{"id":901,"date":"2026-04-16T15:08:44","date_gmt":"2026-04-16T15:08:44","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-compute-cloud-customer-isolated-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-edge-cloud\/"},"modified":"2026-04-16T15:08:44","modified_gmt":"2026-04-16T15:08:44","slug":"oracle-cloud-compute-cloud-customer-isolated-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-edge-cloud","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-compute-cloud-customer-isolated-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-edge-cloud\/","title":{"rendered":"Oracle Cloud Compute Cloud@Customer Isolated Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Edge Cloud"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Edge Cloud<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What this service is<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated is an Oracle Cloud (OCI) \u201cCloud@Customer\u201d offering that delivers OCI-style compute capabilities (and the minimum required control plane) into a customer-controlled location\u2014typically an on-premises data center or a secure facility\u2014while operating in an <strong>isolated \/ disconnected<\/strong> mode designed for strict regulatory, sovereignty, or air-gapped requirements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">One-paragraph simple explanation<\/h3>\n\n\n\n<p>If you need to run virtual machines (and possibly bare metal workloads) using OCI concepts like compartments, VCNs, and OCI APIs\u2014but you <strong>cannot<\/strong> rely on continuous connectivity to a public Oracle Cloud region\u2014Compute Cloud@Customer Isolated brings the cloud to you, rather than sending your workloads to the cloud.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">One-paragraph technical 
explanation<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated is part of Oracle\u2019s Edge Cloud \/ Cloud@Customer portfolio. Oracle provides and supports infrastructure and a local control plane that exposes OCI-compatible interfaces for provisioning and managing compute resources on your premises. \u201cIsolated\u201d indicates that the environment is intended to operate without (or with extremely restricted) connectivity to Oracle Cloud public regions; operational workflows, patching\/support processes, and service availability are therefore different from standard OCI. Exact included services and operational procedures can vary by contract and release\u2014<strong>verify your specific deployment capabilities in the official documentation and your Oracle order documents<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What problem it solves<\/h3>\n\n\n\n<p>It solves the common \u201cwe need cloud automation and a cloud operating model, but our data and systems must stay in a controlled facility with limited external connectivity\u201d problem\u2014especially in government, defense, critical infrastructure, and regulated industries.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Compute Cloud@Customer Isolated?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated is designed to deliver <strong>OCI compute capabilities in a customer location<\/strong> under strict isolation requirements. 
It aims to provide a cloud-like provisioning and governance experience while meeting constraints such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No direct internet access<\/li>\n<li>No continuous connectivity to an OCI public region<\/li>\n<li>Strong data residency and operational control requirements<\/li>\n<\/ul>\n\n\n\n<p>Because product packaging can evolve, confirm the latest positioning and scope using Oracle\u2019s Cloud@Customer pages and the Compute Cloud@Customer documentation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud@Customer overview: https:\/\/www.oracle.com\/cloud\/cloud-at-customer\/<\/li>\n<li>OCI documentation portal (search within for \u201cCompute Cloud@Customer\u201d and \u201cIsolated\u201d): https:\/\/docs.oracle.com\/en-us\/iaas\/<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (conceptual)<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated typically focuses on the capabilities needed to run and manage compute workloads in an isolated environment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Provision and manage compute instances (VMs and\/or bare metal, depending on offering)<\/li>\n<li>OCI-style identity, access control, and resource organization (tenancy\/compartments, policies)<\/li>\n<li>OCI-style networking constructs (for example, VCN\/subnets\/security rules) <strong>to the extent included in your deployment<\/strong><\/li>\n<li>Images, boot volumes, and block storage primitives <strong>to the extent included<\/strong><\/li>\n<li>Programmatic management via OCI APIs\/SDKs\/CLI endpoints hosted within the isolated environment<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Important: The exact list of supported OCI services in a Cloud@Customer isolated deployment is not always identical to a public OCI region. 
Treat any service beyond core compute\/networking as <strong>\u201cverify in official docs for your deployment.\u201d<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (high level)<\/h3>\n\n\n\n<p>A typical Compute Cloud@Customer Isolated environment includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>On-premises infrastructure<\/strong> provided as part of the Cloud@Customer delivery (racks\/nodes, storage, networking appliances as applicable)<\/li>\n<li><strong>Local control plane<\/strong> exposing OCI-like APIs and a console endpoint hosted within the customer environment<\/li>\n<li><strong>Compute capacity<\/strong> (VM and\/or bare metal)<\/li>\n<li><strong>Local networking integration<\/strong> to connect the environment to customer networks<\/li>\n<li><strong>Operational tooling and processes<\/strong> for upgrades, patching, break-glass access, incident response, and metering (process differs in isolated mode)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Edge Cloud \/ Cloud@Customer<\/strong>: Oracle-managed or jointly operated cloud infrastructure placed in a customer-controlled site.<\/li>\n<li>Not a \u201cpure SaaS\u201d service; it is a delivered system plus an operating model.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope model (how it is \u201cscoped\u201d)<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated is best thought of as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Environment\/installation-scoped<\/strong>: It is tied to a specific customer site and delivered hardware\/control plane.<\/li>\n<li><strong>Tenancy-scoped within that environment<\/strong>: You typically organize resources using OCI-like constructs (tenancy, compartments, groups, policies).<\/li>\n<li><strong>Region-like endpoint, but local<\/strong>: You access services via local endpoints. 
Whether the environment presents a \u201cregion identifier\u201d similar to OCI public regions depends on the implementation\u2014<strong>verify in your deployment docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated aligns with OCI concepts, APIs, and governance patterns so teams can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply similar provisioning patterns (IaC, CI\/CD, API-driven operations)<\/li>\n<li>Standardize operational practices across public OCI and edge\/on-prem (where allowed)<\/li>\n<li>Support data sovereignty and air-gap requirements that public cloud regions may not satisfy<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Compute Cloud@Customer Isolated?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Meet strict residency and sovereignty constraints<\/strong> without giving up cloud-like operations.<\/li>\n<li><strong>Reduce approval friction<\/strong> for sensitive programs by keeping systems in controlled facilities.<\/li>\n<li><strong>Modernize legacy environments<\/strong> with automation and standardized governance patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Low-latency local compute<\/strong> for systems that must run near data sources or within secured networks.<\/li>\n<li><strong>Cloud-like provisioning APIs<\/strong> in an environment that cannot rely on public internet connectivity.<\/li>\n<li><strong>Consistency<\/strong> with OCI constructs (compartments, policies, networking patterns) for teams already using Oracle Cloud.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standard operating model<\/strong> for provisioning, change 
management, tagging, and access control.<\/li>\n<li><strong>Predictable environment boundary<\/strong> (a known site and hardware footprint).<\/li>\n<li><strong>Support model aligned to Oracle Cloud@Customer<\/strong> (exact responsibilities differ\u2014verify your contract and runbooks).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Supports scenarios requiring:\n<ul>\n<li><strong>Air-gapped or disconnected operations<\/strong><\/li>\n<li><strong>Controlled facility requirements<\/strong><\/li>\n<li><strong>Tight network egress control<\/strong><\/li>\n<li><strong>Local-only management endpoints<\/strong><\/li>\n<\/ul>\n<\/li>\n<li>Enables security teams to implement consistent controls around identity, segmentation, and logging within a defined boundary.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Provides cloud-style elasticity <strong>within the installed capacity<\/strong>.<\/li>\n<li>Scaling beyond installed capacity may require ordering additional capacity and change windows\u2014this is not the same as \u201cinfinite\u201d public cloud scaling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Compute Cloud@Customer Isolated when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI-like compute provisioning <strong>on premises<\/strong><\/li>\n<li>Strong isolation requirements (no\/limited external connectivity)<\/li>\n<li>A cloud operations model for regulated or classified environments<\/li>\n<li>A platform that can be standardized with Oracle Cloud practices<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When they should not choose it<\/h3>\n\n\n\n<p>Avoid (or reconsider) Compute Cloud@Customer Isolated if:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need rapid, unlimited capacity scaling without procurement lead 
times<\/li>\n<li>Your workloads require a broad set of managed services only available in public OCI regions<\/li>\n<li>You have no facility capability for hosting the system (power, cooling, physical security)<\/li>\n<li>You cannot support the operational processes required for an isolated environment (offline patching, curated repos, controlled access)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Compute Cloud@Customer Isolated used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<p>Commonly aligned industries include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Government \/ defense \/ intelligence (classified or sovereign environments)<\/li>\n<li>Critical infrastructure (energy, utilities, transportation)<\/li>\n<li>Healthcare (highly regulated patient data environments)<\/li>\n<li>Financial services (certain sovereign\/regulated zones)<\/li>\n<li>Manufacturing and industrial environments with strict OT\/IT separation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams building standardized internal clouds<\/li>\n<li>Security engineering teams enforcing isolation and segmentation<\/li>\n<li>SRE\/operations teams managing lifecycle and reliability<\/li>\n<li>DevOps teams implementing CI\/CD in restricted networks<\/li>\n<li>Application teams modernizing monoliths into VM-based micro-segmentation patterns<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Traditional enterprise applications requiring VMs<\/li>\n<li>COTS applications with strict deployment and network constraints<\/li>\n<li>Data processing pipelines operating on locally generated data<\/li>\n<li>Security tooling, SOC platforms, and offline analytics<\/li>\n<li>Private internal developer platforms (artifact repos, CI runners) in disconnected 
environments<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cOn-prem cloud region\u201d patterns with compartment-based governance<\/li>\n<li>Hub-and-spoke networks with strict segmentation<\/li>\n<li>Zero-trust internal network designs<\/li>\n<li>Multi-enclave architectures (for example, dev\/test vs prod separation at network + IAM levels)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secure data centers with controlled ingress\/egress<\/li>\n<li>Facilities with no internet connectivity<\/li>\n<li>Environments requiring local operator-only access<\/li>\n<li>Sites where audit evidence must remain on-prem<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: Common for regulated workloads that cannot leave the facility.<\/li>\n<li><strong>Dev\/test<\/strong>: Often used when dev\/test must mirror production isolation constraints (for example, classified programs).<\/li>\n<li>A common pattern is hybrid: dev\/test in public OCI, prod on isolated\u2014<strong>but only if policy permits<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Compute Cloud@Customer Isolated is a strong fit. 
