Share a Private Network Across Isolated Partitions Within a Tenancy

You might have business and IT reasons to segment your cloud network between different internal business units or accounts. This document describes how you can create a centrally managed private network that's shared by multiple accounts, and how users in different business units can isolate their cloud resources while using a shared private network.

In the following example, an organization's IT department manages the shared private network. The HR department manages HR-related resources inside their partition of the network, and the Finance department manages finance-related resources within their partition of the network. There's also a shared subnet for use by HR and Finance, but not by Marketing.


Compartment structure and required policies

Configure

Complete the following steps in the Oracle Cloud Infrastructure web console:

  1. Create a compartment for the IT department (example: demo-IT).

    Create IT compartment

  2. Create a VCN in the demo-IT compartment.
  3. Define an IAM policy to give only the IT users permission to manage resources in the demo-IT compartment, as shown in the following example:

    Create policy for IT compartment

  4. Within the demo-IT compartment, create subcompartments for the business units that you need partitions for.
    Also, create a compartment for the resources that are shared across all the business units (example: demo-Shared).

    Create departmental compartments

  5. Create the following users, groups, and policies:
    • User demo-it-user, in group demo-it-users
      Policy:
      allow group demo-it-users to manage all-resources in compartment demo-IT
      allow group demo-it-users to manage all-resources in compartment demo-HR
      allow group demo-it-users to manage all-resources in compartment demo-Finance
      allow group demo-it-users to manage all-resources in compartment demo-Shared
    • User demo-finance-user, in group demo-finance-users
      Policy:
      allow group demo-finance-users to read virtual-network-family in compartment demo-IT
      allow group demo-finance-users to manage all-resources in compartment demo-Finance
      allow group demo-finance-users to manage all-resources in compartment demo-Shared
    • User demo-hr-user, in group demo-hr-users
      Policy:
      allow group demo-hr-users to read virtual-network-family in compartment demo-IT
      allow group demo-hr-users to manage all-resources in compartment demo-HR
      allow group demo-hr-users to manage all-resources in compartment demo-Shared
    • User demo-marketing-user, in group demo-marketing-users
      Policy:
      allow group demo-marketing-users to read virtual-network-family in compartment demo-IT
      allow group demo-marketing-users to use all-resources in compartment demo-Marketing
  6. In the VCN that you created previously, create four subnets, one in each compartment:

    Subnet            Compartment
    Subnet_Shared     demo-Shared
    Subnet_Finance    demo-Finance
    Subnet_HR         demo-HR
    Subnet_Marketing  demo-Marketing

You've now configured compartments, networks, and access policies that support the following actions:
  • IT users can access and manage all the subnets, the VCN, and related resources.
  • Finance users can attach resources to Subnet_Finance.
  • HR users can attach resources to Subnet_HR.
  • Marketing users can attach resources to Subnet_Marketing.
  • Finance and HR users can attach resources to Subnet_Shared, but Marketing users can't use the shared subnet.
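To see how the statements above combine into those outcomes, here is an added Python model of two OCI policy rules: a statement on a compartment also covers its subcompartments, and each verb includes the ones below it (inspect < read < use < manage). It is example code, not Oracle's evaluator; the compartment tree and the `instance-family` resource used for the instance checks are constructed here to match this page.

```python
import re

# Compartment tree from steps 1 and 4: the business-unit compartments are
# subcompartments of demo-IT (tree constructed here to match the page).
PARENT = {"demo-IT": None, "demo-HR": "demo-IT", "demo-Finance": "demo-IT",
          "demo-Shared": "demo-IT", "demo-Marketing": "demo-IT"}
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # cumulative verbs
STATEMENT = re.compile(
    r"allow group (\S+) to (inspect|read|use|manage) (\S+) in compartment (\S+)", re.I)

def parse(policy_text):
    """Return (group, verb, resource, compartment) tuples from policy text."""
    stmts = []
    for line in policy_text.strip().splitlines():
        m = STATEMENT.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsable statement: {line!r}")
        group, verb, resource, comp = m.groups()
        stmts.append((group, verb.lower(), resource.lower(), comp))
    return stmts

def allowed(stmts, group, verb, resource, comp):
    """Grant if a statement names the group, at least this verb, the resource
    (or all-resources), and the target compartment or one of its ancestors."""
    scope = set()
    while comp is not None:  # a statement on a parent covers its subcompartments
        scope.add(comp)
        comp = PARENT[comp]
    return any(g == group and VERB_RANK[v] >= VERB_RANK[verb]
               and r in ("all-resources", resource) and c in scope
               for g, v, r, c in stmts)

# Statements from step 5 that decide the HR checks in Verify (the IT group's
# single demo-IT statement already reaches every subcompartment).
POLICY = """
allow group demo-it-users to manage all-resources in compartment demo-IT
allow group demo-hr-users to read virtual-network-family in compartment demo-IT
allow group demo-hr-users to manage all-resources in compartment demo-HR
allow group demo-hr-users to manage all-resources in compartment demo-Shared
"""
def verify():
    """Replay the Verify section as policy decisions for demo-hr-users."""
    s, hr = parse(POLICY), "demo-hr-users"
    return {
        "launch_in_HR": allowed(s, hr, "manage", "instance-family", "demo-HR"),
        "launch_in_Shared": allowed(s, hr, "manage", "instance-family", "demo-Shared"),
        "list_Marketing_instances": allowed(s, hr, "inspect", "instance-family", "demo-Marketing"),
        "read_Marketing_vnet": allowed(s, hr, "read", "virtual-network-family", "demo-Marketing"),
        "it_manages_Marketing": allowed(s, "demo-it-users", "manage", "instance-family", "demo-Marketing"),
    }
```

Note that `read_Marketing_vnet` is true: the HR group's read on virtual-network-family in demo-IT is inherited by demo-Marketing, so HR users can see Subnet_Marketing but cannot use it or see Marketing's instances.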

Verify

Test the effect of the access policies that you defined.

  1. Sign in to the Oracle Cloud Infrastructure web console as demo-hr-user.
  2. Try to create a compute instance in the demo-HR compartment, using Subnet_HR.

    HR user creates an instance in the HR compartment

    The instance is created successfully.
    HR user created an instance in the HR compartment

  3. Try to create a compute instance in the demo-Shared compartment, using Subnet_Shared.

    HR user creates an instance in the shared compartment

    The instance is created successfully.
    HR user created an instance in the shared compartment

  4. Try to view the instances in the demo-Marketing compartment.

    HR user can't view instances in the marketing compartment

    You can't view the instances.
  5. Try to create a compute instance in the demo-Marketing compartment.

    HR user tries to create an instance in the marketing compartment

    You can't create the instance.
    HR user can't create instances in the marketing compartment

You've now created a shared private network in the cloud, and partitioned it among various accounts and users to achieve flexible policy control, while still allowing your IT organization to have management authority. You've also configured a shared subnet that can be used by multiple accounts.

You can repeat this pattern across multiple VCNs if you want to expand it further.