Oracle Cloud Infrastructure (OCI): Complete Platform Guide for Enterprise

Oracle Cloud Infrastructure (OCI) is Oracle’s next-generation cloud platform designed for high-performance computing, AI/ML workloads, and enterprise applications. This comprehensive guide covers OCI’s architecture, core services, and best practices for production deployments.

Why Choose Oracle Cloud Infrastructure?

Key Differentiators

Performance: Bare metal instances, NVMe storage, and ultra-low latency networking
Pricing: Predictable pricing with significant cost advantages over other clouds
Oracle Integration: Native integration with Oracle Database, Applications, and middleware
Security: Defense-in-depth architecture with isolated networks by default
Consistency: Same performance across regions (no noisy neighbors)

OCI vs. Other Cloud Providers

Feature	OCI	AWS	Azure	GCP
Pricing Model	Simple, predictable	Complex, variable	Complex	Simple
Bare Metal	✅ Yes	⚠️ Limited	⚠️ Limited	❌ No
Network Isolation	✅ Default	Configuration	Configuration	Configuration
Oracle DB	✅ Optimized	Compatible	Compatible	Compatible
Free Tier	✅ Always Free	12 months	12 months	90 days

OCI Architecture

Regions and Availability Domains

┌────────────────────────────────────────────────────────────┐
│                      OCI Region (e.g., US-East)             │
│                                                              │
│  ┌──────────────────────────────────────────────────────┐  │
│  │         Availability Domain 1 (AD-1)                  │  │
│  │                                                        │  │
│  │  ┌──────────────┐  ┌──────────────┐  ┌────────────┐ │  │
│  │  │ Fault Domain │  │ Fault Domain │  │   Fault    │ │  │
│  │  │      1       │  │      2       │  │  Domain 3  │ │  │
│  │  │              │  │              │  │            │ │  │
│  │  │ Compute      │  │ Compute      │  │  Compute   │ │  │
│  │  │ Storage      │  │ Storage      │  │  Storage   │ │  │
│  │  │ Network      │  │ Network      │  │  Network   │ │  │
│  │  └──────────────┘  └──────────────┘  └────────────┘ │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                              │
│  ┌──────────────────────────────────────────────────────┐  │
│  │         Availability Domain 2 (AD-2)                  │  │
│  │         (Similar structure)                           │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                              │
│  ┌──────────────────────────────────────────────────────┐  │
│  │         Availability Domain 3 (AD-3)                  │  │
│  │         (Similar structure)                           │  │
│  └──────────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────────┘

Key Concepts:

Region: Geographic location (20+ regions globally)
Availability Domain (AD): Isolated data centers within a region
Fault Domain: Logical grouping within an AD for high availability

Core Services

1. Compute

VM Instances

# Create VM instance using OCI CLI
oci compute instance launch \
  --availability-domain "IYVq:US-ASHBURN-AD-1" \
  --compartment-id ocid1.compartment.oc1..unique_ID \
  --shape VM.Standard.E4.Flex \
  --shape-config '{"ocpus": 2, "memoryInGBs": 16}' \
  --image-id ocid1.image.oc1.iad.unique_ID \
  --subnet-id ocid1.subnet.oc1.iad.unique_ID \
  --display-name "web-server-01" \
  --assign-public-ip true \
  --ssh-authorized-keys-file ~/.ssh/id_rsa.pub \
  --metadata '{
    "user_data": "IyEvYmluL2Jhc2gKCmVjaG8gIkluc3RhbGxpbmcgd2ViIHNlcnZlci4uLiIKYXB0LWdldCB1cGRhdGUKeXVtIGluc3RhbGwgLXkgbmdpbng="
  }'

Using Terraform

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = "~> 5.0"
    }
  }
}

provider "oci" {
  region           = var.region
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
}