Exact feasibility depends on your deployment\u2019s supported services\u2014verify against official docs for your environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Air-gapped mission system modernization<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A mission system must be modernized but cannot connect to the internet.<\/li>\n<li><strong>Why this service fits:<\/strong> Provides cloud-like provisioning and governance within an isolated environment.<\/li>\n<li><strong>Example scenario:<\/strong> A defense program migrates legacy VM workloads to an OCI-like on-prem environment, standardizing provisioning and patch windows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Sovereign data residency with cloud-style operations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Regulations require data to remain inside a specific facility or jurisdiction.<\/li>\n<li><strong>Why this service fits:<\/strong> Compute and management planes run locally under controlled boundaries.<\/li>\n<li><strong>Example scenario:<\/strong> A regulated agency runs citizen data workloads in an on-prem facility with strict access controls and local audit trails.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Secure build and CI\/CD runners for restricted codebases<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Build pipelines must operate on code that cannot be exposed to external services.<\/li>\n<li><strong>Why this service fits:<\/strong> CI runners can run on isolated compute instances; artifact flow can be kept internal.<\/li>\n<li><strong>Example scenario:<\/strong> A platform team hosts internal Git\/CI and runners on Compute Cloud@Customer Isolated with network segmentation by environment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) OT\/IT boundary enforcement for industrial sites<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Industrial control 
networks need compute for analytics without opening internet paths.<\/li>\n<li><strong>Why this service fits:<\/strong> Enables local compute close to OT data sources, with strict segmentation to IT.<\/li>\n<li><strong>Example scenario:<\/strong> A manufacturing site runs predictive maintenance analytics on local compute nodes, moving only aggregated results via controlled export.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Classified analytics enclave<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Analysts need compute capacity for batch processing in a classified enclave.<\/li>\n<li><strong>Why this service fits:<\/strong> Local compute scaling within installed capacity, with strong isolation properties.<\/li>\n<li><strong>Example scenario:<\/strong> A government team runs nightly analytics jobs on private subnets; access is restricted to jump hosts and approved workstations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) COTS application hosting in a disconnected facility<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A vendor application requires VMs and specific OS versions, and must be hosted offline.<\/li>\n<li><strong>Why this service fits:<\/strong> VM-based compute is well-suited for COTS; operations can be standardized.<\/li>\n<li><strong>Example scenario:<\/strong> A facility hosts a COTS case management platform with database and app tiers separated by network security groups.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Security tooling (SIEM collectors, forensics, malware analysis)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Security tooling must process sensitive logs\/artifacts locally.<\/li>\n<li><strong>Why this service fits:<\/strong> Compute instances can host collectors and analysis tools inside the secure boundary.<\/li>\n<li><strong>Example scenario:<\/strong> A SOC runs local log processing pipelines; only curated alerts are 
exported to a central system.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Private internal web applications for restricted users<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Internal users need web apps accessible only inside a secure network.<\/li>\n<li><strong>Why this service fits:<\/strong> App servers can be hosted on private subnets; access via internal load balancers (if available) or reverse proxies.<\/li>\n<li><strong>Example scenario:<\/strong> An internal portal runs on private IPs with strict ingress rules from corporate CIDRs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Offline data staging and transformation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Data enters via controlled media\/import processes and must be transformed internally.<\/li>\n<li><strong>Why this service fits:<\/strong> Batch compute can run transformations without cloud egress.<\/li>\n<li><strong>Example scenario:<\/strong> A research lab ingests datasets via secure import, runs ETL on isolated compute, and stores results on internal storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) DR rehearsal and resilience within a secure site<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams need predictable recovery procedures without relying on external services.<\/li>\n<li><strong>Why this service fits:<\/strong> Standardized provisioning and images support repeatable environment recreation.<\/li>\n<li><strong>Example scenario:<\/strong> A team runs quarterly \u201crestore from image\/backup\u201d drills within the isolated environment to validate RTO\/RPO assumptions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Regulated dev\/test mirror of production enclave<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Developers need an environment with the same isolation constraints as production.<\/li>\n<li><strong>Why this service 
fits:<\/strong> Enables consistent IAM\/network patterns and repeatable provisioning.<\/li>\n<li><strong>Example scenario:<\/strong> A team validates releases in an isolated dev environment where external dependency calls are blocked by design.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Legacy-to-cloud operating model transition<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> An organization wants cloud governance patterns but cannot move workloads off-prem yet.<\/li>\n<li><strong>Why this service fits:<\/strong> Provides a stepping stone: cloud operating model on-prem now, potential hybrid later if allowed.<\/li>\n<li><strong>Example scenario:<\/strong> A bank standardizes compartments\/policies\/tags and automation in an isolated environment while preparing for future hybrid adoption.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>Because Cloud@Customer portfolios can vary by contract and release, treat this as a \u201ccore feature set\u201d view and <strong>verify the exact supported services<\/strong> in your deployment\u2019s documentation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">OCI-style compute provisioning (VMs and\/or bare metal)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you create and manage compute instances using OCI-like constructs (shapes, images, boot volumes).<\/li>\n<li><strong>Why it matters:<\/strong> Enables standardized provisioning and lifecycle management in a restricted environment.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster environment creation and consistent change control.<\/li>\n<li><strong>Caveats:<\/strong> Instance shapes and capacity are bounded by installed hardware. 
Some public OCI shapes\/features may not exist in your on-prem footprint.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Local control plane and console\/API endpoints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Exposes a management console and APIs within the isolated environment.<\/li>\n<li><strong>Why it matters:<\/strong> Operations do not require public internet access.<\/li>\n<li><strong>Practical benefit:<\/strong> Teams can automate with IaC\/CLI against local endpoints.<\/li>\n<li><strong>Caveats:<\/strong> Endpoint configuration differs from public OCI; client tools may require custom endpoint\/region configuration\u2014<strong>follow your deployment\u2019s guide<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">OCI-style IAM concepts (users\/groups\/policies) and compartments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables least-privilege access control and resource isolation using familiar OCI policy language and compartment structure.<\/li>\n<li><strong>Why it matters:<\/strong> Strong governance is essential in high-trust environments.<\/li>\n<li><strong>Practical benefit:<\/strong> Clear separation of duties (platform admins vs app teams) and strong auditability.<\/li>\n<li><strong>Caveats:<\/strong> Federation\/SSO options depend on your environment and connectivity constraints\u2014<strong>verify supported identity integrations<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking constructs (VCN-like segmentation)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides logical network segmentation (for example VCNs\/subnets\/security rules) aligned with OCI patterns.<\/li>\n<li><strong>Why it matters:<\/strong> Network segmentation is a foundational control in isolated environments.<\/li>\n<li><strong>Practical benefit:<\/strong> Simple, repeatable segmentation patterns for multi-tier 
apps.<\/li>\n<li><strong>Caveats:<\/strong> Specific networking features (NAT gateways, service gateways, load balancers) may vary\u2014<strong>verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Boot volumes, images, and instance lifecycle operations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports instance creation from images, stopping\/starting, and lifecycle management.<\/li>\n<li><strong>Why it matters:<\/strong> Enables patching, golden image pipelines, and predictable rebuild processes.<\/li>\n<li><strong>Practical benefit:<\/strong> Standardization: rebuild is safer than manual drift management.<\/li>\n<li><strong>Caveats:<\/strong> Image import\/export is constrained by isolation; you typically need a controlled artifact pipeline (offline repos, signed images).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Isolation mode (disconnected operations)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports operation without connectivity to Oracle Cloud public regions.<\/li>\n<li><strong>Why it matters:<\/strong> Enables compliance with air-gap policies.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduced risk from external dependency chains.<\/li>\n<li><strong>Caveats:<\/strong> Operational processes (updates, support data exchange, metering) require offline procedures. 
