Introducing the workload expansion for OCI landing zones

December 1, 2022 | 8 minute read
Farouk Khan
Senior Principal Product Manager - OCI Landing Zones
Text Size 100%:

Landing zones allow you to rapidly onboard into Oracle Cloud Infrastructure (OCI) by providing a templated deployment of multiple OCI services that contain all our best practice guidance. You can deploy landing zones in both the Quick Start and Oracle Resource Manager sections of the Oracle Cloud Console, allowing you to get up and running quickly within OCI.

Today, we’re delighted to highlight a recent and significant update to the enterprise landing zone that positively enhances your experience when making your move into OCI, known as the workload expansion. Following some excellent feedback, we have taken the workload components of the enterprise landing zone configuration and placed them into a separate stack that you can deploy after the creation of the baseline stack.

This expansion gives you the following benefits:

  • Control over migration: Separating the stack allows you to migrate workloads into the enterprise landing zone when ready and ensures that every necessary element of the stack is provisioned before doing so.

  • Consistent deployments: With this stack being repeatable, we have reduced the potential for configuration drift and afforded a consistent environment to deploy within for each of your workloads

  • Scalable growth: As you decide to migrate more workloads, simply deploy the stack again to make migration smoother over time.

What does the workload expansion deploy?

The workload expansion deploys the following resources into your OCI tenancy, on top of the enterprise landing zone.


The workload expansion adds the following Identity and Access Management (IAM) groups and policies to manage your workload.




Workload A compartment Common infra compartment This compartment houses your workload when you're ready to deploy into the landing zone.

IAM policies and groups

The workload expansion adds the following IAM groups and policies to manage your workload.


Policy name


workload-admins OCI-LZ-<WorkloadName>-WorkloadAdminPolicy Compute or workload administrators can manage all compute resources that host workloads. This ability includes creating instances, instance pools, autoscaling configurations, cluster networks, custom images, and images in the Partner Image catalog.
workload-users OCI-LZ-<WorkloadName>-WorkloadUserPolicy Compute or workload users can use all Compute instances for the workload. Workload users can also create Console connections, launch instances on dedicated virtual machine (VM) hosts, and create images in the partner image catalog. Workload users can't create custom images or use instance pools, autoscaling, or cluster networks.
workload-storage-admins OCI-LZ-<WorkloadName>-StorageAdminPolicy Storage administrators can manage storage requirements for the workload. The requirements include OCI Object Storage buckets and objects, File Storage resources, and Block Volume volumes and backups.
workload-storage-users OCI-LZ-<WorkloadName>-StorageUserPolicy Storage users can write and read from any Object Storage bucket in the associated workload compartment.
workload-database-admins OCI-LZ-<WorkloadName>-Database-Admin-Policy-Network Database admin users can manage databases, database storage, and networking.

Virtual cloud network (VCN)

The workload expansion adds the following IAM groups and policies to manage your workload.

Network Name



Workload A Private subnet Subnet for your workload to reside in that can be used for web and application servers depending on your workload type
Workload A - database Private subnet Subnet to deploy your database in that has no direct access to the internet for security purposes

Workload expansion architecture design

The following diagrams illustrate the workload expansion architecture:


The following diagram shows the workload compartments, which are now deployed in the Expansion stack. Each compartment—A, B, and C—are separate runs of the stack designed to house individual workloads.

A graphic that shows the workload compartments deployed by the expansion stack. Each compartment is a separate run of the stack designed to house individual workloads.

Identity and Access Management

The workload expansion defines the following policies, specific to workload personas within a typical enterprise tenancy.

A graphic depicting the workload expansion and persona-specific policies.


After the compartments have been deployed, more networks are also provisioned to house the workloads securely.

A graphic depicting the network compartment housing workloads.


A screenshot of the code output for a successful deployment of the expansion.

The workload expansion is not a standalone deployment and requires that you deploy the enterprise scale baseline landing zone. After you have deployed the baseline, collect the following information from the baseline stack outputs:

  • Tag values for the CostCenter and GeoLocation tags. Every resource created by the landing zone stack is tagged with the values that you provide.

  • The name of the new workload compartment and the OCID of the parent application compartment to attach the new workload compartment to

  • The name and OCID of the networking compartment in which the virtual cloud network (VCN) resides

  • The VCN and network address translation (NAT) gateways OCIDs to use when you create the workload subnets

  • CIDR blocks for the private and database subnets created within the VCN


Oracle Cloud Console

You can deploy the workload expansion stack by visiting Oracle Resource Manager and accessing the templates from the Architecture tab. When you have configured the related parameters, you can deploy the stack within 10–15 minutes.

A screenshot of the Create Stack page on the Stack Information and Architecture tabs.


The Terraform code for deploying this reference architecture is available in Github.

A screenshot of the code cloning option in GitHub.

  1. Clone the repository on your local machine.

  2. Create a terraform.tfvars file and populate with the required variables or override existing variables. An example tfvars file is included for reference. Using this file is the preferred way to run the stack from the command line because of the large number of variables to manage.

  3. For the following input variables, use the values collected from the prerequisites. These values allow you to use the networking and IAM resources from the base.

    • network_compartment_id

    • applications_compartment_id

    • network_compartment_name

    • nat_gateway_id

    • vcn_id

  4. After you supply the required variables in the terraform.tfvars file, run the following commands in the root of the repository:

    • terraform init

    • terraform plan

    • terraform apply

A screenshot of the resulting code from running the Terraform commands.

After you have followed either of these methods to deploy the stack, you can plan your migration of your first workload into OCI. Any subsequent workloads that you want to bring into your tenancy require more runs of the workload expansion stack so that each environment is provisioned ready for you to migrate into.

Get started

To get started today and begin deploying, use the following table to begin your journey into Oracle Cloud Infrastructure using landing zones:

To deploy this architecture Click
Enterprise landing zone Deploy to Oracle Cloud
Workload expansion Deploy to Oracle Cloud

For more information, see the following resources:

Farouk Khan

Senior Principal Product Manager - OCI Landing Zones

Farouk Khan is currently the Product Owner for OCI Landing Zones, defining the product direction and future strategy. Prior to this, Farouk has worked across multiple subject area within IT and Cloud, from sales to solution architecture and beyond. Farouk is passionate about the IT industry and the many ways it is helping to solve challenges for customers across the world.

Previous Post

Sequoia Combine accelerates solution development for Oracle National Security Regions

Steve Bell | 3 min read

Next Post

Zero Trust Security – Not a buzz word; but elixir of Cyber Security

Krithiga Gopalan | 5 min read