Overview
Setting up an OCI tenancy properly from the beginning saves significant time and prevents security issues later. This guide covers creating a logical compartment structure, designing your Virtual Cloud Network (VCN) with proper subnet segmentation, and writing IAM policies that follow the principle of least privilege.
Prerequisites
- OCI tenancy administrator access
- OCI CLI installed and configured
- Understanding of your team structure and workload requirements
Step 1: Design Compartment Hierarchy
Compartments are the primary organizational unit in OCI. Design a hierarchy that reflects your organizational structure:
# Root Tenancy
# ├── Network (shared VCN, DRG, FastConnect)
# ├── Security (vaults, keys, bastion, audit)
# ├── Production
# │   ├── Prod-Compute
# │   ├── Prod-Database
# │   └── Prod-Storage
# ├── Non-Production
# │   ├── Dev
# │   ├── Staging
# │   └── QA
# └── Shared-Services (DNS, logging, monitoring)
# Create compartments
oci iam compartment create --name "Network" --description "Shared networking resources" --compartment-id $TENANCY_ID
oci iam compartment create --name "Security" --description "Security and compliance" --compartment-id $TENANCY_ID
oci iam compartment create --name "Production" --description "Production workloads" --compartment-id $TENANCY_ID
oci iam compartment create --name "Non-Production" --description "Dev/Test/Staging" --compartment-id $TENANCY_ID
# Create sub-compartments
oci iam compartment create --name "Prod-Compute" --description "Production compute" --compartment-id $PROD_COMPARTMENT_ID
oci iam compartment create --name "Prod-Database" --description "Production databases" --compartment-id $PROD_COMPARTMENT_ID
Step 2: Create Groups and Users
# Create groups (groups live in the tenancy root, so --compartment-id is the tenancy OCID and is required)
oci iam group create --compartment-id $TENANCY_ID --name "NetworkAdmins" --description "Network infrastructure team"
oci iam group create --compartment-id $TENANCY_ID --name "DBAdmins" --description "Database administrators"
oci iam group create --compartment-id $TENANCY_ID --name "Developers" --description "Development team"
oci iam group create --compartment-id $TENANCY_ID --name "SecurityAuditors" --description "Security and compliance team"
# Add users to groups
oci iam group add-user --group-id $GROUP_ID --user-id $USER_ID
Step 3: Write IAM Policies
# Network Admins - manage all networking in Network compartment
Allow group NetworkAdmins to manage virtual-network-family in compartment Network
Allow group NetworkAdmins to manage load-balancers in compartment Network
Allow group NetworkAdmins to read all-resources in tenancy
# DB Admins - manage databases in Production
Allow group DBAdmins to manage autonomous-database-family in compartment Production
Allow group DBAdmins to manage db-systems in compartment Production
Allow group DBAdmins to use virtual-network-family in compartment Network
# Developers - limited access to Non-Production
Allow group Developers to manage instance-family in compartment Non-Production
Allow group Developers to manage object-family in compartment Non-Production
Allow group Developers to use virtual-network-family in compartment Network
Allow group Developers to read autonomous-database-family in compartment Non-Production
# Security Auditors - read-only everywhere
Allow group SecurityAuditors to inspect all-resources in tenancy
Allow group SecurityAuditors to read audit-events in tenancy
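The statements above still have to be attached to a policy. The following is an added example (not part of the original guide) that lints a statement file for grants that exceed least privilege and then creates the policy with the OCI CLI; it assumes TENANCY_ID is exported and that statements arrive on stdin, one per line. The sample statements and the policy name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Lints policy statements for grants
# that exceed least privilege, then creates them as one policy with the OCI CLI.
# Assumes TENANCY_ID is exported. Statements arrive on stdin, one per line;
# blank lines and '#' comments are skipped (statements must not contain '"').

# Print over-broad grants and return 1 if any: manage/use at tenancy scope,
# and manage all-resources at any scope. Read-only grants (inspect/read) pass.
lint_policy_statements() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($0) ~ /to (manage|use) [a-z-]+ in tenancy/ { print "tenancy-wide write: " $0; bad = 1; next }
    tolower($0) ~ /to manage all-resources/ { print "manage all-resources: " $0; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Emit the JSON array --statements expects: ["Allow ...","Allow ..."].
statements_to_json() {
  awk '
    BEGIN { printf "[" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { printf "%s\"%s\"", (n++ ? "," : ""), $0 }
    END { print "]" }'
}

# Constructed sample: Developers statements from Step 3 plus one deliberately
# over-broad line so the lint has something to catch.
sample_statements() {
  cat <<'EOF'
# Developers - limited access to Non-Production
Allow group Developers to manage instance-family in compartment Non-Production
Allow group Developers to use virtual-network-family in compartment Network
Allow group Developers to manage all-resources in tenancy
EOF
}

# Create the policy in the tenancy root (so statements may name any compartment),
# refusing if the lint flags anything. Usage: create_policy <name> < statements.txt
create_policy() {
  stmts=$(cat)
  printf '%s\n' "$stmts" | lint_policy_statements >&2 \
    || { echo "refusing to create policy $1: narrow the statements above" >&2; return 1; }
  oci iam policy create --compartment-id "$TENANCY_ID" --name "$1" \
    --description "Least-privilege policy: $1" \
    --statements "$(printf '%s\n' "$stmts" | statements_to_json)"
}
```

Run `sample_statements | lint_policy_statements` to see the over-broad line flagged; a tenancy-wide read such as the NetworkAdmins statement passes the lint, so review those by hand.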
Step 4: Create VCN
# Create VCN in Network compartment
oci network vcn create \
--compartment-id $NETWORK_COMPARTMENT_ID \
--display-name "prod-vcn" \
--cidr-blocks '["10.0.0.0/16"]' \
--dns-label "prodvcn"
# Create Internet Gateway
oci network internet-gateway create \
--compartment-id $NETWORK_COMPARTMENT_ID \
--vcn-id $VCN_ID \
--display-name "prod-igw" \
--is-enabled true
# Create NAT Gateway
oci network nat-gateway create \
--compartment-id $NETWORK_COMPARTMENT_ID \
--vcn-id $VCN_ID \
--display-name "prod-nat"
# Create Service Gateway (for OCI services without internet)
# The all-services OCID is region-specific; list it for your region with: oci network service list
oci network service-gateway create \
--compartment-id $NETWORK_COMPARTMENT_ID \
--vcn-id $VCN_ID \
--display-name "prod-sgw" \
--services '[{"serviceId":"ocid1.service.oc1.ap-mumbai-1.all-services"}]'
Step 5: Create Subnets
# Public subnet (Load Balancers, Bastion)
oci network subnet create \
--compartment-id $NETWORK_COMPARTMENT_ID \
--vcn-id $VCN_ID \
--display-name "pub-subnet" \
--cidr-block "10.0.1.0/24" \
--dns-label "pubsub" \
--prohibit-public-ip-assignment false
# Private subnet (Application servers)
oci network subnet create \
--compartment-id $NETWORK_COMPARTMENT_ID \
--vcn-id $VCN_ID \
--display-name "app-subnet" \
--cidr-block "10.0.10.0/24" \
--dns-label "appsub" \
--prohibit-public-ip-assignment true
# Database subnet
oci network subnet create \
--compartment-id $NETWORK_COMPARTMENT_ID \
--vcn-id $VCN_ID \
--display-name "db-subnet" \
--cidr-block "10.0.20.0/24" \
--dns-label "dbsub" \
--prohibit-public-ip-assignment true
Step 6: Configure Security Lists
# Public subnet security list
# Ingress: 80, 443 from 0.0.0.0/0 | 22 from office CIDR
# Egress: All traffic allowed
# App subnet security list
# Ingress: 8080 from pub-subnet | 22 from pub-subnet (bastion)
# Egress: 1521/1522 to db-subnet | 443 to all (API calls)
# DB subnet security list
# Ingress: 1521/1522 from app-subnet ONLY
# Egress: None (no outbound needed)
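The rules above are written as comments; the following added example (not part of the original guide) turns them into the JSON that the OCI CLI expects and creates one security list per tier. It assumes NETWORK_COMPARTMENT_ID, VCN_ID and OFFICE_CIDR are exported, and takes the subnet CIDRs from Step 5; the display names are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: build the Step 6 rules as the JSON
# the OCI CLI expects and create one security list per tier. Assumes
# NETWORK_COMPARTMENT_ID, VCN_ID and OFFICE_CIDR are exported; subnet CIDRs are
# the ones from Step 5.
PUB_CIDR=10.0.1.0/24; APP_CIDR=10.0.10.0/24; DB_CIDR=10.0.20.0/24

# One stateful TCP rule: tcp_rule <ingress|egress> <cidr> <min-port> <max-port>
tcp_rule() {
  case $1 in
    ingress) peer="\"source\":\"$2\",\"sourceType\":\"CIDR_BLOCK\"" ;;
    egress)  peer="\"destination\":\"$2\",\"destinationType\":\"CIDR_BLOCK\"" ;;
    *) echo "tcp_rule: direction must be ingress or egress" >&2; return 1 ;;
  esac
  printf '{"protocol":"6",%s,"isStateless":false,"tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}' \
    "$peer" "$3" "$4"
}

# join_rules <rule-json>... -> JSON array
join_rules() {
  out=""
  for r in "$@"; do out="${out:+$out,}$r"; done
  printf '[%s]' "$out"
}

# Public tier: 80/443 from anywhere, 22 from the office only; unrestricted egress.
pub_ingress() { join_rules "$(tcp_rule ingress 0.0.0.0/0 80 80)" "$(tcp_rule ingress 0.0.0.0/0 443 443)" \
                           "$(tcp_rule ingress "$OFFICE_CIDR" 22 22)"; }
PUB_EGRESS='[{"protocol":"all","destination":"0.0.0.0/0","destinationType":"CIDR_BLOCK","isStateless":false}]'
# App tier: 8080 and 22 (bastion) from the public subnet; egress only to the DB
# listener ports and HTTPS for API calls.
app_ingress() { join_rules "$(tcp_rule ingress "$PUB_CIDR" 8080 8080)" "$(tcp_rule ingress "$PUB_CIDR" 22 22)"; }
app_egress()  { join_rules "$(tcp_rule egress "$DB_CIDR" 1521 1522)" "$(tcp_rule egress 0.0.0.0/0 443 443)"; }
# DB tier: 1521/1522 from the app subnet only, and no egress rules at all.
db_ingress()  { join_rules "$(tcp_rule ingress "$APP_CIDR" 1521 1522)"; }

create_security_list() {  # <display-name> <ingress-json> <egress-json>
  oci network security-list create --compartment-id "$NETWORK_COMPARTMENT_ID" --vcn-id "$VCN_ID" \
    --display-name "$1" --ingress-security-rules "$2" --egress-security-rules "$3"
}
create_tier_security_lists() {
  create_security_list pub-sl "$(pub_ingress)" "$PUB_EGRESS"
  create_security_list app-sl "$(app_ingress)" "$(app_egress)"
  create_security_list db-sl  "$(db_ingress)"  '[]'
}
```

A new list is not applied until it is attached to its subnet, for example with `oci network subnet update --subnet-id <subnet OCID> --security-list-ids '["<security list OCID>"]'`; until then the subnet keeps the VCN's default security list.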
Verification
- ✅ Compartments created matching organizational hierarchy
- ✅ Groups created for each team role
- ✅ IAM policies follow least-privilege principle
- ✅ VCN created with proper CIDR planning
- ✅ IGW, NAT, and Service Gateway configured
- ✅ Subnets segmented: public, app, database
- ✅ Security lists restrict traffic between tiers