
OCI Enterprise Workload Deployment — Compute, Load Balancer, WAF and Security Zones Architecture with Diagrams

A complete architectural guide to deploying enterprise workloads on Oracle Cloud Infrastructure using OCI Compute instances, Flexible Load Balancer, Web Application Firewall, and Security Zones. Includes architecture diagrams, Terraform configurations, and security best practices from real-world deployments.

By Sujay Singh | Published: May 22, 2026 | 6 min read

Figure: OCI Enterprise Architecture

Oracle Cloud Infrastructure offers a compelling platform for enterprise workload deployment, combining aggressive pricing with enterprise-grade security features. In this guide, I will walk through the complete architecture for deploying a production application on OCI using Compute instances, Flexible Load Balancer, WAF, and Security Zones — the same architecture I have deployed for banking and government clients requiring the highest levels of security and compliance.

Architecture Overview

┌─────────────────────────────────────────────────────────────────┐
│                        INTERNET                                   │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                ┌─────────▼─────────┐
                │    OCI WAF         │  ← Edge Protection
                │  (WAF Policy)      │    OWASP, Bot Mgmt, Rate Limit
                └─────────┬─────────┘
                          │
                ┌─────────▼─────────┐
                │  OCI Flexible      │  ← SSL Termination
                │  Load Balancer     │    Layer 7 Routing
                │  (Public Subnet)   │    Health Checks
                └────┬─────────┬────┘
                     │         │
         ┌───────────▼──┐  ┌──▼───────────┐
         │   AD-1        │  │   AD-2        │
         │ (Fault Domain)│  │ (Fault Domain)│
         │              │  │              │
         │ ┌──────────┐ │  │ ┌──────────┐ │
         │ │ Compute  │ │  │ │ Compute  │ │  ← Instance Pool
         │ │ VM.Std3  │ │  │ │ VM.Std3  │ │    Auto Scaling
         │ │ (4 OCPU) │ │  │ │ (4 OCPU) │ │
         │ └──────────┘ │  │ └──────────┘ │
         │              │  │              │
         │ ┌──────────┐ │  │ ┌──────────┐ │
         │ │ Compute  │ │  │ │ Compute  │ │
         │ │ VM.Std3  │ │  │ │ VM.Std3  │ │
         │ └──────────┘ │  │ └──────────┘ │
         └──────┬───────┘  └──────┬───────┘
                │                  │
    ┌───────────▼──────────────────▼───────────┐
    │          SECURITY ZONE                     │
    │  (Maximum Security Recipe Enforced)        │
    │                                           │
    │  ┌─────────────┐    ┌─────────────────┐  │
    │  │ OCI DB System│    │ OCI Object      │  │
    │  │ (RAC - 2Node)│    │ Storage         │  │
    │  │ Encrypted    │    │ (Private Bucket)│  │
    │  └─────────────┘    └─────────────────┘  │
    └───────────────────────────────────────────┘

Component 1: OCI WAF (Edge Protection)

OCI WAF operates at Oracle's global edge network, inspecting traffic before it enters your VCN. My standard WAF policy configuration for enterprise deployments:

OCI WAF Policy Configuration:
├── Protection Rules:
│   ├── OWASP ModSecurity Core Rule Set 3.x
│   ├── SQL Injection Protection (Collaborative Detection)
│   ├── XSS Protection (Recursive Decode)
│   ├── Remote File Inclusion Protection
│   ├── PHP Injection Protection
│   └── Command Injection Protection
├── Access Control:
│   ├── IP Rate Limiting: 500 req/min per IP
│   ├── Geo-Blocking: Block non-business countries
│   ├── CAPTCHA Challenge: Suspicious IPs
│   └── Human Interaction Challenge: Bot detection
├── Bot Management:
│   ├── Known Bot Allow List (Googlebot, Bingbot)
│   ├── JavaScript Challenge for unknown bots
│   └── CAPTCHA for failed JS challenge
└── Custom Rules:
    ├── Block requests with no User-Agent
    ├── Block requests > 10MB body size
    └── Rate limit login endpoint: 10 req/min

Component 2: OCI Flexible Load Balancer

OCI Flexible Load Balancer provides Layer 7 load balancing with bandwidth ranging from 10 Mbps to 8 Gbps. Unlike AWS ALB, which charges per LCU (load balancer capacity unit), OCI charges a flat rate based on your selected bandwidth — making costs predictable and often lower for high-traffic applications.

Load Balancer Configuration:
├── Shape: Flexible (Min: 100 Mbps, Max: 1 Gbps)
├── Subnet: Public Regional Subnet
├── Listeners:
│   ├── HTTPS (443) → Backend Set (weighted round robin)
│   └── HTTP (80) → Redirect Rule → HTTPS
├── SSL Configuration:
│   ├── Certificate: OCI Certificates Service (auto-renewed)
│   ├── Cipher Suite: oci-wider-compatible-ssl-cipher-suite-v1
│   └── Protocol: TLSv1.2, TLSv1.3
├── Backend Set:
│   ├── Policy: Weighted Round Robin
│   ├── Session Persistence: Disabled
│   └── Health Check:
│       ├── Protocol: HTTP
│       ├── Port: 8080
│       ├── URL Path: /health
│       ├── Interval: 10000ms
│       ├── Timeout: 3000ms
│       └── Retries: 3
├── Path Route Sets:
│   ├── /api/* → Backend Set (API servers)
│   ├── /static/* → Backend Set (CDN origin)
│   └── /* → Backend Set (Web servers)
└── Network Security Group: Allow 443, 80 from 0.0.0.0/0
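The load balancer configuration above expressed in Terraform for the OCI provider. This is an added example, not the author's own module; the variables (var.compartment_ocid, var.certificate_ocid) and the referenced subnet and NSG resources (oci_core_subnet.public_lb, oci_core_network_security_group.nsg_lb) are assumed to be defined elsewhere in the configuration.

```hcl
# Flexible shape: billed on the bandwidth range, scales between min and max
resource "oci_load_balancer_load_balancer" "app_lb" {
  compartment_id             = var.compartment_ocid
  display_name               = "app-lb"
  shape                      = "flexible"
  subnet_ids                 = [oci_core_subnet.public_lb.id]
  is_private                 = false
  network_security_group_ids = [oci_core_network_security_group.nsg_lb.id]
  shape_details {
    minimum_bandwidth_in_mbps = 100
    maximum_bandwidth_in_mbps = 1000
  }
}

# Backend set: a backend is taken out of rotation after 3 consecutive failed probes
resource "oci_load_balancer_backend_set" "web" {
  load_balancer_id = oci_load_balancer_load_balancer.app_lb.id
  name             = "web-servers"
  policy           = "WEIGHTED_ROUND_ROBIN"
  health_checker {
    protocol          = "HTTP"
    port              = 8080
    url_path          = "/health"
    interval_ms       = 10000
    timeout_in_millis = 3000
    retries           = 3
    return_code       = 200
  }
}

# HTTPS listener: TLS terminates here; only TLS 1.2/1.3 are negotiated with clients
resource "oci_load_balancer_listener" "https" {
  load_balancer_id         = oci_load_balancer_load_balancer.app_lb.id
  name                     = "https"
  default_backend_set_name = oci_load_balancer_backend_set.web.name
  port                     = 443
  protocol                 = "HTTP"
  ssl_configuration {
    certificate_ids   = [var.certificate_ocid] # OCI Certificates Service certificate
    cipher_suite_name = "oci-wider-compatible-ssl-cipher-suite-v1"
    protocols         = ["TLSv1.2", "TLSv1.3"]
  }
}
```

The plain-HTTP listener and its redirect rule set are omitted here for length; they attach to the same load balancer with a REDIRECT rule item returning 301 to the HTTPS listener.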

Component 3: Compute Instance Pool with Auto Scaling

Instance Pool Configuration:
├── Shape: VM.Standard3.Flex (4 OCPU, 32GB RAM)
├── Image: Custom Image (pre-configured golden image)
├── Placement: Spread across 2 Fault Domains
├── Instance Count: Min 2, Max 8, Desired 4
├── Auto Scaling Policy:
│   ├── Scale Out: CPU > 70% for 3 min → Add 1 instance
│   ├── Scale In: CPU < 25% for 10 min → Remove 1 instance
│   └── Cooldown: 300 seconds
├── Cloud-Init Script: Pull latest code, start app
├── Boot Volume: 100GB, encrypted with Vault key
└── Network: Private Subnet, no public IP

Component 4: Security Zones (OCI Unique Feature)

This is where OCI truly differentiates itself from AWS and Azure. Security Zones enforce security policies at the infrastructure level — preventing the creation of non-compliant resources entirely. The Maximum Security Recipe enforces:

Security Zone - Maximum Security Recipe:
├── Compute:
│   ├── All boot volumes MUST be encrypted with customer-managed key
│   ├── All instances MUST be in private subnets (no public IP)
│   └── All instances MUST use Shielded Instances
├── Networking:
│   ├── No security list can allow 0.0.0.0/0 on port 22
│   ├── No subnet can be public (except LB subnet)
│   └── All VCN flow logs MUST be enabled
├── Storage:
│   ├── All Object Storage buckets MUST be private
│   ├── All block volumes MUST be encrypted
│   └── No public pre-authenticated requests allowed
├── Database:
│   ├── All databases MUST use TDE encryption
│   ├── All databases MUST have automatic backups enabled
│   └── Database subnet MUST NOT have internet gateway route
└── Identity:
    ├── All resources MUST be tagged (CostCenter, Environment)
    └── No API keys older than 90 days

If anyone — even an administrator — tries to create a resource that violates these policies, the API call is blocked with a clear error message. This prevents configuration drift and ensures compliance is maintained continuously, not just at audit time.
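The Security Zone and the instance pool's launch template (Components 3 and 4) in Terraform, showing how each compute-side recipe rule is satisfied so that the pool's instances are accepted rather than blocked. This is an added example, not the author's configuration; it assumes the variables var.tenancy_ocid, var.compartment_ocid, var.golden_image_ocid and var.vault_key_ocid, the subnet resource oci_core_subnet.app_private, and that the recipe lookup by display name returns exactly one Oracle-managed recipe.

```hcl
# Oracle-managed recipe, looked up in the tenancy root (assumption: the
# display_name filter matches exactly one recipe)
data "oci_cloud_guard_security_recipes" "maximum" {
  compartment_id = var.tenancy_ocid
  display_name   = "Maximum Security Recipe"
}

# Every resource created in var.compartment_ocid is validated against the recipe
resource "oci_cloud_guard_security_zone" "app" {
  compartment_id          = var.compartment_ocid
  display_name            = "app-security-zone"
  security_zone_recipe_id = data.oci_cloud_guard_security_recipes.maximum.security_recipe_collection[0].items[0].id
}

# Launch template for the instance pool; each block below maps to a recipe rule
resource "oci_core_instance_configuration" "app" {
  compartment_id = var.compartment_ocid
  display_name   = "app-golden-config"
  instance_details {
    instance_type = "compute"
    launch_details {
      compartment_id = var.compartment_ocid
      shape          = "VM.Standard3.Flex"
      shape_config {
        ocpus         = 4
        memory_in_gbs = 32
      }
      create_vnic_details {                  # private subnet, no public IP
        subnet_id        = oci_core_subnet.app_private.id
        assign_public_ip = false
      }
      source_details {                       # boot volume encrypted with a Vault key
        source_type             = "image"
        image_id                = var.golden_image_ocid
        boot_volume_size_in_gbs = 100
        kms_key_id              = var.vault_key_ocid
      }
      platform_config {                      # Shielded Instance options
        type                               = "INTEL_VM"
        is_secure_boot_enabled             = true
        is_measured_boot_enabled           = true
        is_trusted_platform_module_enabled = true
      }
    }
  }
}
```

Removing kms_key_id, setting assign_public_ip to true, or pointing subnet_id at a public subnet makes the launch fail at the API with a Security Zone violation rather than producing a non-compliant instance.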

Network Security Architecture

VCN: 10.0.0.0/16
├── Public Subnet (10.0.1.0/24) - Load Balancer ONLY
│   ├── Route Table: Internet Gateway
│   ├── Security List: Allow 443, 80 inbound from 0.0.0.0/0
│   └── NSG-LB: Allow 443, 80 from anywhere
├── Private Subnet - App (10.0.10.0/24)
│   ├── Route Table: NAT Gateway (outbound only)
│   ├── Security List: Allow 8080 from LB subnet only
│   ├── NSG-App: Allow 8080 from NSG-LB
│   └── NSG-App: Allow 22 from Bastion subnet
├── Private Subnet - DB (10.0.20.0/24)
│   ├── Route Table: No internet route
│   ├── Security List: Allow 1521 from App subnet only
│   └── NSG-DB: Allow 1521 from NSG-App only
└── Private Subnet - Bastion (10.0.30.0/24)
    ├── Route Table: NAT Gateway
    └── OCI Bastion Service (session-based access)
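The two network controls that matter most in the layout above, the DB subnet with no internet route and the NSG-to-NSG rule for port 1521, as an added Terraform example (not the author's module). It assumes var.compartment_ocid; the app subnet, the LB and bastion subnets and their NSGs follow the same pattern and are left out.

```hcl
resource "oci_core_vcn" "main" {
  compartment_id = var.compartment_ocid
  cidr_blocks    = ["10.0.0.0/16"]
  display_name   = "enterprise-vcn"
}

# DB route table with no route rules at all: no internet gateway, no NAT,
# so nothing in 10.0.20.0/24 has a path out of the VCN
resource "oci_core_route_table" "isolated" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
}

resource "oci_core_subnet" "db_private" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.main.id
  cidr_block                 = "10.0.20.0/24"
  route_table_id             = oci_core_route_table.isolated.id
  prohibit_public_ip_on_vnic = true          # no VNIC here can ever get a public IP
}

resource "oci_core_network_security_group" "nsg_app" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
}

resource "oci_core_network_security_group" "nsg_db" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
}

# NSG-DB: 1521/tcp only from VNICs that are members of NSG-App. The source is
# another NSG, not a CIDR, so a rogue instance in the app subnet that is not
# in NSG-App still cannot reach the database.
resource "oci_core_network_security_group_security_rule" "db_from_app" {
  network_security_group_id = oci_core_network_security_group.nsg_db.id
  direction                 = "INGRESS"
  protocol                  = "6"
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.nsg_app.id
  tcp_options {
    destination_port_range {
      min = 1521
      max = 1521
    }
  }
}
```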

Cost Comparison: OCI vs AWS

Monthly Cost (Mumbai Region):
                          OCI          AWS
Compute (4x 4OCPU/32GB): $180         $340 (4x m5.xlarge)
Load Balancer:            $20          $25
WAF:                      $15          $15
Database (2-node RAC):    $350         $720 (Multi-AZ RDS)
Object Storage (1TB):     $25          $23
Data Transfer (500GB):    $0*          $45
Security Zones:           $0           N/A
─────────────────────────────────────────────
Total:                    $590         $1,168

*OCI includes 10TB/month free outbound data transfer

OCI delivers approximately 50% cost savings compared to an equivalent AWS architecture, primarily due to lower compute pricing, free outbound data transfer, and significantly cheaper database options. For organizations running Oracle databases, the savings are even more dramatic due to BYOL (Bring Your Own License) options.

Deployment with Terraform

I deploy this entire architecture using Terraform with OCI Resource Manager. The infrastructure-as-code approach ensures reproducibility, version control, and automated deployment across environments (dev, staging, production). The complete Terraform configuration is approximately 800 lines across 12 modules covering VCN, compute, load balancer, WAF, database, and security zones.

Written By

Sujay Singh

Editor-in-Chief at TechNews Venture with 10+ years of experience in technology journalism. Post Graduate in Technology, covering AI, cloud computing, cybersecurity, and emerging tech trends.
