
Best Practices from Oracle Development's A‑Team

CIS OCI Landing Zone Quick Start Template Version 2

Introduction

On December 10, 2020 we released the CIS OCI Landing Zone Quick Start Template to help answer the customer question "How do we automate the creation of a secure tenancy?". Since then we have added support for additional services such as Vulnerability Scanning Service and Service Connector Hub for logging consolidation. As customers adopted the Landing Zone, they brought new requirements and recommendations for supporting more complex production deployments. These requirements fell into two main categories: IAM and networking. To meet these new requirements and enhance the flexibility of the Landing Zone to support larger production deployments, we are releasing CIS OCI Landing Zone Version 2 (V2)!

V2 is a milestone release. To support the additional flexibility for IAM and networking we had to redesign the Terraform modules that drive IAM and networking resource provisioning. This means it is not recommended to directly upgrade your OCI CIS Landing Zone Version 1 (V1) to V2, because the redesigned modules will cause some resources created by V1 to be destroyed and new resources for V2 to be created. If you have an existing Landing Zone V1 and want to move to Landing Zone V2, we recommend you simply provision a clean V2 with a different service_label and then move the resources into V2.

V1, which is currently represented by the branch stable-1.1.1, is still available if required. There will be no enhancements to that branch or backporting of features.

Now let’s see what the enhancements are!

IAM enhancements:

Typically, the user provisioning the Landing Zone V1 was a member of the Administrators group. That has changed. The Landing Zone can now be provisioned by a user with narrower permissions. To accomplish this, some prerequisite IAM policies are needed. These policies are created using the new pre-config module by a user with IAM administration permissions in the tenancy.

Now you can provision the Landing Zone within an enclosing (parent) compartment at any level in the compartment hierarchy. This means you no longer have to create the compartments for the Landing Zone in the Root compartment, and you can even select which compartment the enclosing compartment is placed in.

Many customers have created OCI IAM groups, with users or IDP groups mapped to them, that they would like to use for the Landing Zone policies. V2 supports using existing IAM groups as the Landing Zone groups, so now you can decide which of your existing IAM groups will be aligned to the policies created by the Landing Zone.

To learn about these IAM enhancements, check out Deployment Modes for CIS OCI Landing Zone and Tenancy Pre Configuration for Deploying CIS OCI Landing Zone as a non-Administrator.

Networking Enhancements:

Landing Zone V1 created a single VCN (Virtual Cloud Network) with three subnets, network security groups and an optional DRG (Dynamic Routing Gateway) for on-premises connectivity.

Now you can create multiple such VCNs, which can be deployed stand-alone or in one of the hub and spoke architectures below:

  • Access to multiple VCNs in the same region: This scenario enables communication between an on-premises network and multiple VCNs in the same region over a single FastConnect private virtual circuit or Site-to-Site VPN and uses a DRG as the hub.
  • Access between multiple networks through a single DRG with a firewall between networks: This scenario connects several VCNs to a single DRG, with all routing configured to send packets through a firewall in a hub VCN before they can be sent to another network.

In addition to the above architectures, you can choose whether to allow the creation of Internet Gateways and NAT Gateways, which lets you provision a more isolated network. Lastly, we have also added support for most network variables to take lists of CIDR ranges instead of a single CIDR range.

Next Steps

To learn more about how to provision CIS OCI Landing Zone Version 2 (V2) in your tenancy, we recommend the following steps:
