Set Up a Landing Zone Architecture with Oracle Integration
Architecture
Landing Zone architecture concepts play a key role when you need to create hybrid integrations and, usually, when you need to interact with systems available in private networks that are dependent on strict security guidelines.
Oracle Integration runs on Oracle Cloud Infrastructure (OCI), where it is managed by the Oracle Service Network (OSN). In some cases, Oracle Integration integrates only with cloud applications and systems (either Oracle SaaS applications or other vendors' applications), reachable through the public Internet. In these cases a hybrid integration architecture is not necessary.
Note:
Links to the following documents can be found in "Explore More", below.
- Connectivity Agent: refer to "Connection Patterns for Hybrid Integrations" in Oracle Integration Generation 2 for details on its features and how to set it up.
- Private endpoint: refer to "Configure a Private Endpoint for an Instance" in Provisioning and Administering Oracle Integration 3 for details on its features and how to set it up. This documentation also explains main differences between a connectivity agent and a private endpoint.
For details about the differences between a connectivity agent and a private endpoint, see "Differences between private endpoints and the connectivity agent" in the Oracle Integration 3 documentation.
Another option for integrating on-premises systems is to involve another cloud service: API Gateway. Refer to the reference architecture "Deploy an Oracle API Gateway service in a hybrid environment" to better understand this approach.
This topic describes the top-level architecture for each of these approaches.
Hybrid Architecture with Connectivity Agent
This architecture describes how to deploy the connectivity agent to handle hybrid integration:
Description of the illustration landingzone-wad-1.3-scenario2.png
- Oracle Integration
Oracle Integration connects any application and data source to automate end-to-end processes and centralize management.
- Oracle Integration Connectivity Agent
Oracle Integration Connectivity Agent enables hybrid integrations and provides a method for exchanging messages between applications in private or on-premises networks and Oracle Integration.
- Identity Domain
Oracle Identity Domain provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.
Hybrid Architecture with Private Endpoint
This architecture describes how to handle hybrid integration by deploying a private endpoint.
Description of the illustration hybrid-architecture-private-endpoint.png
- Oracle Integration
Oracle Integration connects any application and data source to automate end-to-end processes and centralize management.
- Oracle Integration Private Endpoint
Oracle Integration Private Endpoint enables hybrid integrations and provides a method for exchanging messages between applications in private networks and Oracle Integration. The private endpoint manages outbound traffic from Oracle Integration.
- Identity Domain
Oracle Identity Domain provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.
Hybrid Architecture with API Gateway
This architecture describes how to enable hybrid integration by using an Oracle API Gateway.
Description of the illustration landingzone-wad-1.3-scenario1.png
- Oracle Integration
Oracle Integration connects any application and data source to automate end-to-end processes and centralize management.
- Oracle API Gateway
Oracle API Gateway service enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose with public IP addresses.
- Identity Domain
Oracle Identity Domain provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.
Recommendations
- Deployment and security for hybrid integration
"Deploy Oracle Integration 3 on an Oracle Self-Service Landing Zone", referenced at the beginning of this document (and accessible from "Explore More", below), provides guidelines for properly setting up the configuration of integration components from the security point of view. The following image shows how those guidelines apply to the integration components described above.
Description of the illustration int-deploy-security.png
Specifically:
- Oracle Integration is deployed to an Oracle Integration compartment.
- Any required connectivity agent is deployed in the Oracle Integration Compartment for Workload.
- Any required API gateway is deployed in the Oracle Integration Compartment for Workload. If you use a generic API gateway, you can use the one commonly deployed in the security compartment.
- The private endpoint belongs to the network compartment.
- Accessing private services exposed through APIs
If you need to access private services exposed through APIs, you can use:
- An API gateway, as it will route the connectivity to the right service.
- A connectivity agent through a SOAP/REST adapter.
- A private endpoint through a SOAP/REST adapter, but only if these services are running in OCI. This is because IPSec tunneling and FastConnect are not currently supported for use with private endpoints.
- Accessing private resources that need a specific adapter
If you need to access private resources that need a specific adapter, you can use:
- A connectivity agent through the specific adapter.
- A private endpoint through the specific adapter, but only if:
- These services are running in Oracle Integration because IPSec tunneling and FastConnect are not currently supported for use with private endpoints; and
- Oracle Integration Private Endpoint supports the adapter.
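The placement and connectivity recommendations above can be checked automatically before a deployment is approved. The following added example is not part of the original page or any Oracle tooling: it lints a deployment manifest against those recommendations. The manifest schema, the compartment labels, the adapter names and the `lint` function are all assumptions made for illustration.

```python
# Added example: the manifest schema and compartment labels are assumptions.
PLACEMENT = {  # resource type -> compartments the recommendations allow
    "oracle_integration": {"integration"},
    "connectivity_agent": {"integration-workload"},
    "api_gateway": {"integration-workload", "security"},  # security: generic gateway
    "private_endpoint": {"network"},
}
UNSUPPORTED_PATHS = {"ipsec", "fastconnect"}  # not usable with private endpoints

def lint(manifest):
    """Return sorted findings; an empty list means the manifest complies."""
    findings = []
    for res in manifest["resources"]:
        allowed = PLACEMENT.get(res["type"])
        if allowed is None:
            findings.append(f"{res['name']}: unknown type {res['type']}")
        elif res["compartment"] not in allowed:
            findings.append(f"{res['name']}: {res['type']} is in "
                            f"'{res['compartment']}', expected {sorted(allowed)}")
    for conn in manifest["connections"]:
        if conn["via"] != "private_endpoint":
            continue  # agent and gateway routes carry no path restriction here
        if conn["network_path"] in UNSUPPORTED_PATHS:
            findings.append(f"{conn['name']}: private endpoint cannot use "
                            f"{conn['network_path']}; use a connectivity agent")
        if not conn.get("adapter_supports_private_endpoint", False):
            findings.append(f"{conn['name']}: adapter '{conn['adapter']}' is not "
                            "marked as supported by the private endpoint")
    return sorted(findings)

# Constructed sample manifest (not from the original page).
SAMPLE = {
    "resources": [
        {"name": "oic-prod", "type": "oracle_integration", "compartment": "integration"},
        {"name": "agent-1", "type": "connectivity_agent", "compartment": "network"},
        {"name": "pe-1", "type": "private_endpoint", "compartment": "network"},
        {"name": "gw-shared", "type": "api_gateway", "compartment": "security"},
    ],
    "connections": [
        {"name": "erp-db", "via": "private_endpoint", "network_path": "fastconnect",
         "adapter": "database", "adapter_supports_private_endpoint": True},
        {"name": "oci-rest", "via": "private_endpoint", "network_path": "vcn",
         "adapter": "rest", "adapter_supports_private_endpoint": True},
        {"name": "legacy-soap", "via": "connectivity_agent", "network_path": "ipsec",
         "adapter": "soap"},
    ],
}
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

On the sample, the linter reports the misplaced connectivity agent and the private endpoint connection routed over FastConnect; the generic gateway in the security compartment and the agent route over IPSec pass.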
Considerations
Consider the following points when deploying this reference architecture.
- Security
Both the connectivity agent and API gateway provide necessary security.
- Availability
You can use the connectivity agent in high availability environments with Oracle Integration. Just install it twice on different hosts, as described in "Use the Connectivity Agent in High Availability Environments" (which you can access from the "Explore More" section, below). By default, the API gateway provides high availability.
- Cost
When analyzing cost, consider the following:
- The Oracle Integration Connectivity Agent does not increase implementation cost. Its features are included in your Oracle Integration subscription (either Standard or Enterprise edition) and its cost is based on message packs.
- The API gateway is an additional OCI component and its specific cost is based on API calls, in millions, per month. A private endpoint does not incur any additional cost.
- The only cost is for required compute resources.
Explore More
Learn more about setting up a landing zone architecture with Oracle Integration.
Review these additional resources: