diff --git a/others/customer-documentation/solution-definition-complete/files/Solution-Definition.docx b/others/customer-documentation/solution-definition-complete/files/Solution-Definition.docx new file mode 100644 index 000000000..17d94ab0c Binary files /dev/null and b/others/customer-documentation/solution-definition-complete/files/Solution-Definition.docx differ diff --git a/others/customer-documentation/solution-definition-complete/files/Solution-Definition.pdf b/others/customer-documentation/solution-definition-complete/files/Solution-Definition.pdf new file mode 100644 index 000000000..4dc4122aa Binary files /dev/null and b/others/customer-documentation/solution-definition-complete/files/Solution-Definition.pdf differ diff --git a/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-annex/images/OCIObservability.png b/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-annex/images/OCIObservability.png new file mode 100644 index 000000000..466c9c869 Binary files /dev/null and b/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-annex/images/OCIObservability.png differ diff --git a/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-sol-con/images/OCIArchitecture.png b/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-sol-con/images/OCIArchitecture.png new file mode 100644 index 000000000..2409f087e Binary files /dev/null and b/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-sol-con/images/OCIArchitecture.png differ 
diff --git a/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-sol-con/images/OMAreas.png b/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-sol-con/images/OMAreas.png new file mode 100644 index 000000000..0cf5e5384 Binary files /dev/null and b/others/customer-documentation/solution-definition-complete/files/snippets/observability-and-manageability/manageability-sol-con/images/OMAreas.png differ diff --git a/others/customer-documentation/solution-definition-mandatory/files/Solution-Definition_mandatory.docx b/others/customer-documentation/solution-definition-mandatory/files/Solution-Definition_mandatory.docx new file mode 100644 index 000000000..9068d7f07 Binary files /dev/null and b/others/customer-documentation/solution-definition-mandatory/files/Solution-Definition_mandatory.docx differ diff --git a/others/customer-documentation/solution-definition-mandatory/files/Solution-Definition_mandatory.pdf b/others/customer-documentation/solution-definition-mandatory/files/Solution-Definition_mandatory.pdf new file mode 100644 index 000000000..a5a866ade Binary files /dev/null and b/others/customer-documentation/solution-definition-mandatory/files/Solution-Definition_mandatory.pdf differ diff --git a/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-annex/images/OCIObservability.png b/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-annex/images/OCIObservability.png new file mode 100644 index 000000000..466c9c869 Binary files /dev/null and b/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-annex/images/OCIObservability.png differ 
diff --git a/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-sol-con/images/OCIArchitecture.png b/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-sol-con/images/OCIArchitecture.png new file mode 100644 index 000000000..2409f087e Binary files /dev/null and b/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-sol-con/images/OCIArchitecture.png differ diff --git a/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-sol-con/images/OMAreas.png b/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-sol-con/images/OMAreas.png new file mode 100644 index 000000000..0cf5e5384 Binary files /dev/null and b/others/customer-documentation/solution-definition-mandatory/files/snippets/observability-and-manageability/manageability-sol-con/images/OMAreas.png differ diff --git a/others/customer-documentation/solution-definition-mandatory/files/solution-definition_mandatory.md b/others/customer-documentation/solution-definition-mandatory/files/solution-definition_mandatory.md index 231ead11d..31d5b1d5d 100644 --- a/others/customer-documentation/solution-definition-mandatory/files/solution-definition_mandatory.md +++ b/others/customer-documentation/solution-definition-mandatory/files/solution-definition_mandatory.md 
@@ -19,12 +19,81 @@ *Example:* -| Version | Authors | Date | Comments | -|:--------|:-------------|:-------------------|:---------------------------------------------------------------------------------------------| -| 1.0 | Name Surname | 1st June 2023 | Created a new Solution Definition document. To be used for iterative review and improvement. | -| 1.1 | Name Surname | 1st July 2023 | Update Template per feedback. Added security-templated texts and annex. | -| 1.2 | Name Surname | 1st August 2023 | Update Template per feedback. As per Confluence. | -| 2.0 | Name Surname | 1st September 2023 | Added Networking Annex | + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
VersionAuthorsDateComments
1.0Base Template1st June 2023Created a new Solution Definition document. To be used for iterative review and improvement.
1.1Base Template1st July 2023Update Template per feedback. Added security-templated texts and annex.
1.2Base Template1st August 2023Update Template per feedback. As per Confluence.
2.0Base Template1st September 2023Added Networking Annex
2.1Base Template1st September 2023Updated LZ Snippet
+Added 'Base Template' to the version table instead of 'Name Surname'
2.2Base Template16th October 2023Upgraded the Logical Architecture as mandatory. It is now included in the 'Mandatory' template.
2.3Base Template16th January 2024Added comment for workload snippets
+Updates Acronyms
2.4Base Template26th February 2024Added the network firewall in the requirement, the solution considerations, and in the Annex.
2.5Base Template8th April 2024Added 'manageability' in the requirement, the solution considerations, and in the Annex.
## Team @@ -34,10 +103,10 @@ *Example:* -| Name | Email | Role | Company | -|:-------------|:--------------------|:-------------------------|:--------| -| Name Surname | example@example.com | Tech Solution Specialist | Oracle | -| Ada Lovelace | example@example.com | Account Cloud Engineer | Oracle | +| Name | Email | Role | Company | +|:--------------|:--------------------|:-------------------------|:--------| +| ${doc.author} | example@example.com | Tech Solution Specialist | Oracle | +| Ada Lovelace | example@example.com | Account Cloud Engineer | Oracle | ## Document Purpose @@ -47,11 +116,11 @@ *Example:* -This document provides a high-level solution definition for the Oracle solution and aims at describing the current state, and to-be state as well as a potential high-level project scope and timeline for \. +This document provides a high-level solution definition for the Oracle solution and aims at describing the current state, and to-be state as well as a potential high-level project scope and timeline for ${doc.config.impl.type}. The document may refer to a ‘Workload’, which summarizes the full technical solution for a customer (You) during a single engagement. The Workload is described in the chapter [Workload Requirements and Architecture](#workload-requirements-and-architecture). -This is a living document, additional sections will be added as the engagement progresses resulting in a final Document to be handed over to the \. +This is a living document, additional sections will be added as the engagement progresses resulting in a final Document to be handed over to the ${doc.config.impl.type}. # Business Context 
@@ -113,11 +182,11 @@ In addition to these requirements, the [CIS Oracle Cloud Infrastructure Foundati Example: -| Name | Size of Prod | Location | DR | Scope | -|:-----------|:-------------|:---------|:----|:--------------------------------| -| Production | 100% | Malaga | Yes | Not in Scope / On-prem | -| DR | 50% | Sevilla | No | Workload | -| Dev & Test | 25% | Sevilla | No | Workload - \ | +| Name | Size of Prod | Location | DR | Scope | +|:-----------|:-------------|:---------|:----|:-----------------------------------| +| Production | 100% | Malaga | Yes | Not in Scope / On-prem | +| DR | 50% | Sevilla | No | Workload | +| Dev & Test | 25% | Sevilla | No | Workload - ${doc.config.impl.type} | ### High Availability and Disaster Recovery Requirements 
@@ -160,10 +229,45 @@ At the time of this document creation, no Security requirements have been specif *Capture the Non-Functional Requirements for networking-related topics. You can use the networking questions in the [Annex](#networking-requirement-considerations)* +*As businesses increasingly rely on Cloud Infrastructure to store, process, and transmit sensitive data, the need for comprehensive security solutions has never been more important. Potential customers evaluating network security solutions typically prioritize the following requirements: Some of the broader category considerations are below.* + +- *Data Protection: Safeguarding sensitive information against unauthorized access, theft, or modification is a primary concern for any organization and industry today.* + - *Threat Prevention: Advanced capabilities like IDPS and malware detection for blocking threats.* + - *Data Loss Prevention (DLP): Monitoring and controlling sensitive data transmission.* + - *Encryption and Decryption: Inspecting encrypted traffic without compromising privacy.* +- *Threat Prevention: Proactively identifying and mitigating security threats is essential for maintaining the integrity of network infrastructure. * + - *Intrusion Detection and Prevention: Monitoring for suspicious or malicious activity.* + - *Application Control: Granular control over specific applications or services.* + - *URL Filtering: Controlling access to permitted URLs.* +- *Security compliance: Does your organization have network security requirements based on industry or organization compliance? For example - SAMA (Saudi Arabia Monetary Authority), HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), SWIFT, etc.* + *Example:* At the time of this document creation, no Networking requirements have been specified. 
+### Management and Monitoring + +*Guide:* + +*This subsection helps you capture any requirements for customer management and monitoring needs - e.g. system monitoring, systems management, log analysis, etc.* + +*When you move or start an OCI project, you have a choice to use the tools you are familiar with (should they support modern application architectures), replace them with OCI native Observability services, or use a combination to improve your visibility. When contemplating how to proceed, here are some general questions that will guide you:* + +- *Does the tool manage across hybrid and multi-cloud environments?* +- *What is the cost of integrating the existing tool with OCI?* +- *Is my current monitor tool enabling you to prevent issues versus reacting to them?* +- *Does the tool tell you how much impact there has been on users or just that there was an impact like something is down or unavailable? * +- *Does the tool provide the full vision of applications and their infrastructure or just a piece of them or specific technology?* + +*Example:* + +| Task | Target | Location | New | Notes | +|:-----------------------|:---------------|:----------------|:----|:------| +| Application Monitoring | All targets | On-Prem and OCI | No | | +| Monitoring | All targets | OCI (Migration) | No | | +| Log Management | All targets | OCI (Migration) | No | | +| Insight | All Oracle DBs | OCI (Migration) | No | | + ## Future State Architecture *Guide:* 
@@ -180,15 +284,15 @@ At the time of this document creation, no Networking requirements have been spec *Use this text for every engagement. Do not change. Aligned with the Cloud Adoption Framework* -The safety of the \'s Oracle Cloud Infrastructure (OCI) environment and data is the \’s priority. +The safety of the ${doc.customer.name}'s Oracle Cloud Infrastructure (OCI) environment and data is the ${doc.customer.name}’s priority. -To following table of OCI Security Best Practices lists the recommended topics to provide a secure foundation for every OCI implementation. It applies to new and existing tenancies and should be implemented before the Workload defined in this document will be implemented. +The following table of OCI Security Best Practices lists the recommended topics to provide a secure foundation for every OCI implementation. It applies to new and existing tenancies and should be implemented before the Workload defined in this document will be implemented. Workload-related security requirements and settings like tenancy structure, groups, and permissions are defined in the respective chapters. -Any deviations from these recommendations needed for the scope of this document will be documented in the chapters below. They must be approved by \. +Any deviations from these recommendations needed for the scope of this document will be documented in the chapters below. They must be approved by ${doc.customer.name}. -\ is responsible for implementing, managing, and maintaining all listed topics. +${doc.customer.name} is responsible for implementing, managing, and maintaining all listed topics. @@ -276,292 +380,150 @@ Any deviations from these recommendations needed for the scope of this document
-### OCI Secure Landing Zone Architecture +### Naming Conventions *Guide:* -*This chapter describes landing zone best practices and usually does not require any changes. If changes are required please refer to [Landing Zone GitHub](https://github.com/oracle-devrel/technology-engineering/tree/main/landing-zones). The full landing zone needs to be described in the Solution Design by the service provider.* +*This chapter describes naming convention best practices and usually does not require any changes. If changes are required please refer to [Landing Zone GitHub](https://github.com/oracle-devrel/technology-engineering/tree/main/landing-zones). The naming convention zone needs to be described in the Solution Design by the service provider.* *Use this template ONLY for new cloud deployments and remove it for brownfield deployments.* -The design considerations for an OCI Cloud Landing Zone have to do with OCI and industry architecture best practices, along with \ specific architecture requirements that reflect the Cloud Strategy (hybrid, multi-cloud, etc.). An OCI Cloud Landing zone involves a variety of fundamental aspects that have a broad level of sophistication. A good summary of a Cloud Landing Zone has been published in the [OCI User Guide](https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/landing-zone.htm). - -#### Naming Convention +A naming convention is an important part of any deployment to ensure consistency, governance, and security within your tenancy. Find [here](https://github.com/oracle-devrel/technology-engineering/blob/main/landing-zones/commons/resource_naming_conventions.md) Oracle's recommended best practices. -A naming convention is an important part of any deployment to ensure consistency as well as security within your tenancy. Hence we jointly agree on a naming convention, that matches Oracle's best practices and \ requirements. 
+### OCI Landing Zone Solution Definition -Oracle recommends the following Resource Naming Convention: - -- The name segments are separated by “-“ -- Within a name segment avoid using ``{=html} and “.” -- Where possible intuitive/standard abbreviations should be considered (e.g. “shared“ compared to "shared.cloud.team”) -- When referring to the compartment full path, use “:” as a separator, e.g. cmp-shared:cmp-security - -Some examples of naming are given below: - -- cmp-shared -- cmp-\ -- cmp-networking - -The patterns used are these: - -- \-\-\-\ -- \-\-\-\-\ -- \-\-\-\-\-\ -- \-\-\-\ - -Abbreviations per resource type are listed below. This list may not be complete. - -| Resource Type | Abbreviation | Example | -|------------------------------------|--------------------|-------------------------------------------------------------| -| Bastion Service | bst | bst-\-\ | -| Block Volume | blk | blk-\-\-\ | -| Compartment | cmp | cmp-shared, cmp-shared-security | -| Customer Premise Equipment | cpe | cpe-\-\ | -| DNS Endpoint Forwarder | dnsepf | dnsepf-\ | -| DNS Endpoint Listener | dnsepl | dnsepl-\ | -| Dynamic Group | dgp | dpg-security-functions | -| Dynamic Routing Gateway | drg | drg-prod-\ | -| Dynamic Routing Gateway Attachment | drgatt | drgatt-prod-\-\-\ | -| Fast Connect | fc# \<# := 1...n\> | fc0-\-\ | -| File Storage | fss | fss-prod-\-\ | -| Internet Gateway | igw | igw-dev-\-\ | -| Jump Server | js | js-\-xxxxx | -| Load Balancer | lb | lb-prod-\-\ | -| Local Peering Gateway | lpg | lpg-prod-\-\ | -| NAT Gateway | nat | nat-prod-\-\ | -| Network Security Group | nsg | nsg-prod-\-waf | -| Managed key | key | key-prod-\-\-database01 | -| OCI Function Application | fn | fn-security-logs | -| Object Storage Bucket | bkt | bkt-audit-logs | -| Policy | pcy | pcy-services, pcy-tc-security-administration | -| Region Code, Location | xxx | fra, ams, zch \# three letter region code | -| Routing Table | rt | rt-prod-\-network | -| Secret | sec | 
sec-prod-wls-admin | -| Security List | sl | sl-\ | -| Service Connector Hub | sch | sch-\ | -| Service Gateway | sgw | sgw-\ | -| Subnet | sn | sn-\ | -| Tenancy | tc | tc | -| Vault | vlt | vlt-\ | -| Virtual Cloud Network | vcn | vcn-\ | -| Virtual Machine | vm | vm-xxxx | - -#### Security and Identity Management - -This chapter covers the Security and Identity Management definitions and resources that will be implemented for \. - -##### Universal Security and Identity and Access Management Principles - -- Groups will be configured at the tenancy level and access will be governed by policies configured in OCI. -- Any new project deployment in OCI will start with the creation of a new compartment. Compartments follow a hierarchy, and the compartment structure will be decided as per the application requirements. -- It is also proposed to keep any shared resources, such as Object Storage, Networks, etc. in a shared services compartment. This will allow the various resources in different compartments to access and use the resources deployed in the shared services compartment and user access can be controlled by policies related to specific resource types and user roles. -- Policies will be configured in OCI to maintain the level of access/control that should exist between resources in different compartments. These will also control user access to the various resources deployed in the tenancy. -- The tenancy will include a pre-provisioned Identity Cloud Service (IDCS) instance (the primary IDCS instance) or, where applicable, the Default Identity Domain. Both provide access management across all Oracle cloud services for IaaS, PaaS, and SaaS cloud offerings. -- The primary IDCS or the Default Identity Domain will be used as the access management system for all users administrating (OCI Administrators) the OCI tenant. - -##### Authentication and Authorization for OCI - -The provisioning of respective OCI administration users will be handled by \. 
- -###### User Management - -Only OCI Administrators are granted access to the OCI Infrastructure. As a good practice, these users are managed within the pre-provisioned and pre-integrated Oracle Identity Cloud Service (primary IDCS) or, where applicable, the OCI Default Identity Domain, of OCI tenancy. These users are members of groups. IDCS Groups can be mapped to OCI groups while Identity Domains groups do not require any mapping. Each mapped group membership will be considered during login. - -**Local Users** - -The usage of OCI Local Users is not recommended for the majority of users and is restricted to a few users only. These users include the initial OCI Administrator created during the tenancy setup and additional emergency administrators. - -**Local Users are considered Emergency Administrators and should not be used for daily administration activities!** - -**No additional users are to be, nor should be, configured as local users.** - -**\ is responsible to manage and maintain local users for emergency use cases.** - -**Federated Users** - -Unlike Local Users, Federated Users are managed in the Federated or Enterprise User Management system. In the OCI User list Federated Users may be distinguished by a prefix that consists of the name of the federated service in lower case, a '/' character followed by the user name of the federated user, for example: - -`oracleidentityservicecloud/user@example.com` - -Providing the same attributes (OCI API Keys, Auth Tokens, Customer Secret Keys, OAuth 2.0 Client Credentials, and SMTP Credentials) for Local and *Federated Users* federation with third-party Identity Providers should only be done in the pre-configured primary IDCS or the Default Identity Domain where applicable. - -All users have the same OCI-specific attributes (OCI API Keys, Auth Tokens, Customer Secret Keys, OAuth 2.0 Client Credentials, and SMTP Credentials). 
- -OCI Administration users should only be configured in the pre-configured primary IDCS or the Default Identity Domain where applicable. - -**Note:** Any federated user can be a member of 100 groups only. The OCI Console limits the number of groups in a SAML assertion to 100 groups. User Management in the Enterprise Identity Management system will be handled by \. - -**Authorization** - -In general, policies hold permissions granted to groups. Policy and Group naming follows the Resource Naming Conventions. - -**Tenant Level Authorization** - -The policies and groups defined at the tenant level will provide access to administrators and authorized users, to manage or view resources across the entire tenancy. The tenant-level authorization will be granted to tenant administrators only. - -These policies follow the recommendations of the [CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0, recommendations 1.1, 1.2, 1.3](https://www.cisecurity.org/cis-benchmarks). - -**Service Policy** - -A Service Policy is used to enable services at the tenancy level. It is not assigned to any group. - -**Shared Compartment Authorization** - -Compartment-level authorization for the cmp-shared compartment structure uses the following specific policies and groups. - -Apart from tenant-level authorization, authorization for the cmp-shared compartment provides specific policies and groups. In general, policies will be designed so that lower-level compartments are not able to modify the resources of higher-level compartments. - -Policies for the cmp-shared compartment follow the recommendations of the [CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0, recommendations 1.1, 1.2, 1.3](https://www.cisecurity.org/cis-benchmarks). - -**Compartment Level Authorization** +*Guide:* -Apart from tenant-level authorization, compartment-level authorization provides compartment structure-specific policies and groups. 
In general, policies will be designed so that lower-level compartments are not able to modify the resources of higher-level compartments. +*This chapter describes landing zone best practices and usually does not require any changes. If changes are required please refer to [Landing Zone GitHub](https://github.com/oracle-devrel/technology-engineering/tree/main/landing-zones). The full landing zone needs to be described in the Solution Design by the service provider.* -**Authentication and Authorization for Applications and Databases** +*Use this template ONLY for new cloud deployments and remove it for brownfield deployments.* -Application (including Compute Instances) and Database User management are completely separate and done outside of the primary IDCS or Default Identity Domain. The management of these users is the sole responsibility of \ using the application, compute instance, and database-specific authorization. +An OCI Landing Zone sets the foundations for a secure tenancy, providing design best practices and operational control over OCI resources. A Landing Zone also simplifies the onboarding of workloads and teams, with clear patterns for network isolation and segregation of duties in the organization, which sets the cloud operating model for day-to-day operations. -##### Security Posture Management +Oracle highly recommends the use of an OCI Landing Zone for any deployment. Use these [guidelines](https://github.com/oracle-devrel/technology-engineering/blob/main/landing-zones/commons/lz_solution_definition.md) to set up your OCI Landing Zone, including design considerations, approaches, and solutions to use. -**Oracle Cloud Guard** +Note that all workloads in a tenancy should sit on top of a Landing Zone, meaning that the workload architecture defined in the next section can be subject to adjustments (e.g., network structure) towards the landing zone model, along with other future workloads. 
-Oracle Cloud Guard Service will be enabled using the pcy-service policy and with the following default configuration. Customization of the Detector and Responder Recipes will result in clones of the default (Oracle Managed) recipes. +### Logical Architecture -Cloud Guard default configuration provides a number of good settings. It is expected that these settings may not match \'s requirements. +*Guide:* -**Targets** +*Provide a high-level logical Oracle solution for the complete Workload. Indicate Oracle products as abstract groups, and not as physical detailed instances. Create an architecture diagram following the latest notation and describe the solution.* -In accordance with the [CIS Oracle Cloud Infrastructure Foundations Benchmark, v1.2.0, Chapter 3.15](https://www.cisecurity.org/cis-benchmarks), Cloud Guard will be enabled in the root compartment. +*To implement a solution the Physical Architecture is needed in the next chapter. The physical notation can show individual components with physical attributes such as IP addresses, hostnames, or sizes.* -**Detectors** +*[The Oracle Cloud Notation, OCI Architecture Diagram Toolkits](https://docs.oracle.com/en-us/iaas/Content/General/Reference/graphicsfordiagrams.htm)* -The Oracle Default Configuration Detector Recipes and Oracle Default Activity Detector Recipes are implemented. To better meet the requirements, the default detectors must be cloned and configured by \. +### Physical Architecture -**Responder Rules** +*Guide:* -The default Cloud Guard Responders will be implemented. To better meet the requirements, the default detectors must be cloned and configured by \. +*The Workload Architecture is typically described in a physical form. This should include all solution components. You do not have to provide solution build or deployment details such as IP addresses.* -**Vulnerability Scanning Service** +*Please describe the solution with an architecture image plus a written text. 
If you have certain specifics you like to explain, you can also use the Solution Consideration chapter to describe the details there.* -In accordance with the [CIS Oracle Cloud Infrastructure Foundations Benchmark, v1.2.0, OCI Vulnerability Scanning](https://www.cisecurity.org/cis-benchmarks) will be enabled using the pcy-service policy. +*[The Oracle Cloud Notation, OCI Architecture Diagram Toolkits](https://docs.oracle.com/en-us/iaas/Content/General/Reference/graphicsfordiagrams.htm)* -Compute instances that should be scanned *must* implement the *Oracle Cloud Agent* and enable the *Vulnerability Scanning plugin*. +*Reference:* -**OCI OS Management Service** +[StarterPacks (use the search)](https://github.com/oracle-devrel/technology-engineering/) -Required policy statements for OCI OS Management Service are included in the pcy-service policy. +*Example:* -By default, the *OS Management Service Agent plugin* of the *Oracle Cloud Agent* is enabled and running on current Oracle Linux 6, 7, 8, and 9 platform images. +![Future State Deployment Diagram - EBS Workload Multi-AD, DR Design Diagram](images/MultiADDR-DeploymentDiagram-V2.pdf) -##### Monitoring, Auditing, and Logging +## Solution Considerations -In accordance with the [CIS Oracle Cloud Infrastructure Foundations Benchmark, v1.2.0, Chapter 3 Logging and Monitoring](https://www.cisecurity.org/cis-benchmarks) the following configurations will be made: +*Guide:* -- OCI Audit log retention period set to 365 days. -- At least one notification topic and subscription to receive monitoring alerts. -- Notification for Identity Provider changes. -- Notification for IdP group mapping changes. -- Notification for IAM policy changes. -- Notification for IAM group changes. -- Notification for user changes. -- Notification for VCN changes. -- Notification for changes to route tables. -- Notification for security list changes. -- Notification for network security group changes. 
-- Notification for changes to network gateways. -- VCN flow logging for all subnets. -- Write level logging for all Object Storage Buckets. -- Notification for Cloud Guard detected problems. -- Notification for Cloud Guard remedied problems. +*Describe certain aspects of your solution in detail. What are the security, resilience, networking, and operations decisions you have taken that are important for your customer?* -For IDCS or OCI Identity Domain Auditing events, the respective Auditing API can be used to retrieve all required information. +### High Availability and Disaster Recovery -##### Data Encryption +*Reference:* -All data will be encrypted at rest and in transit. Encryption keys can be managed by Oracle or the customer and will be implemented for identified resources. +- [Resilliance on OCI](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/cloud-adoption-framework/era-resiliency.htm) +- [Workload Related Content](https://github.com/oracle-devrel/technology-engineering/) -###### Key Management +### Security -All keys for **OCI Block Volume**, **OCI Container Engine for Kubernetes**, **OCI Database**, **OCI File Storage**, **OCI Object Storage**, and **OCI Streaming** are centrally managed in a shared or a private virtual vault will be implemented and placed in the compartment cmp-security. +*Guide:* -**Object Storage Security** +*Please describe your solution from a security point of view. Generic security guidelines are in the Annex chapter.* -For Object Storage security the following guidelines are considered. +*Example:* -- **Access to Buckets** -- Assign least privileged access for IAM users and groups to resource types in the object-family (Object Storage Buckets & Object) -- **Encryption at rest** -- All data in the Object Storage is encrypted at rest using AES-256 and is on by default. This cannot be turned off and objects are encrypted with a master encryption key. 
+Please see our security guidelines in the [Annex](#security-guidelines). -**Data Residency** +### Networking -It is expected that data will be held in the respective region and additional steps will be taken when exporting the data to other regions to comply with the applicable laws and regulations. This should be reviewed for every project onboard into the tenancy. +*Guide:* -##### Operational Security +*If your customers have any or one of the needs described in the guide of the [Network Requirements](#networking-requirements), then the OCI Network Firewall (OCI NFW) is the cloud native solution that provides all of it. It is based on the industry-leading Nextgen firewall solution by Palo Alto (VM-Series). Refer to the Annex for more best practices around deployment models.* -**Security Zones** +*Reference:* -Whenever possible OCI Security Zones will be used to implement a security compartment for Compute instances or Database resources. For more information on Security Zones refer to the *Oracle Cloud Infrastructure User Guide* chapter on [Security Zones](https://docs.oracle.com/en-us/iaas/security-zone/using/security-zones.htm). +*A list of possible Oracle solutions can be found in the [Annex](#networking-solutions).* -**Remote Access to Compute Instances or Private Database Endpoints** +*Example:* -To allow remote access to Compute Instances or Private Database Endpoints, the OCI Bastion will be implemented for defined compartments. +The OCI Network Firewall can be deployed as a Distributed Network Firewall Model or Transit Network Firewall Model, where the firewall is hosted in the Hub VCN. In general, the OCI Network Firewall can be used to protect North-South traffic (Internet traffic) and/or East-West traffic (internal traffic). As a best practice, we do recommend using one dedicated OCI Network Firewall instance per type of traffic (North-South and East-West) in separated VCNs. 
This way performance will be maximized as well as ensuring the network isolation between the types of traffic. -To be able to use OCI services for OS management, Vulnerability Scanning, Bastion Service, etc. it is highly recommended to implement the Oracle Cloud Agent as documented in the *Oracle Cloud Infrastructure User Guide* chapter [Managing Plugins with Oracle Cloud Agent](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/manage-plugins.htm). +For more information please follow [this link.](https://docs.oracle.com/en/solutions/oci-network-firewall/index.html#GUID-875E911C-8D7D-4205-952B-5E8FAAD6C6D3) -##### Network Time Protocol Configuration for Compute Instance +### Manageability and Observability -Synchronized clocks are a necessity for securely operating environments. OCI provides a Network Time Protocol (NTP) server using the OCI global IP number 169.254.169.254. All compute instances should be configured to use this NTP service. +*Example:* -##### Regulations and Compliance +Observability is a technology advancement focused on getting insights from a vast array of data, logs, and events generated within an IT environment. By implementing an Observability strategy, organizations gain the capability to anticipate system disruptions, prevent resource overconsumption, and enhance the overall application user satisfaction. That means being proactive, which is a must, especially in a distributed environment. -\ is responsible for setting the access rules to services and environments that require stakeholders’ integration into the tenancy to comply with all applicable regulations. Oracle will support in accomplishing this task. +Gone are the days when the IT landscape remained a mysterious black box. The company's digitalization and the Cloud model compel C-level executives to gain comprehensive insights into asset utilization. The efficient allocation of resources directly influences budgetary considerations. 
-### Physical Architecture +Observability helps organizations examine how well their infrastructure is working, predict future needs, and help take proactive steps to improve efficiency and protect investments. Therefore, Observability tools are needed to cover these important areas. -*Guide:* +![Observability and Manageability](snippets/observability-and-manageability/manageability-sol-con/images/OMAreas.png){width="50%"} -*The Workload Architecture is typically described in a physical form. This should include all solution components. You do not have to provide solution build or deployment details such as IP addresses.* +#### Observability Architecture -*Please describe the solution as a written text. If you have certain specifics you like to explain, you can also use the Solution Consideration chapter to describe the details there.* +The basic monitoring OCI services collect the data and send logs and metrics to OCI Monitoring and Logging services. If you want to apply machine-learning capabilities and perform analysis, you can send the data to the Logging Analytics service. If you want to use OCI Logging Analytics to collect logs coming from both on-premises and cloud sources to analyze them for auditing, security purposes, or to integrate data with an external SIEM solution, the Connector Hub serves as the solution. -*[The Oracle Cloud Notation, OCI Architecture Diagram Toolkits](https://docs.oracle.com/en-us/iaas/Content/General/Reference/graphicsfordiagrams.htm)* +It's advisable to plan your monitoring strategy by considering both the O&M (Observability and Management) native service of OCI and its integration with third-party tools, as O&M is flexible and a highly customizable solution. 
-*Reference:* +![OCI Architecture](snippets/observability-and-manageability/manageability-sol-con/images/OCIArchitecture.png) -[StarterPacks (use the search)](https://github.com/oracle-devrel/technology-engineering/) +#### Real-Time Monitoring -*Example:* +Real-time monitoring is the delivery of continuously updated data about systems, processes, or events. Such monitoring provides information streaming at zero or low latency, so there is minimal delay between data collection and analysis. It enables quick detection of anomalies, performance issues, and critical events. -![Future State Deployment Diagram - EBS Workload Multi-AD, DR Design Diagram](images/MultiADDR-DeploymentDiagram-V2.pdf) +Please find all references for this chapter in the [Annex](#real-time-monitoring-annex). -## Solution Considerations +#### Performance and Tuning -*Guide:* +Performance tuning is the improvement of system performance. It can be done proactively to prevent issues or reactively in response to increased workload, which is crucial for avoiding system outages. -*Describe certain aspects of your solution in detail. What are the security, resilience, networking, and operations decisions you have taken that are important for your customer?* +Please find all references for this chapter in the [Annex](#performance-and-tuning-annex). -### High Availability and Disaster Recovery +#### Administration -*Reference:* +Administrator tasks involve upholding a data management policy and ensuring essential equipment functionality, such as instance management, backup & restore operations, key management, and allocating resources from the database to the storage. -- [Resilliance on OCI](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/cloud-adoption-framework/era-resiliency.htm) -- [Workload Related Content](https://github.com/oracle-devrel/technology-engineering/) +Please find all references for this chapter in the [Annex](#administration-annex). 
-### Security +#### Troubleshooting -*Guide:* +Issues can happen on several levels. To identify the root cause, it is important to be able to correlate resources, drill down into the issues, and analyze trends in the systems. It's crucial to consider that the application itself might be the root cause of the issue. Therefore, it's essential to gather information about the application's behavior and performance to fully understand the problem and resolve it effectively. Troubleshooting also allows you to avoid an outage which is why it is important to notice issues as early as possible. -*Please describe your solution from a security point of view. Generic security guidelines are in the Annex chapter.* +Please find all references for this chapter in the [Annex](#troubleshooting-annex). -*Example:* +#### Cost Control and Chargeback -Please see our security guidelines in the [Annex](#security-guidelines). +Cost control is the practice of identifying and reducing business expenses to increase profits. It starts with the budgeting process. Cost control is an important factor in maintaining and growing profitability. -### Networking +IT chargeback can provide greater visibility into the costs of IT services and infrastructure usage. It enables organizations to identify opportunities for cost optimization and reduce wasteful spending. -*Reference:* +Cost control and chargeback are critical concerns, especially for companies transitioning to the cloud, presenting new financial operational challenges (FinOps). In this context, reducing consumption directly impacts the company's business. -*A list of possible Oracle solutions can be found in the [Annex](#networking-solutions).* +Please find all references for this chapter in the [Annex](#cost-control-and-chargeback-annex). ## Sizing and Bill of Materials 
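Review bot: the Security example under "### Security" now collapses to "Please see our security guidelines in the Annex", while the concrete controls this hunk deletes (the CIS-benchmark-aligned 365-day Audit log retention, the notification topics for IAM, IdP, VCN, route table, security list, NSG, gateway and Cloud Guard events, VCN flow logs for all subnets, write-level Object Storage logging, vault keys in cmp-security, Security Zones, Bastion for remote access, the Oracle Cloud Agent plugins for OS Management and Vulnerability Scanning, and the NTP pointer to 169.254.169.254) are not re-added anywhere in this diff. Either confirm the Annex's security guidelines carry these items or keep a condensed example here so a customer-facing document still states what will actually be configured. Two smaller points in the same hunk: the new HA/DR reference "Resilliance on OCI" is misspelled and links to docs.public.oneportal.content.oci.oraclecloud.com rather than the public docs.oracle.com host, so swap it for the published URL; and in the Observability Architecture paragraph the sentence "If you want to use OCI Logging Analytics to collect logs coming from both on-premises and cloud sources ... the Connector Hub serves as the solution" runs two ideas together, so rephrase it to say that Connector Hub is the component that moves logs into Logging Analytics or out to an external SIEM.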
@@ -573,13 +535,7 @@ Please see our security guidelines in the [Annex](#security-guidelines). *Even if the BoM and sizing were done with the help of Excel between the different teams, ensure that this chapter includes or links to the final BoM as well.* -*WIP* - -- *Revision of existing discovery templates* -- *Consolidated data gathering sheet (sizing focused)* -- *Workload-specific sizing process/methodology* - -# Project Implementation (Only for Oracle Implementations!) +# Project Implementation ## Solution Scope 
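Review bot: dropping "(Only for Oracle Implementations!)" from the "# Project Implementation" heading removes the only cue that this whole chapter is conditional. If the intent is that the template now omits the chapter when no Oracle-led implementation is in scope, state that in the guide text at the top of the chapter; otherwise keep the qualifier.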
@@ -591,9 +547,9 @@ Please see our security guidelines in the [Annex](#security-guidelines). *Example:* -As part of the Oracle \ Project, any scope needs to be agreed upon by both the customer and Oracle. A scope can change but must be confirmed again by both parties. Oracle can reject scope changes for any reason and may only design and implement a previously agreed scope. A change of scope can change any previously agreed milestone and needs to be technically feasible. +As part of the Oracle ${doc.config.impl.type} Project, any scope needs to be agreed upon by both the customer and Oracle. A scope can change but must be confirmed again by both parties. Oracle can reject scope changes for any reason and may only design and implement a previously agreed scope. A change of scope can change any previously agreed milestone and needs to be technically feasible. -All items not explicitly stated to be within the scope of the \ project will be considered out of scope. Oracle recommends the use of professional services to implement extensions or customizations beyond the original scope, as well as to operate the solution, with an Oracle-certified partner. +All items not explicitly stated to be within the scope of the ${doc.config.impl.type} project will be considered out of scope. Oracle recommends the use of professional services to implement extensions or customizations beyond the original scope, as well as to operate the solution, with an Oracle-certified partner. ### Overview 
@@ -614,9 +570,9 @@ All items not explicitly stated to be within the scope of the \ service brings several benefits to this project. All the activities mentioned within the scope will ensure the deployment of workload as per Oracle's best practices. As a tried and tested methodology by many customers, Oracle \ brings the speed of deployment resulting in successful projects without any setbacks. Oracle \ services will bring value to the overall project provisioning OCI environments for the application workload. +The Oracle ${doc.config.impl.type} service brings several benefits to this project. All the activities mentioned within the scope will ensure the deployment of workload as per Oracle's best practices. As a tried and tested methodology by many customers, Oracle ${doc.config.impl.type} brings the speed of deployment resulting in successful projects without any setbacks. Oracle ${doc.config.impl.type} services will bring value to the overall project provisioning OCI environments for the application workload. -Oracle Cloud \ services provide guidance from cloud engineers and project managers on planning, project management, architecting, deploying, and managing cloud migrations. +Oracle Cloud ${doc.config.impl.type} services provide guidance from cloud engineers and project managers on planning, project management, architecting, deploying, and managing cloud migrations. ### Success Criteria @@ -626,7 +582,7 @@ Oracle Cloud \ services provide guidance from cloud engineers *Example:* -The below-listed success criteria are for the \ implementation only. Partner activities and success criteria are not listed in this documentation. +The below-listed success criteria are for the ${doc.config.impl.type} implementation only. Partner activities and success criteria are not listed in this documentation. - Finish provisioning of all OCI resources - Establish all required network connectivity 
@@ -796,11 +752,11 @@ All items not explicitly stated to be within the scope of the implementation pro #### Introduction -Following the deployment of the solution to Oracle Cloud Infrastructure by the \ team, it is important to ensure a smooth handover to a technical team, or a partner. \ values the continuation of the cloud journey and we focus our efforts to ensure you start with the best possible foundation, to set you up for success in OCI. +Following the deployment of the solution to Oracle Cloud Infrastructure by the ${doc.config.impl.type} team, it is important to ensure a smooth handover to a technical team, or a partner. ${doc.config.impl.type} values the continuation of the cloud journey and we focus our efforts to ensure you start with the best possible foundation, to set you up for success in OCI. -When \ completes the deliverables as described in the [Workplan](#workplan) section of this document, \ will hand over the controls of the new OCI environment. +When ${doc.config.impl.type} completes the deliverables as described in the [Workplan](#workplan) section of this document, ${doc.config.impl.type} will hand over the controls of the new OCI environment. -\, or a partner of your choice, will assume the ownership of the OCI tenancy and responsibility for further development of the OCI environment. From that moment forward, having completed the [Solution Scope](#solution-scope), \ will disengage. For post-implementation support, Oracle provides you with three distinct resources: +${doc.customer.name}, or a partner of your choice, will assume the ownership of the OCI tenancy and responsibility for further development of the OCI environment. From that moment forward, having completed the [Solution Scope](#solution-scope), ${doc.config.impl.type} will disengage. For post-implementation support, Oracle provides you with three distinct resources: 1. 
Oracle Account Cloud Engineer (ACE) – This is your first point of contact and will provide technical leadership and support for Oracle cloud technologies and your cloud transformation. 2. Cloud Adoption Manager (CAM) - Introduces and plans operation monitoring and optimization advisory activities, and continues working with you on the next milestones. Please contact your ACE for further information. @@ -808,9 +764,9 @@ When \ completes the deliverables as described in the [Workpl #### Transition Acceptance -When \ completes the deliverables as specified in the [Workplan](#workplan) section of this document, a closure session will be scheduled within 1-2 weeks to recap the project and to hand it over to the accepting party. In the case of this project, the accepting party is \. \ is now responsible for the OCI tenancy. +When ${doc.config.impl.type} completes the deliverables as specified in the [Workplan](#workplan) section of this document, a closure session will be scheduled within 1-2 weeks to recap the project and to hand it over to the accepting party. In the case of this project, the accepting party is ${doc.config.impl.handover}. ${doc.config.impl.handover} is now responsible for the OCI tenancy. -From this moment forward, the Oracle \ team will fully remove their access from your OCI tenancy and provide the access credentials to the accepting party. This marks the completion of the \ project. There is no sign-off signature required. +From this moment forward, the Oracle ${doc.config.impl.type} team will fully remove their access from your OCI tenancy and provide the access credentials to the accepting party. This marks the completion of the ${doc.config.impl.type} project. There is no sign-off signature required. # Annex 
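Review bot: in the Transition Acceptance paragraph, "will fully remove their access from your OCI tenancy and provide the access credentials to the accepting party" describes handing existing credentials to the new owner, which is the wrong model for a tenancy handover. Reword so that the accepting party (${doc.config.impl.handover}) is provisioned with its own administrator identities and API keys, any credentials, API keys or auth tokens held by the implementation team are deleted or rotated, and the closure session records evidence of that removal (for example a review of the remaining IAM users, groups and policies). The same paragraph still says "There is no sign-off signature required", which sits oddly next to a credential handover; consider at least an acknowledgement from the accepting party.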
@@ -823,7 +779,7 @@ Oracle Cloud Infrastructure (OCI) is designed to protect customer workloads with - [Security Strategy](https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security-strategy.htm) – To create a successful security strategy and architecture for your deployments on OCI, it's helpful to understand Oracle's security principles and the OCI security services landscape. - The [security pillar capabilities](https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security.htm#capabilities) reflect fundamental security principles for architecture, deployment, and maintenance. The best practices in the security pillar, help your organization to define a secure cloud architecture, identify and implement the right security controls, and monitor and prevent issues such as configuration drift. -#### References +### References - The Best Practices Framework for OCI provides architectural guidance about how to build OCI services in a secure fashion, based on recommendations in the [Best practices framework for Oracle Cloud Infrastructure](https://docs.oracle.com/en/solutions/oci-best-practices). - Learn more about [Oracle Cloud Security Practices](https://www.oracle.com/corporate/security-practices/cloud/). 
@@ -831,11 +787,11 @@ Oracle Cloud Infrastructure (OCI) is designed to protect customer workloads with ### Compliance and Regulations -Cloud computing is fundamentally different from traditionally on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware, and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is often a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and the customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS). +Cloud computing is fundamentally different from traditional on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware, and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is often a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and the customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS). 
-## Additional Resources +### Additional Resources -- [Oracle Cloud Compliance](https://www.oracle.com/corporate/cloud-compliance/) – Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment. This site is a primary reference for customers on the Shared Management Model with Attestations and Advisories. +- [Oracle Cloud Compliance](https://www.oracle.com/corporate/cloud-compliance/) – Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an evermore complex regulatory environment. This site is a primary reference for customers on the Shared Management Model with Attestations and Advisories. - [Oracle Security Practices](https://www.oracle.com/corporate/security-practices/) – Oracle’s security practices are multidimensional, encompassing how the company develops and manages enterprise systems, and cloud and on-premises products and services. - [Oracle Cloud Security Practices](https://www.oracle.com/corporate/security-practices/cloud/) documents. - [Contract Documents](https://www.oracle.com/contracts/cloud-services/#online) for Oracle Cloud Services. 
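Review bot: the change from "an ever more complex regulatory environment" to "an evermore complex regulatory environment" in the Oracle Cloud Compliance bullet is a regression; "ever more" (increasingly) was correct and "evermore" means forever, so revert that word. The "traditionally on-premises" to "traditional on-premises" fix in the Compliance and Regulations paragraph is right.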
@@ -883,7 +839,14 @@ The below questions help to identify networking requirements. ### Security and Access Control -- Are you familiar with the concept of Next-Generation Firewalls (NGFW) and their benefits over traditional firewalls? +- Some of the below questions help you to adopt the right sizing and deployment model of the network firewall. + - Does the customer need to protect traffic from VCN to VCN? + - Does the customer need to protect traffic from subnet to subnet in the same VCN? + - When deploying an OCI Network Firewall in a dedicated HUB or secure VCN, do you want to protect inter-VCN traffic and/or inter-subnet traffic from within the same VCN? + - Does the customer need to protect incoming or egressing traffic to the internet? + - Does the customer need to protect internal traffic (including on-premises via IPSEC/FC)? + - Is the network performance critical? + - Does the customer have any requirement on network isolation (i.e., internet traffic never traverses or is mixed with internal traffic)? - Have you considered the importance of protecting your web applications from potential cyber threats using a Web Application Firewall (WAF)? ### Monitoring and Troubleshooting 
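Review bot: the new firewall questions are nested under a bullet that is itself a sentence ("- Some of the below questions help you to adopt the right sizing and deployment model of the network firewall."), so they render as a sub-list of that sentence; make the sentence a short paragraph and keep the questions as top-level bullets alongside the existing WAF question. Within the list, "Does the customer need to protect traffic from VCN to VCN?" and "do you want to protect inter-VCN traffic and/or inter-subnet traffic from within the same VCN?" ask the same thing twice, so merge them, and "IPSEC/FC" should be spelled out as IPSec VPN / FastConnect for a customer document. Also worth noting that the removed NGFW question was the only one that introduced the term used later in the Networking guide ("Nextgen firewall"); consider keeping one line that defines it.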
@@ -975,3 +938,79 @@ Easily create, deploy, and manage Secure Sockets Layer/Transport Layer Security You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see [Monitoring](https://docs.oracle.com/iaas/Content/Monitoring/home.htm) and [Notifications](https://docs.oracle.com/en-us/iaas/Content/Notification/home.htm#top). - [Networking Metrics](https://docs.oracle.com/en-us/iaas/Content/Network/Reference/networkmetrics.htm) + +## Manageability + +OCI offers a full set of services to cover all Observability and Monitoring requirements. + +![OCI Observability](snippets/observability-and-manageability/manageability-annex/images/OCIObservability.png) + +Thanks to AI algorithms the OCI O&M (Observability and Management) solutions offer valuable insights into system status, requirements, and trends. Furthermore, it identifies SQL performance issues. This proactive approach empowers proactive measures to prevent future issues. + +### OCI O&M Services List + +The observability and management services include the following services: + +[Application Performance Monitoring](https://docs.oracle.com/en-us/iaas/Content/connector-hub/overview.htm) offers in-depth insight into application performance and facilitates rapid diagnostics to ensure a reliable level of service. This includes monitoring various components and application logic spread across clients, third-party services, and backend computing tiers, whether on-premises or in the cloud. + +[Database Management](https://docs.oracle.com/en-us/iaas/database-management/index.html) provides comprehensive database performance diagnostics and management capabilities to monitor and manage Oracle databases. + +[Logging](https://docs.oracle.com/en-us/iaas/Content/Logging/home.htm) lets you enable, view, and manage all the logs in your tenancy and provides access to logs from Oracle Cloud Infrastructure resources. 
These logs include critical diagnostic information that describes how resources are performing and being accessed. + +[Logging Analytics](https://docs.oracle.com/en-us/iaas/logging-analytics/home.htm) is a unified, integrated cloud solution that enables users to monitor, aggregate, index, analyze, search, explore, and correlate all log data from their applications and system infrastructure. + +[OCI Monitoring](https://docs.oracle.com/en-us/iaas/Content/Monitoring/home.htm) enables you to query [metrics](https://docs.oracle.com/en-us/iaas/Content/Monitoring/Concepts/monitoringoverview.htm#SupportedServices) and manage [alarms](https://docs.oracle.com/en-us/iaas/Content/Monitoring/Tasks/managingalarms.htm). Metrics and alarms help monitor the health, capacity, and performance of your cloud resources. + +[Ops Insights](https://docs.oracle.com/en-us/iaas/operations-insights/index.html) provides a 360-degree insight into the resource utilization and capacity of Oracle Autonomous Databases. You can easily analyze CPU and storage resources, forecast capacity issues, and proactively identify SQL performance issues across a fleet of Autonomous Databases. + +[Service Connector Hub](https://docs.oracle.com/en-us/iaas/Content/connector-hub/overview.htm) is a cloud message bus platform that offers a single pane of glass for describing, running, and monitoring interactions for data moving between Oracle Cloud Infrastructure services. + +[Stack Monitoring](https://docs.oracle.com/en-us/iaas/stack-monitoring/index.html) enables proactive monitoring of applications and their underlying stack, including application servers and databases. By discovering all components of an application, including the application topology, Stack Monitoring automatically collects status, load, response, error, and utilization metrics for all application components. Each component of the application stack is referred to as a resource. 
+ +### Real-Time Monitoring Annex + +| Service/Product Name | Description | Collateral | +|-----------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Monitoring** | OCI Monitoring collects PaaS and IaaS OCI services metrics. It is enabled by default for all the OCI services. | [List of metrics collected by default](https://docs.oracle.com/en-us/iaas/Content/Monitoring/Concepts/monitoringoverview.htm#SupportedServices) | +| **OCI Application Performance Monitor** | APM is a Distributed Tracing System as a Service. It enables DevOps teams to follow every step of every task. It uses open standards such as OpenTelemetry to monitor various programming languages. Plus, it includes a dedicated Java agent to track older J2EE applications, ensuring complete transaction tracing even in mixed environments. | [OCI Application Performance Monitoring](https://docs.oracle.com/en-us/iaas/Content/connector-hub/overview.htm) | +| **OCI Console** | The Service Console offers a list of visual representations and basic information about critical metrics like CPU, memory, and storage. | [OCI Console](https://docs.oracle.com/en-us/iaas/Content/GSG/Concepts/console.htm) `
`{=html} [Resource Usage Tracking](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcemonitoring.htm) | +| **OCI Database Management (opt to OEM)** | It is an OCI-managed service that simplifies database operations and enhances efficiency. It offers advanced monitoring and diagnostic capabilities, enabling proactive management and optimization of database performance. | [List of metrics collected by OCI Database Management](https://docs.oracle.com/en-us/iaas/database-management/doc/database-management-metrics.html) | +| **Stack Monitoring** | Stack Monitoring lets you proactively monitor an application and its underlying application stack, including application servers and databases. | [Stack Monitoring for Oracle Database](https://docs.oracle.com/en-us/iaas/stack-monitoring/doc/promotion-and-discovery.html#GUID-633470D8-9FC3-4FD7-A34A-2A7208586AD6) | +| **Third-Party Tools - Service Connector Hub** | OCI provides complete O&M capabilities. However, for customers who prefer to use their own tools, OCI allows seamless integration through the Service Connect Hub. | [OCI Connector Hub](https://docs.oracle.com/en-us/iaas/Content/connector-hub/overview.htm)`
`{=html}`
`{=html} [Third-Party Tools Use Cases](https://github.com/oracle-devrel/technology-engineering/tree/main/manageability-and-operations/observability-and-manageability) | + +### Performance and Tuning Annex + +| Service/Product Name | Description | Collateral | +|------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **OCI Logging** | The OCI Logging service is a highly scalable and fully managed single pane of glass for all the logs in your tenancy. Logging provides access to logs from Oracle Cloud Infrastructure resources. These logs include critical diagnostic information that describes how resources are performing and being accessed. | [OCI Logging](https://docs.oracle.com/en-us/iaas/Content/Logging/home.htm) | +| **OCI Monitoring** | Use the Oracle Cloud Infrastructure Monitoring service to actively and passively monitor cloud resources using the Metrics and Alarms features. Metric data posted to the Monitoring service is only presented to you or consumed by the Oracle Cloud Infrastructure features that you enable to use metric data. 
| [OCI Monitoring](https://docs.oracle.com/en-us/iaas/Content/Monitoring/home.htm) | +| **OCI Dashboard** | The Console Dashboards service allows you to create custom dashboards in the Oracle Cloud Infrastructure Console to monitor resources, diagnostics, and key metrics for your tenancy. | [OCI Dashboard](https://docs.oracle.com/en-us/iaas/Content/Dashboards/home.htm) | +| **OCI Logging Analytics** | OCI Logging Analytics empowers users to analyze log data from diverse sources across their infrastructure. It provides insights into system performance, identifies trends, and enables proactive resource optimization by correlating data from multiple layers of the infrastructure. | [OCI Logging Analytics](https://docs.oracle.com/en-us/iaas/logging-analytics/home.htm) | +| **OCI Application Performance Monitor** | APM allows to drill down from user sessions till the single DB query or external call to identify performance bottleneck. | [OCI Application Performance Monitoring](https://docs.oracle.com/en-us/iaas/Content/connector-hub/overview.htm) | +| **OCI Database Management - PerfHub** | Is an OCI-managed service that offers performance and tuning capabilities. It provides the same performance and tuning features as the Oracle Enterprise Manager (OEM) Performance and Tuning Pack but in a managed solution. | [Database Management Performance Hub](https://docs.oracle.com/en-us/iaas/performance-hub/index.html) | +| **Ops Insights Sql Warehouse and Capacity Planning** | OCI Ops Insights allows for the tracking of metrics charts and data collection. It allows for the correlation of resources across various infrastructure layers. Additionally, it predicts high resource utilization for computing and database instances. | [OCI Operations Insight SQL Warehouse](https://docs.oracle.com/en-us/iaas/operations-insights/doc/operations-insights.html#GUID-9F401CEC-8B90-4B0C-AF2B-6780BA3E799D) `
`{=html} [OCI Operations Insight Capacity planning](https://docs.oracle.com/en-us/iaas/operations-insights/doc/operations-insights.html#GUID-B2A3E104-494B-46A5-9F3E-8E3977C9328F) | + +### Administration Annex + +| Service/Product Name | Description | Collateral | +|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------| +| **OCI Console** | The OCI Console is embedded in all cloud services. It allows basic tasks such as listing, starting, stopping, or termination of ressources. | [OCI Console](https://docs.oracle.com/en-us/iaas/database-tools/doc/using-oracle-cloud-infrastructure-console.html) | +| **OCI Database Management** | This OCI-managed service allows you to manage your databases. It provides a subset of functionalities offered by the OEM. | [Database Management](https://www.oracle.com/it/manageability/database-management/) | +| **OCI Organization Management** | The OCI Console has several tenancy management features. You can use Organization Management to centrally manage your multi-tenancy environment. 
| [Organization Management](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm) | + +### Troubleshooting Annex + +| Service/Product Name | Description | Collateral | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Logging Analytics** | OCI Logging Analytics can handle log events generated by all software applications and infrastructure on the cloud or on-premises. For Oracle software logs, a predefined severity pre-classification exists based on Oracle experience. | [OCI Logging Analytics](https://github.com/oracle-quickstart/terraform-oci-open-lz/blob/master/design/OCI_Open_LZ.pdf) `
`{=html} [OCI Logging Analytics for Exa](https://github.com/oracle-quickstart/terraform-oci-open-lz/blob/master/design/OCI_Open_LZ.pdf) | +| **OCI Application Performance Monitor** | APM allows to drill down from user sessions till the application logs to find the root cause. | [OCI Application Performance Monitoring](https://docs.oracle.com/en-us/iaas/Content/connector-hub/overview.htm) | +| **OCI Database Management** | OCI-managed service that allows you to drill down and correlate metrics and data from different layers. it provides built-in links that allow you to connect to other O&M services (ex. Ops Insights). | [Database Management](https://www.oracle.com/it/manageability/database-management/) | +| **Ops Insights** | OCI Ops Insights allows tracking of metrics charts and data collection. It allows for the correlation of resources from different infrastructure layers. | [OCI Operations Insight](https://docs.oracle.com/en-us/iaas/operations-insights/doc/operations-insights.html) `
`{=html} [OCI ExaInsight](https://blogs.oracle.com/cloud-infrastructure/post/available-now-exadata-insights-in-oracle-cloud-infrastructure-operations-insights) | + +### Cost Control and Chargeback Annex + +| Service/Product Name | Description | Collateral | +|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Ops Insights Capacity Planning** | This OCI-managed service allows one to predict the resource consumption for a year. With tags, you can associate the forecast and the consumption to a specific department. | [Operations Insight Capacity Planning](https://docs.oracle.com/en-us/iaas/operations-insights/doc/operations-insights.html#GUID-B2A3E104-494B-46A5-9F3E-8E3977C9328F) | +| **Cost Analysis** | Cost Analysis is an easy-to-use visualization tool to help you track and optimize your Oracle Cloud Infrastructure spending. It allows for the generation of charts and the download of accurate and reliable tabular reports of aggregated cost data. With tags, you can associate the forecast and the consumption to a specific department. | [OCI Cost Analysis](https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/costanalysisoverview.htm) `
`{=html} | +| **Usage RestAPI** | OCI offers various RestAPI’s to manage services, including the one for cost management. | [OCI Usage RestAPI](https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/costanalysisoverview.htm#cost_analysis_using_the_api) `
`{=html} |
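Review bot: in the Performance and Tuning Annex the APM collateral points at the wrong service. `[OCI Application Performance Monitoring](https://docs.oracle.com/en-us/iaas/Content/connector-hub/overview.htm)` is the Connector Hub overview, not the APM documentation, and the same link is reused for the APM row in the Troubleshooting Annex; both should point at the APM docs. Wording in the same table: "Ops Insights Sql Warehouse" should be "SQL Warehouse", and "APM allows to drill down from user sessions till the single DB query or external call" reads better as "APM lets you drill down from a user session to the individual DB query or external call".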
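Review bot: in the Administration Annex two collateral links do not match their rows. The OCI Console row links to `database-tools/doc/using-oracle-cloud-infrastructure-console.html`, which covers the Console only for Database Tools, while the description talks about the Console for all cloud services; a general Console page would fit better. The Database Management row links to `https://www.oracle.com/it/manageability/database-management/`, an Italian-locale marketing page, whereas every other row links to docs.oracle.com; the same link recurs for Database Management in the Troubleshooting Annex. Typo in the Console description: "termination of ressources" should be "resources", and "listing, starting, stopping, or terminating" keeps the list parallel.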
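Review bot: in the Troubleshooting Annex both Logging Analytics links, `[OCI Logging Analytics](https://github.com/oracle-quickstart/terraform-oci-open-lz/blob/master/design/OCI_Open_LZ.pdf)` and `[OCI Logging Analytics for Exa](...OCI_Open_LZ.pdf)`, point at the same file, the terraform-oci-open-lz design PDF, which is a landing-zone design document and not Logging Analytics documentation. The Performance and Tuning Annex already links the right page, https://docs.oracle.com/en-us/iaas/logging-analytics/home.htm, which can be reused here, and the Exadata variant needs a target of its own or should be dropped. Minor wording in the same table: "drill down from user sessions till the application logs" should be "down to the application logs"; in the Database Management row, "it provides built-in links" needs a capital "It" and "(ex. Ops Insights)" should be "(e.g. Ops Insights)".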
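Review bot: in the Cost Control and Chargeback Annex the sentence "With tags, you can associate the forecast and the consumption to a specific department." appears verbatim in both the Ops Insights Capacity Planning row and the Cost Analysis row; keep it once per service where it applies and say "associate ... with" rather than "to". "Usage RestAPI" and "RestAPI's" should be "Usage REST API" and "REST APIs", and that row's collateral anchors into the Cost Analysis overview (`#cost_analysis_using_the_api`) rather than a Usage API reference, so the link text promises more than the target page delivers.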