Plan for curated package repositories and offline vulnerability feeds.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tagging, naming, and governance patterns (OCI-aligned)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports tagging to organize resources and allocate costs.<\/li>\n<li><strong>Why it matters:<\/strong> Even isolated environments require cost governance and ownership.<\/li>\n<li><strong>Practical benefit:<\/strong> Chargeback\/showback, audit readiness.<\/li>\n<li><strong>Caveats:<\/strong> Exact tagging capabilities depend on the platform release\u2014verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Observability hooks (monitoring\/logging) \u2014 if included<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides metrics\/logging capabilities (or integrations) for operations.<\/li>\n<li><strong>Why it matters:<\/strong> SRE practices depend on telemetry.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster incident triage and compliance evidence.<\/li>\n<li><strong>Caveats:<\/strong> In isolated mode, integrations to external SaaS endpoints are restricted; you may need local log shipping and local dashboards. If OCI Monitoring\/Logging services are not part of your deployment, use OS-level agents and on-prem monitoring stacks.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>A Compute Cloud@Customer Isolated deployment typically consists of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Customer facility boundary<\/strong>\n<ul>\n<li>Physical security and access control<\/li>\n<li>Customer network integration (core switches, firewalls)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Cloud@Customer system<\/strong>\n<ul>\n<li>Compute nodes and storage<\/li>\n<li>Local control plane services exposing OCI-like endpoints<\/li>\n<\/ul>\n<\/li>\n<li><strong>Access paths<\/strong>\n<ul>\n<li>Admin\/operator access from controlled workstations or jump hosts<\/li>\n<li>Application traffic via internal networks<\/li>\n<\/ul>\n<\/li>\n<li><strong>Operations<\/strong>\n<ul>\n<li>Provisioning via console, CLI, SDKs<\/li>\n<li>Offline patching\/artifact ingestion workflows<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane requests:<\/strong> Users\/tools call local endpoints to create\/manage resources.<\/li>\n<li><strong>Data plane traffic:<\/strong> Workload traffic stays inside your networks (east-west) and to approved networks (north-south) as configured.<\/li>\n<li><strong>Identity and policy evaluation:<\/strong> IAM controls authorize actions; auditing records management-plane events.<\/li>\n<li><strong>Telemetry:<\/strong> Metrics\/logs are collected locally and exported only through approved channels (if any).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations (depending on what\u2019s supported in your isolated deployment):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enterprise identity provider (for SSO\/federation) \u2014 <strong>verify support<\/strong><\/li>\n<li>On-prem DNS\/DHCP\/IPAM<\/li>\n<li>On-prem SIEM\/SOAR<\/li>\n<li>Artifact repositories (OS packages, container registries) hosted 
internally<\/li>\n<li>Configuration management (Ansible, Puppet, etc.) from internal control nodes<\/li>\n<li>IaC pipelines (Terraform) executed within the enclave<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network connectivity between Cloud@Customer system and customer LAN (management + workload)<\/li>\n<li>IP address management, routing, firewall policies<\/li>\n<li>Jump hosts and controlled admin workstations<\/li>\n<li>Local time sync (NTP) sources in the enclave<\/li>\n<li>Local certificate authority \/ PKI for TLS in internal services<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized authorization through OCI-like IAM policies<\/li>\n<li>Strong separation of duties:\n<ul>\n<li>Platform administrators manage base infrastructure, quotas, network foundations<\/li>\n<li>App teams deploy into dedicated compartments\/subnets<\/li>\n<\/ul>\n<\/li>\n<li>Audit trail for management-plane actions<\/li>\n<li>\u201cBreak-glass\u201d procedures for emergency access<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>One or more logical virtual networks mapped to the customer network boundary<\/li>\n<li>Private subnets for workloads<\/li>\n<li>Optional DMZ subnets for ingress gateways (if permitted)<\/li>\n<li>Strict egress controls by default (common in isolated environments)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer local collection and retention aligned to policy<\/li>\n<li>Use immutable log storage patterns where feasible<\/li>\n<li>Regular evidence generation for compliance (access reviews, policy drift checks)<\/li>\n<li>Tagging standards for owner, environment, data classification<\/li>\n<\/ul>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  %% Labels containing parentheses, slashes or ampersands are quoted so Mermaid does not read them as shape syntax;\n  %% Mermaid breaks lines with &lt;br\/&gt;, not with a literal \\n\n  U[&quot;Admin \/ DevOps User&quot;] --&gt;|Console \/ CLI \/ API| CP[&quot;Local OCI-like Control Plane&lt;br\/&gt;(Compute Cloud@Customer Isolated)&quot;]\n  CP --&gt; IAM[&quot;IAM Policies &amp; Compartments&quot;]\n  CP --&gt; NET[&quot;Virtual Networking&lt;br\/&gt;(VCN\/Subnets\/Security Rules)&quot;]\n  CP --&gt; CMP[&quot;Compute Instances&lt;br\/&gt;(VM\/Bare Metal)&quot;]\n  CMP --&gt; APP[Application Workloads]\n  APP --&gt;|Internal traffic| LAN[Customer Internal Network]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  %% Subgraph titles and node labels with parentheses or slashes are quoted; &lt;br\/&gt; gives the line break\n  subgraph Facility[&quot;Customer Secure Facility \/ Data Center&quot;]\n    subgraph Access[Controlled Admin Access]\n      WS[Privileged Workstation] --&gt; JH[&quot;Jump Host \/ Bastion&quot;]\n      JH --&gt; CPAPI[&quot;Local Console\/API Endpoint&quot;]\n    end\n\n    subgraph CCoC[&quot;Compute Cloud@Customer Isolated System&quot;]\n      CPAPI --&gt; IAM[&quot;IAM \/ Policies \/ Compartments&quot;]\n      CPAPI --&gt; NET[&quot;Network Control&lt;br\/&gt;(VCN\/Subnets\/NSGs\/Sec Lists)&quot;]\n      CPAPI --&gt; AUD[&quot;Audit Logs (Management Plane)&quot;]\n      NET --&gt; SUBP[Private Subnets]\n      SUBP --&gt; WEB[Web Tier VMs]\n      SUBP --&gt; APP[App Tier VMs]\n      SUBP --&gt; DB[DB Tier VMs]\n    end\n\n    subgraph Enterprise[&quot;Enterprise Services (On-Prem)&quot;]\n      IDP[&quot;Identity Provider (SSO)&lt;br\/&gt;(verify support)&quot;] --&gt; IAM\n      DNS[&quot;DNS \/ NTP \/ PKI&quot;] --&gt; WEB\n      DNS --&gt; APP\n      DNS --&gt; DB\n      SIEM[&quot;SIEM \/ Log Platform&quot;] &lt;--&gt;|Log shipping| WEB\n      SIEM &lt;--&gt;|Log shipping| APP\n      SIEM &lt;--&gt;|Log shipping| DB\n      REPO[&quot;Offline OS\/Artifact Repo&quot;] --&gt; WEB\n      REPO --&gt; APP\n      REPO --&gt; DB\n    end\n\n    FW[&quot;Internal Firewall \/ Segmentation&quot;] --- NET\n    LAN[&quot;Corporate \/ Mission Networks&quot;] --- FW\n  end\n<\/code><\/pre>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>Compute Cloud@Customer Isolated is not a \u201cclick-to-enable\u201d public cloud feature; you need a delivered environment and the right access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription\/tenancy requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A provisioned <strong>Compute Cloud@Customer Isolated<\/strong> environment installed in your facility (or approved site).<\/li>\n<li>Tenancy\/environment access as provided by Oracle and your internal platform team.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions\/IAM roles<\/h3>\n\n\n\n<p>You typically need (names vary by organization):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ability to create and manage:<\/li>\n<li>Compartments\/projects<\/li>\n<li>Virtual networks and subnets<\/li>\n<li>Compute instances<\/li>\n<li>Security rules (security lists \/ NSGs)<\/li>\n<li>Read access to:<\/li>\n<li>Images\/shapes available in your environment<\/li>\n<li>Quotas\/limits<\/li>\n<\/ul>\n\n\n\n<p>Ask your platform admin for a role equivalent to \u201cCompute + Network Admin\u201d inside a sandbox compartment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud@Customer offerings are commonly contract-based (subscription\/commitment). 
Ensure:<\/li>\n<li>You understand who owns the cost center<\/li>\n<li>Tagging\/chargeback standards are defined<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH client (OpenSSH)<\/li>\n<li>A workstation that can reach the local console\/API endpoints (often via jump host)<\/li>\n<li>Optional (recommended for automation):<\/li>\n<li>OCI CLI: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/li>\n<li>Terraform OCI Provider: https:\/\/registry.terraform.io\/providers\/oracle\/oci\/latest\/docs (use only if supported in your environment)<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>In isolated mode, you may need to host installers internally and follow your enclave\u2019s software approval process.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud@Customer is <strong>site-specific<\/strong>. Availability is not \u201cregions list in the public console.\u201d<\/li>\n<li>Validate the environment endpoints and supported services with your Oracle delivery and internal platform team.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Capacity is constrained by installed hardware.<\/li>\n<li>Tenancy\/service limits apply within the environment (exact limits vary). 
Plan for:<\/li>\n<li>Maximum instances per compartment<\/li>\n<li>CPU\/memory availability by shape<\/li>\n<li>Limits on VCNs\/subnets\/security rules<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>Depending on your organization\u2019s design:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS, NTP, certificate authority available within the enclave<\/li>\n<li>Offline OS package repositories (highly recommended)<\/li>\n<li>Central log platform or SIEM (local)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (how to think about it)<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated is typically purchased through an Oracle Cloud@Customer commercial agreement. Pricing is often <strong>contracted<\/strong> and may include a combination of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consumption-based pricing for enabled services (OCI-like units) and\/or<\/li>\n<li>Fixed infrastructure fees<\/li>\n<li>Minimum commitments<\/li>\n<li>Support and lifecycle management terms<\/li>\n<\/ul>\n\n\n\n<p>Because pricing differs by country, contract, ordering vehicle, and included services, do <strong>not<\/strong> treat any third-party numbers as authoritative. 