# Compute Instance
resource "oci_core_instance" "web_server" {
  availability_domain = data.oci_identity_availability_domain.ad.name
  compartment_id      = var.compartment_id
  shape               = "VM.Standard.E4.Flex"

  shape_config {
    ocpus         = 2
    memory_in_gbs = 16
  }

  create_vnic_details {
    subnet_id        = oci_core_subnet.public_subnet.id
    display_name     = "web-server-vnic"
    assign_public_ip = true
    nsg_ids          = [oci_core_network_security_group.web_nsg.id]
  }

  source_details {
    source_type = "image"
    source_id   = data.oci_core_images.oracle_linux.images[0].id
  }

  metadata = {
    ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    user_data = base64encode(templatefile("cloud-init.yaml", {
      hostname = "web-server-01"
    }))
  }

  display_name = "web-server-01"

  freeform_tags = {
    "Environment" = "Production"
    "ManagedBy"   = "Terraform"
  }
}

# Bare Metal Instance for Database
resource "oci_core_instance" "database_server" {
  availability_domain = data.oci_identity_availability_domain.ad.name
  compartment_id      = var.compartment_id
  shape               = "BM.Standard.E4.128"

  create_vnic_details {
    subnet_id        = oci_core_subnet.private_subnet.id
    display_name     = "db-server-vnic"
    assign_public_ip = false
  }

  source_details {
    source_type = "image"
    source_id   = data.oci_core_images.oracle_linux.images[0].id
  }

  display_name = "database-server-01"
}

# Block Volume
resource "oci_core_volume" "data_volume" {
  availability_domain = data.oci_identity_availability_domain.ad.name
  compartment_id      = var.compartment_id
  display_name        = "data-volume"
  size_in_gbs         = 1024
  vpus_per_gb         = 20  # Ultra High Performance
}

# Attach volume to instance
resource "oci_core_volume_attachment" "data_volume_attachment" {
  attachment_type = "paravirtualized"
  instance_id     = oci_core_instance.database_server.id
  volume_id       = oci_core_volume.data_volume.id
}

2. Networking

Virtual Cloud Network (VCN)

# VCN with public and private subnets
resource "oci_core_vcn" "main" {
  compartment_id = var.compartment_id
  display_name   = "main-vcn"
  cidr_blocks    = ["10.0.0.0/16"]
  dns_label      = "mainvcn"

  freeform_tags = {
    "Environment" = "Production"
  }
}

# Internet Gateway
resource "oci_core_internet_gateway" "main" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.main.id
  display_name   = "internet-gateway"
  enabled        = true
}

# NAT Gateway
resource "oci_core_nat_gateway" "main" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.main.id
  display_name   = "nat-gateway"
}

# Service Gateway (for OCI services)
resource "oci_core_service_gateway" "main" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.main.id
  display_name   = "service-gateway"

  services {
    service_id = data.oci_core_services.all_services.services[0].id
  }
}

# Public Subnet
resource "oci_core_subnet" "public_subnet" {
  compartment_id      = var.compartment_id
  vcn_id              = oci_core_vcn.main.id
  cidr_block          = "10.0.1.0/24"
  display_name        = "public-subnet"
  dns_label           = "public"
  route_table_id      = oci_core_route_table.public_route_table.id
  security_list_ids   = [oci_core_security_list.public_security_list.id]
  prohibit_public_ip_on_vnic = false
}

# Private Subnet
resource "oci_core_subnet" "private_subnet" {
  compartment_id      = var.compartment_id
  vcn_id              = oci_core_vcn.main.id
  cidr_block          = "10.0.2.0/24"
  display_name        = "private-subnet"
  dns_label           = "private"
  route_table_id      = oci_core_route_table.private_route_table.id
  security_list_ids   = [oci_core_security_list.private_security_list.id]
  prohibit_public_ip_on_vnic = true
}

# Public Route Table
resource "oci_core_route_table" "public_route_table" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.main.id
  display_name   = "public-route-table"

  route_rules {
    destination       = "0.0.0.0/0"
    network_entity_id = oci_core_internet_gateway.main.id
  }
}

# Private Route Table
resource "oci_core_route_table" "private_route_table" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.main.id
  display_name   = "private-route-table"

  route_rules {
    destination       = "0.0.0.0/0"
    network_entity_id = oci_core_nat_gateway.main.id
  }

  route_rules {
    destination       = data.oci_core_services.all_services.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.main.id
  }
}

