Oracle Corporation
01/09/2025 | Press release | Distributed by Public on 01/08/2025 22:37
OCI well-architected framework: Best practices for secure and resilient cloud implementations
Oracle Cloud Infrastructure (OCI) provides a comprehensive suite of infrastructure and platform services for enterprises looking to leverage the power of the cloud. With its rich array of features and capabilities, organizations can design and operate cloud topologies that deliver maximum business value. To help organizations make the most of OCI, Oracle has developed a set of best practices called the well-architected framework for OCI. Through goals of security, reliability, performance-cost optimization, and operational efficiency, this framework enables organizations to design, deploy, and manage workloads on OCI effectively.
Well-architecture framework components: Security and compliance, reliability and resilience, performance and cost optimization, and operational efficiency.
Figure 1: OCI well-architected framework components
In each of these four key pillars, Oracle offers specific recommendations and guidelines to help organizations successful adopt the cloud and optimize their cloud environments. The framework covers a comprehensive series of best practices, from user authentication and authorization to data protection, fault-tolerant network architecture, and cost tracking and management. By adopting these best practices, organizations can maximize their investment in OCI and drive business success.
Security and compliance
Security and compliance help ensure that workloads on OCI are protected against threats, meet regulatory requirements, and adhere to best practices for confidentiality, integrity, and availability. This pillar describes the key principles and practices for designing secure and compliant workloads on OCI with the following methods:
User authentication and authorization: Utilize multifactor authentication (MFA), single sign-on (SSO), and OCI Identity and Access Management (IAM) policies to help ensure secure access to resources.
Resource isolation and access control: Compartments and virtual cloud networks (VCNs) provide logical and network-layer isolation.
Compute security: Harden log-in access to instances by disabling password-based and root login and using SSH keys and network security groups.
Database security: Control user and network access with strong passwords, private subnets, and regular security patches. Utilize database security tools for enhanced protection.
Data protection: Help ensure secure access to storage services, encrypt data at rest and in transit, and rotate encryption keys. Use OCI Vault for key management.
Network security: Implement security lists, network security groups, and secure load balancers. Establish nonoverlapping private network ranges and design secure network architecture.
Private access: Use OCI private endpoints or FastConnect for secure resource access without public exposure.
Application endpoint security: Monitor public endpoints with health checks and direct user traffic with traffic management steering policies.
Web application firewall (WAF): Protect web applications from common threats like SQL injection and cross-site scripting (XSS).
Host and application hardening: Regularly apply patches and updates and use OCI OS Management for automated patching.
Vulnerability Scanning: Detect and remediate vulnerabilities in Compute and container images using the OCI Vulnerability Scanning service.
Adaptive security: Continuously monitor and audit the environment with OCI Cloud Guard and integrate with SIEM platforms for enhanced security.
Logging and Monitoring: Enable OCI Logging and Monitoring services to collect and analyze logs and metrics for suspicious activity.
Reliability and resilience
Design systems that can withstand disruptions, recover quickly, and ensure business continuity. This pillar describes the services and workload architectures to achieve different levels of continuity and balance continuity requirements with cost, including the following examples:
Fault-tolerant network architecture: Establish redundant connections between on-premises environments and private resources in OCI. Deploy load balancers and distribute traffic across availability domains and regions to ensure fault tolerance and high availability.
Multiavailability domain architecture: Deploy resources across multiple availability domains (where applicable) or fault domains within a region to avoid single points of failure.
Multiregion deployment: Distribute workloads across multiple OCI regions to help ensure redundancy and geographic resilience. Use OCI Full Stack Disaster Recovery to design, test, and execute automated recovery of resources across infrastructure and platform services.
On the Database layer, implement a failover mechanism, such as Oracle Data Guard.
Enable OCI Block Storage cross-region replication.
Service limits and quotas: Understand the default service limits and compartment quotas and monitor and manage them to accommodate growth and expansion. Leave space for future expansion and factor in failover usage in your limits.
Data backup: Implement backup solutions for storage services, databases, and operating environments to meet recovery objectives. Utilize automated and manual backup options and validate backup integrity and security.
Enable OCI Autonomous Database backups or configure manual backups for other database services to restore to a specific time in case of data loss.
Scaling: Use autoscaling features provided by OCI to automatically adjust resource capacity based on demand. Consider horizontal scaling (scaling out) for stateless applications and vertical scaling (scaling up) for specific resource requirements.
Validate resilience process and policies by regularly testing failure scenarios.
Performance and cost optimization
Follow a structured approach to designing robust, scalable, and cost-efficient solutions on OCI. This pillar aligns cloud architecture with business objectives by emphasizing performance for reliable and efficient operations, scalability for seamless adaptation to dynamic workloads, and cost optimization to maximize the return on OCI investments by using the following features:
Compute resources: Select compute shapes, such as VM.Standard and VM.DenseIO, that align with workload requirements, ensuring proper sizing of CPU, memory, and storage.
Autoscaling: Use OCI autoscaling to adjust the number of Compute instances in a pool dynamically based on traffic and load.
Distributed architecture: Implement a distributed architecture using the OCI Load Balancing service to evenly distribute traffic across multiple servers or instances.
OCI Container services: Use Oracle Kubernetes Engine (OKE) for managing containerized workloads that can scale rapidly.
Database scalability: For databases, use OCI Autonomous Database, which includes automatic scaling, or deploy Oracle Real Application Clusters (RAC) for high availability and scalability.
Serverless: Use OCI Functions for event-driven serverless workloads that automatically scale with demand.
Managed Database services: Offload management to services like Autonomous Database or Exadata Database Service to focus on performance tuning.