Use Oracle\u2019s official pricing resources and your Oracle order documents.<\/p>\n\n\n\n<p>Official starting points:\n&#8211; Cloud@Customer overview: https:\/\/www.oracle.com\/cloud\/cloud-at-customer\/\n&#8211; Cloud@Customer pricing entry point (verify current page): https:\/\/www.oracle.com\/cloud\/cloud-at-customer\/pricing\/\n&#8211; OCI Pricing: https:\/\/www.oracle.com\/cloud\/pricing\/\n&#8211; OCI Cost Estimator (public OCI reference; for Cloud@Customer you must confirm applicability): https:\/\/www.oracle.com\/cloud\/costestimator.html<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (common drivers)<\/h3>\n\n\n\n<p>Expect costs to be influenced by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Committed capacity<\/strong> (installed compute\/storage footprint)<\/li>\n<li><strong>Compute consumption<\/strong> (OCPU\/CPU, memory, instance-hours) depending on contract model<\/li>\n<li><strong>Storage consumption<\/strong> (boot\/block volumes, snapshots\/backups) depending on included services<\/li>\n<li><strong>Support level<\/strong> and operational model (who does what; isolated environments can require special procedures)<\/li>\n<li><strong>Expansion events<\/strong> (adding racks\/nodes may have lead time and cost)<\/li>\n<li><strong>License implications<\/strong> (if you run licensed software on top\u2014OS, databases, middleware)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Oracle Cloud Free Tier applies to public OCI and is generally <strong>not<\/strong> applicable to Cloud@Customer installations. 
Treat Compute Cloud@Customer Isolated as a paid, contracted service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (direct and indirect)<\/h3>\n\n\n\n<p><strong>Direct:<\/strong>\n&#8211; Contracted service charges (compute, storage, support, infrastructure)<\/p>\n\n\n\n<p><strong>Indirect (often bigger than expected in isolated environments):<\/strong>\n&#8211; Facility costs: power, cooling, rack space\n&#8211; Network\/security appliances and firewall rule management\n&#8211; Offline patching pipeline (repos, signing, artifact scanning)\n&#8211; Operations headcount: 24&#215;7 coverage, change management, audits\n&#8211; Backup\/DR tooling (if not included natively)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In an isolated environment, \u201cegress to internet\u201d is usually not the cost driver; the driver is <strong>network architecture complexity<\/strong>:<\/li>\n<li>Cross-zone segmentation<\/li>\n<li>Dedicated links between enclaves<\/li>\n<li>Controlled export processes for data<\/li>\n<\/ul>\n\n\n\n<p>If any connectivity to an OCI region exists (some customers allow limited connectivity even in \u201cisolated-like\u201d postures), confirm:\n&#8211; Whether metering, support telemetry, or data export crosses that link\n&#8211; Whether your contract treats that connectivity as billable transfer<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-size shapes and use smaller test compartments for non-prod.<\/li>\n<li>Standardize golden images to reduce drift and incident cost.<\/li>\n<li>Use strict tag policies (owner, cost center, environment, data classification).<\/li>\n<li>Avoid \u201calways-on\u201d non-prod instances\u2014schedule shutdown where permitted.<\/li>\n<li>Consolidate shared services (repos, logging collectors) into a platform compartment rather than duplicating in every app 
compartment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (how to estimate without making up prices)<\/h3>\n\n\n\n<p>Because numbers are contract-dependent, use this approach:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Identify the smallest sandbox footprint you can run:\n   &#8211; 1 small admin\/jump VM\n   &#8211; 1 test app VM\n   &#8211; Minimal storage for boot volumes<\/li>\n<li>Determine whether your contract is:\n   &#8211; Fixed capacity fee regardless of use, or\n   &#8211; Metered within committed capacity<\/li>\n<li>Multiply expected instance-hours by your contracted rate (from order documents) and add storage.<\/li>\n<\/ol>\n\n\n\n<p>If you do not have the contract rate sheet, you cannot produce a reliable estimate\u2014request it from procurement or your Oracle account team.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For production, cost planning must include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>N+1 capacity for maintenance and failure domains<\/li>\n<li>Separate environments (dev\/test\/prod) and segmentation overhead<\/li>\n<li>Backups and retention (especially in regulated settings)<\/li>\n<li>Security tooling, vulnerability scanning, and audit evidence generation<\/li>\n<li>Planned expansion cycles (capex-like planning even if billed as a service)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab is designed to be <strong>realistic and executable<\/strong> inside a Compute Cloud@Customer Isolated environment, assuming you already have access to its local console\/API endpoint and your platform team has provided a sandbox compartment (or permission to create one).<\/p>\n\n\n\n<p>Because isolated deployments vary, any step that depends on optional features is called out explicitly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Provision a small, private web workload in Compute Cloud@Customer Isolated:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a sandbox compartment (if allowed)<\/li>\n<li>Create a private virtual network and subnet<\/li>\n<li>Launch two compute instances:<\/li>\n<li>A \u201cweb\u201d instance that runs an HTTP server<\/li>\n<li>A \u201cclient\u201d instance used to test internal connectivity<\/li>\n<li>Validate traffic using private IPs only<\/li>\n<li>Clean up all created resources<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will build a minimal \u201cprivate-only\u201d architecture:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1 VCN (or equivalent virtual network)<\/li>\n<li>1 private subnet<\/li>\n<li>2 compute instances on the same subnet<\/li>\n<li>Security rules allowing:<\/li>\n<li>SSH from your jump host or admin CIDR<\/li>\n<li>HTTP traffic from the client instance to the web instance<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Why private-only? In isolated environments, public IPs and internet gateways are often disallowed. 
This lab matches that reality.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Confirm access, endpoints, and your sandbox boundary<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p>Obtain from your platform admin:\n   &#8211; Local console URL (for the isolated environment)\n   &#8211; Your username and MFA requirements (if used)\n   &#8211; Your assigned compartment (recommended) or permission to create one\n   &#8211; Network rules for admin access (what CIDR can SSH to instances)<\/p>\n<\/li>\n<li>\n<p>Log in to the local console.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You can access the Compute Cloud@Customer Isolated console and see your compartment(s).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In the console, confirm you can navigate to Compute resources and Networking resources without authorization errors.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create (or select) a compartment for the lab<\/h3>\n\n\n\n<p>If your organization allows you to create compartments:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Identity &amp; Security \u2192 Compartments<\/strong>.<\/li>\n<li>Click <strong>Create Compartment<\/strong>.<\/li>\n<li>Use:\n   &#8211; Name: <code>lab-ccoc-isolated<\/code>\n   &#8211; Description: <code>Hands-on lab compartment for Compute Cloud@Customer Isolated<\/code><\/li>\n<li>Create.<\/li>\n<\/ol>\n\n\n\n<p>If compartments are centrally managed, <strong>use the sandbox compartment you were given<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; A dedicated compartment exists to isolate and clean up lab resources.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Switch your console scope to the compartment and confirm it appears in the compartment selector.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 
class=\"wp-block-heading\">Step 3: Create a private network (VCN) and subnet<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Networking \u2192 Virtual Cloud Networks<\/strong> (or your platform\u2019s equivalent).<\/li>\n<li>Click <strong>Create VCN<\/strong>.<\/li>\n<li>Use a simple CIDR that does not overlap with your on-prem networks, for example:\n   &#8211; VCN CIDR: <code>10.10.0.0\/16<\/code><\/li>\n<li>Create one private subnet:\n   &#8211; Subnet CIDR: <code>10.10.10.0\/24<\/code>\n   &#8211; \u201cPublic subnet\u201d: <strong>No<\/strong> (private)<\/li>\n<li>Keep defaults for route tables and DHCP options unless your platform team has standards to follow.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; A VCN with a private subnet exists.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Confirm subnet is <code>Available<\/code>.\n&#8211; Confirm the subnet has a security list or NSG capability available for instance attachments.<\/p>\n\n\n\n<blockquote>\n<p>If your environment provides predefined networks that you must use, follow your platform team\u2019s guidance and adapt the lab by deploying into the approved private subnet.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create security rules for SSH and HTTP (least privilege)<\/h3>\n\n\n\n<p>You need two kinds of access:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH admin access to instances (from a controlled CIDR, often a jump host subnet)<\/li>\n<li>HTTP access from the client instance to the web instance (internal only)<\/li>\n<\/ul>\n\n\n\n<p>Choose one of these patterns (use what your environment supports):<br\/>\n<strong>A) Security Lists<\/strong>, or <strong>B) Network Security Groups (NSGs)<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: Security List approach (simple)<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to your subnet\u2019s <strong>Security 