# Network Security Group for Web Tier
resource "oci_core_network_security_group" "web_nsg" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.main.id
  display_name   = "web-nsg"
}

# NSG Rules
resource "oci_core_network_security_group_security_rule" "web_ingress_http" {
  network_security_group_id = oci_core_network_security_group.web_nsg.id
  direction                 = "INGRESS"
  protocol                  = "6"  # TCP
  source                    = "0.0.0.0/0"
  source_type               = "CIDR_BLOCK"

  tcp_options {
    destination_port_range {
      min = 80
      max = 80
    }
  }
}

resource "oci_core_network_security_group_security_rule" "web_ingress_https" {
  network_security_group_id = oci_core_network_security_group.web_nsg.id
  direction                 = "INGRESS"
  protocol                  = "6"
  source                    = "0.0.0.0/0"
  source_type               = "CIDR_BLOCK"

  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}

resource "oci_core_network_security_group_security_rule" "web_egress_all" {
  network_security_group_id = oci_core_network_security_group.web_nsg.id
  direction                 = "EGRESS"
  protocol                  = "all"
  destination               = "0.0.0.0/0"
  destination_type          = "CIDR_BLOCK"
}

3. Load Balancing

# Load Balancer
resource "oci_load_balancer_load_balancer" "web_lb" {
  compartment_id = var.compartment_id
  display_name   = "web-load-balancer"
  shape          = "flexible"

  shape_details {
    minimum_bandwidth_in_mbps = 10
    maximum_bandwidth_in_mbps = 100
  }

  subnet_ids = [
    oci_core_subnet.public_subnet.id
  ]

  is_private = false
}

# Backend Set
resource "oci_load_balancer_backend_set" "web_backend_set" {
  load_balancer_id = oci_load_balancer_load_balancer.web_lb.id
  name             = "web-backend-set"
  policy           = "ROUND_ROBIN"

  health_checker {
    protocol            = "HTTP"
    port                = 80
    url_path            = "/health"
    interval_ms         = 10000
    timeout_in_millis   = 3000
    retries             = 3
    return_code         = 200
  }
}

# Backends
resource "oci_load_balancer_backend" "web_backend_1" {
  load_balancer_id = oci_load_balancer_load_balancer.web_lb.id
  backendset_name  = oci_load_balancer_backend_set.web_backend_set.name
  ip_address       = oci_core_instance.web_server.private_ip
  port             = 80
  backup           = false
  drain            = false
  offline          = false
  weight           = 1
}

# Listener
resource "oci_load_balancer_listener" "web_listener_https" {
  load_balancer_id         = oci_load_balancer_load_balancer.web_lb.id
  name                     = "https-listener"
  default_backend_set_name = oci_load_balancer_backend_set.web_backend_set.name
  port                     = 443
  protocol                 = "HTTP"

  ssl_configuration {
    certificate_name        = oci_load_balancer_certificate.ssl_cert.certificate_name
    verify_peer_certificate = false
  }
}

# SSL Certificate
resource "oci_load_balancer_certificate" "ssl_cert" {
  load_balancer_id   = oci_load_balancer_load_balancer.web_lb.id
  certificate_name   = "ssl-certificate"
  ca_certificate     = file("${path.module}/certs/ca.crt")
  private_key        = file("${path.module}/certs/private.key")
  public_certificate = file("${path.module}/certs/public.crt")
}

4. Object Storage

# Create bucket
oci os bucket create \
  --compartment-id $COMPARTMENT_ID \
  --name production-data \
  --public-access-type NoPublicAccess \
  --storage-tier Standard \
  --versioning Enabled

# Upload object
oci os object put \
  --bucket-name production-data \
  --file /path/to/file.txt \
  --name data/file.txt

# Create pre-authenticated request (PAR)
oci os preauth-request create \
  --bucket-name production-data \
  --name "temp-access" \
  --access-type ObjectRead \
  --time-expires "2026-12-31T23:59:59Z" \
  --object-name data/file.txt

# Python SDK example
import oci

config = oci.config.from_file()
object_storage = oci.object_storage.ObjectStorageClient(config)

namespace = object_storage.get_namespace().data

# Upload file
with open('data.txt', 'rb') as f:
    object_storage.put_object(
        namespace,
        'production-data',
        'data/data.txt',
        f
    )

# Download file
get_obj = object_storage.get_object(
    namespace,
    'production-data',
    'data/data.txt'
)

with open('downloaded.txt', 'wb') as f:
    for chunk in get_obj.data.raw.stream(1024 * 1024, decode_content=False):
        f.write(chunk)

5. Autonomous Database

# Autonomous Database
resource "oci_database_autonomous_database" "app_database" {
  compartment_id           = var.compartment_id
  db_name                  = "APPDB"
  display_name             = "Application Database"
  admin_password           = var.db_admin_password
  cpu_core_count           = 2
  data_storage_size_in_tbs = 1
  db_version               = "19c"
  db_workload              = "OLTP"  # or "DW" for data warehouse
  is_auto_scaling_enabled  = true
  is_free_tier             = false
  license_model            = "LICENSE_INCLUDED"

  subnet_id                       = oci_core_subnet.private_subnet.id
  nsg_ids                         = [oci_core_network_security_group.database_nsg.id]
  is_mtls_connection_required     = true
  is_data_guard_enabled           = true

  freeform_tags = {
    "Environment" = "Production"
  }
}

# Autonomous Database Backup
resource "oci_database_autonomous_database_backup" "app_database_backup" {
  autonomous_database_id = oci_database_autonomous_database.app_database.id
  display_name          = "manual-backup-$(date +%Y%m%d)"
}

Identity and Access Management (IAM)

Compartments

# Compartment structure
resource "oci_identity_compartment" "production" {
  compartment_id = var.tenancy_ocid
  description    = "Production environment"
  name           = "production"
}

resource "oci_identity_compartment" "network" {
  compartment_id = oci_identity_compartment.production.id
  description    = "Network resources"
  name           = "network"
}

resource "oci_identity_compartment" "compute" {
  compartment_id = oci_identity_compartment.production.id
  description    = "Compute resources"
  name           = "compute"
}

resource "oci_identity_compartment" "database" {
  compartment_id = oci_identity_compartment.production.id
  description    = "Database resources"
  name           = "database"
}

Policies

# IAM Policy
resource "oci_identity_policy" "network_admins" {
  compartment_id = oci_identity_compartment.production.id
  description    = "Policy for network administrators"
  name           = "network-admins-policy"

  statements = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment production:network",
    "Allow group NetworkAdmins to manage load-balancers in compartment production:network",
    "Allow group NetworkAdmins to manage network-security-groups in compartment production:network",
  ]
}

resource "oci_identity_policy" "compute_operators" {
  compartment_id = oci_identity_compartment.production.id
  description    = "Policy for compute operators"
  name           = "compute-operators-policy"

  statements = [
    "Allow group ComputeOperators to manage instance-family in compartment production:compute",
    "Allow group ComputeOperators to manage volume-family in compartment production:compute",
    "Allow group ComputeOperators to use virtual-network-family in compartment production:network",
  ]
}

Monitoring and Observability

Monitoring Queries

# Query metrics using Python SDK
import oci
from datetime import datetime, timedelta

monitoring = oci.monitoring.MonitoringClient(config)

# Query CPU utilization
end_time = datetime.utcnow()
start_time = end_time - timedelta(hours=1)

query = """
CpuUtilization[1m]{resourceId="ocid1.instance.oc1.iad.unique_ID"}.mean()
"""

result = monitoring.summarize_metrics_data(
    compartment_id=compartment_id,
    summarize_metrics_data_details=oci.monitoring.models.SummarizeMetricsDataDetails(
        namespace="oci_computeagent",
        query=query,
        start_time=start_time,
        end_time=end_time,
        resolution="1m"
    )
)

for metric_data in result.data:
    print(f"Metric: {metric_data.name}")
    for datapoint in metric_data.aggregated_datapoints:
        print(f"  {datapoint.timestamp}: {datapoint.value}")

