Deploy SCCA compliant workloads using Oracle Cloud native SCCA Landing Zones

Mondo Culture Updated on 2024-02-01

Our goal is not only to make it easy for businesses to move to the cloud, but to support you at every step of your cloud business. Whether you are a small or medium-sized business or a large enterprise, our cloud service platform can help you transform your business digitally and let it soar in the cloud. We understand how important enterprise cloud is, especially in global competition, and the overseas business and services we provide will be strong backing for you.

So, why choose our cloud service platform? First, our platform has a significant price/performance advantage: our cloud servers are reasonably priced, perform well, and provide stable and efficient service. Second, our cloud solutions focus on security and reliability. We follow Oracle's cloud-native Secure Cloud Computing Architecture (SCCA) Landing Zone (SCCA LZ), which deploys a hardened architecture in the shortest possible time and with minimal manual intervention.

The SCCA, as defined by DISA, provides a barrier of protection between the Defense Information Systems Network (DISN) and the commercial cloud services used by the DoD, while optimizing the cost-performance trade-off in cyber security. Specifically, it protects the DISN infrastructure and adjacent tenants from attacks that originate from mission applications located within a cloud service environment (CSE). In short, our cloud service platform not only provides a powerful business cloud solution, but also protects your enterprise data and business continuity. Let's explore this new realm of cloud services and create the future of enterprises together.

Architecture is key to building a robust and secure cloud service platform. In addition to supporting the DISA SCCA standard, the landing zone provides a framework for running DoD Impact Level (IL) 4 and 5 workloads securely in the OC2 and OC3 realms of Oracle Cloud Infrastructure (the US Government Cloud realms). The design was originally intended for the Department of Defense, but any customer who wants to harden their landing zone can use it. Oracle's cloud-native SCCA Landing Zone reference architecture describes the abstract building blocks, components, and configurations needed to achieve SCCA compliance.

You can deploy this architecture on top of OCI's cloud-native services. The reference architecture is based on the DISA SCCA Functional Requirements Document (FRD) and includes the Cloud Access Point / Boundary CAP (CAP/BCAP), Virtual Datacenter Security Stack (VDSS), Virtual Datacenter Managed Services (VDMS), and Trusted Cloud Credential Manager (TCCM) components.

In our cloud service solution, an effective monitoring architecture is critical to DoD SCCA compliance. The landing zone's monitoring covers the VDSS, VDMS, and workload enclaves and meets the initial SCCA monitoring requirements, and the structure can be adapted to your administrators' operating model. OCI services emit metrics and events to the Monitoring and Events services, which you can view on dashboards. You can create alarms from queries over these metrics and event rules that match specific event types, which makes monitoring proactive rather than reactive. Alarms and event rules publish to Notifications topics that you create; a typical layout is one topic per enclave (VDSS, VDMS, workloads), each with its own rules and subscribers.
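The per-enclave layout described above, written out as Terraform. This is an added example, not code from the page or from Oracle's SCCA Landing Zone stack. The compartment OCIDs and the SOC mailbox are assumed inputs, the CPU threshold is illustrative, and the assumption that Cloud Guard problem events land in the VDMS compartment is marked in the code; place the event rule wherever Cloud Guard emits events in your tenancy.

```hcl
# Added example (not Oracle's SCCA LZ code): one Notifications topic per
# enclave, a metric alarm routed to the VDSS topic, and an Events rule that
# forwards new Cloud Guard problems to the VDMS topic.
# Assumed inputs: the three compartment OCIDs and var.soc_email.

variable "vdss_compartment_id"     { type = string }
variable "vdms_compartment_id"     { type = string }
variable "workload_compartment_id" { type = string }
variable "soc_email"               { type = string }

locals {
  # One topic per enclave so each team's alarms and events fan out separately.
  enclaves = {
    vdss     = var.vdss_compartment_id
    vdms     = var.vdms_compartment_id
    workload = var.workload_compartment_id
  }
}

resource "oci_ons_notification_topic" "enclave" {
  for_each       = local.enclaves
  compartment_id = each.value
  name           = "scca-${each.key}-alerts"
  description    = "Alarms and security events for the ${each.key} enclave"
}

# Every topic gets the SOC mailbox as a subscriber (assumed address).
resource "oci_ons_subscription" "soc" {
  for_each       = oci_ons_notification_topic.enclave
  compartment_id = each.value.compartment_id
  topic_id       = each.value.id
  protocol       = "EMAIL"
  endpoint       = var.soc_email
}

# Metric alarm: sustained CPU saturation on VDSS compute (for example a
# firewall host under a flood). The query is an MQL expression; 85% for 10
# minutes is an illustrative threshold, not a DISA requirement.
resource "oci_monitoring_alarm" "vdss_cpu" {
  compartment_id        = var.vdss_compartment_id
  metric_compartment_id = var.vdss_compartment_id
  display_name          = "vdss-cpu-saturation"
  namespace             = "oci_computeagent"
  query                 = "CpuUtilization[5m].mean() > 85"
  severity              = "CRITICAL"
  pending_duration      = "PT10M"
  is_enabled            = true
  destinations          = [oci_ons_notification_topic.enclave["vdss"].id]
  body                  = "VDSS compute CPU above 85% for 10 minutes"
  message_format        = "ONS_OPTIMIZED"
}

# Event rule: each new Cloud Guard problem is published to the VDMS topic.
# The condition is the JSON filter the Events service matches against.
# Assumption: the rule lives in the compartment where Cloud Guard emits
# problem events in this tenancy (taken here to be VDMS).
resource "oci_events_rule" "cloud_guard_problems" {
  compartment_id = var.vdms_compartment_id
  display_name   = "cloud-guard-problem-detected"
  is_enabled     = true
  condition = jsonencode({
    eventType = ["com.oraclecloud.cloudguard.problemdetected"]
  })
  actions {
    actions {
      action_type = "ONS"
      is_enabled  = true
      topic_id    = oci_ons_notification_topic.enclave["vdms"].id
    }
  }
}
```

Keeping topics per enclave, rather than one tenancy-wide topic, is what lets the VDSS network team and the VDMS security team subscribe to different streams and lets you change one enclave's rules without touching the others.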

In the architecture of Oracle's cloud-native SCCA Landing Zone, we integrate several key components to provide the highest quality of service and the highest level of security. Here is a closer look at the components of the architecture:

Availability domains: These are separate, independent data centers within a region. The physical resources in each availability domain are isolated from those in the other availability domains, providing fault tolerance. Availability domains don't share infrastructure such as power or cooling, so a failure in one is unlikely to affect the others within the region.

Autonomous Database: Oracle Autonomous Database is a fully managed, preconfigured database environment for transaction processing and data warehousing workloads. You don't configure or manage any hardware or install any software; OCI creates the database and backs up, patches, upgrades, and tunes it.

Cloud Guard: Use Oracle Cloud Guard to monitor and maintain the security of your OCI resources. Cloud Guard applies detector recipes that you define to check resources for security weaknesses and to watch for high-risk activity by operators and users. When it detects a misconfiguration or unsafe activity, Cloud Guard recommends corrective actions and, based on responder recipes that you define, helps you apply them.

Compartment: A compartment is a cross-region logical partition within an OCI tenancy. Use compartments to organize resources, control access to them, and set usage quotas. To control access to the resources in a compartment, define policies that specify who can access them and what they can do.

Dynamic routing gateway (DRG): A virtual router to which VCNs, IPSec VPN tunnels, and FastConnect virtual circuits attach.

Exadata Database Service: Oracle Exadata Database Service lets you harness the power of Exadata in the cloud. You can add database compute servers and storage servers as needed to configure flexible X8M and X9M systems.

FastConnect: OCI FastConnect provides an easy way to create a dedicated, private connection between your data center and OCI. FastConnect offers higher-bandwidth options and a more reliable network experience than internet-based connections.

Fault domains: A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your application can withstand physical server failures, system maintenance, and power failures within a fault domain.

Network Firewall: Provides intrusion detection and prevention and filters traffic according to rules.

Identity: The SCCA LZ assumes that identity domains are available in the realm where it is deployed. The X.509 feature flag is enabled as part of the landing zone deployment. DoD customers must provide their own X.509 identity provider (IdP), which must also support the SAML Holder-of-Key (HOK) profile. Once configured, federated users can sign in to the OCI Console with their Common Access Card (CAC) or Personal Identity Verification (PIV) card.

Tenancy-level services: Tenancy-wide services that are enabled for use with the landing zone, such as Cloud Guard and VSS.

Load balancer: OCI Load Balancing provides automated traffic distribution from a single entry point to multiple servers on the back end.

Local peering gateway (LPG): An LPG lets one virtual cloud network (VCN) peer with another VCN in the same region, so the VCNs communicate over private IP addresses without routing through the internet or your on-premises network.

Logging: This service is used for auditing. The landing zone includes a logging compartment that dumps all audit logs to a shared bucket with retention rules that ensure the logs cannot be modified. The DoD requires that this bucket be accessible to external users such as auditors without changing the permissions of the rest of the environment.

Logging Analytics: Oracle Logging Analytics is an OCI cloud solution that lets you index, enrich, aggregate, explore, search, analyze, correlate, visualize, and monitor all log data from your applications and system infrastructure, on-premises or in the cloud.

Monitoring: OCI and the landing zone provide several services that work together to deliver tenancy-wide monitoring. They set up a monitoring structure in the VDSS, VDMS, and workload components to cover your initial monitoring needs.

Network Address Translation (NAT) gateway: A NAT gateway lets private resources in a VCN reach hosts on the internet without exposing those resources to inbound connections from the internet.

Network: To protect all traffic (north-south and east-west), OCI recommends a hub-and-spoke topology in which traffic is routed through a central hub, the Virtual Datacenter Security Stack (VDSS) VCN, that is connected to several spoke networks.

Object Storage: Object Storage provides quick access to large amounts of structured and unstructured data, including database backups, analytics data, and images.

Region: An OCI region is a localized geographic area containing one or more data centers, called availability domains. Regions are independent of each other and may be far apart (across countries or even continents).
Security: The SCCA Landing Zone implements the following OCI cloud-native services to help your organization meet the SCCA VDMS security requirements:

Vault (key management).

Log archive bucket.

Streaming and Events.

Default log group.

Service connectors.

Vulnerability Scanning Service (VSS).

Cloud Guard.

Bastion.
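The log archive bucket and service connector from the list above, together with the Logging entry's requirement that auditors can read the archive without changes to the rest of the environment, as an added Terraform example. This is not code from the page or from Oracle's landing zone stack. The logging compartment OCID, tenancy OCID, Object Storage namespace, bucket name "scca-audit-archive" and an existing IAM group named "Auditors" are assumptions; the retention period and lock date are illustrative.

```hcl
# Added example (not Oracle's SCCA LZ code): a write-once audit archive.
# Assumed inputs: var.logging_compartment_id, var.tenancy_ocid,
# var.namespace (the Object Storage namespace) and an IAM group "Auditors".

variable "logging_compartment_id" { type = string }
variable "tenancy_ocid"           { type = string }
variable "namespace"              { type = string }

locals {
  archive_bucket = "scca-audit-archive"
}

# Retention rules and versioning are mutually exclusive on an OCI bucket, so
# versioning is left off. A locked retention rule blocks modification and
# deletion of objects until the duration passes, and the rule itself cannot
# be shortened or deleted once time_rule_locked is reached.
resource "oci_objectstorage_bucket" "audit_archive" {
  compartment_id = var.logging_compartment_id
  namespace      = var.namespace
  name           = local.archive_bucket
  access_type    = "NoPublicAccess"

  retention_rules {
    display_name = "audit-retention-1y"
    duration {
      time_amount = 365          # illustrative; use your records schedule
      time_unit   = "DAYS"
    }
    time_rule_locked = "2025-01-01T00:00:00Z"  # illustrative lock date
  }
}

# Service connector: the tenancy's Audit log (including sub-compartments)
# is copied continuously into the archive bucket under the "audit/" prefix.
resource "oci_sch_service_connector" "audit_to_archive" {
  compartment_id = var.logging_compartment_id
  display_name   = "audit-logs-to-archive"

  source {
    kind = "logging"
    log_sources {
      compartment_id = var.tenancy_ocid
      log_group_id   = "_Audit_Include_Subcompartment"
    }
  }

  target {
    kind               = "objectStorage"
    namespace          = var.namespace
    bucket             = oci_objectstorage_bucket.audit_archive.name
    object_name_prefix = "audit/"
  }
}

# Least-privilege access to the archive: the connector may write objects,
# the Auditors group may read them, and no other principal is granted
# anything here. Existing policies elsewhere in the tenancy are untouched.
resource "oci_identity_policy" "audit_archive_access" {
  compartment_id = var.logging_compartment_id
  name           = "scca-audit-archive-access"
  description    = "Connector writes, auditors read, nothing else"
  statements = [
    "Allow any-user to manage objects in compartment id ${var.logging_compartment_id} where all {request.principal.type='serviceconnector', target.bucket.name='${local.archive_bucket}', request.principal.compartment.id='${var.logging_compartment_id}'}",
    "Allow group Auditors to read buckets in compartment id ${var.logging_compartment_id}",
    "Allow group Auditors to read objects in compartment id ${var.logging_compartment_id} where target.bucket.name='${local.archive_bucket}'",
  ]
}
```

The practical check after applying this is to try, as a tenancy administrator, to delete an object from the bucket: with the retention rule in place the request is refused, which is the property the DoD requirement is asking for. Auditors get a scoped read grant on one bucket in one compartment, so giving an external reviewer access does not mean widening any other policy.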

Security list: For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

Security zones: A security zone enforces Oracle's security best practices from the start through policies such as requiring data encryption and denying public access to networks across an entire compartment.

Service Connector Hub: A service that moves data between OCI services.

Service gateway: A service gateway gives a VCN access to other Oracle services, such as Object Storage. Traffic from the VCN to Oracle services travels over the Oracle network infrastructure and does not traverse the internet.

Streaming: Enables real-time ingestion and consumption of high-volume data streams.

Tenancy: A tenancy is a secure, isolated partition that Oracle sets up in Oracle Cloud when you sign up for OCI. You create, organize, and manage your Oracle Cloud resources within your tenancy. A tenancy can be considered synonymous with a company or organization; typically a company has one tenancy, within which its organizational structure is reflected, and a tenancy is usually associated with a single subscription.

Tenancy-level services: These include identity domains, Identity and Access Management (IAM), policies, Audit, and Cloud Guard.

Virtual cloud networks (VCNs) and subnets: A VCN is a customizable, software-defined network that you set up in an OCI region. You can divide a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that does not overlap with the other subnets in the VCN. Subnets can be public or private.

Virtual Datacenter Managed Services (VDMS): Includes all the core services required to manage the operation of your environment, such as Vault, VSS, and Object Storage.

Virtual Datacenter Security Stack (VDSS): The VDSS VCN is the only point of entry and exit for traffic in your environment; traffic is isolated and routed through the network controls there.

Virtual Private Vault (VPV): An encryption management service that stores and manages the encryption keys and secrets used to access resources securely. For disaster recovery, the VPV replicates to the DR region for redundancy and key management.

Vulnerability Scanning Service (VSS): This service must be used to continuously scan all enclaves within the cloud service provider's environment.

Workload compartments: Each workload has a dedicated compartment and VCN, routed through the VDSS and a network firewall to communicate with on-premises systems.

Disclaimer: This document is for informational purposes only and is intended to assist you in planning the implementation and upgrade of product features. It is not a commitment to deliver any material or functionality and should not be relied on in making a purchasing decision. The development, release, and timing of any features or functionality described in this document are at Oracle's sole discretion. This document may refer to products, services, or security controls that are currently in the process of obtaining a DISA Impact Level 5 Provisional Authorization.

Recommendations:

Virtual cloud network (VCN): When you create a VCN, decide how many CIDR blocks you need and the size of each based on the number of resources you plan to attach to the VCN's subnets. Choose CIDR blocks from the standard private IP address space, and make sure they do not overlap with any other network (in OCI, your on-premises data center, or another cloud provider) to which you intend to establish a private connection.

Cloud Guard: Clone and customize the default recipes that Oracle provides to create custom detector and responder recipes. These recipes specify which types of security violations generate warnings and what actions may be taken on them.

Security zones: For resources that require the highest level of security, Oracle recommends security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies based on best practices.

Network security groups (NSGs): Use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend NSGs over security lists because NSGs let you separate your VCN's subnet layout from your application's security requirements.

Load balancer bandwidth: When you create a load balancer, you can choose a predefined shape with fixed bandwidth, or specify a custom (flexible) shape with a bandwidth range and let the service scale bandwidth automatically with traffic.

Considerations:

Performance: Performance within a region is not affected by the number of VCNs. Consider latency when peering with a VCN in a different region.
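The NSG recommendation above, shown as Terraform for a two-tier workload. This is an added example, not code from the page or from Oracle's landing zone stack. The workload compartment and VCN OCIDs and the VDSS hub CIDR are assumed inputs; the ports are the conventional HTTPS and SQL*Net ports and stand in for whatever the workload actually uses.

```hcl
# Added example (not Oracle's SCCA LZ code): NSGs instead of security lists,
# so rules attach to application tiers rather than to subnets.
# Assumed inputs: var.workload_compartment_id, var.workload_vcn_id and
# var.vdss_cidr (the hub VCN where the firewall and load balancer live).

variable "workload_compartment_id" { type = string }
variable "workload_vcn_id"         { type = string }
variable "vdss_cidr"               { type = string }

# An NSG starts empty (deny everything), unlike the default security list,
# which permits SSH from 0.0.0.0/0 and all egress.
resource "oci_core_network_security_group" "web" {
  compartment_id = var.workload_compartment_id
  vcn_id         = var.workload_vcn_id
  display_name   = "nsg-web"
}

resource "oci_core_network_security_group" "db" {
  compartment_id = var.workload_compartment_id
  vcn_id         = var.workload_vcn_id
  display_name   = "nsg-db"
}

# Web tier ingress: HTTPS only, and only from the VDSS hub, never 0.0.0.0/0.
resource "oci_core_network_security_group_security_rule" "web_https_from_vdss" {
  network_security_group_id = oci_core_network_security_group.web.id
  direction                 = "INGRESS"
  protocol                  = "6"   # TCP
  source_type               = "CIDR_BLOCK"
  source                    = var.vdss_cidr
  description               = "HTTPS from the VDSS hub only"
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}

# DB tier ingress: SQL*Net only from VNICs that are members of the web NSG.
# Because the source is an NSG rather than a CIDR, the rule keeps working if
# the web instances are moved to a different subnet.
resource "oci_core_network_security_group_security_rule" "db_from_web" {
  network_security_group_id = oci_core_network_security_group.db.id
  direction                 = "INGRESS"
  protocol                  = "6"
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.web.id
  description               = "SQL*Net from the web tier NSG"
  tcp_options {
    destination_port_range {
      min = 1521
      max = 1521
    }
  }
}

# Egress is explicit too: the web tier may open SQL*Net to the DB NSG and
# nothing else is granted here.
resource "oci_core_network_security_group_security_rule" "web_egress_db" {
  network_security_group_id = oci_core_network_security_group.web.id
  direction                 = "EGRESS"
  protocol                  = "6"
  destination_type          = "NETWORK_SECURITY_GROUP"
  destination               = oci_core_network_security_group.db.id
  description               = "SQL*Net to the DB tier NSG"
  tcp_options {
    destination_port_range {
      min = 1521
      max = 1521
    }
  }
}
```

Attach `nsg-web` and `nsg-db` to the instances' VNICs (or to the load balancer and database system) at creation time. Any subnet security list that also applies to those VNICs is evaluated in addition to the NSG, so if a subnet still carries the default security list, its open SSH rule remains in force; replace it with an empty or minimal list before relying on the NSG rules.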

Security: Use appropriate security mechanisms to protect the topology. The topology deployed with the provided Terraform carries the security characteristics described in this document.

Management: Most of the routes will be in the DRG, simplifying route management.

Operational costs: Monitor cloud consumption closely to keep operating costs within the design budget. The VDSS and VDMS compartments are configured with basic compartment-level tags.

Deployment: The Terraform code for this reference architecture is available as a sample stack in Oracle Cloud Infrastructure Resource Manager. You can also download it from GitHub and customize it to your specific business needs.
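The hub-and-spoke routing that the Network entry and the Management consideration describe (spokes reach everything only through the VDSS, and most routes live in the DRG), as an added Terraform example. It is not code from the page or from Oracle's landing zone stack. The VCN and compartment OCIDs and the OCID of the Network Firewall's private IP are assumed inputs; the firewall itself and the route tables inside the workload VCN are out of scope here.

```hcl
# Added example (not Oracle's SCCA LZ code): a DRG whose spoke route table
# sends all traffic to the VDSS attachment, and a VDSS-side ingress route
# table that hands that traffic to the Network Firewall before it reaches
# any VDSS subnet.
# Assumed inputs: var.vdss_compartment_id, var.vdss_vcn_id,
# var.workload_vcn_id and var.firewall_private_ip_id (OCID of the
# firewall's private IP, obtained separately).

variable "vdss_compartment_id"    { type = string }
variable "vdss_vcn_id"            { type = string }
variable "workload_vcn_id"        { type = string }
variable "firewall_private_ip_id" { type = string }

resource "oci_core_drg" "hub" {
  compartment_id = var.vdss_compartment_id
  display_name   = "scca-drg"
}

# VCN ingress route table on the VDSS attachment: traffic arriving from the
# DRG is forwarded to the firewall's private IP instead of straight to the
# destination subnet, so east-west and north-south flows are all inspected.
resource "oci_core_route_table" "vdss_ingress" {
  compartment_id = var.vdss_compartment_id
  vcn_id         = var.vdss_vcn_id
  display_name   = "vdss-drg-ingress"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.firewall_private_ip_id
  }
}

# The VDSS attachment keeps the DRG's default VCN route table, which imports
# every attached VCN's CIDR, so the firewall can reach all spokes.
resource "oci_core_drg_attachment" "vdss" {
  drg_id       = oci_core_drg.hub.id
  display_name = "vdss-attachment"
  network_details {
    id             = var.vdss_vcn_id
    type           = "VCN"
    route_table_id = oci_core_route_table.vdss_ingress.id
  }
}

# Spoke DRG route table with no import distribution: spokes learn no routes to
# each other or to on-premises directly. A single static rule points every
# destination at the VDSS attachment.
resource "oci_core_drg_route_table" "spokes" {
  drg_id       = oci_core_drg.hub.id
  display_name = "spoke-routes"
}

resource "oci_core_drg_route_table_route_rule" "spokes_to_vdss" {
  drg_route_table_id         = oci_core_drg_route_table.spokes.id
  destination                = "0.0.0.0/0"
  destination_type           = "CIDR_BLOCK"
  next_hop_drg_attachment_id = oci_core_drg_attachment.vdss.id
}

# Each workload VCN attaches with the spoke route table. Adding a second
# workload is one more attachment; no per-VCN peering or route edits.
resource "oci_core_drg_attachment" "workload" {
  drg_id             = oci_core_drg.hub.id
  display_name       = "workload-attachment"
  drg_route_table_id = oci_core_drg_route_table.spokes.id
  network_details {
    id   = var.workload_vcn_id
    type = "VCN"
  }
}
```

Two things this fragment relies on but does not create: the subnet route tables inside each workload VCN need a `0.0.0.0/0` rule whose target is the DRG, and the firewall subnet's route table in the VDSS VCN needs rules for the spoke and on-premises CIDRs pointing back at the DRG. With those in place, a packet from one workload to another crosses the DRG twice and the firewall once, which is the single choke point the VDSS entry describes. A quick verification is to trace a connection between two spokes and confirm it appears in the firewall's traffic log; if it does not, a spoke is holding a direct route.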

By following these recommendations and considerations, you can make sure your cloud service architecture meets your business needs while remaining efficient and secure when you deploy Oracle's cloud-native SCCA Landing Zone. As an Oracle Premier Partner, Agilewing is redefining how enterprises experience Oracle Cloud services. With a streamlined account-opening process and strong technical support, Agilewing turns the complex process of opening and operating an account into an easy, intuitive experience. With our one-stop shop, you can quickly get up and running with the full range of Oracle Cloud services and integrate seamlessly into the cloud. Agilewing's AgileCDN service, combined with OCI's cloud services, provides a global content acceleration solution. A network of more than 2,800 global POP nodes and 7,000 direct connection points keeps operations efficient and stable wherever in the world your business expands. Building on Oracle Cloud's technology, Agilewing is committed to simplifying cloud service setup, cloud migration, and going global. "Our partnership model provides customers with cost-effective solutions that allow them to focus more on their core business while enjoying the high performance and security of Oracle Cloud." Oracle Cloud, as a promising field, opens the door to new opportunities for enterprises with its high performance, security, and globally consistent service standards. Through Agilewing's professional services, both individual users and enterprises can easily enter this new era of technological innovation and high performance. Start exploring Oracle Cloud services with Agilewing today.
