Landing Zones Overview

The following information describes the Oracle Cloud Infrastructure (OCI) landing zones.

Landing Zone Benefits

OCI Landing Zones accelerate cloud onboarding with an optimal foundation that's secure, compliant, and resilient. OCI Landing Zones are prescriptive, hardened Terraform templates for one-click automated provisioning of the base tenancy and key cloud services, from standard to complex use cases. The solutions are architected and pre-configured to adhere to best practices and conform to Center for Internet Security (CIS) Benchmarks, with optimized configurations that provide you with a foundation that's standardized, compliant, resilient, scalable, cost-effective, and ready for business-critical workloads.

What Are Landing Zones?

Landing zones are opinionated, hardened Terraform-based templates for one-click automated provisioning of the base tenancy and key cloud services. A landing zone includes the identity, network, security, monitoring, and governance services needed to support applications and workloads. You can deploy landing zones directly from GitHub or from OCI Resource Manager, building an environment in minutes.

How Are Landing Zones Built?

All OCI landing zone templates are composed of the OCI Landing Zones framework and its modules, which provide the building blocks required for building your cloud architecture. The framework converges multiple disparate initiatives, including CIS Landing Zone, OCI Enterprise Landing Zone (OELZ), and EMEA Operating Entities Landing Zones, for consistent messaging.

The following diagram outlines components of the OCI Landing Zones framework.

Diagram showing the OCI Landing Zones framework.

Landing zone blueprints are pre-built, prescriptive solutions that support common and specific requirements. The framework provides a common set of generic Terraform modules that provide infrastructure as code (IaC) capabilities to all landing zones. Extensions are pluggable elements that augment a blueprint, such as custom hub and spoke configurations and multicloud connectivity.

Workloads are also pluggable elements designed to simplify the onboarding of specific application workloads and platform as a service (PaaS) solutions, such as OCI Kubernetes Engine (OKE), Exadata Cloud Service (ExaCS), E-Business Suite (EBS), Oracle Cloud VMware Solution (OCVS), AI services, and so on. All landing zone components, such as blueprints, modules, extensions, and workloads, are pre-configured by default to enforce the CIS OCI Foundations Benchmark.

OCI Curated Landing Zone Blueprints

To accelerate onboarding to the cloud, OCI provides curated landing zone blueprints for common use cases and tenancy best practices. You can deploy a blueprint with a single click or leverage the framework to build your own landing zone. This is your ideal starting point in OCI. If you're more experienced with landing zones, you can customize the landing zones or create new ones using the framework's modules to support unique requirements.

Key Services Included in OCI Landing Zone Blueprints

At its core, OCI Landing Zones include the following OCI service components and modules:

  • Identity and Access Management (IAM) Module: Use this module to establish an identity strategy. You can set up IAM roles, groups, policies, and compartments to control access to cloud resources. The module helps enforce principles of least privilege and implements authentication and authorization mechanisms to help ensure only authorized users and systems can access the cloud environment.
  • Networking Module: Helps you configure and deploy a secure and resilient network architecture. This includes creating virtual cloud networks (VCNs), subnets, routing tables, and security groups to enable secure communication between cloud resources and on-premises systems or third-party cloud service providers. There are options to deploy an OCI native firewall or a third-party firewall. The module helps establish connectivity options such as VPN or FastConnect to hybrid or multicloud networks.
  • Security Module: Use this module to help implement security controls and support for governance frameworks. All OCI Landing Zone blueprints and components are designed to be secure and support the CIS OCI Foundations Benchmark. This involves defining and deploying security policies, encryption strategies, vulnerability and threat detection, and logging and monitoring solutions. By integrating OCI native security tooling and following the CIS OCI Foundations Benchmark, you can help ensure your cloud environment meets security policy requirements and protects sensitive data.
  • Observability and Monitoring Module: Establishes event monitoring, alerting, and logging, which are crucial for operational management. This includes integrating with monitoring tools and enabling the automation of incident management processes. Use of landing zones helps you set up best practices to proactively manage cloud environments to enable high availability and performance.
  • Governance Module: Implements tags and budgets to help organize and manage cloud resources. This includes creating resource groups, applying tags, and setting budgets that can provide alerts based on defined budget rules. Use of landing zones supports proper resource organization, simplifies management, and enables cost allocation and governance by using compartments to provide a logical structure for managing costs. This helps your organization gain visibility into cloud spending and optimize cloud resource utilization.
  • Workloads Module: Provisions the OCI PaaS components such as Compute, Block Volume, File Storage Service (FSS), OKE, Object Storage, and Oracle Database to support your workload environments.

OCI Landing Zones Blueprint Catalog

The following information describes the key OCI Landing Zones. Choose the one most applicable to your use case.

  • OCI Core Landing Zone: Provides a generic blueprint that provisions the services needed for a secure, scalable, and resilient OCI tenancy to get started. The OCI Core Landing Zone is CIS-compliant and provides support for complex architectures such as multitenancy and multicloud, in addition to third-party integrations such as firewall and security information and event management (SIEM).

    The OCI Core Landing Zone unifies the previous CIS Landing Zone and OCI Enterprise Landing Zone (OELZ) in a single, standardized solution.

  • Secure Cloud Computing Architecture (SCCA) Landing Zone: Supports SCCA for the U.S. Department of Defense. You can choose Mission Owner or Managed SCCA Broker landing zone options.

OCI landing zones provide a solid foundation for you to start the cloud journey and onboard your workloads to OCI. Use the landing zones to establish a scalable, secure, and cost-effective cloud presence while adhering to governance and compliance requirements. By leveraging landing zones as part of your cloud strategy, you can accelerate cloud adoption, help reduce risks, and lay the groundwork for successful cloud deployments.