Set Up a Landing Zone Architecture with Oracle Integration

To run integrations in Oracle Cloud, you need a secure environment that you can operate efficiently. Oracle Integration is a cloud-native service designed to address your security requirements. This reference architecture describes the components and concepts that enable you to build hybrid integrations. These components conform to the landing zone template and concepts that meet the security guidance prescribed by the CIS Foundations Benchmark for Oracle Cloud Infrastructure. This reference architecture generally refers to all concepts described in the reference architecture Deploy a secure landing zone that meets the CIS Foundations Benchmark for Oracle Cloud. You should also review Deploy Oracle Integration 3 on an Oracle Self-Service Landing Zone, which describes how to set up Oracle Integration instances for development, test, and production while focusing on the security aspects of a deployment. You can access both of these documents from the "Explore More" topic at the end of this article.

Architecture

Landing Zone architecture concepts play a key role when you need to create hybrid integrations and, usually, when you need to interact with systems available in private networks that are dependent on strict security guidelines.

Oracle Integration runs on Oracle Cloud Infrastructure (OCI), where it is managed by the Oracle Services Network (OSN). In some cases, Oracle Integration integrates only with cloud applications and systems (either Oracle SaaS applications or other vendors' applications) that are reachable through the public Internet. In these cases, a hybrid integration architecture is not necessary.

When hybrid integration is required, Oracle Integration enables it and provides two methods for integrating systems that are on-premises and in private networks:

Note:

Links to the following documents can be found in "Explore More", below.
  • Connectivity Agent: refer to "Connection Patterns for Hybrid Integrations" in Oracle Integration Generation 2 for details on its features and how to set it up.
  • Private endpoint: refer to "Configure a Private Endpoint for an Instance" in Provisioning and Administering Oracle Integration 3 for details on its features and how to set it up. This documentation also explains main differences between a connectivity agent and a private endpoint.

For details about the differences between a connectivity agent and a private endpoint, see "Differences between private endpoints and the connectivity agent" in the Oracle Integration 3 documentation.

Another option for integrating on-premises systems is to involve another Cloud service: API Gateway. Refer to the reference architecture, Deploy an Oracle API Gateway service in a hybrid environment to better understand this approach.

This topic describes the top-level architecture for each of these approaches.

Hybrid Architecture with Connectivity Agent

This architecture describes how to deploy the connectivity agent to handle hybrid integration:


[Figure: landingzone-wad-1.3-scenario2.png (diagram source: hybrid-architecture-private-endpoint-oracle.zip)]

This architecture contains these components:
  • Oracle Integration

    Oracle Integration connects any application and data source to automate end-to-end processes and centralize management.

  • Oracle Integration Connectivity Agent

    Oracle Integration Connectivity Agent enables hybrid integrations and provides a method for exchanging messages between applications in private or on-premises networks and Oracle Integration (OIC).

  • Identity Domain

    Oracle Identity Domain provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.

In this document, the Oracle Integration Connectivity Agent is placed in Oracle Integration. There are many ways to position the Oracle Integration Connectivity Agent in the overall customer architecture. The option referred to in the above architecture is described in "Connection Patterns for Hybrid Integrations" in Using Integrations in Oracle Integration Generation 2. The same document describes the different options you can use to deploy connectivity agents. You can find a link to "Connection Patterns for Hybrid Integrations" in the "Explore More" topic.

Hybrid Architecture with Private Endpoint

This architecture describes how to handle hybrid integration by deploying a private endpoint.


[Figure: hybrid-architecture-private-endpoint.png]

This architecture contains these components:
  • Oracle Integration

    Oracle Integration connects any application and data source to automate end-to-end processes and centralize management.

  • Oracle Integration Private Endpoint

    Oracle Integration Private Endpoint enables hybrid integrations and provides a method for exchanging messages between applications in private networks and Oracle Integration. A private endpoint handles outbound traffic from Oracle Integration.

  • Identity Domain

    Oracle Identity Domain provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.

Hybrid Architecture with API Gateway

This architecture describes how to enable hybrid integration by using an Oracle API Gateway.


[Figure: landingzone-wad-1.3-scenario1.png (diagram source: landingzone-wad-1.3-scenario1-oracle.zip)]

This architecture is based on the following components:
  • Oracle Integration

    Oracle Integration connects any application and data source to automate end-to-end processes and centralize management.

  • Oracle API Gateway

    Oracle API Gateway service enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose with public IP addresses.

  • Identity Domain

    Oracle Identity Domain provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.

You can combine these three architectures; for example, a solution can use both a connectivity agent and an API gateway to reach on-premises or private networks.

Recommendations

As shown above, hybrid integration can be achieved by using different components, either standard Oracle Integration components or other components (for example, an API gateway). Use the following recommendations to drive your choice of which component to use.
  • Deployment and security for hybrid integration

    Deploy Oracle Integration 3 on an Oracle Self-Service Landing Zone, referenced at the beginning of this document (and accessible from "Explore More", below), provides guidelines for properly configuring integration components from a security point of view. The following image shows how these guidelines apply to the integration components mentioned above.


    [Figure: int-deploy-security.png (diagram source: int-deploy-security-oracle.zip)]

    Specifically:
    • Oracle Integration is deployed to an Oracle Integration compartment.
    • Any required connectivity agent is deployed in the Oracle Integration Compartment for Workload.
    • Any required API gateway is deployed in the Oracle Integration Compartment for Workload. If you use a generic API gateway, you can use the one commonly deployed in the security compartment.
    • The private endpoint belongs to the network compartment.
  • Accessing private services exposed through APIs

    If you need to access private services exposed through APIs, you can use:

    • An API gateway, because it routes connections to the right service.
    • A connectivity agent through a SOAP/REST adapter.
    • A private endpoint through a SOAP/REST adapter, but only if these services are running in OCI. This is because IPSec tunneling and FastConnect are not currently supported for use with private endpoints.
  • Accessing private resources that need a specific adapter

    If you need to access private resources that need a specific adapter, you can use:

    • A connectivity agent through the specific adapter.
    • A private endpoint through the specific adapter, but only if:
      • These services are running in Oracle Integration because IPSec tunneling and FastConnect are not currently supported for use with private endpoints; and
      • Oracle Integration Private Endpoint supports the adapter.

Considerations

Consider the following points when deploying this reference architecture.

  • Security

    Both the connectivity agent and the API gateway provide the necessary security.

  • Availability

    You can use the connectivity agent in high availability environments with Oracle Integration. Just install it twice on different hosts, as described in "Use the Connectivity Agent in High Availability Environments" (which you can access from the "Explore More" section, below). By default, the API gateway provides high availability.

  • Cost
    When analyzing cost, consider the following:
    • The Oracle Integration Connectivity Agent does not increase implementation cost. Its features are included in your Oracle Integration subscription (either Standard or Enterprise edition), and its cost is based on message packs.
    • The API gateway is an additional OCI component, and its specific cost is based on API calls, in millions, per month. A private endpoint does not incur any additional cost.
    • The only remaining cost is for the required compute resources.

Deploy

You can deploy this reference architecture on OCI by performing the following steps:

  1. Sign in to the OCI console with your Oracle Cloud credentials.
  2. If you want to use the Connectivity Agent:
    1. Depending on the desired agent architecture, set up the required networking infrastructure, as shown in the architecture diagram; this includes these components: VCN, Subnet, DRG, Security List, Routing Table, Service Gateway, FastConnect/VPN, and CPE.
    2. Go to the OIC Console and create an agent group.
    3. Follow the instructions for downloading and running the connectivity agent installer.
    4. From the OCI console, select compute shapes with a minimum of 8 GB RAM to install the connectivity agent.
    Refer to the links in "Explore More" for more details on connectivity agent installation.
  3. If you want to use a Private Endpoint, configure it as explained in "Configure a Private Endpoint for an Instance" (see "Explore More" for a link to this procedure).
  4. If you want to use an API Gateway, set up the required networking infrastructure as shown in the architecture diagram; this includes these components: VCN, Subnet, DRG, Security List, Routing Table, Service Gateway, FastConnect/VPN, and CPE. You can find instructions in "Creating an API gateway" in the OCI documentation (see "Explore More" for a link to this procedure).
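The following Terraform fragment is an added example (not Oracle's code or part of this reference architecture) showing the subnet, security list, route table and service gateway from step 2 for a connectivity agent host, placed in the landing zone's network compartment as the Recommendations section describes. It assumes a VCN already created by the landing zone, placeholder OCIDs you must supply, and (as the Service Gateway in the component list implies) that the agent's outbound HTTPS to Oracle Integration is routed through the service gateway; the DRG route for on-premises targets is omitted.

```hcl
# Added example (not Oracle's code). Assumes an existing landing-zone VCN; the OCIDs are placeholders.
variable "network_compartment_ocid" {}
variable "vcn_ocid" {}
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

resource "oci_core_service_gateway" "agent" {
  compartment_id = var.network_compartment_ocid
  vcn_id         = var.vcn_ocid
  services { service_id = data.oci_core_services.osn.services[0].id }
}

# Route OSN traffic through the service gateway only; no internet gateway route exists.
resource "oci_core_route_table" "agent" {
  compartment_id = var.network_compartment_ocid
  vcn_id         = var.vcn_ocid
  route_rules {
    destination       = data.oci_core_services.osn.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.agent.id
  }
}

# Egress only: the agent opens outbound HTTPS itself and accepts no inbound connections.
resource "oci_core_security_list" "agent" {
  compartment_id = var.network_compartment_ocid
  vcn_id         = var.vcn_ocid
  egress_security_rules {
    protocol         = "6" # TCP
    destination      = data.oci_core_services.osn.services[0].cidr_block
    destination_type = "SERVICE_CIDR_BLOCK"
    tcp_options {
      min = 443
      max = 443
    }
  }
}

resource "oci_core_subnet" "agent" {
  compartment_id             = var.network_compartment_ocid
  vcn_id                     = var.vcn_ocid
  cidr_block                 = "10.10.1.0/24" # placeholder; must lie inside the VCN CIDR
  prohibit_public_ip_on_vnic = true           # private subnet: no public IPs for the agent host
  route_table_id             = oci_core_route_table.agent.id
  security_list_ids          = [oci_core_security_list.agent.id]
}
```

The agent compute instance itself (8 GB RAM minimum, per step 2.4) is created in this subnet from the Oracle Integration workload compartment, which keeps the network and workload resources in the compartments the Recommendations section assigns to them.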

Acknowledgments

  • Author: Giovanni Conte
  • Contributors: Jacco Steur