The OCI Core Landing Zone provisions the base tenancy and the key required cloud services, providing the optimal, CIS-compliant foundation in the cloud for subsequent deployments of application workloads. For day-0 setup, when onboarding OCI, it's common practice for a single tenancy administrator to deploy the OCI Core Landing Zone, which assigns resources such as Identity, Network and others to different Admin groups.

Once this groundwork is laid, the initial tenancy admin account is often disabled to further tighten security, leaving ongoing management of cloud resources to the corresponding admin groups. For example, Security admins manage IAM access and security zones, whereas Network admins manage firewalls, VCNs and other network resources.

This sets the stage for a secure, compliant environment that can be shared across multiple business applications or workloads. Each team can be granted the appropriate level of responsibility and access for their operational boundaries, supporting separation of duties requirements.  

Simplifying Day-2 separation of duties and workload expansions 

We're excited to share that we've just introduced two new Network and IAM Extensions to OCI Landing Zones. They help streamline ongoing management, preserve separation of duties as the environment grows, and support continued workload expansion.

What are landing zone extensions: 

Extensions are part of the OCI Landing Zone framework, enabling customers to easily add services or customize the Core Landing Zone blueprint after its initial deployment, while enhancing governance and operational boundaries between teams.

Extensions, like workload templates, are deployed after the Core landing zone has executed. Like all landing zones, extensions can also be deployed using OCI Resource Manager Service (RMS) or the Terraform CLI. 

IAM Extension: 

The initial deployment of the Core landing zone already enables customers to provision environments for a 3-tier application, OKE, or Exadata workloads, along with the corresponding IAM security groups.

The IAM Extension enables customers to add compartments, groups, and policies to enforce segregation of duties as additional workloads need to be deployed, using the IAM structure already created by the Core Landing Zone deployment.

Network Extension: 

Similarly, the Network Extension extends the network structure created by the Core Landing Zone with additional compartments, groups, and policies to support segregation of duties for new application workloads to be deployed. Once the Network Extension has been deployed, Network admins can configure the Security Lists and Network Security Groups (NSGs) according to their network architecture policies.

Deployment sequence when using landing zone extensions: 

Commonly, the extensions would be deployed in the following sequence: 

  1. Core landing zone – deployed by the tenancy admin to set up the initial cloud environment.

  As customers expand to additional workloads, or if customizations are needed to the initial tenancy configuration to accommodate specific application requirements:

  2. IAM extension – deployed by the IAM admin.
  3. Network extension – deployed by the Network admin to add VCNs, NSGs and Security Lists.
  4. Workload template – deployed and managed by the Workload admin/application owner.

This scalable, role-based, progressive deployment sequence aligns with best practices: it establishes the base tenancy, IAM and network configurations before introducing workload-specific resources. The sequence can be repeated to add multiple workloads or to apply granular management policies across the environment, supporting the necessary segregation of functions (e.g. different Network admin groups managing the networks of different workloads).
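To make the segregation-of-duties pattern behind the IAM Extension and the deployment sequence above concrete, here is an added Terraform example (illustrative only, not the Landing Zone extension's own code) that creates one workload compartment and its admin group, scoped so that workload admins control their own compartment but can only attach to, never modify, the shared network owned by the Network admins. All variable names, OCIDs, compartment and group names are assumed placeholders.

```hcl
# Added illustrative example, not the OCI Landing Zone extension code.
# Assumed inputs: the tenancy root OCID, the enclosing landing-zone
# compartment created by the Core Landing Zone, and the network
# compartment it created (managed by the Network admin group).
variable "tenancy_ocid" {}
variable "lz_root_compartment_ocid" {}
variable "network_compartment_ocid" {}

# New workload compartment under the landing-zone root (assumed name).
resource "oci_identity_compartment" "workload" {
  compartment_id = var.lz_root_compartment_ocid
  name           = "app1-cmp"
  description    = "Workload compartment for application app1"
  enable_delete  = false # protect against accidental destroy
}

# Workload admin group; IAM groups always live in the tenancy root.
resource "oci_identity_group" "workload_admins" {
  compartment_id = var.tenancy_ocid
  name           = "app1-admin-group"
  description    = "Admins of the app1 workload only"
}

# Policy attached at the landing-zone root, so the compartment name in
# the first statement resolves relative to that root. Workload admins
# get full control inside app1-cmp, but only "use" rights on the
# network compartment: enough to place resources in existing subnets
# and NSGs, not enough to alter VCNs, Security Lists or NSG rules,
# which stay with the Network admin group from the Core Landing Zone.
resource "oci_identity_policy" "workload_admins" {
  compartment_id = var.lz_root_compartment_ocid
  name           = "app1-admin-policy"
  description    = "Segregation of duties for app1 workload admins"
  statements = [
    "Allow group ${oci_identity_group.workload_admins.name} to manage all-resources in compartment ${oci_identity_compartment.workload.name}",
    "Allow group ${oci_identity_group.workload_admins.name} to use virtual-network-family in compartment id ${var.network_compartment_ocid}",
  ]
}
```

Because OCI policies are allow-only, the boundary is enforced by what is omitted: no statement grants the workload group manage rights on virtual-network-family, so network changes must still go through the Network admins.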

Simplify Day-2 and beyond: 

Ultimately, these enhancements empower organizations to simplify ongoing expansion and management of complex workloads, while helping maintain a secure and compliant environment with segregation of duties, as their operational needs and tenancy continue to evolve.

Whether you're managing infrastructure, security, or application deployment, these extensions give you greater flexibility and control, making it easier to build and maintain a well-structured, enterprise-grade cloud environment.

To deploy the OCI Core landing zone or try these new extensions, visit GitHub:
https://github.com/oci-landing-zones/terraform-oci-core-landingzone  

https://github.com/oci-landing-zones/terraform-oci-core-landingzone/tree/main/extensions