|
| 1 | +# Microsoft Dynamics365 CRM Architecture on OCI |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) Identity Domain [Sign-on Policies](https://docs.oracle.com/en-us/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm) are a key element for managing access to applications deployed on Oracle Cloud Infrastructure (OCI). |
| 6 | + |
| 7 | +This tutorial is inspired by a customer use case and outlines how an ISV or an Application Services Provider can implement sign-on policies to allow authentication to the applications they deliver to end-users while preventing these from accessing the OCI console. |
| 8 | + |
| 9 | +For this tutorial, two applications are used: an Oracle Analytics Cloud application and an APEX application running on Autonomous Transaction Processing (ATP) service. |
| 10 | + |
| 11 | + |
| 12 | +### Before you Begin |
| 13 | + |
| 14 | +- Create and configure a compartment and Identity Domain for the applications. |
| 15 | +- Deploy one Oracle Analytics Cloud application and one APEX application using ATP. |
| 16 | +- Integrate these two applications with OCI IAM Identity Domains. |
| 17 | +- Configure Sign-On Policies to allow application access, while preventing application users from signing-on to the OCI Console. |
| 18 | + |
| 19 | +## Architecture |
| 20 | + |
| 21 | +### Diagram |
| 22 | + |
| 23 | +### Components |
| 24 | + |
| 25 | +TBD |
| 26 | + |
| 27 | +This architecture has the following components: |
| 28 | + |
| 29 | +- __Tenancy__ |
| 30 | + |
| 31 | +Oracle Autonomous Transaction Processing is a self-driving, self-securing, self-repairing database service that is optimized for transaction processing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database. |
| 32 | + |
| 33 | +- __Region__ |
| 34 | + |
| 35 | +An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents). |
| 36 | + |
| 37 | +- __Compartment__ |
| 38 | + |
| 39 | +Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.. |
| 40 | + |
| 41 | +- __Availability domains__ |
| 42 | + |
| 43 | +Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region. |
| 44 | + |
| 45 | +- __Fault domains__ |
| 46 | + |
| 47 | +A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain. |
| 48 | + |
| 49 | +- __Virtual cloud network (VCN) and subnets__ |
| 50 | + |
| 51 | +A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private. |
| 52 | + |
| 53 | +- __Load balancer__ |
| 54 | + |
| 55 | +The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end. |
| 56 | + |
| 57 | +The load balancer provides access to different applications. |
| 58 | + |
| 59 | +- __Security list__ |
| 60 | + |
| 61 | +For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet. |
| 62 | + |
| 63 | +- __NAT gateway__ |
| 64 | + |
| 65 | +The NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections. |
| 66 | + |
| 67 | +- __Service gateway__ |
| 68 | + |
| 69 | +The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet. |
| 70 | + |
| 71 | +- __Cloud Guard__ |
| 72 | + |
| 73 | +You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define. |
| 74 | + |
| 75 | +- __Security zone__ |
| 76 | + |
| 77 | +Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks for an entire compartment. A security zone is associated with a compartment of the same name and includes security zone policies or a "recipe" that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment. |
| 78 | + |
| 79 | +- __Object storage__ |
| 80 | + |
| 81 | +Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access. |
| 82 | + |
| 83 | +- __FastConnect__ |
| 84 | + |
| 85 | +Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections. |
| 86 | + |
| 87 | +- __Local peering gateway (LPG)__ |
| 88 | + |
| 89 | +An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network. |
| 90 | + |
| 91 | +- __Component__ |
| 92 | + |
| 93 | +Description |
| 94 | + |
| 95 | + |
| 96 | +## Recommendations |
| 97 | + |
| 98 | +TBD |
| 99 | + |
| 100 | +Use the following recommendations as a starting point. Your requirements might differ. |
| 101 | + |
| 102 | +- __VCN__ |
| 103 | + |
| 104 | +When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space. |
| 105 | + |
| 106 | +Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections. |
| 107 | + |
| 108 | +After you create a VCN, you can change, add, and remove its CIDR blocks. |
| 109 | + |
| 110 | +When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary. |
| 111 | + |
| 112 | +Use regional subnets. |
| 113 | + |
| 114 | +- __Security__ |
| 115 | + |
| 116 | +Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure proactively. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define. |
| 117 | + |
| 118 | +For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies. |
| 119 | + |
| 120 | +- __Cloud Guard__ |
| 121 | +The following is an Oracle-recommended best practice. Don't remove it. |
| 122 | + |
| 123 | +Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public. |
| 124 | + |
| 125 | +Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations. |
| 126 | + |
| 127 | +You can also use the Managed List feature to apply certain configurations to detectors. |
| 128 | + |
| 129 | +- __Security zones__ |
| 130 | + |
| 131 | +Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public. |
| 132 | + |
| 133 | +Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations. |
| 134 | + |
| 135 | +You can also use the Managed List feature to apply certain configurations to detectors. |
| 136 | + |
| 137 | +- __Network security groups (NSGs)__ |
| 138 | + |
| 139 | +You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application. |
| 140 | + |
| 141 | +You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application. |
| 142 | + |
| 143 | +- __Load balancer bandwidth__ |
| 144 | + |
| 145 | +While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth, or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer. |
| 146 | + |
| 147 | +- __Component/Topic__ |
| 148 | + |
| 149 | +Description |
| 150 | + |
| 151 | + |
| 152 | +## Considerations |
| 153 | + |
| 154 | +TBD |
| 155 | + |
| 156 | +Consider the following points when deploying this reference architecture. |
| 157 | + |
| 158 | + |
| 159 | +- __Performance__ |
| 160 | + |
| 161 | +Description |
| 162 | + |
| 163 | +- __Security__ |
| 164 | + |
| 165 | +Description |
| 166 | + |
| 167 | +- __Availability__ |
| 168 | + |
| 169 | +Description |
| 170 | + |
| 171 | +- __Cost__ |
| 172 | + |
| 173 | +Description |
| 174 | + |
| 175 | +- __Factor__ |
| 176 | + |
| 177 | +Description |
| 178 | + |
| 179 | +## Explore More |
| 180 | + |
| 181 | +TBD |
| 182 | + |
| 183 | + |
| 184 | +## Acknowledgements |
| 185 | + |
| 186 | +TBD |
| 187 | + |
| 188 | + |
| 189 | +# License |
| 190 | + |
| 191 | +Copyright (c) 2023 Oracle and/or its affiliates. |
| 192 | + |
| 193 | +Licensed under the Universal Permissive License (UPL), Version 1.0. |
| 194 | + |
| 195 | +See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details. |
0 commit comments