OCI Core Landing Zone
The use of landing zones is a generally accepted best practice for cloud adoption. Whether your organization is small or large, you can benefit from starting with a secure and scalable environment based on Oracle Cloud Infrastructure (OCI) reference architecture.
The purpose of landing zones is to help organizations land business-critical workloads successfully and efficiently. All the core technology components are covered, including identity, network, storage, compute, and security. All the proven infrastructure as code (IaC) designs are automated into the deployment process and can be provisioned with a single click.
The OCI Core Landing Zone unifies the Oracle Enterprise Landing Zone (OELZ) and Center for Internet Security (CIS) Landing Zone initiatives. This landing zone provides a reference architecture that can help you achieve greater agility, scalability, and security in cloud environments. It's built from the OCI Landing Zone framework, based on a modular architecture, which lets you quickly and easily deploy and scale cloud infrastructure. It also includes best practices for security and compliance, applying CIS OCI Foundations Benchmark v2.0 to help you start with a strong security posture and support your compliance goals.
Architecture
The landing zone architecture begins with the design of compartments for your tenancy, in addition to the creation of groups and policies to help ensure proper segregation of duties. It provisions compartments within a designated parent compartment for all your core infrastructure services, allowing your teams to more efficiently manage OCI resources. Each landing zone compartment is assigned a specific admin group, which is granted the necessary permissions to manage resources within the compartment and access resources in other compartments.
This design also supports the provisioning of multiple Virtual Cloud Networks (VCNs), either as standalone networks or as spokes in a hub and spoke architecture. The VCNs can be configured to deploy a hub VCN, up to a three-tier network VCN topology, or they can be tailored to specific use cases, such as supporting Oracle Exadata Database Service or Oracle Kubernetes Engine (OKE) deployments. Out of the box, the VCNs are preconfigured with the appropriate routing and secure inbound and outbound interfaces.
The OCI Core Landing Zone includes several preconfigured security services that support the CIS OCI Benchmarks; these services are deployed and integrated as part of the overall architecture to help ensure a robust security posture. The OCI native security services include Cloud Guard, Flow Logs, Connector Hub, Vault, Vulnerability Scanning Service, Bastion, and Security Zones. Administrators can set up notifications using topics and events to stay informed about changes in deployed resources.
The following diagram shows the OCI Core Landing Zone reference architecture.
The OCI Core Landing Zone is composed of a set of modules designed to be flexible, easy to use, and helpful in aligning customer deployments with the CIS OCI Foundations Benchmark recommendations.
Identity and Access Management
OCI Identity and Access Management (IAM) is used to manage and control access to the cloud resources in your tenancy. The landing zone automatically creates IAM groups and policies to govern access to the resources provisioned in your environment and to support segregation of duties and Role-Based Access Control (RBAC) requirements. Additionally, you have the option to federate with your organization's Microsoft Active Directory for seamless integration with your existing third-party identity provider (IdP). There are several IAM modules, including Compartments, Policies, Groups, Dynamic Groups, and Identity Domains. For more information, see the GitHub repository, OCI Landing Zones IAM Modules.
OCI IAM policies define who can access specific resources and the level of access they are granted. Access is managed at the group and compartment level, letting you create policies that assign a group specific permissions within a compartment or across the entire tenancy. Compartments are logical partitions within an OCI tenancy. They're used to organize resources, manage access, and enforce usage quotas. To control access to resources within a compartment, you create policies that specify which users or groups can access the resources and what actions they're allowed to perform. This compartment design follows a common organizational structure, where IT responsibilities are typically divided among networking, security, application development, and database administration teams.
The resources in this landing zone template are provisioned across the following compartments:
- Enclosing Compartment: A recommended parent compartment that contains all the other compartments listed below it.
- Network Compartment: Contains all networking resources, including necessary network gateways, workload VCNs, and a hub and spoke option.
- Security Compartment: Houses resources related to logging, key management, vulnerability scanning, bastion, and notifications.
- App Compartment: Includes application-related services such as compute, storage, functions, streams, Kubernetes nodes, API gateway, and more.
- Database Compartment: Dedicated to database resources.
- Exadata Compartment (Optional): A compartment for provisioning Oracle Exadata Database Service infrastructure.
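As an added example (not code from the landing zone's own Terraform or modules), the following linter parses OCI IAM policy statements and checks them against the compartment-admin model described above: only the tenancy administrator group may manage all resources tenancy-wide, and each compartment admin group may manage resources only inside its own compartment (use, read and inspect across compartments is expected). The group names, compartment path names and sample statements are constructed for the example.

```python
import re

# Assumed landing zone layout (constructed names): each admin group owns one compartment.
ADMIN_GROUPS = {
    "lz-network-admin-group": "lz-top:lz-network",
    "lz-security-admin-group": "lz-top:lz-security",
    "lz-app-admin-group": "lz-top:lz-app",
    "lz-database-admin-group": "lz-top:lz-database",
}
TENANCY_ADMIN_GROUP = "Administrators"  # only group allowed tenancy-wide manage all-resources

# Covers: Allow group <g> to <verb> <resource> in tenancy|compartment <c> [where <cond>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+.+)?$", re.IGNORECASE)

def parse(statement):
    """Split one policy statement into group, verb, resource type and scope."""
    m = STATEMENT_RE.match(statement.strip())
    if not m: raise ValueError(f"unsupported statement syntax: {statement!r}")
    d = m.groupdict()
    return {"group": d["group"], "verb": d["verb"].lower(), "resource": d["resource"].lower(),
            "scope": "tenancy" if d["tenancy"] else d["compartment"]}

def lint(statements):
    """Return (statement, reason) pairs for grants that break the compartment-admin model."""
    findings = []
    for s in statements:
        p = parse(s)
        own = ADMIN_GROUPS.get(p["group"])
        reason = None
        if (p["scope"] == "tenancy" and p["verb"] == "manage"
                and p["resource"] == "all-resources" and p["group"] != TENANCY_ADMIN_GROUP):
            reason = "tenancy-wide manage all-resources granted outside the tenancy admin group"
        elif own and p["verb"] == "manage" and p["scope"] != own:
            # use/read/inspect across compartments is expected; manage outside your own is not
            reason = f"{p['group']} manages resources outside its own compartment {own}"
        if reason:
            findings.append((s, reason))
    return findings

# Constructed sample: the last two statements violate the model.
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group lz-network-admin-group to manage virtual-network-family in compartment lz-top:lz-network",
    "Allow group lz-security-admin-group to manage vaults in compartment lz-top:lz-security",
    "Allow group lz-database-admin-group to use virtual-network-family in compartment lz-top:lz-network",
    "Allow group lz-app-admin-group to manage all-resources in tenancy",
    "Allow group lz-app-admin-group to manage database-family in compartment lz-top:lz-database",
]
```

Run `lint(SAMPLE_STATEMENTS)` to see the two findings; feeding it the statements exported from your own tenancy's policies gives a quick drift check after the landing zone has been customized.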
Networking
You can configure the OCI Core Landing Zone to deploy the following network resources:
VCN: A customizable, software-defined network in OCI that gives you full control over your network environment, similar to traditional data center networks. A VCN can have multiple non-overlapping CIDR blocks, which can be modified after creation. You can further segment a VCN into subnets, which can be scoped to a region or availability domain. Each subnet has a contiguous range of IP addresses that doesn't overlap with other subnets in the same VCN. The size of a subnet can be adjusted after creation, and subnets can be either public or private.
The OCI Core Landing Zone can be configured to deploy up to 10 VCNs:
- 3 three-tier VCNs
- 3 Exadata Cloud Infrastructure VCNs
- 3 OKE VCNs
- 1 hub VCN
These VCNs can be deployed as standalone or peered networks. By default, no VCNs are provisioned unless selected.
Internet Gateway: Enables traffic between public subnets in a VCN and the public internet.
Dynamic Routing Gateway (DRG): Virtual router that facilitates private network traffic between on-premises networks and VCNs. It can also route traffic between VCNs within the same region or across different regions.
NAT Gateway: Allows private resources in a VCN to initiate outbound connections to the internet without exposing those resources to incoming internet traffic.
Service Gateway: Provides access from a VCN to OCI services, such as Object Storage. Traffic from the VCN to these services flows over Oracle’s network fabric, avoiding the public internet.
Oracle Services Network (OSN): Dedicated network within OCI for Oracle services, which have public IP addresses accessible over the internet. Hosts outside of OCI can access the OSN privately by way of OCI FastConnect or VPN Connect. Hosts within your VCN can reach the OSN privately through a service gateway.
Network Security Groups (NSGs): Act as virtual firewalls for your cloud resources. Following the zero-trust security model of OCI, all traffic is denied by default; NSG rules let you control traffic flow within a VCN. An NSG consists of a set of ingress and egress rules applied to a specific set of virtual network interface cards (VNICs) in a VCN.
Zero Trust Packet Routing (ZPR): Prevents unauthorized data access by managing network security policy separately from the network architecture. ZPR uses a user-friendly intent-based policy language to define allowed access pathways for data. Any traffic patterns not explicitly defined by policy can't traverse the network, which simplifies data protection and prevents data exfiltration. By default, ZPR isn't enabled and requires configuration.
Security
By default, the OCI Core Landing Zone is configured to deploy the following cloud native security services to support the CIS OCI Benchmark and provide a robust security posture.
- Cloud Guard: Cloud-native service designed to help you monitor, identify, and maintain a strong security posture in Oracle Cloud. The service continuously examines your OCI resources for security weaknesses related to configuration and monitors operators and users for risky activities. Using customizable detector recipes, Cloud Guard identifies misconfigurations and potential security threats, and, when detected, it can recommend corrective actions or assist in implementing them through predefined responder recipes. This lets you proactively manage the security of your resources and maintain compliance with best practices.
- Security Zone: Associated with one or more compartments and a security zone recipe. When resources are created or modified within a security zone, OCI validates the operation against the security policies defined in the zone's recipe. If any policy is violated, the operation is denied. Security zones help ensure that your OCI resources comply with your organization's security requirements across services such as Compute, Networking, Object Storage, Block Volume, and Database.
- Vulnerability Scanning Service: Helps enhance security by regularly scanning ports and hosts for vulnerabilities. The service generates detailed reports, including metrics and insights into identified vulnerabilities, helping you proactively address security risks.
- Vault: Lets you centrally manage encryption keys that protect your data, in addition to secret credentials used to secure access to your cloud resources. With the Vault service, you can create and manage vaults, encryption keys, and secrets.
- Bastion: Provides secure, controlled access to OCI resources that don't have public endpoints. It allows SSH sessions based on identity, with specific IP address restrictions and time-bound access. All activities are audited, ensuring secure and traceable remote access to critical resources.
Observability
The OCI Core Landing Zone is configured to use the following OCI services for observability:
- Logging: Highly scalable, fully managed service that provides access to logs from your cloud resources. It enables you to view, manage, and analyze logs across your tenancy, including critical diagnostic information about resource performance and access. The service supports the following types of logs:
  - Audit Logs: Records of events emitted by the OCI Audit service.
  - Service Logs: Logs generated by OCI native services such as API Gateway, Events, Functions, Load Balancer, Object Storage, and VCN flow logs.
  - Custom Logs: Logs from custom applications, third-party cloud providers, or on-premises environments, providing additional diagnostic details.
- Events: Structured messages emitted by OCI services that describe changes in resources. These events can correspond to create, read, update, or delete (CRUD) operations, resource lifecycle state changes, or system events that impact cloud resources.
- Notifications: Broadcasts secure, highly reliable, low-latency, and durable messages to distributed components using a publish-subscribe pattern. It delivers messages for applications hosted on OCI and externally, and can be used to notify you when alarms, service connectors, or event rules are triggered.
- Connector Hub: Cloud-based message bus platform that orchestrates data movement between services in the cloud. It provides a single pane of glass for defining, running, and monitoring data transfers, letting you move data from a source service to a target service. Additionally, Connector Hub lets you specify tasks, such as invoking a function, to process the data before delivery to the target service. This makes it easy to build a log aggregation framework for Security Information and Event Management (SIEM) systems.
- Object Storage: Lets you manage data as objects within containers, providing quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich media such as images and videos. You can securely store and retrieve data both from the internet and within the cloud platform, with the ability to scale storage without sacrificing performance or reliability. Use Standard Storage for frequently accessed "hot" data that requires quick and immediate retrieval, and Archive Storage for "cold" data that is rarely accessed but retained for long-term storage.
Recommendations
Use the following guidelines as a foundation to design and configure security for your cloud environment. Consider that your specific requirements might differ from the architecture outlined here.
- Network Configuration: When selecting a CIDR block for your VCN, ensure it doesn't overlap with any other networks (whether in OCI, your on-premises data center, or another cloud provider) to which you plan to establish private connections.
- Monitoring Security: Use Cloud Guard to monitor and maintain the security of your resources in OCI. Cloud Guard employs customizable detector recipes to identify security weaknesses in your resources and track risky activities by operators and users. When a misconfiguration or security issue is detected, Cloud Guard provides recommendations for corrective actions and can assist with implementing them using predefined responder recipes.
- Secure Resource Provisioning: For resources requiring the highest level of security, use security zones. A security zone is a compartment associated with an Oracle-defined policy set based on security best practices. For example, resources in a security zone must be inaccessible from the public internet and must be encrypted with customer-managed keys. OCI validates resource creation and updates within a security zone against these policies, automatically denying any operations that violate them.
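The Network Configuration guideline above is easy to get wrong once a VCN carries several CIDR blocks and a DRG connects it to on-premises ranges. The following is an added example, not part of the landing zone's code, that validates a constructed address plan before provisioning: VCN blocks must be disjoint from each other and from every privately connected external range, and each subnet must sit inside its VCN and not overlap sibling subnets. All VCN, subnet and range names are constructed.

```python
import ipaddress

# Constructed plan: a hub VCN, a three-tier VCN with two CIDR blocks, and an on-premises
# range reached over the DRG. Three deliberate mistakes are planted (see comments).
PLAN = {
    "vcns": {
        "hub-vcn": ["10.0.0.0/24"],
        "three-tier-vcn": ["10.1.0.0/20", "10.1.16.0/20"],
    },
    "subnets": {
        "three-tier-vcn": {"web": "10.1.0.0/24", "app": "10.1.1.0/24",
                           "db": "10.1.2.0/24", "mgmt": "10.1.2.128/25"},   # mgmt overlaps db
        "hub-vcn": {"dmz": "10.0.0.0/25", "fw": "10.0.0.128/25",
                    "bastion": "10.2.0.0/28"},                              # outside the hub VCN
    },
    "external": {"on-prem": ["192.168.0.0/16", "10.1.16.0/24"]},             # collides with VCN
}

def validate(plan):
    """Return human-readable findings; an empty list means the plan is safe to connect."""
    findings = []
    vcn_blocks = {n: [ipaddress.ip_network(c) for c in cs] for n, cs in plan["vcns"].items()}
    blocks = [(n, b) for n, bs in vcn_blocks.items() for b in bs]
    # 1. VCN blocks must be disjoint, or peering (standalone or hub and spoke) cannot route.
    for i, (n1, b1) in enumerate(blocks):
        for n2, b2 in blocks[i + 1:]:
            if b1.overlaps(b2):
                findings.append(f"VCN block {b1} ({n1}) overlaps {b2} ({n2})")
    # 2. VCN blocks must not collide with networks you will connect privately (on-prem, other cloud).
    for ext, ranges in plan["external"].items():
        for r in map(ipaddress.ip_network, ranges):
            for n, b in blocks:
                if b.overlaps(r):
                    findings.append(f"VCN block {b} ({n}) overlaps {ext} range {r}")
    # 3. Each subnet must lie inside one of its VCN's blocks and not overlap sibling subnets.
    for vcn, subnets in plan["subnets"].items():
        nets = [(name, ipaddress.ip_network(c)) for name, c in subnets.items()]
        for name, net in nets:
            if not any(net.subnet_of(b) for b in vcn_blocks[vcn]):
                findings.append(f"subnet {name} {net} lies outside VCN {vcn}")
        for i, (n1, s1) in enumerate(nets):
            for n2, s2 in nets[i + 1:]:
                if s1.overlaps(s2):
                    findings.append(f"subnets {n1} {s1} and {n2} {s2} overlap in VCN {vcn}")
    return findings
```

`validate(PLAN)` reports the three planted problems; `ipaddress.ip_network` also rejects a CIDR with host bits set, so typos such as a misaligned /25 fail before they reach Terraform.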
Considerations
When implementing the OCI Core Landing Zone, consider the following information:
- Access Permissions: During initial provisioning, the landing zone can create resources with tenancy administrator privileges. It includes preconfigured policies that let separate administrator groups manage each compartment after the initial setup. However, these policies are limited to the resources deployed by the template and don't cover all potential cloud resources. If you add new resources to the Terraform template, you need to define additional policy statements to grant the necessary access permissions.
- Network Configuration: The landing zone network can be deployed in different ways: with one or more standalone VCNs, or in a hub and spoke architecture. It's also possible to configure the network with no Internet connectivity.
- Deployment Guide: The OCI Core Landing Zone Deployment Guide in GitHub provides detailed guidance on how to configure the OCI Core Landing Zone. It includes deployment scenarios and steps on how to customize the Landing Zone.
Deployment
The Terraform code for this solution is available on GitHub. You can import the code into OCI Resource Manager with a single click, create the stack, and deploy the landing zone. Alternatively, you can download the code to your local machine, customize it, and deploy the architecture with the Terraform CLI.
Deploy Using the Sample Stack in Resource Manager
- Select Deploy to Oracle Cloud to open Resource Manager in the OCI Console and create a stack. If you're not already signed in to the Console, enter the tenancy and user credentials.
- Select the region where you want to deploy the stack.
- Follow the on-screen prompts and instructions to create the stack.
- After creating the stack, click Terraform Actions, and then select Plan.
- Wait for the job to be completed, and then review the plan.
- To make any changes, return to the Stack details page, click Edit Stack, and then make the required changes. Then, run the Plan action again.
- If no further changes are needed, return to the Stack details page, click Terraform Actions, and then select Apply.
Deploy Using the Terraform Code in GitHub
- Go to GitHub.
- Download or clone the code to your local computer.
- Follow the instructions in the README.
Note: OCI offers its cloud services in all of its public cloud regions and dedicated cloud regions. However, certain specialized or emerging services are available only in select regions. For more information, see Service Availability.