Oracle Corporation

04/15/2025 | Press release | Distributed by Public on 04/14/2025 21:59

Firewall, FastConnect, and other security enhancements in the new OCI ...

At last year's Oracle CloudWorld event, we introduced the revamped, standardized OCI Landing Zones framework, which consolidated landing zone implementations across all the OCI field teams. This enables customers to use and extend a consistent set of modules and best-practice templates across their various use cases and deployment options. Whether your team prefers one of our preconfigured one-click templates like the OCI Core Landing Zone, or builds its own landing zone template via JSON/YAML configuration with the Operating Entities Landing Zone, all of these use a common set of Landing Zones base modules with built-in checks to help support compliance with the Center for Internet Security OCI Benchmark and other best practices.

Each module, from networking and identity to security, governance, and workloads, is designed to automate the deployment of OCI services with hardened configurations in a standardized, secure, and repeatable manner. We continuously enhance the framework's modules and the landing zone templates built on top of them. Below are some of the new capabilities released recently.

New capabilities in OCI Landing Zones:
OCI Network Firewall support:
The updated OCI Landing Zones framework now includes support for OCI Network Firewall as one of the configurable options. When deploying the OCI Core Landing Zone, customers can now choose between the OCI Network Firewall or third-party firewall solutions from the OCI Marketplace (such as Palo Alto Networks, Fortinet, and others). OCI Network Firewall is a next-generation, managed firewall and intrusion detection and prevention service, powered by Palo Alto Networks. It is highly available and scalable, so only one instance of the firewall is required, and it is deployed in the hub Virtual Cloud Network (VCN).

Customers using the updated Core Landing Zone have the option to deploy:

A public subnet for the Internet Gateway, routed through the Network Firewall to inspect north-south traffic.
A private subnet for the Network Firewall to manage east-west traffic between the spoke VCNs.
An optional private subnet for deploying a jump host, supporting OCI Bastion service and on-premises access via FastConnect.
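To verify that a deployed hub-and-spoke network actually enforces the inspection paths described above, the following added example (not code from the OCI Landing Zones framework) audits route-table dumps for the invariants implied by that design: spoke subnets send their default route to the DRG and never to an internet or NAT gateway, the hub's internet-gateway route table hands every spoke CIDR to the firewall's private IP, and the firewall subnet sends its default route to the internet gateway. It assumes the JSON shape printed by `oci network route-table list --output json` (keys `route-rules`, `destination`, `network-entity-id`) and the OCID layout `ocid1.<resource-type>.<realm>...`; the sample tables and OCIDs are constructed placeholders, not real resources.

```python
"""Audit hub-and-spoke route tables for the firewall-inspection invariants.

Added example, not part of the OCI Landing Zones framework. Key names follow
the OCI CLI JSON output ("route-rules", "destination", "network-entity-id");
the underscore variants used by Terraform state are accepted too (assumption).
"""
import ipaddress
import json


def ocid_type(ocid):
    """Resource type is the second field of an OCID: ocid1.<type>.<realm>..."""
    parts = (ocid or "").split(".")
    return parts[1] if len(parts) > 2 and parts[0] == "ocid1" else ""


def _rules(table):
    return table.get("route-rules") or table.get("route_rules") or []


def _dest(rule):
    return rule.get("destination") or rule.get("cidr-block") or rule.get("cidr_block") or ""


def _hop(rule):
    return ocid_type(rule.get("network-entity-id") or rule.get("network_entity_id"))


def check_spoke_table(name, table):
    """Spokes may only leave their VCN through the DRG (hub-inspected path)."""
    findings, has_default = [], False
    for rule in _rules(table):
        dest, hop = _dest(rule), _hop(rule)
        if hop in ("internetgateway", "natgateway"):
            findings.append(f"{name}: {dest} bypasses the hub firewall via {hop}")
        if dest == "0.0.0.0/0":
            has_default = True
            if hop != "drg":
                findings.append(f"{name}: default route next hop is {hop or 'none'}, expected drg")
    if not has_default:
        findings.append(f"{name}: no default route to the DRG")
    return findings


def check_hub_igw_table(name, table, spoke_cidrs):
    """Inbound: traffic for every spoke CIDR must be handed to the firewall IP."""
    routed = {ipaddress.ip_network(_dest(r)): _hop(r) for r in _rules(table) if _dest(r)}
    findings = []
    for cidr in spoke_cidrs:
        net = ipaddress.ip_network(cidr)
        hop = next((h for n, h in routed.items() if net.subnet_of(n)), None)
        if hop != "privateip":
            findings.append(f"{name}: {cidr} not routed to the firewall (next hop: {hop or 'none'})")
    return findings


def check_hub_firewall_table(name, table):
    """Egress after inspection: the firewall subnet's default route is the IGW."""
    for rule in _rules(table):
        if _dest(rule) == "0.0.0.0/0":
            hop = _hop(rule)
            if hop == "internetgateway":
                return []
            return [f"{name}: default route next hop is {hop or 'none'}, expected internetgateway"]
    return [f"{name}: no default route to the internet gateway"]


def audit(dump):
    """dump = {'spoke_cidrs': [...], 'hub_igw': table, 'hub_fw': table, 'spokes': {name: table}}"""
    findings = check_hub_igw_table("hub-igw-rt", dump["hub_igw"], dump["spoke_cidrs"])
    findings += check_hub_firewall_table("hub-fw-rt", dump["hub_fw"])
    for name, table in dump["spokes"].items():
        findings += check_spoke_table(name, table)
    return findings


# Constructed sample in OCI CLI shape; the OCIDs are placeholders.
FW_IP = "ocid1.privateip.oc1.iad.fwforwardingip"
IGW = "ocid1.internetgateway.oc1.iad.hubigw"
DRG = "ocid1.drg.oc1.iad.hubdrg"
NAT = "ocid1.natgateway.oc1.iad.rogue"


def mk_rule(dest, hop):
    return {"destination": dest, "destination-type": "CIDR_BLOCK", "network-entity-id": hop}


GOOD = {
    "spoke_cidrs": ["10.1.0.0/16", "10.2.0.0/16"],
    "hub_igw": {"route-rules": [mk_rule("10.0.0.0/8", FW_IP)]},
    "hub_fw": {"route-rules": [mk_rule("0.0.0.0/0", IGW)]},
    "spokes": {
        "three-tier-app-rt": {"route-rules": [mk_rule("0.0.0.0/0", DRG)]},
        "exadata-rt": {"route-rules": [mk_rule("0.0.0.0/0", DRG)]},
    },
}

# Same layout, but the hub IGW table lost one spoke and a spoke grew its own NAT gateway.
BAD = json.loads(json.dumps(GOOD))
BAD["hub_igw"]["route-rules"] = [mk_rule("10.1.0.0/16", FW_IP)]
BAD["spokes"]["exadata-rt"]["route-rules"] = [mk_rule("0.0.0.0/0", NAT)]

if __name__ == "__main__":
    for label, dump in (("good", GOOD), ("bad", BAD)):
        print(label, audit(dump) or "OK")
```

Against real output, load each `oci network route-table list` dump with `json.load` and pass the `data` entries for the hub and spoke VCNs into `audit`; a non-empty result means a subnet has a path to or from the internet that the firewall never sees.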
Bastion Service Support
The OCI Bastion service provides restricted, time-limited secure access to resources without public endpoints and with strict access control requirements. This is a free service (limited to five bastions per region).

With the updated Bastion module, customers can deploy the Core Landing Zone in a hub-and-spoke network topology, along with a jump host built on Oracle Linux 8 in the jump host subnet of the hub VCN. The OCI Bastion service is enabled for the jump host to provide secure access to the three-tier VCNs, OCI Kubernetes Engine VCNs, and Exadata VCNs, all of which are peered through the Dynamic Routing Gateway (DRG) that routes traffic across all VCNs.

Custom Identity Domain Option
With the recent updates to the identity module, customers deploying the Core Landing Zone can now configure their tenancy to use a pre-existing custom identity domain instead of the default domain or a newly created one. When the custom identity domain option is chosen, that domain's existing groups and dynamic groups are used for the deployment. This enables customers to use Identity Domains to support a federated identity provider, create additional domains for specific environments (e.g., dev/test/prod), and follow the other recommendations outlined in this blog article: OCI Identity Domains Best Practices.

Remote Connectivity Network Enhancements
To improve the experience of deploying remote connectivity, we enhanced the framework's network module to support configurations for the IPsec VPN and FastConnect services for connecting to on-premises data centers, simplifying hybrid cloud network deployments.

IPsec VPN Support
This new enhancement to the network module enables customers to configure the Core Landing Zone hub-and-spoke topology to create an IPsec VPN for on-premises connectivity. The connection is configured with Libreswan as the customer premises equipment, along with a three-tier VCN and an Exadata VCN, which are peered through the DRG. The DRG is configured to route traffic across all VCNs.

The base network module now exposes all the attributes needed to manage your IPsec tunnels, so you can define any number of IPsec connections (none, one, or several), each with its own connection definition.

FastConnect Support
When deploying the Core Landing Zone, customers can now configure the hub-and-spoke network with a FastConnect virtual circuit to connect back to on-premises data centers or a multi-cloud private network. It can also set up a FastConnect Partner connection from the partner's provider OCID, attached to the DRG so that traffic is routed across all the workload VCNs.

The above architecture diagram denotes the Core Landing Zone network compartment and some of the recent features added, including OCI Network Firewall, Bastion, FastConnect and IPsec VPN services.

Hit the cloud running with OCI Landing Zones today!
OCI Landing Zones support your cloud journey by deploying secure, best-practice-based environments that accelerate your onboarding and simplify expansion as your cloud footprint grows. All OCI Landing Zones templates and the underlying framework modules are free to use.

To learn more about the solution, deploy the Core Landing Zone, or customize the modules to build your own templates, visit us on GitHub.

Join us for the upcoming webinar for a deep dive into the architecture of the Core Landing Zone, the capabilities of the new framework, and a live demo of the solution.