1. Why OCI for Modern Architecture?
Many architects underestimate how much OCI has matured. Today, OCI offers:
- Low-latency networking with deterministic performance.
- Flexible compute shapes (standard, dense I/O, high memory).
- A Kubernetes service (OKE) with enterprise-level resilience.
- Cloud-native storage (Block, Object, File).
- A full security stack (Vault, Cloud Guard, WAF, IAM policies).
- A pricing model that is often 30–50% cheaper than equivalent hyperscaler deployments.
Reference: OCI Overview
https://docs.oracle.com/en-us/iaas/Content/home.htm
2. Multi-Tier Production Architecture Overview
A typical production workload on OCI includes:
- Network Layer: VCN, subnets, NAT, DRG, Load Balancers
- Compute Layer: OKE, VMs, Functions
- Data Layer: Autonomous DB, PostgreSQL, MySQL, Object Storage
- Security Layer: OCI Vault, WAF, IAM policies
- Observability Layer: Logging, Monitoring, Alarms, Prometheus/Grafana
- Automation Layer: Terraform, OCI CLI, GitHub Actions/Azure DevOps
3. Networking Foundation
You start with a Virtual Cloud Network (VCN), structured in a way that isolates traffic properly:
VCN Example Layout
- 10.10.0.0/16 — VCN Root
- 10.10.1.0/24 — Public Subnet (Load Balancers)
- 10.10.2.0/24 — Private Subnet (Applications / OKE Nodes)
- 10.10.3.0/24 — DB Subnet
- 10.10.4.0/24 — Bastion Subnet
Terraform Example
resource "oci_core_vcn" "main" {
  cidr_block     = "10.10.0.0/16"
  compartment_id = var.compartment_ocid
  display_name   = "prod-vcn"
}

resource "oci_core_subnet" "private_app" {
  compartment_id             = var.compartment_ocid   # required for every subnet
  vcn_id                     = oci_core_vcn.main.id
  cidr_block                 = "10.10.2.0/24"
  prohibit_public_ip_on_vnic = true                   # private subnet: no public IPs on node VNICs
  display_name               = "app-private-subnet"
}
Reference: OCI Networking Concepts
https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm
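The layout above only isolates traffic if the address plan and the ingress rules on each subnet actually match the design. The following script is an added example (not code from the article or from Oracle) that checks both before anything is applied: every subnet sits inside the VCN, no two subnets overlap, and no ingress rule opens a private subnet to the internet, uses a source broader than one subnet, or permits a flow the design does not list. The subnet layout copies the article's sample VCN; the allowed-flow matrix, the `(destination, source CIDR, port)` rule format and the sample rules are constructed assumptions that mirror OCI security-list ingress rules in simplified form.

```python
"""Pre-apply checks for the VCN address plan in section 3.

Added example: not code from the article or from Oracle. The subnet layout
copies the article's sample VCN; ALLOWED_FLOWS, the rule tuple format and
SAMPLE_RULES are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

VCN_CIDR = "10.10.0.0/16"

# subnet name -> (CIDR, reachable from the internet?)
SUBNETS: Dict[str, Tuple[str, bool]] = {
    "public-lb":   ("10.10.1.0/24", True),
    "app-private": ("10.10.2.0/24", False),
    "db":          ("10.10.3.0/24", False),
    "bastion":     ("10.10.4.0/24", False),
}

# (source subnet, destination subnet, TCP port) flows the design permits.
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("public-lb", "app-private", 8080),   # load balancer -> application pods
    ("app-private", "db", 5432),          # application -> database
    ("bastion", "app-private", 22),       # operators -> nodes via the bastion
}

# Constructed ingress rules: (destination subnet, source CIDR, TCP port).
SAMPLE_RULES: List[Tuple[str, str, int]] = [
    ("public-lb", "0.0.0.0/0", 443),        # ok: public LB accepts HTTPS
    ("app-private", "10.10.1.0/24", 8080),  # ok: LB subnet -> app
    ("db", "10.10.2.0/24", 5432),           # ok: app subnet -> db
    ("db", "0.0.0.0/0", 5432),              # finding: database exposed to the internet
    ("db", "10.10.0.0/16", 5432),           # finding: whole VCN, broader than the design
    ("app-private", "10.10.4.0/24", 22),    # ok: bastion -> app nodes
]


def check_address_plan(vcn_cidr: str, subnets: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Every subnet must sit inside the VCN and no two subnets may overlap."""
    findings: List[str] = []
    vcn = ipaddress.ip_network(vcn_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vcn):
            findings.append(f"{name}: {net} lies outside VCN {vcn}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return findings


def check_ingress_rules(rules: List[Tuple[str, str, int]],
                        subnets: Dict[str, Tuple[str, bool]],
                        allowed_flows: Set[Tuple[str, str, int]]) -> List[str]:
    """Flag rules that expose a private subnet externally, use a source that is
    not exactly one defined subnet, or permit a flow missing from the design."""
    findings: List[str] = []
    vcn = ipaddress.ip_network(VCN_CIDR)
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in subnets.items()}
    for dest, source, port in rules:
        src = ipaddress.ip_network(source)
        if not src.subnet_of(vcn):
            # Source is outside the VCN: only an internet-facing subnet may accept it.
            if not subnets[dest][1]:
                findings.append(f"{dest}: port {port} open to external source {src}")
            continue
        matching = [name for name, net in nets.items() if src.subnet_of(net)]
        if not matching:
            findings.append(f"{dest}: source {src} is not a single defined subnet")
            continue
        for src_name in matching:
            if (src_name, dest, port) not in allowed_flows:
                findings.append(f"{dest}: flow {src_name} -> {dest}:{port} is not in the design")
    return findings


if __name__ == "__main__":
    for f in check_address_plan(VCN_CIDR, SUBNETS) + check_ingress_rules(SAMPLE_RULES, SUBNETS, ALLOWED_FLOWS):
        print("FINDING:", f)
```

Run it as a step before `terraform apply`; with the sample rules it reports exactly the two `db` rules. Feeding it the rules from your security lists or NSGs (after mapping them to the same tuples) turns the "isolates traffic properly" intent into a check that fails the pipeline.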
4. Deploying Workloads on OKE (Oracle Kubernetes Engine)
OKE is one of OCI’s strongest services due to:
- Native integration with VCN
- Worker nodes running inside your own subnets
- The ability to use OCI Load Balancers or NGINX ingress
- Strong security by default
Cluster Creation Example (CLI)
oci ce cluster create \
  --name prod-oke \
  --vcn-id ocid1.vcn.oc1... \
  --kubernetes-version "1.30.1" \
  --compartment-id <compartment_ocid>
Node Pool Example
oci ce node-pool create \
  --name prod-nodepool \
  --cluster-id <cluster_ocid> \
  --compartment-id <compartment_ocid> \
  --kubernetes-version "1.30.1" \
  --node-shape VM.Standard3.Flex \
  --node-shape-config '{"ocpus":4,"memoryInGBs":32}' \
  --subnet-ids '["<subnet_ocid>"]'
The node pool needs its own --compartment-id, and its Kubernetes version must not be newer than the cluster's control plane.
5. Adding Ingress Traffic: OCI LB + NGINX
In multi-cloud architectures (Azure, GCP, OCI), it’s common to use Cloudflare or F5 for global routing, but within OCI you typically rely on:
- OCI Load Balancer (Layer 4/7)
- NGINX Ingress Controller on OKE
Example: Basic Ingress for Microservices
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: payments-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: payments.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: payments-svc
                port:
                  number: 8080
6. Secure Secrets With OCI Vault
Never store secrets in ConfigMaps or Docker images.
OCI Vault integrates tightly with:
- Kubernetes Secrets via CSI Driver
- Database credential rotation
- Key management (KMS)
Example: Secret manifest populated from OCI Vault at deploy time
# db-secret.yaml is a template: the placeholder is filled from OCI Vault by the
# deploy step and the file is never committed with a real value, e.g.:
#   export OCI_VAULT_SECRET_DB_PASSWORD=$(oci secrets secret-bundle get \
#     --secret-id <secret_ocid> \
#     --query 'data."secret-bundle-content".content' --raw-output | base64 -d)
#   envsubst < db-secret.yaml | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
stringData:
  username: appuser
  password: ${OCI_VAULT_SECRET_DB_PASSWORD}
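Two things go wrong in practice with the rule "never store secrets in ConfigMaps or Docker images": a credential lands in a ConfigMap because it was easier, or a templated Secret like the one above is applied without its placeholder being rendered, so the literal string `${OCI_VAULT_SECRET_DB_PASSWORD}` becomes the password. The following script is an added example (not code from the article or from Oracle) that catches both in CI, plus `ENV`/`ARG` lines that bake a credential into an image. It uses only the standard library (no YAML parser), so it relies on the usual one-key-per-line manifest layout; the key-name patterns and the sample manifest and Dockerfile are constructed.

```python
"""Scan Kubernetes manifests and a Dockerfile for secrets that belong in OCI Vault.

Added example: not code from the article or from Oracle. Standard library
only; SECRET_KEY_RE, the sample manifest and the sample Dockerfile are
constructed assumptions.
"""
import re
from typing import List

# Key names that usually hold credential material.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
# Deploy-time template placeholders such as ${OCI_VAULT_SECRET_DB_PASSWORD}.
PLACEHOLDER_RE = re.compile(r"\$\{[A-Z0-9_]+\}")
# An indented "key: value" line inside a manifest.
KEY_VALUE_RE = re.compile(r"^\s+([A-Za-z0-9_.-]+):\s*(.*)$")


def split_documents(manifest: str) -> List[str]:
    """Split a multi-document YAML stream on '---' separators."""
    docs, current = [], []
    for line in manifest.splitlines():
        if line.strip() == "---":
            docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    docs.append("\n".join(current))
    return [d for d in docs if d.strip()]


def scan_manifest(manifest: str) -> List[str]:
    """Report credential-looking keys in ConfigMaps and unrendered placeholders anywhere."""
    findings: List[str] = []
    for doc in split_documents(manifest):
        kind_m = re.search(r"^kind:\s*(\S+)", doc, re.M)
        name_m = re.search(r"^\s+name:\s*(\S+)", doc, re.M)
        kind = kind_m.group(1) if kind_m else "?"
        name = name_m.group(1) if name_m else "<unnamed>"
        for line in doc.splitlines():
            m = KEY_VALUE_RE.match(line)
            if not m:
                continue
            key, value = m.groups()
            if kind == "ConfigMap" and SECRET_KEY_RE.search(key):
                findings.append(f"ConfigMap/{name}: key '{key}' looks like a credential; move it to OCI Vault")
            if PLACEHOLDER_RE.search(value):
                findings.append(f"{kind}/{name}: key '{key}' still contains placeholder {value}; "
                                "the template was not rendered before apply")
    return findings


def scan_dockerfile(dockerfile: str) -> List[str]:
    """Report ENV/ARG instructions that put a credential into image layers or build history."""
    findings: List[str] = []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m = re.match(r"^\s*(ENV|ARG)\s+([A-Za-z0-9_]+)\s*=?\s*(\S*)", line)
        if m and m.group(3) and SECRET_KEY_RE.search(m.group(2)):
            findings.append(f"Dockerfile:{lineno}: {m.group(1)} {m.group(2)} stores a credential in the image")
    return findings


# Constructed inputs: a ConfigMap carrying a password, and the article's Secret
# template applied without rendering its placeholder.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DB_HOST: db.internal
  DB_PASSWORD: hunter2
---
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
stringData:
  username: appuser
  password: ${OCI_VAULT_SECRET_DB_PASSWORD}
"""

SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV APP_PORT=8080
ENV DB_PASSWORD=hunter2
"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST) + scan_dockerfile(SAMPLE_DOCKERFILE):
        print("FINDING:", f)
```

Run it against the rendered manifests immediately before `kubectl apply`: a placeholder finding at that point means the Vault lookup in the deploy step silently failed, which is exactly the case where the cluster would otherwise receive a bogus credential.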
7. Observability: Logging + Monitoring + Prometheus
OCI Monitoring handles metrics out of the box (CPU, memory, LB metrics, OKE metrics).
But for application-level observability, you deploy Prometheus/Grafana.
Prometheus Helm Install
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install prometheus prometheus-community/kube-prometheus-stack \
  --namespace monitoring --create-namespace
Add a ServiceMonitor for your applications:
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: payments-monitor
  labels:
    release: prometheus   # kube-prometheus-stack only discovers ServiceMonitors carrying its release label by default
spec:
  selector:
    matchLabels:
      app: payments
  endpoints:
    - port: http
8. Disaster Recovery and Multi-Region Strategy
OCI provides:
- Block Volume replication
- Object Storage Cross-Region Replication
- Multi-AD (Availability Domain) deployment
- Cross-region DR using Remote Peering
Example: Autonomous DB Cross-Region DR
oci db autonomous-database create-adb-cross-region-disaster-recovery \
  --autonomous-database-id <db_ocid> \
  --disaster-recovery-region "eu-frankfurt-1"
9. CI/CD on OCI Using GitHub Actions
Example pipeline to build a Docker image and deploy to OKE. The OCI CLI authenticates with an API key held in repository secrets, because `oci session authenticate` is browser-based and cannot run on a hosted runner:
name: Deploy to OKE
on:
  push:
    branches: [ "main" ]
jobs:
  build-deploy:
    runs-on: ubuntu-latest
    env:
      # Non-interactive API-key auth for the OCI CLI; values come from repository secrets.
      OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
      OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
      OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }}
      OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }}
      OCI_CLI_REGION: us-ashburn-1
      IMAGE: iad.ocir.io/tenancy/myapp:${{ github.sha }}
    steps:
      - uses: actions/checkout@v3
      - name: Install OCI CLI
        run: pip install oci-cli
      - name: Build Docker Image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Log in to OCIR
        # OCIR username is "<object-storage-namespace>/<user>", password is an auth token
        run: echo "${{ secrets.OCIR_AUTH_TOKEN }}" | docker login iad.ocir.io -u "${{ secrets.OCIR_USERNAME }}" --password-stdin
      - name: Push Image to OCIR
        run: |
          docker tag myapp:${{ github.sha }} "$IMAGE"
          docker push "$IMAGE"
      - name: Fetch kubeconfig for the OKE cluster
        run: |
          oci ce cluster create-kubeconfig --cluster-id "${{ secrets.OKE_CLUSTER_OCID }}" \
            --file "$HOME/.kube/config" --region "$OCI_CLI_REGION" --token-version 2.0.0
      - name: Deploy to OKE
        run: kubectl set image deployment/myapp myapp="$IMAGE"
The final architecture looks like this (architecture diagram):
