VAF·SA — OCI Cloud Reference

← Cloud Reference Layer

VAF·SA — Cloud Reference · Oracle Cloud Infrastructure

VENDOR REFERENCE
VAFSA-CRL-OCI · v1.0

ORACLE CLOUD
INFRASTRUCTURE

Architecture Principles · Landing-Zone Patterns · Tenancy and Compartments · Cloud Guard · Security Zones

OCI Architecture Principles Landing Zone Cloud Guard Security Zones

Overview

OCI Architecture Guidance

How Oracle structures its architecture and adoption guidance for enterprise customers.

Oracle Cloud Infrastructure (OCI) provides architecture guidance through its Architecture Center — a collection of reference architectures, best-practice documentation, and landing-zone patterns. OCI does not publish a branded Well-Architected Framework under that name, but its architecture principles address equivalent workload quality concerns: availability, performance, security, cost, and operational effectiveness.

OCI's governance model is built on tenancy → compartments. Unlike other clouds that use separate accounts or subscriptions for isolation, OCI achieves logical isolation through compartments within a single tenancy. This structure — and the IAM and policy model that governs it — is the foundation on which all workload placement and governance decisions are built.

Many OCI enterprise engagements involve Oracle workloads — EBS, E-Business Suite, Database, Fusion — migrated from on-premises or other clouds. The architecture decisions for these workloads often intersect with Oracle licensing, support terms, and dedicated infrastructure options (Dedicated Region, Exadata Cloud@Customer) that have no direct equivalent on other platforms.

OCI engagements frequently surface confusion between what the tenancy policy model theoretically allows and what the IAM configuration actually enforces. Module 02 (Intelligence) is the instrument for establishing the real governance posture — not the intended one.

OCI Architecture Principles

Core Design Principles

The architecture considerations that apply across all OCI workloads.

High availability

OCI regions contain multiple Availability Domains (ADs) and Fault Domains (FDs). Workload resilience is designed through placement across ADs and FDs, combined with load balancing, health checks, and automated failover patterns.

Security by design

Security is integrated into every layer — network, compute, storage, identity. OCI's security model is built on compartments, IAM policies, Security Zones, and Cloud Guard. Security is not an add-on to the architecture — it is structural.

Cost efficiency

OCI pricing model differs from other clouds — costs are predictable and typically volume-based rather than egress-heavy. Cost architecture decisions include Universal Credits, Reserved Capacity, and Dedicated VM Hosts for licensing efficiency.

Operational effectiveness

Automation through OCI Resource Manager (Terraform-based), Events, and Notifications. Monitoring through OCI Monitoring and Logging. Operations design is a first-class architecture concern.

Performance

Flexible Shapes for compute allow precise resource allocation. High-throughput storage (Block Volume, File Storage). Low-latency networking through FastConnect and OCI's physical network architecture. Oracle workloads often have specific performance requirements that drive placement and shape selection.

OCI Landing-Zone Patterns

Enterprise Foundation

Tenancy design, compartments, IAM, network baseline, and security controls.

Tenancy and compartments

The tenancy is the root of the OCI resource hierarchy. Compartments provide logical isolation within the tenancy — analogous to accounts (AWS), subscriptions (Azure), or projects (Google Cloud). A standard compartment hierarchy separates Security, Network, Shared Services, Workload, and Sandbox compartments. Compartment design is a foundational decision — it determines policy inheritance and audit scope.

IAM and identity domains

OCI Identity Domains manage users, groups, and credentials. IAM Policies grant permissions to groups or dynamic groups on specific resources in specific compartments. Policy design is based on verb-resource-compartment structure. Identity federation with external identity providers (SAML 2.0, SCIM) for enterprise SSO. Dynamic Groups for instance-principal-based access.

Network baseline

Virtual Cloud Networks (VCNs) provide the network boundary. Hub-and-spoke model using a hub VCN for centralised connectivity and inspection, with spoke VCNs attached via Local Peering Gateways (LPG) or DRG. FastConnect for dedicated on-premises connectivity. OCI Network Firewall or equivalent for centralised traffic inspection.

Security baseline

Security controls applied across the landing zone: Security Lists and Network Security Groups for traffic control, OCI Vault for secrets management, Key Management Service for encryption key governance, OS Management Hub for instance patching, and Bastion Service for privileged access to compute instances.

Cloud Guard and Security Zones

Cloud Guard continuously monitors the OCI tenancy for security risks — misconfigurations, anomalous activity, and policy violations — and can automatically remediate issues through Responders. Security Zones enforce a set of security policies on designated compartments, preventing non-compliant resource configurations from being deployed.

Logging and monitoring

OCI Audit Service captures all API calls across the tenancy. OCI Logging aggregates service logs, audit logs, and custom application logs. OCI Monitoring provides metrics and alerting. Service Connector Hub routes logs to archival storage, analytics, or external SIEM systems. Log retention and access controls are governance decisions.

Workload placement notes

Oracle workload placement decisions must account for: Oracle licensing terms and the impact of CPU architecture on licence compliance; Dedicated Region or Cloud@Customer options for data sovereignty; Exadata Cloud Service for Oracle Database performance requirements; and the separation of Oracle-managed PaaS services from customer-managed IaaS workloads in the compartment hierarchy.

VAF·SA Usage Notes

Applying VAF·SA in OCI Engagements

Where the practitioner method adds value in an OCI environment.

VAF·SA Practitioner Notes — OCI

Compartment design decisions are rarely documented. The compartment hierarchy is often built iteratively without a recorded rationale. Module 04 (Artefacts) produces a compartment design ADR — capturing what hierarchy was chosen, what alternatives were considered, and what constraints drove the decision. This record is essential when the hierarchy needs to evolve as workloads scale.
IAM policy complexity is a recurring governance problem. OCI IAM policies accumulate over time. Module 02 (Intelligence) surfaces who can do what in which compartment — identifying policy statements that are broader than intended, inherited policies that are no longer appropriate, and dynamic group memberships that have not been reviewed.
Oracle licensing is an architecture constraint. In Oracle workload migrations, licensing terms — particularly around processor core counts and virtualisation entitlements — constrain compute shape selection. Module 01 (Orientation) establishes what licensing constraints apply before any workload placement design begins.
Cloud Guard findings as evidence. Where Cloud Guard is deployed, its detector findings provide an objective baseline of the current security posture — useful in Module 02 (Intelligence) and the Heat Map artefact in Module 04 (Artefacts).
Security Zones as governance instruments. Security Zone policies are architectural decisions — they determine what resource configurations are permanently prohibited in designated compartments. Module 04 (Artefacts) records Security Zone policy decisions as ADRs, with clear rationale for each enforced control and the process for requesting exceptions.

Official References

Oracle Documentation

Official vendor sources — not affiliated with Oracle Corporation.

Architecture

OCI Architecture Center — reference architectures and best practices

docs.oracle.com/iaas/Content/architecture/

Landing Zone

OCI Landing Zone — CIS OCI Foundations Benchmark implementation

docs.oracle.com/en/solutions/cis-oci-benchmark/

Cloud Guard

OCI Cloud Guard — security monitoring and remediation

docs.oracle.com/iaas/cloud-guard/

Security Zones

OCI Security Zones — compartment policy enforcement

docs.oracle.com/iaas/security-zone/

IAM

OCI Identity and Access Management overview

docs.oracle.com/iaas/Content/Identity/Concepts/overview.htm

← Google Cloud Reference Landing Zone Blueprint →