List<\/strong>.<\/li>\n<li>\n<p>Add <strong>Ingress Rules<\/strong>. Security lists are stateful by default (as in OCI), so return traffic for these connections needs no matching egress rule:<\/p>\n<ul>\n<li>Allow SSH:\n<ul>\n<li>Source CIDR: your admin\/jump CIDR (example: <code>192.168.50.0\/24<\/code>)<br\/>\n<strong>Use your real admin CIDR; do not guess.<\/strong><\/li>\n<li>Protocol: TCP<\/li>\n<li>Destination port: 22<\/li>\n<\/ul>\n<\/li>\n<li>Allow HTTP from inside the subnet:\n<ul>\n<li>Source CIDR: <code>10.10.10.0\/24<\/code><\/li>\n<li>Protocol: TCP<\/li>\n<li>Destination port: 80<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Keep egress rules minimal. Default allow-all egress is usually acceptable for an isolated lab, but production should be tighter.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: NSG approach (recommended for production patterns)<\/h4>\n\n\n\n<p>If NSGs are supported and enabled:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create an NSG <code>nsg-client<\/code> allowing TCP\/22 from your admin\/jump CIDR.<\/li>\n<li>Create an NSG <code>nsg-web<\/code> allowing TCP\/22 from your admin\/jump CIDR (you SSH to <code>web-01<\/code> in Step 9) and TCP\/80 with source <code>nsg-client<\/code> (source type NSG, if your environment supports it; otherwise the subnet CIDR).<\/li>\n<li>Attach <code>nsg-client<\/code> to <code>client-01<\/code> and <code>nsg-web<\/code> to <code>web-01<\/code> when you launch them.<\/li>\n<li>NSG rules and the subnet\u2019s security list are evaluated together (the union of both applies, as in OCI), so a permissive default security list silently undoes a tight NSG. Trim the default list to what the lab needs.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Network rules allow only the required access paths.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Review the effective rules (security list plus any NSG) and confirm:\n  &#8211; Port 22 allowed only from the admin\/jump CIDR\n  &#8211; Port 80 allowed only from the subnet (or the client NSG)\n  &#8211; No rule with source <code>0.0.0.0\/0<\/code><\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Generate an SSH key pair (on your admin workstation)<\/h3>\n\n\n\n<p>On your admin workstation, generate a key and protect it with a passphrase. The private key stays on the workstation; if your operating model forces you to work from the jump host, generate a separate key there, but never copy a private key onto lab instances:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh-keygen -t ed25519 -f ~\/.ssh\/ccoc_isolated_lab -C \"ccoc-isolated-lab\"\n<\/code><\/pre>\n\n\n\n<p>This creates:\n&#8211; Private key: <code>~\/.ssh\/ccoc_isolated_lab<\/code>\n&#8211; Public key: <code>~\/.ssh\/ccoc_isolated_lab.pub<\/code><\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You have an SSH 
public key to inject into instances.<\/p>\n\n\n\n<p><strong>Verification<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">ls -l ~\/.ssh\/ccoc_isolated_lab*\ncat ~\/.ssh\/ccoc_isolated_lab.pub\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Launch the \u201cweb\u201d compute instance<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Compute \u2192 Instances<\/strong>.<\/li>\n<li>Click <strong>Create Instance<\/strong>.<\/li>\n<li>\n<p>Configure:\n   &#8211; Name: <code>web-01<\/code>\n   &#8211; Compartment: <code>lab-ccoc-isolated<\/code> (or your sandbox)\n   &#8211; Placement: accept defaults (availability\/fault domain options vary)\n   &#8211; Image: choose an approved Linux image available in your environment<br\/>\n     (Oracle Linux is common; use what\u2019s approved and available.)\n   &#8211; Shape: choose a small shape suitable for a lab\n   &#8211; Networking: attach to your private subnet (<code>10.10.10.0\/24<\/code>)\n   &#8211; Public IP: <strong>Disabled \/ none<\/strong>\n   &#8211; SSH keys: paste the contents of <code>ccoc_isolated_lab.pub<\/code><\/p>\n<\/li>\n<li>\n<p>Create the instance.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Instance <code>web-01<\/code> is running with a private IP (for example, <code>10.10.10.10<\/code>).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In instance details, note:\n  &#8211; Lifecycle state: <code>Running<\/code>\n  &#8211; Private IP address<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Launch the \u201cclient\u201d compute instance<\/h3>\n\n\n\n<p>Repeat instance creation with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: <code>client-01<\/code><\/li>\n<li>Same subnet<\/li>\n<li>Same SSH key<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Instance <code>client-01<\/code> is running with a private IP (for example, 
<code>10.10.10.11<\/code>).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Confirm both instances are in <code>Running<\/code> state and have private IPs.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Connect to the client instance (via jump host) and test reachability<\/h3>\n\n\n\n<p>How you SSH depends on your environment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you can SSH directly from your workstation to the private subnet (rare), use direct SSH.<\/li>\n<li>More commonly, you go through a jump host. Use SSH ProxyJump (<code>-J<\/code>) for that hop so the private key stays on your workstation; do not copy it to the jump host or to the instances.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example SSH (direct, or through a jump host)<\/h4>\n\n\n\n<pre><code class=\"language-bash\"># Direct, from a host that can reach the subnet\nssh -i ~\/.ssh\/ccoc_isolated_lab opc@10.10.10.11\n\n# Through a jump host (replace jumpuser@jump-host with your own);\n# ProxyJump tunnels the session, so the private key never leaves your workstation\nssh -i ~\/.ssh\/ccoc_isolated_lab -J jumpuser@jump-host opc@10.10.10.11\n<\/code><\/pre>\n\n\n\n<blockquote>\n<p>Usernames vary by image (for example <code>opc<\/code>, <code>oraclelinux<\/code>, <code>ubuntu<\/code>). Use the username documented for your selected image.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You have shell access to <code>client-01<\/code>.<\/p>\n\n\n\n<p><strong>Verification<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">hostname\nip addr | grep \"10.10.10\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9: Install and start a web server on web-01<\/h3>\n\n\n\n<p>Connect to <code>web-01<\/code> the same way you reached <code>client-01<\/code> in Step 8 (directly, or through the jump host with <code>-J<\/code>). Do not hop from <code>client-01<\/code> with a copied private key: the key belongs only on your admin workstation, and the Step 4 rules admit SSH only from the admin\/jump CIDR, so a connection sourced from <code>client-01<\/code> would be blocked anyway.<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i ~\/.ssh\/ccoc_isolated_lab opc@10.10.10.10\n<\/code><\/pre>\n\n\n\n<p>Install a small HTTP server. 
Choose a method that works with your OS and your enclave\u2019s package repository situation:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A (preferred): Use the approved package repository inside the enclave<\/h4>\n\n\n\n<p>For Oracle Linux (example; adjust if you use a different OS and repo). Oracle Linux cloud images usually ship with firewalld enabled and only SSH allowed, so the host firewall has to be opened in addition to the subnet security rules:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo dnf -y install nginx\nsudo systemctl enable --now nginx\n# Open HTTP in the host firewall; without this, requests from client-01 are rejected\n# even though nginx is running and the subnet rules allow port 80\nsudo firewall-cmd --permanent --add-service=http\nsudo firewall-cmd --reload\n<\/code><\/pre>\n\n\n\n<p>Create a simple page:<\/p>\n\n\n\n<pre><code class=\"language-bash\">echo \"Hello from Compute Cloud@Customer Isolated: $(hostname)\" | sudo tee \/usr\/share\/nginx\/html\/index.html\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Option B (fallback): Python HTTP server (no packages needed)<\/h4>\n\n\n\n<p>If you cannot install packages due to repo restrictions:<\/p>\n\n\n\n<pre><code class=\"language-bash\">mkdir -p ~\/webroot\necho \"Hello from Compute Cloud@Customer Isolated: $(hostname)\" &gt; ~\/webroot\/index.html\n# Open the port in the host firewall if firewalld is active (see Option A)\nsudo firewall-cmd --permanent --add-port=8080\/tcp\nsudo firewall-cmd --reload\ncd ~\/webroot\npython3 -m http.server 8080   # foreground process: leave this session open while you test\n<\/code><\/pre>\n\n\n\n<p>If you use port <code>8080<\/code>, update the subnet security rules from Step 4 accordingly. <code>http.server<\/code> is a lab convenience only: it is unauthenticated and serves everything under <code>~\/webroot<\/code>, so stop it once the test is done.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; <code>web-01<\/code> is serving HTTP content on port 80 (or 8080).<\/p>\n\n\n\n<p><strong>Verification (on web-01)<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -s http:\/\/127.0.0.1\/ | head        # nginx\ncurl -s http:\/\/127.0.0.1:8080\/ | head   # Python fallback\n<\/code><\/pre>\n\n\n\n<p>This loopback check passes even when firewalld still blocks the port, so the test from <code>client-01<\/code> in Step 10 is the one that counts.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 10: Test HTTP from client-01 to web-01 over private IP<\/h3>\n\n\n\n<p>In your <code>client-01<\/code> session from Step 8 (open a second terminal to it if the first is busy), fetch the page over the private IP:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -v http:\/\/10.10.10.10\/\n# or, for the Python fallback: curl -v http:\/\/10.10.10.10:8080\/\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You receive the \u201cHello from\u2026\u201d response, and the verbose output shows a <code>200 OK<\/code> status line.\n&#8211; The TCP connection succeeds without using any public IP.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Confirm curl output returns HTTP 200 (or a 
valid response if using Python server).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Instances running<\/strong>\n   &#8211; <code>web-01<\/code>: running, private IP assigned\n   &#8211; <code>client-01<\/code>: running, private IP assigned<\/p>\n<\/li>\n<li>\n<p><strong>SSH works<\/strong>\n   &#8211; From jump\/admin network to instances on port 22<\/p>\n<\/li>\n<li>\n<p><strong>HTTP works<\/strong>\n   &#8211; <code>client-01<\/code> can <code>curl http:\/\/web-01-private-ip\/<\/code><\/p>\n<\/li>\n<li>\n<p><strong>No public exposure<\/strong>\n   &#8211; No public IPs assigned\n   &#8211; Security rules do not allow <code>0.0.0.0\/0<\/code> ingress on SSH\/HTTP (unless your policy explicitly requires it, which is uncommon in isolated environments)<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: SSH timeout<\/h4>\n\n\n\n<p><strong>Causes<\/strong>\n&#8211; Missing route between jump network and subnet\n&#8211; Security rule missing port 22 from correct source CIDR\n&#8211; OS firewall blocking SSH (less common on default images)<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Confirm security rules: allow TCP\/22 from your jump CIDR.\n&#8211; Confirm the subnet route and on-prem routing are correct (work with network team).\n&#8211; Verify instance is in correct subnet and has correct private IP.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: \u201cPermission denied (publickey)\u201d<\/h4>\n\n\n\n<p><strong>Causes<\/strong>\n&#8211; Wrong username for the OS image\n&#8211; Wrong key used\n&#8211; Key not injected properly<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Verify correct username for image.\n&#8211; Confirm you used the matching private key (<code>ccoc_isolated_lab<\/code>).\n&#8211; 
