle Integration, first configure users and groups in OCI and set up access permissions in Oracle Identity Cloud Service.
   Follow the instructions in Setting Up Users and Groups in Oracle Integration Generation 2 of Oracle Integration Documentation.
4. Create your Oracle Integration Generation 2 instance. Use the same compartment as E-Business Suite.
   Follow the instructions in Provisioning and Administering Oracle Integration and Oracle Integration for SaaS, Generation 2, and go to section Creating and Editing Oracle Integration Generation 2 Instances.
5. After the Oracle Integration instance is provisioned, you can install the Integration Connectivity Agent. Go to Integration and create an agent group. Select computing shapes with minimum of 8-GB RAM.
   Follow the instructions in Using Integrations in Oracle Integration, and go to section Download and Run the Connectivity Agent Installer.
   Oracle Integration connects to Oracle Financials Cloud using the Oracle ERP Cloud adapter.

An Oracle LiveLabs workshop is available for you to run a demo in your tenancy or you can launch a free trial workshop. To access the workshop, see Migrate SOA Applications to OCI Workshop.

Explore More

Learn more about deploying Oracle SOA Cloud Service and Oracle E-Business Suite on Oracle Cloud Infrastructure and integrating applications with Oracle Integration.

Review these additional resources:

• Best practices framework for Oracle Cloud Infrastructure
• Learn about deploying Oracle E-Business Suite on Oracle Cloud Infrastructure
• Oracle E-Business Suite
• Oracle Integration
• Migrate to Oracle SOA Suite in the cloud using a stack from Oracle Cloud Marketplace