Alarms

# Alarm for high CPU
resource "oci_monitoring_alarm" "high_cpu" {
  compartment_id        = var.compartment_id
  display_name          = "high-cpu-alarm"
  is_enabled            = true
  metric_compartment_id = var.compartment_id
  namespace             = "oci_computeagent"
  query                 = "CpuUtilization[1m].mean() > 80"
  severity              = "CRITICAL"

  destinations = [oci_ons_notification_topic.alerts.id]

  repeat_notification_duration = "PT2H"

  body    = "CPU utilization is above 80%"
  message_format = "PRETTY_JSON"
}

# Notification Topic
resource "oci_ons_notification_topic" "alerts" {
  compartment_id = var.compartment_id
  name           = "production-alerts"
}

# Email Subscription
resource "oci_ons_subscription" "email_alert" {
  compartment_id = var.compartment_id
  topic_id       = oci_ons_notification_topic.alerts.id
  protocol       = "EMAIL"
  endpoint       = "ops-team@example.com"
}

Security Best Practices

1. Vault for Secrets Management

# Vault
resource "oci_kms_vault" "production_vault" {
  compartment_id = var.compartment_id
  display_name   = "production-vault"
  vault_type     = "DEFAULT"
}

# Master Encryption Key
resource "oci_kms_key" "master_key" {
  compartment_id = var.compartment_id
  display_name   = "master-encryption-key"

  key_shape {
    algorithm = "AES"
    length    = 32
  }

  management_endpoint = oci_kms_vault.production_vault.management_endpoint
}

# Secret
resource "oci_vault_secret" "database_password" {
  compartment_id = var.compartment_id
  vault_id       = oci_kms_vault.production_vault.id
  key_id         = oci_kms_key.master_key.id
  secret_name    = "database-admin-password"

  secret_content {
    content_type = "BASE64"
    content      = base64encode(var.db_admin_password)
  }
}

2. Cloud Guard

# Enable Cloud Guard
oci cloud-guard configuration update \
  --reporting-region us-ashburn-1 \
  --status ENABLED

# Create Cloud Guard target
oci cloud-guard target create \
  --compartment-id $COMPARTMENT_ID \
  --display-name "production-target" \
  --target-resource-type COMPARTMENT \
  --target-resource-id $COMPARTMENT_ID

Cost Optimization

Always Free Resources

2 Oracle Autonomous Databases (20 GB each)
2 Compute VMs (AMD E2.1 Micro)
2 Block Volumes (200 GB total)
10 GB Object Storage
10 GB Archive Storage
Resource Manager
Monitoring and Notifications

Cost Tracking

# View cost analysis
oci usage-api usage-summary list-usage-summaries \
  --tenant-id $TENANCY_OCID \
  --time-usage-started "2026-01-01T00:00:00Z" \
  --time-usage-ended "2026-01-31T23:59:59Z" \
  --granularity DAILY \
  --query-type COST

# Set budget alerts
oci budget budget create \
  --compartment-id $COMPARTMENT_ID \
  --amount 1000 \
  --reset-period MONTHLY \
  --target-compartment-id $COMPARTMENT_ID \
  --display-name "Monthly Budget" \
  --alert-rule-recipients '["budget-alerts@example.com"]' \
  --alert-rule-threshold 80 \
  --alert-rule-type ACTUAL

Conclusion

Oracle Cloud Infrastructure provides a robust, high-performance platform designed for enterprise workloads. With its focus on security, predictable pricing, and bare-metal performance, OCI is particularly well-suited for Oracle database workloads, enterprise applications, and high-performance computing.

The platform’s emphasis on isolation, consistent performance, and deep integration with Oracle technologies makes it a compelling choice for organizations already invested in Oracle ecosystems or seeking superior price-performance ratios.

Ready to master Oracle Cloud? Explore our cloud training programs or contact us for customized OCI training tailored to your team’s needs.