Confirm the SSH public key in instance metadata (console).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: HTTP connection refused (or no route \/ timeout)<\/h4>\n\n\n\n<p><strong>Causes<\/strong>\n&#8211; Web server not running\n&#8211; Wrong port\n&#8211; Security rules missing port 80\n&#8211; OS firewall blocking port 80<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Read the error. <code>Connection refused<\/code> means nothing is listening on that port (on <code>web-01<\/code>: <code>sudo systemctl status nginx<\/code>, or the Python server has exited). <code>No route to host<\/code> usually means the host firewall is rejecting the port (check <code>sudo firewall-cmd --list-all<\/code>). A timeout means the subnet security rules are dropping the traffic or routing is wrong.\n&#8211; Confirm rules allow TCP\/80 from the subnet CIDR (or the client NSG).\n&#8211; If using the Python server on 8080, update the rules, open 8080 in the host firewall, and use the correct URL.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: No package repository access<\/h4>\n\n\n\n<p><strong>Causes<\/strong>\n&#8211; In isolated environments, outbound internet repos are blocked (expected).\n&#8211; Internal mirror repo not configured.<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Use the Python server method for the lab.\n&#8211; For production, implement an approved offline repository and signed artifact pipeline.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid consuming capacity:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p>Terminate instances:\n   &#8211; <code>web-01<\/code>\n   &#8211; <code>client-01<\/code><\/p>\n<\/li>\n<li>\n<p>Delete network resources (if created for the lab):\n   &#8211; Subnet\n   &#8211; VCN\n   &#8211; NSGs\/security list rules (if separate objects)<\/p>\n<\/li>\n<li>\n<p>Delete the lab compartment (only if you created it and your org allows it).<br\/>\n   Note: compartment deletion may require all resources to be fully removed first and may take time.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; No remaining instances, networks, or lab artifacts consuming capacity.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Design with <strong>private subnets by default<\/strong>; treat public ingress as an exception requiring formal approval.<\/li>\n<li>Use a <strong>hub-and-spoke segmentation model<\/strong>:<\/li>\n<li>Shared services in a platform compartment (repos, logging, CI runners)<\/li>\n<li>Application compartments per team\/environment<\/li>\n<li>Build for <strong>rebuildability<\/strong>:<\/li>\n<li>Golden images<\/li>\n<li>Immutable infrastructure patterns where feasible<\/li>\n<li>Avoid hidden dependencies on internet services (time servers, package repos, license servers). Provide internal equivalents.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>least privilege<\/strong> policies:<\/li>\n<li>Separate network admins from compute admins where possible<\/li>\n<li>Grant app teams rights only within their compartments<\/li>\n<li>Use <strong>groups and policies<\/strong>, not individual grants.<\/li>\n<li>Implement <strong>break-glass accounts<\/strong> with strong controls:<\/li>\n<li>Separate credentials<\/li>\n<li>Time-bound approval<\/li>\n<li>Full auditing and post-incident review<\/li>\n<li>Require MFA where supported and permitted.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce tagging: <code>owner<\/code>, <code>cost-center<\/code>, <code>env<\/code>, <code>data-classification<\/code>, <code>app<\/code>.<\/li>\n<li>Build non-prod scheduling (stop\/start) if your operational model allows it.<\/li>\n<li>Track capacity usage as a finite resource:<\/li>\n<li>Monitor free CPU\/memory capacity<\/li>\n<li>Avoid \u201cVM sprawl\u201d with quotas and approval gates<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Keep high-IO workloads close to their storage and within the same fault domain guidance (as supported).<\/li>\n<li>Standardize baseline images with performance tooling (sysstat, tuned profiles).<\/li>\n<li>Use consistent instance sizing and avoid \u201coversizing by default.\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use multi-tier redundancy (multiple instances) where capacity allows.<\/li>\n<li>Prepare for <strong>maintenance windows<\/strong> for platform upgrades (common in managed appliances).<\/li>\n<li>Document and rehearse restore procedures (image-based rebuilds, backups).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintain a \u201cday-2 operations\u201d runbook:<\/li>\n<li>Provisioning standards<\/li>\n<li>Patch cadence<\/li>\n<li>Incident response<\/li>\n<li>Capacity planning<\/li>\n<li>Centralize logs locally; define retention and access.<\/li>\n<li>Keep an internal mirror of required packages and dependencies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Naming convention example:<\/li>\n<li><code>{env}-{app}-{tier}-{index}<\/code> \u2192 <code>prod-payments-web-01<\/code><\/li>\n<li>Tagging convention:<\/li>\n<li><code>env=dev|test|prod<\/code><\/li>\n<li><code>owner=email\/team<\/code><\/li>\n<li><code>data_class=public|internal|confidential|restricted<\/code><\/li>\n<li>Use compartments to model environments and teams, and enforce guardrails with policies.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use OCI-style IAM constructs:<ul>\n<li>Users, groups, policies, compartments<\/li>\n<\/ul>\n<\/li>\n<li>Integrate with enterprise IdP if supported in isolated mode\u2014<strong>verify in official docs<\/strong>.<\/li>\n<li>Apply separation of duties:<ul>\n<li>Platform\/IAM admins<\/li>\n<li>Network\/security admins<\/li>\n<li>Application operators<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data-at-rest encryption depends on the platform\u2019s storage implementation and enabled services.<\/li>\n<li>For workloads:<ul>\n<li>Use OS-level disk encryption if required by policy (and operationally supported).<\/li>\n<li>Use TLS for all internal service-to-service communication.<\/li>\n<li>If key management services (like OCI Vault equivalents) are available in your deployment, use them; otherwise, rely on approved on-prem HSM\/KMS solutions.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Because isolated deployments can differ, confirm encryption controls and compliance evidence paths in your specific documentation.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Default-deny inbound at subnet boundaries.<\/li>\n<li>Avoid assigning public IPs (often disallowed anyway).<\/li>\n<li>Use jump hosts with strict controls (session recording if required).<\/li>\n<li>Implement micro-segmentation:<ul>\n<li>NSGs for app tiers<\/li>\n<li>Restrictive security lists<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not store secrets in instance user-data or images.<\/li>\n<li>Prefer:<ul>\n<li>Local secrets manager (if approved and available)<\/li>\n<li>OS-level secure storage with strict permissions<\/li>\n<li>Short-lived credentials where feasible<\/li>\n<\/ul>\n<\/li>\n<li>Rotate keys on a defined schedule, especially after staff changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure management-plane actions are audited.<\/li>\n<li>Forward logs to a local SIEM\/log platform.<\/li>\n<li>Protect audit logs:<ul>\n<li>Restricted access<\/li>\n<li>Immutable retention (WORM-like) if required<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Compute Cloud@Customer Isolated is often selected to support:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Classified or sovereign controls<\/li>\n<li>Restricted connectivity mandates<\/li>\n<li>Strong chain-of-custody requirements<\/li>\n<\/ul>\n\n\n\n<p>However, compliance is not automatic:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You still must configure IAM, networks, logging, patching, and evidence collection correctly.<\/li>\n<li>Document control mappings (NIST, ISO, CIS, etc.) and validate with auditors.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allowing <code>0.0.0.0\/0<\/code> ingress \u201ctemporarily\u201d and forgetting it<\/li>\n<li>Using shared admin accounts<\/li>\n<li>Skipping internal patch repo setup and allowing ad-hoc removable media processes<\/li>\n<li>No break-glass process (or break-glass used routinely)<\/li>\n<li>Missing asset inventory and ownership tags<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce policy-as-code where possible (Terraform with internal pipelines, if permitted).<\/li>\n<li>Require code review for IAM\/network changes.<\/li>\n<li>Use hardened images and CIS benchmarks where applicable.<\/li>\n<li>Treat the isolated environment as a high-value enclave: minimum software, minimum ports, maximum logging.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<p>These are common constraints in isolated edge-cloud systems; validate specifics for your Compute Cloud@Customer Isolated deployment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Finite capacity<\/strong>: You can\u2019t instantly scale beyond installed hardware.<\/li>\n<li><strong>Service catalog differences<\/strong>: Not all OCI public region services may be present.<\/li>\n<li><strong>Operational procedures differ<\/strong>: Upgrades\/patches may require scheduled windows and offline processes.<\/li>\n<li><strong>Dependency management<\/strong>: OS\/package updates require internal mirrors.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Instance count and resource limits per compartment\/tenancy.<\/li>\n<li>Network object limits (VCNs, subnets, rules).<\/li>\n<li>Limits vary\u2014<strong>verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This is <strong>site-specific<\/strong>; there is no \u201cswitch to another OCI region\u201d unless you have another installation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Contract minimums and infrastructure fees may dominate costs more than usage.<\/li>\n<li>Non-prod sprawl consumes finite capacity even if \u201cmetering\u201d is not your primary cost driver.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some third-party tools assume internet access (license checks, update servers).<\/li>\n<li>Some agents require endpoints that may be blocked in isolated mode.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Time sync: ensure 
internal NTP is reliable.<\/li>\n<li>Certificates: plan an internal PKI and rotation process.<\/li>\n<li>DNS: avoid hardcoding IPs; ensure internal DNS is robust.<\/li>\n<li>Patch pipeline: without internal repos, systems become unpatchable quickly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exporting\/importing images and data requires controlled transfer procedures.<\/li>\n<li>App architectures with many external dependencies need redesign for offline operation.<\/li>\n<li>Governance model changes (compartments\/policies) may require training for traditional virtualization teams.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Support workflows can differ in isolated mode (log bundles, offline diagnostics, controlled data exchange). Establish and test the support process early.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Compute Cloud@Customer Isolated sits in a specific niche: OCI-like compute on premises with strong isolation requirements. 
