About the Resources in a Stack

Compute Instances

Depending on the number of nodes you specify for your Oracle WebLogic Server for OCI stack configuration, one or more compute instances are created for your domain.

Each WebLogic Server compute instance name has the following format:

servicename-wls-n

Where:

servicename is the resource name prefix you provided during stack creation
n is 0, 1, 2, and so on

For example, a domain with two nodes would have the following compute instances if the resource prefix is thestack:

thestack-wls-0
thestack-wls-1

The first compute instance (with the suffix -wls-0) runs the WebLogic Administration server thestack_adminserver and the first Managed Server thestack_server_1. The second compute instance (with the suffix -wls-1) runs the second Managed Server thestack_server_2, and so on.

If you specified a private subnet for your domain, a bastion instance is created, which is identified by:

servicename-bastion-instance

If you created a JRF-enabled domain, and WebLogic Server and the database are on different VCNs, then Domain Name Service (DNS) compute instances are created:

servicename-wlsdns-0 - DNS Forwarder in the WebLogic Server VCN
servicename-dbsystem-dns - DNS Forwarder in the database VCN

Network Resources

Several network resources for route tables, security lists, and gateways are created for your Oracle WebLogic Server for OCI domain.

Additional network resources are created if you specify a new virtual cloud network (VCN) or new subnets for an existing VCN during domain stack creation.

Your domain configuration determines the type and number of network resources created. The names of all network resources begin with the resource name prefix you provided during stack creation. The following table provides a summary of the resources that can be created.

Resource Name	Type
`servicename-vcnname`	WebLogic VCN
`servicename-wls-subnet`	WebLogic regional subnet
`servicename-wls-subnet-adname`	WebLogic availability domain-specific subnet
`servicename-bastion-subnet`	public subnet for the bastion compute instance
`servicename-lb-subnet-1`	load balancer regional subnet
`servicename-lb-subnet-1-adname1`	availability domain-specific subnet 1 for load balancer node 1
`servicename-lb-subnet-1-adname2`	availability domain-specific subnet 2 for load balancer node 2
`servicename-wls-dns-subnet-adname`	public subnet for the DNS Forwarder in the WebLogic VCN, for local VCN peering
`servicename-dbsystem-dns-subnet-adname`	public subnet for the DNS Forwarder in the database VCN, for local VCN peering
Default route table for `servicename-vcnname`	default route table for the WebLogic VCN
`servicename-public-routetable`	route table for a subnet
`servicename-dbsystem-routetable`	database route table, for local VCN peering
`servicename-internet-gateway`	internet gateway for the WebLogic VCN
`servicename-service-gateway`	service gateway for the WebLogic VCN
`servicename-wls-lpg`	local peering gateway in the WebLogic VCN
`servicename-dbsystem-lpg`	local peering gateway in the database VCN
Default security list for `servicename-vcnname`	default security list for the VCN
`servicename-internal-security-list`	security list for the WebLogic subnet
`servicename-bastion-security-list`	security list for the bastion subnet
`servicename-wls-bastion-security-list`	security list for the bastion and WebLogic subnets
`servicename-wls-ms-security-list`	security list for the WebLogic Managed Servers
`servicename-lb-security-list`	security list for the load balancer regional subnet
`servicename-wls-lb-security-list-1`	security list for the load balancer node 1 and WebLogic subnets
`servicename-wls-lb-security-list-2`	security list for the load balancer node 2 and WebLogic subnets
`servicename-wls_dns_security_list`	security list for the DNS subnet in the WebLogic VCN, for local VCN peering
`servicename-dbsystem-dns-security-list`	security list for the DNS subnet in the database VCN, for local VCN peering
Default DHCP Options for `servicename-vcnname`	default set of Dynamic Host Configuration Protocol (DHCP) options for a new VCN
`servicename-dhcpOptions`	copy of the default DHCP options in the WebLogic VCN
`servicename-wls-dns-dhcp-option`	custom DNS routing in the WebLogic VCN, for local VCN peering
`servicename-dbsystem-dns-dhcp-option`	custom DNS routing in the database VCN, for local VCN peering

Load Balancer

If you chose to create a load balancer for your domain, it is accessible from a single IP address and it distributes traffic across the managed servers in the domain.

The name of the load balancer resource has the following format:

servicename-lb

Where servicename is the resource name prefix you provided during stack creation.

The backend resource (which configures the load balancing policy) is identified by the name:

servicename-lb-backendset

The default listener is named https and it handles traffic on port 443. Attached to the listener are the following:

The rule set created with the name SSLHeaders. The rule set has the header rules WL-Proxy-SSL (value is true) and is_ssl (value is ssl).
The certificate demo_cert.

Oracle recommends you add your own SSL certificate.

See Managing SSL Certificates in the Oracle Cloud Infrastructure documentation and Add a Certificate to the Load Balancer.

Identity Resources for Dynamic Group and Root Policy

Oracle WebLogic Server for OCI creates a dynamic group and a single policy for your domain if the OCI Policies check box remains selected during stack creation.

The dynamic group and root-level (tenancy) policy allow compute instances in the domain to access:

Launch compute instances and manage block storage volumes.
Keys and secrets in Oracle Cloud Infrastructure Vault
Load balancer resources
The database wallet if you're using an Oracle Autonomous Database to contain the required infrastructure schemas for a JRF-enabled domain
The database if you're using Oracle Cloud Infrastructure Database (DB System) to contain the required infrastructure schemas for a JRF-enabled domain

The name of the dynamic group and the root-level policy is:

servicename-wlsc-principal-group (dynamic group)
servicename-oci-policy

Where servicename is the resource name prefix you provided during stack creation.

For a single compartment, the matching rule created in the dynamic group is:

instance.compartment.id='ocid1.compartment.oc1..alongstring'

The rule states that all instances created in the compartment (identified by the compartment OCID) are members of the dynamic group.

The service policy has the following statements:

Allow dynamic-group servicename-wlsc-principal-group to read secret-bundles in tenancy where target.secret.id=<OCID of the secret>.

The OCID of the secret can be the Administrator password, the Database password, Autonomous Database (ATP) password, the Application Database password, and the IDCS client secret password.
Allow dynamic-group servicename-wlsc-instance-principal-group to manage virtual-network-family in compartment where target.vcn.id=<OCID of the existing_VCN_ID>.

The following policies grants the OS Management service:
Allow dynamic-group servicename-wlsc-instance-principal-group to read instance-family in tenancy
Allow dynamic-group servicename-wlsc-instance-principal-group to use osms-managed-instances in compartment

The following policy is created if you provision a load balancer:
Allow dynamic-group servicename-wlsc-instance-principal-group to use load balancers in compartment

The following policy is created if you provision a JRF stack using an autonomous database:
Allow dynamic-group servicename-wlsc-principal-group to use autonomous-transaction-processing-family in tenancy

Identity Resources for Oracle Identity Cloud Service

If you configure your domain to use Oracle Identity Cloud Service for authentication, Oracle WebLogic Server for OCI provisions additional resources in Oracle Identity Cloud Service to support the domain.

These resources are not components of the stack, and so they are not visible in Resource Manager. In addition, they are not deleted automatically when you destroy the stack.

The names of the Oracle Identity Cloud Service resources have the following formats:

servicename_confidential_idcs_app_timestamp - Confidential Application
servicename_enterprise_idcs_app_timestamp - Enterprise Application
servicename_app_gateway_timestamp - App Gateway

Where:

servicename is the resource name prefix you provided during stack creation.
timestamp is the date and time on which the stack was created. For example, 2019-09-24T21:46:21.288662