Best Practices from Oracle Development's A‑Team

Governance: The Key Ingredient to Success: Part-2

Kiran Thakkar
Consulting Solutions Architect

Resource Organization

Organizing resources is a fundamental discipline in designing the foundation of an effective governance model.  Whether a single application is being provisioned or many, organizing those resources in a manner that allows for growth, flexibility, and accountability is essential in maintaining control in the tenancy.

Resource Identifier

A fundamental principle in OCI is the OCID (Oracle Cloud Identifier), a unique identifier for a particular resource.  A resource is an instance of a service or a principal (a user or group, or an instance or service), and that resource type is itself one component of the full OCID.

The following is a breakdown of the components that make up an OCID:

OCID syntax: ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>

  • ocid1: The literal string indicating the version of the OCID.
  • Resource Type: The type of resource, e.g. instance, vcn, user, group, etc.
  • Realm: A set of regions that share entities, e.g. oc1 for the commercial realm, oc2 for the government cloud, oc3 for the federal government.
  • Region: The region the resource is in, e.g. phx, iad, etc. (empty for global resources).
  • Future use: Reserved for future use.
  • Unique ID: The unique portion of the ID.
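The following is an added example, not code from the original post, that parses an OCID into the fields listed above and uses the realm and region fields as a governance guard rail. The OCIDs in it are constructed for illustration and are not real identifiers; the regex character classes and the `guardrail_violation` helper are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class Ocid:
    resource_type: str
    realm: str
    region: str      # empty for global resources such as tenancy or user
    future_use: str  # reserved field, normally absent
    unique_id: str

_REALM_RE = re.compile(r"^oc\d+$")          # assumed shape: oc1, oc2, oc3, ...
_TOKEN_RE = re.compile(r"^[a-z0-9-]+$")     # assumed charset for type/region/id

def parse_ocid(ocid: str) -> Ocid:
    """Split ocid1.<TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID> and validate it."""
    parts = ocid.strip().split(".")
    # 5 fields without the optional FUTURE USE field, 6 with it
    if len(parts) not in (5, 6):
        raise ValueError(f"unexpected field count in OCID: {ocid!r}")
    version, rtype, realm, region = parts[:4]
    future_use = parts[4] if len(parts) == 6 else ""
    unique_id = parts[-1]
    if version != "ocid1":
        raise ValueError(f"unsupported OCID version: {version!r}")
    if not (_TOKEN_RE.match(rtype) and _TOKEN_RE.match(unique_id)):
        raise ValueError(f"bad resource type or unique id in {ocid!r}")
    if not _REALM_RE.match(realm):
        raise ValueError(f"bad realm: {realm!r}")
    if region and not _TOKEN_RE.match(region):  # region may legitimately be empty
        raise ValueError(f"bad region: {region!r}")
    return Ocid(rtype, realm, region, future_use, unique_id)

def guardrail_violation(ocid: str, realm: str, regions: Set[str]) -> Optional[str]:
    # Returns why the resource sits outside the permitted realm/regions, else None
    o = parse_ocid(ocid)
    if o.realm != realm:
        return f"{o.resource_type} is in realm {o.realm}, expected {realm}"
    # global resources carry no region, so only regional ones are checked
    if o.region and o.region not in regions:
        return f"{o.resource_type} is in region {o.region}, not in {sorted(regions)}"
    return None

# Constructed sample OCIDs for illustration; they are not real identifiers
SAMPLE_OCIDS = [
    "ocid1.tenancy.oc1..aaaaaaaaexampletenancy0001",
    "ocid1.instance.oc1.phx.anyhqljtexampleinstance0002",
    "ocid1.bucket.oc1.eu-frankfurt-1.exampleoutofregion0003",
]
```

Running `guardrail_violation(s, "oc1", {"phx", "iad"})` over `SAMPLE_OCIDS` flags only the third entry, which sits in a region the guard rail does not allow.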

Tenancy Structure

Each resource in the tenancy belongs to a compartment (with few exceptions) which allows for those resources to be logically grouped and managed to conform to the governance model set in place.  Generally speaking, a resource is anything provisioned in the tenancy related to IaaS, PaaS, and infrastructure components, such as but not limited to VCNs, subnets, security rules, and routing rules.

Core Resources

Most of the resources belong to a compartment within the tenancy. However, there are core resources that are global and live outside of compartments.  The diagram below depicts how these core resources are positioned in the tenancy in relation to compartments.

Compartment

OCI Compartments are a logical grouping of resources used to enforce access control and cost management. They provide a global logical namespace in which policies can be enforced, arranged like folders in a file system in a tree-like structure.

Below are several benefits of well-designed compartments:

  • Controlling access by writing correctly scoped security policies
  • Delegating administrative privileges to compartment administrators to manage their respective resources
  • Developing a charge-back model by department based on their respective compartments
  • Defining quotas and budgets based on compartments

Designing a compartment structure is generally a recipe specific to each organization. Pre-defined templates are available which provide a foundation on which an organization's structure can be based.  One such template is the OCI CIS Benchmark Landing Zone, which provides a broad compartment structure covering Network, Security, Applications, and Database resources.  You can extend that compartment structure with separate child compartments for various applications or for different life cycle environments (Dev, Test, Prod).

Hierarchical Compartments Model

| Root-Level | Level-1         | Level-2   | Comments, sample resource             |
|------------|-----------------|-----------|---------------------------------------|
| Root       |                 |           | IAM Policies                          |
|            | Network         |           | Network Family                        |
|            |                 | Prod      | Prod VCN and Prod Subnets             |
|            |                 | Non-Prod  |                                       |
|            | Shared-Security |           | KMS, Logging, Notifications, Vaults   |
|            |                 | Prod      |                                       |
|            |                 | Non-Prod  |                                       |
|            | App-Dev         |           | OS buckets, Boot and Block Volume, FSS |
|            |                 | Prod      | Prod OAC, OIC, FAW                    |
|            |                 | Non-Prod  |                                       |
|            |                 | Prototype | All Prototype Services                |
|            | Database        |           |                                       |
|            |                 | Prod      | Prod ADW                              |
|            |                 | Non-Prod  | Non-prod ADW                          |

Developing an effective compartment design is essential to building a governance model; however, the compartment design can be altered at any time to align with business or process changes in your organization.  In addition, resources provisioned in OCI can be moved from one compartment to another as needs dictate.

Resource Isolation

Aside from organizing resources into logical boundaries with compartments, resource isolation is another way of controlling how resources are provisioned in the tenancy. It is essential to understand that compartments do not provide any resource isolation; resources are isolated by networking controls. Prescribing security policies that control where and how resources can be provisioned within a VCN or region is another way of ensuring that resources abide by the guard rails.

Availability domains and fault domains are designed to provide high availability for applications by removing single points of failure arising from physical constraints.  Outside of an automated governance model, these domains need to be considered when provisioning resources within regions, so that deployments are architected to maximize availability where possible.

This is the second blog in a series of four on the governance model. Links to the other blogs:

  1. Overview
  2. Resource Governance
  3. Observe and Monitor