Here\u2019s how it compares at a high level.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Compute Cloud@Customer Isolated (Oracle Cloud)<\/strong><\/td>\n<td>Air-gapped or strongly isolated OCI-style on-prem compute<\/td>\n<td>OCI-aligned governance and APIs; local control plane; designed for restricted connectivity<\/td>\n<td>Finite capacity; service catalog may differ from public OCI; contracted delivery and lead times<\/td>\n<td>When isolation is non-negotiable and you want OCI-like operations on-prem<\/td>\n<\/tr>\n<tr>\n<td>Oracle Cloud Compute (public OCI regions)<\/td>\n<td>Elastic compute with broad OCI service ecosystem<\/td>\n<td>Rapid scaling; managed services; global regions<\/td>\n<td>Requires connectivity; data residency may be harder for certain constraints<\/td>\n<td>When workloads can run in public cloud and need managed services<\/td>\n<\/tr>\n<tr>\n<td>Oracle Dedicated Region Cloud@Customer<\/td>\n<td>Full OCI region in customer location (broad service set)<\/td>\n<td>Region-like experience on-prem; many OCI services<\/td>\n<td>Larger footprint and complexity; may be overkill for \u201ccompute-only\u201d needs<\/td>\n<td>When you need a broad OCI service catalog on-prem and can support the footprint<\/td>\n<\/tr>\n<tr>\n<td>Oracle Roving Edge Infrastructure<\/td>\n<td>Rugged\/portable edge compute<\/td>\n<td>Portable edge use; local processing near data sources<\/td>\n<td>Different operational model; not the same as Cloud@Customer<\/td>\n<td>When you need portable edge compute rather than a data-center installation<\/td>\n<\/tr>\n<tr>\n<td>AWS Outposts<\/td>\n<td>AWS infrastructure on-prem<\/td>\n<td>AWS consistency; integrated services<\/td>\n<td>Service availability varies; connectivity requirements differ by design<\/td>\n<td>When your org is standardized on AWS and 
needs on-prem extension<\/td>\n<\/tr>\n<tr>\n<td>Azure Stack Hub \/ Azure Stack HCI<\/td>\n<td>Microsoft on-prem cloud\/hybrid<\/td>\n<td>Strong Windows\/AD integration; hybrid patterns<\/td>\n<td>Different APIs\/governance than OCI<\/td>\n<td>When Microsoft ecosystem integration is primary<\/td>\n<\/tr>\n<tr>\n<td>Google Distributed Cloud<\/td>\n<td>Google-managed hybrid\/edge<\/td>\n<td>Designed for distributed environments<\/td>\n<td>Service catalog and availability depend on the specific offering<\/td>\n<td>When aligned with Google hybrid strategy<\/td>\n<\/tr>\n<tr>\n<td>Self-managed VMware \/ OpenStack<\/td>\n<td>Traditional private cloud<\/td>\n<td>Full control; no vendor lock-in to managed appliance<\/td>\n<td>Higher ops burden; harder to match cloud governance consistency<\/td>\n<td>When you need maximum control and can staff operations heavily<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated government analytics enclave<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A government organization must run analytics on sensitive datasets in a facility with no internet connectivity. 
They need standardized provisioning, access control, and auditable operations.<\/li>\n<li><strong>Proposed architecture:<\/strong><ul>\n<li>Compute Cloud@Customer Isolated installed in the facility<\/li>\n<li>Compartments for <code>platform<\/code>, <code>dev<\/code>, <code>prod<\/code><\/li>\n<li>Private subnets only; jump hosts with session controls<\/li>\n<li>Internal artifact repositories for OS updates and tools<\/li>\n<li>Central local SIEM receiving audit logs and OS logs<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why this service was chosen:<\/strong><ul>\n<li>Provides OCI-like governance and automation inside a disconnected environment<\/li>\n<li>Supports strong segmentation and auditable access control<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong><ul>\n<li>Faster environment provisioning with consistent controls<\/li>\n<li>Reduced configuration drift through image-based rebuilds<\/li>\n<li>Improved audit readiness due to standardized IAM and logging patterns<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: manufacturing site with strict OT isolation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A small manufacturing company wants to run local dashboards and batch analytics on machine data but cannot allow broad internet connectivity from the production network.<\/li>\n<li><strong>Proposed architecture:<\/strong><ul>\n<li>Compute Cloud@Customer Isolated hosts a small set of VMs:<ul>\n<li>Data ingestion VM<\/li>\n<li>Analytics VM<\/li>\n<li>Dashboard VM<\/li>\n<\/ul>\n<\/li>\n<li>Segmented network between OT ingestion and IT viewer access<\/li>\n<li>Offline update process with internal package mirror<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why this service was chosen:<\/strong><ul>\n<li>The team needs cloud-like provisioning and governance without exposing OT networks to the internet<\/li>\n<li>A managed on-prem cloud model reduces operational burden compared to building from scratch<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong><ul>\n<li>Lower latency analytics and improved production visibility<\/li>\n<li>Stronger security posture via segmentation and controlled egress<\/li>\n<li>Repeatable deployment patterns as additional sites are added (subject to procurement\/capacity planning)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Is Compute Cloud@Customer Isolated the same as public OCI Compute?<\/h3>\n\n\n\n<p>No. It is designed to provide OCI-like compute in a customer location, but service availability, scaling, and operations differ. Expect finite capacity and deployment-specific service catalogs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) What does \u201cIsolated\u201d mean in practice?<\/h3>\n\n\n\n<p>It generally means the environment is intended to operate without continuous connectivity to OCI public regions and with strict network egress controls. Confirm the exact isolation model for your deployment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) Do I get the same OCI console experience?<\/h3>\n\n\n\n<p>You typically get a local console\/API experience aligned with OCI patterns, but exact UI and available services can differ by release.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) Can I use OCI CLI and SDKs?<\/h3>\n\n\n\n<p>Often yes, against local endpoints\u2014but configuration may differ from public OCI. Follow your deployment documentation for endpoint\/region configuration.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Can I use Terraform?<\/h3>\n\n\n\n<p>Possibly, if the OCI APIs exposed in your environment are compatible and Terraform is approved in your enclave. Verify supported provider versions and endpoints.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6) Does it support compartments and IAM policies?<\/h3>\n\n\n\n<p>OCI-style governance is a common design goal. 
Confirm the IAM feature set and federation options in your deployment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7) Can I assign public IPs?<\/h3>\n\n\n\n<p>In many isolated deployments, public IPs and internet gateways are restricted or disallowed. Design for private-only access unless your security policy allows otherwise.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8) How do OS updates work without internet access?<\/h3>\n\n\n\n<p>You typically need internal mirrors of OS repositories and a controlled artifact ingestion pipeline. Plan this early\u2014it is a major operational dependency.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9) How do I monitor instances?<\/h3>\n\n\n\n<p>If platform monitoring services are included, use them. Otherwise use OS-level monitoring agents and local telemetry stacks (Prometheus, syslog, etc.) approved for the enclave.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10) How does scaling work?<\/h3>\n\n\n\n<p>You can scale within installed capacity. Scaling beyond that usually requires procurement and expansion of the on-prem footprint.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">11) Is this a good fit for container platforms?<\/h3>\n\n\n\n<p>You can run containers on VMs you provision. Whether a managed Kubernetes service is available depends on the Cloud@Customer service catalog\u2014verify in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12) What about backups and disaster recovery?<\/h3>\n\n\n\n<p>Backups depend on included storage services and your organization\u2019s backup tooling. DR may require a second site or a defined restoration process within the same site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">13) How is security auditing handled?<\/h3>\n\n\n\n<p>Management-plane actions are typically auditable. 
