OCI Open LZ – One-OE Blueprint – One-Stack Deployment
OPERATION | One-Stack Deployment with CIS Level 1 Security Controls | One-Stack Deployment with CIS Level 2 Security Controls |
USE | We recommend this option when: - CIS Level 1 Security Controls satisfies your security requirements. - You are becoming familiar and testing the configurations and you need to deploy/destroy quickly to test changes or Landing Zone deployment. - You are creating a PoC enviroment. |
We recommend this option when: - Your security requirements need to satisfy CIS Level 2 Security Controls (like deploying a Vault to manage your encryption keys and force the encryption of all your data with them, block storage, object storage, etc.). |
TARGET RESOURCES |
This operation creates a One-OE Landing Zone in one execution with the following resources: - One Landing Zone Environment (production). - Network Hub A, no cost version. - Two Workload Environments (prod, preprod) and related Spoke Networks. - Setups a strong security posture with Security Zones and Cloud Guard based on CIS Security Controls Level 1. - Setups monitoring with Events, Alarms, Logging, and Notifications based on CIS Security Controls Level 1. - One sample Project per workload environment and a sample Platform areas. For more details on the resources being created refer to the documentation and the drawio. |
This operation creates a One-OE Landing Zone in one execution with the following resources: - One Landing Zone Environment (production). - Network Hub A, no cost version. - Two Workload Environments (prod, preprod) and related Spoke Networks. - Setups a strong security posture with Security Zones and Cloud Guard based on CIS Security Controls Level 2. - Setups monitoring with Events, Alarms, Logging, and Notifications based on CIS Security Controls Level 2. - One sample Project per workload environment and a sample Platform areas. For more details on the resources being created refer to the documentation and the drawio. |
DEPLOYMENT DIAGRAM | ||
INPUT CONFIGURATIONS + |
IAM Configuration as input to the OCI Landing Zone IAM module. Network Configuration as input to the OCI Landing Zone Network module. Security Configuration as input to the OCI Landing Zone Security module. Observability Configuration as input to the OCI Landing Zone Observability module. |
IAM Configuration as input to the OCI Landing Zone IAM module. Network Configuration as input to the OCI Landing Zone Network module. Security Configuration as input to the OCI Landing Zone Security module. Observability Configuration as input to the OCI Landing Zone Observability module. |
DEPLOY WITH ORM - STEP #1 |
And follow these steps: 1. Accept terms, wait for the configuration to load. 2. Set the working directory to “rms-facade”. 3. Set the stack name you prefer. 4. Set the terraform version to 1.5.x. Click Next. 5. Accept the default files. Click Next. Optionally, replace with your json/yaml config files. 6. Un-check run apply. Click Create. |
And follow these steps: 1. Accept terms, wait for the configuration to load. 2. Set the working directory to “rms-facade”. 3. Set the stack name you prefer. 4. Set the terraform version to 1.5.x. Click Next. 5. Accept the default files. Click Next. Optionally, replace with your json/yaml config files. 6. Un-check run apply. Click Create. |
POST DEPLOYMENT - STEP #2 |
This is an optional step to be executed once Step 1 Stack and all landing zone elements are created. This step requires the update the previous ORM stack json configuration files in order to complete the Networking routing, add extra Security Zones Recipes (3, 4, and 5), and Network Flow Logs. This update can be executed in one step by replacing both files as described below. Network routing: Optionally, you can deploy a "dummy VM" as a firewall and complete the routing with the following steps: a. Deploy a dummy FW VM for the DMZ and Internal FWs following these steps How to create a dummy FW VM. b. Identify the Private IP OCID of your firewalls following these steps How to identify the Private IP OCID of a VM VNIC. c. Update the POST network JSON configuration oci_open_lz_hub_a_network_light_post.auto.tfvars.json and replace the "DMZ FW PRIVATE IP OCID" with the OCID of the Public DMZ Firewall Private IP OCID identified in the previous steps. You can use the find & replace of the IDE of your choice. d. Update the network JSON configuration and replace the "INT FW PRIVATE IP OCID" with the OCID of the Private Internal Firewall Private IP OCID identified in the previous steps. e. Edit the ORM stack and replace the original Network JSON configuration file with the new one oci_open_lz_hub_a_network_light_post.auto.tfvars.json. NOTE: To upgrade your light version to the complete one, remove the dummy FW VMs, deploy the firewalls by using the Network Configuration of the complete version, and update the routing as described previously. Security Zones: - Use the configuration oci_open_lz_one-oe_security_cisl1_addon_sz345.auto.tfvars.json to extend the base configuration with additional Security Zone targets to apply Recipes in the shared network compartment, the production shared network compartment, and project 1 example. As the compartment hierarchy goes deeper the Security Zones are more restrictive. - Note that this update action is not in the base stack red due to limitations with terraform dependency grapth while creating these resources. These will be merged once these limitations are solved. Observability - Flow Logs: - Use the configuration oci_open_lz_one-oe_observability_cisl1_addon_flowlogs.auto.tfvars.json to create the VCN and Subnets flow logs. - Note that by default, the VCN and Subnet flows logs are not deployed. The first 10 gigabytes of log storage are free every month. The configuration creates a log group for the shared network and each shared network environment, where it would create logs for every VCN and subnet within the VCNs. It would depend on how much traffic is generated in your VCNs/Subnets to overpass the free log storage that you get every month. |
This is an optional step to be executed once Step 1 Stack and all landing zone elements are created. This step requires the update the previous ORM stack json configuration files in order to complete the Network routing, add extra Security Zones Recipes (3, 4, and 5), and Network Flow Logs. This update can be executed in one step by replacing both files as described below. Network routing: Optionally, you can deploy a "dummy VM" as a firewall and complete the routing with the following steps: a. Deploy a dummy FW VM for the DMZ and Internal FWs following these steps How to create a dummy FW VM. b. Identify the Private IP OCID of your firewalls following these steps How to identify the Private IP OCID of a VM VNIC. c. Update the POST network JSON configuration oci_open_lz_hub_a_network_light_post.auto.tfvars.json and replace the "DMZ FW PRIVATE IP OCID" with the OCID of the Public DMZ Firewall Private IP OCID identified in the previous steps. You can use the find & replace of the IDE of your choice. d. Update the network JSON configuration and replace the "INT FW PRIVATE IP OCID" with the OCID of the Private Internal Firewall Private IP OCID identified in the previous steps. e. Edit the ORM stack and replace the original Network JSON configuration file with the new one oci_open_lz_hub_a_network_light_post.auto.tfvars.json. NOTE: To upgrade your light version to the complete one, remove the dummy FW VMs, deploy the firewalls by using the Network Configuration of the complete version, and update the routing as described previously. Security Zones: - Use the configuration oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json to extend the base configuration with additional Security Zone targets to apply Recipes in the shared network compartment, the production shared network compartment, and project 1 example. As the compartment hierarchy goes deeper the Security Zones are more restrictive. - Note that this update action is not in the base stack red due to limitations with terraform dependency grapth while creating these resources. These will be merged once these limitations are solved. Observability - Flow Logs: - Use the configuration oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json to create the VCN and Subnets flow logs. - Note that by default, the VCN and Subnet flows logs are not deployed. The first 10 gigabytes of log storage are free every month. The configuration creates a log group for the shared network and each shared network environment, where it would create logs for every VCN and subnet within the VCNs. It would depend on how much traffic is generated in your VCNs/Subnets to overpass the free log storage that you get every month. |
Review the known issues for any difficulties and feel free to contact us.
Copyright (c) 2025 Oracle and/or its affiliates.
Licensed under the Universal Permissive License (UPL), Version 1.0.
See LICENSE for more details.