Pricing models: Choose between Pay As You Go (PAYG)and commitment-based plans based on usage patterns. Commitment models can offer discounts but require careful planning to avoid overpaying.
Compartments and tags: Use compartments to organize resources and allocate costs. Cost-tracking tags provide granular control, allowing flexible cost tracking across multiple compartments.
Budgets and alerts: Set budgets to monitor spending and receive alerts when limits are exceeded. This step helps you stay within budget and quickly identify potential cost overruns.
Compute optimization: Select the right Compute shape for your workload. Flexible shapes allow customization of OCPUs and memory, helping ensure optimal performance and cost efficiency.
Billing and cost management: Understand billing criteria and use OCI tools like the FinOps Hub for cost optimization. Familiarize yourself with billing to avoid surprises.
Remove unused resources: Implement processes to identify and delete or stop unused resources, especially in development and testing environments, to avoid unnecessary charges.
Automation and optimization: Adopt infrastructure as code (IaC) methodology to automate resource deployment and management, reducing human error and improving efficiency. Use tools like Terraform and the OCI CLI for infrastructure automation.
Consider network and storage cost optimization (based on data lifecycle).
Cost analysis and reports: Utilize OCI's cost analysis tools and reports for detailed insights into resource usage and spending. Filter costs by various parameters to identify areas for optimization.
By following these cost optimization strategies, you can make informed decisions about your OCI resource usage, reduce unnecessary spending, and ensure that your cloud deployments are cost-effective and aligned with their business goals.
Operational efficiency
Ensure that workloads are managed effectively with proper oversight, streamlined operations, and automated processes. This pillar focuses on aligning IT resources with business objectives, enforcing compliance, and optimizing operational performance with the following features:
Observability and management: Collect and analyze metrics to monitor the health and performance of your workloads. Set up alarms and notifications for critical events.
Comprehensive logging: Enable OCI Logging for centralized log collection and analysis across all resources.
Monitor resource health: Use OCI Monitoring for real-time metrics and OCI Alarms for proactive incident handling.
Audit trails: Activate OCI Audit to maintain a complete log of API activities for compliance and accountability.
Apply policies to enforce naming conventions, tagging standards, and specific compliance requirements.
Workload monitoring: Identify key performance indicators (KPIs) and monitor them regularly. Enable service logging and create alarms for relevant metrics to detect issues early.
Use tools like OCI Notifications to keep teams informed of key events or changes.
OS Management: Keep operating systems up to date with security patches and enhancements. Automate OS management using tools like Oracle OS Management Hub and Oracle Ksplice to reduce manual effort and ensure compliance.
Resource lifecycle management: Understand the lifecycle of resources and manage them effectively. Delete or stop unused resources to optimize costs and improve efficiency.
Support: Establish a clear process for interacting with Oracle support. Train the operations team to handle support interactions and provide them with access to Oracle's training resources.
Continuously educate teams on OCI best practices through Oracle University and other training resources.
By following these best practices, organizations can design and operate their cloud deployments in a secure, reliable, and cost-effective manner, maximizing the business value of OCI.
Why the well-architected framework is important
The best practices described in the well-architected framework for OCI are important to customers because they provide a comprehensive framework for designing, deploying, and operating cloud solutions effectively and securely. By following its guidelines, you can improve workload resilience, optimize resource usage, and reduce operational risks, enabling you to achieve your business objectives and drive innovation effectively.
The OCI well-architected framework and the Oracle Cloud Adoption Framework
The following table compares the well-architected framework with the Oracle Cloud Adoption Framework:
OCI well-architected framework
Oracle Cloud Adoption Framework
Focus
Provides specific recommendations and guidelines for designing, deploying, and operating cloud solutions effectively. It covers areas such as security, reliability, performance, and operational efficiency.
Provides a structured approach and strategic guidance for organizations embarking on their cloud journey. It helps organizations plan and process their cloud adoption initiatives effectively.
Scope
Focuses on individual workloads, ensuring performance, security, and reliability.
Covers the entire organization's transformation, including governance, culture, and operations.
Key areas
Pillars: Performance, security, reliability, cost optimization, governance, and operations.
Domains: Business strategy, organization and governance, security, architecture, and migration
Audience
Cloud architects, developers, and operational teams managing OCI workloads.
Executives, IT leaders, and teams planning and managing cloud adoption.
Stage
Most useful during the implementation and operation stages of the cloud journey. They help organizations make the right design choices and optimize their cloud deployments once they have adopted cloud services.
The framework is most useful during the planning and early stages of cloud adoption. It helps organizations establish a solid foundation for their cloud journey and ensure a successful transition to the cloud.
The OCI well-architected framework and the Cloud Adoption Framework are complementary tools that work together to help organizations succeed in the cloud. The Cloud Adoption Framework provides a strategic roadmap for organizations to plan their cloud adoption journey, while the well-architected framework offers detailed guidance for designing and operating cloud solutions effectively. By utilizing both resources, organizations can ensure a smooth and successful transition to the cloud, maximizing the benefits of Oracle Cloud Infrastructure.
The OCI Well-Architected Framework provides essential best practices for secure, reliable, and cost-effective cloud implementations. By adopting its principles across security, reliability, performance, and operational efficiency, organizations can optimize their cloud deployments and drive business success. This framework, when combined with the Oracle Cloud Adoption Framework, ensures a comprehensive approach to cloud strategy and operations, empowering organizations to achieve their goals with maximum efficiency and minimal risk.
Ready to optimize your cloud journey? Visit our Well-Architected Framework for OCI and Cloud Adoption Framework to unlock the full potential of your OCI investment today!