You should also centralize OS and application logs locally and ensure retention and immutability as required.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">14) How does support work in an isolated environment?<\/h3>\n\n\n\n<p>Support workflows may involve offline log bundles and controlled data exchange procedures. Establish the process and test it during onboarding.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">15) Is Compute Cloud@Customer Isolated considered \u201cEdge Cloud\u201d?<\/h3>\n\n\n\n<p>Yes. It is an edge\/on-prem deployment model in Oracle Cloud\u2019s Cloud@Customer portfolio, commonly used for secure or low-connectivity environments.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">16) Can I connect it to an OCI public region later?<\/h3>\n\n\n\n<p>Some organizations evolve from isolated to limited connectivity, but this is a policy and architecture decision. Treat it as \u201cpossible but not assumed\u201d\u2014verify supported connectivity models and compliance constraints.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">17) What\u2019s the first thing to plan?<\/h3>\n\n\n\n<p>Networking and identity:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define compartment structure and policies<\/li>\n<li>Define IP ranges and segmentation<\/li>\n<li>Define admin access paths and jump hosts<\/li>\n<li>Define offline patch\/artifact flows<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Compute Cloud@Customer Isolated<\/h2>\n\n\n\n<p>Because Oracle documentation structure can change, use Oracle\u2019s docs search for the most current Compute Cloud@Customer Isolated materials.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official product overview<\/td>\n<td>Oracle Cloud@Customer<\/td>\n<td>High-level positioning and where Compute Cloud@Customer fits in the Oracle Cloud@Customer portfolio. 
https:\/\/www.oracle.com\/cloud\/cloud-at-customer\/<\/td>\n<\/tr>\n<tr>\n<td>Official documentation portal<\/td>\n<td>Oracle Cloud Infrastructure Documentation<\/td>\n<td>Entry point for OCI docs; use search for \u201cCompute Cloud@Customer\u201d and \u201cIsolated\u201d. https:\/\/docs.oracle.com\/en-us\/iaas\/<\/td>\n<\/tr>\n<tr>\n<td>Official OCI CLI docs<\/td>\n<td>OCI CLI Installation and Usage<\/td>\n<td>How to install and use OCI CLI; adapt endpoint configuration for isolated environments per your deployment docs. https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Cloud@Customer pricing<\/td>\n<td>Starting point for official pricing model; Cloud@Customer is typically contract-based. Verify current details. https:\/\/www.oracle.com\/cloud\/cloud-at-customer\/pricing\/<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Oracle Cloud Pricing<\/td>\n<td>General OCI pricing concepts useful for understanding dimensions even when Cloud@Customer is contracted. https:\/\/www.oracle.com\/cloud\/pricing\/<\/td>\n<\/tr>\n<tr>\n<td>Official estimator<\/td>\n<td>Oracle Cloud Cost Estimator<\/td>\n<td>Helps structure estimation; confirm applicability to Cloud@Customer terms. https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<\/tr>\n<tr>\n<td>Architecture center<\/td>\n<td>Oracle Cloud Architecture Center<\/td>\n<td>Reference architectures and design principles (adapt for isolated connectivity constraints). https:\/\/www.oracle.com\/cloud\/architecture\/<\/td>\n<\/tr>\n<tr>\n<td>Terraform provider docs<\/td>\n<td>OCI Terraform Provider<\/td>\n<td>Useful if your environment supports Terraform automation. https:\/\/registry.terraform.io\/providers\/oracle\/oci\/latest\/docs<\/td>\n<\/tr>\n<tr>\n<td>Training (official)<\/td>\n<td>Oracle University \/ OCI training<\/td>\n<td>Official training paths and certifications for OCI concepts that apply to Cloud@Customer operational models. 
https:\/\/education.oracle.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>The following providers are listed as external training resources. Availability, course accuracy, and alignment to Compute Cloud@Customer Isolated should be validated on each site.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>DevOpsSchool.com<\/strong>\n   &#8211; <strong>Suitable audience:<\/strong> DevOps engineers, platform teams, cloud beginners to intermediate\n   &#8211; <strong>Likely learning focus:<\/strong> DevOps practices, cloud fundamentals, automation\n   &#8211; <strong>Mode:<\/strong> Check website\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>ScmGalaxy.com<\/strong>\n   &#8211; <strong>Suitable audience:<\/strong> SCM\/DevOps learners, engineers seeking tooling knowledge\n   &#8211; <strong>Likely learning focus:<\/strong> Source control, CI\/CD, DevOps toolchain\n   &#8211; <strong>Mode:<\/strong> Check website\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n<li>\n<p><strong>CLoudOpsNow.in<\/strong>\n   &#8211; <strong>Suitable audience:<\/strong> CloudOps\/operations practitioners\n   &#8211; <strong>Likely learning focus:<\/strong> Operations, monitoring, reliability, cloud operations\n   &#8211; <strong>Mode:<\/strong> Check website\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.cloudopsnow.in\/<\/p>\n<\/li>\n<li>\n<p><strong>SreSchool.com<\/strong>\n   &#8211; <strong>Suitable audience:<\/strong> SREs, operations teams, reliability-focused engineers\n   &#8211; <strong>Likely learning focus:<\/strong> SRE principles, incident response, SLIs\/SLOs\n   &#8211; <strong>Mode:<\/strong> Check website\n   &#8211; <strong>Website URL:<\/strong> 
https:\/\/www.sreschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>AiOpsSchool.com<\/strong>\n   &#8211; <strong>Suitable audience:<\/strong> Ops teams exploring AIOps concepts\n   &#8211; <strong>Likely learning focus:<\/strong> AIOps tooling, automation, operational analytics\n   &#8211; <strong>Mode:<\/strong> Check website\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>Listed as training resource platforms\/sites. Verify specific trainer credentials and course relevance for Oracle Cloud and Compute Cloud@Customer Isolated.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>RajeshKumar.xyz<\/strong>\n   &#8211; <strong>Likely specialization:<\/strong> DevOps\/cloud coaching (verify site specifics)\n   &#8211; <strong>Suitable audience:<\/strong> Engineers seeking guided training\n   &#8211; <strong>Website URL:<\/strong> https:\/\/rajeshkumar.xyz\/<\/p>\n<\/li>\n<li>\n<p><strong>devopstrainer.in<\/strong>\n   &#8211; <strong>Likely specialization:<\/strong> DevOps tools and practices training\n   &#8211; <strong>Suitable audience:<\/strong> Beginners to intermediate DevOps learners\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.devopstrainer.in\/<\/p>\n<\/li>\n<li>\n<p><strong>devopsfreelancer.com<\/strong>\n   &#8211; <strong>Likely specialization:<\/strong> Freelance DevOps services\/training resources\n   &#8211; <strong>Suitable audience:<\/strong> Teams seeking short-term help or coaching\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.devopsfreelancer.com\/<\/p>\n<\/li>\n<li>\n<p><strong>devopssupport.in<\/strong>\n   &#8211; <strong>Likely specialization:<\/strong> DevOps support and training resources\n   &#8211; <strong>Suitable audience:<\/strong> Ops\/DevOps teams needing practical support\n   &#8211; <strong>Website URL:<\/strong> 
https:\/\/www.devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>These are listed as consulting resources. Validate offerings, scope, and references directly with each company.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>cotocus.com<\/strong>\n   &#8211; <strong>Likely service area:<\/strong> Cloud\/DevOps consulting (verify exact offerings)\n   &#8211; <strong>Where they may help:<\/strong> Delivery planning, automation, CI\/CD, operations processes\n   &#8211; <strong>Consulting use case examples:<\/strong> IaC standardization, pipeline design, operational runbooks\n   &#8211; <strong>Website URL:<\/strong> https:\/\/cotocus.com\/<\/p>\n<\/li>\n<li>\n<p><strong>DevOpsSchool.com<\/strong>\n   &#8211; <strong>Likely service area:<\/strong> DevOps consulting and training services\n   &#8211; <strong>Where they may help:<\/strong> DevOps transformation, tooling implementation, skills development\n   &#8211; <strong>Consulting use case examples:<\/strong> CI\/CD rollout, infrastructure automation, observability practices\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>DEVOPSCONSULTING.IN<\/strong>\n   &#8211; <strong>Likely service area:<\/strong> DevOps consulting services (verify exact offerings)\n   &#8211; <strong>Where they may help:<\/strong> Platform engineering guidance, automation, cloud operations\n   &#8211; <strong>Consulting use case examples:<\/strong> Deployment automation, monitoring\/logging setup, SRE practices\n   &#8211; <strong>Website URL:<\/strong> https:\/\/www.devopsconsulting.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>OCI fundamentals<\/strong>\n   &#8211; Compartments, IAM policies, networking concepts (VCN\/subnets\/security rules)<\/li>\n<li><strong>Linux administration<\/strong>\n   &#8211; SSH, systemd, package management, firewall basics<\/li>\n<li><strong>Networking<\/strong>\n   &#8211; CIDR, routing, DNS, load balancing fundamentals<\/li>\n<li><strong>Security basics<\/strong>\n   &#8211; Least privilege, segmentation, audit logging, key management<\/li>\n<li><strong>Automation<\/strong>\n   &#8211; CLI usage, Terraform basics (if allowed), configuration management basics<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Golden image pipelines<\/strong>\n   &#8211; Patching, hardening, image versioning, rollback strategy<\/li>\n<li><strong>Offline software supply chain<\/strong>\n   &#8211; Artifact signing, SBOMs, vulnerability scanning, curated repositories<\/li>\n<li><strong>Observability in isolated environments<\/strong>\n   &#8211; Local metrics\/logging stacks, alerting, retention design<\/li>\n<li><strong>Resilience engineering<\/strong>\n   &#8211; Capacity planning for finite hardware, maintenance windows, DR drills<\/li>\n<li><strong>Policy-as-code and governance<\/strong>\n   &#8211; Automated compliance checks, drift detection<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud\/Platform Engineer (Edge\/On-Prem Cloud)<\/li>\n<li>DevOps Engineer (restricted environments)<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Cloud Security Engineer \/ Security Architect<\/li>\n<li>Infrastructure Architect \/ Solutions Architect<\/li>\n<li>Operations Lead for regulated enclaves<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Oracle certifications generally focus on OCI public cloud fundamentals and architectures. Those skills often transfer conceptually to Cloud@Customer.<\/li>\n<li>Start with Oracle University OCI training and verify current certification tracks:<\/li>\n<li>https:\/\/education.oracle.com\/<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a compartment and network baseline module (Terraform if supported).<\/li>\n<li>Create a hardened golden image and a rebuild pipeline.<\/li>\n<li>Implement a local OS repository mirror and signed update workflow.<\/li>\n<li>Create a \u201cprivate-only\u201d reference architecture for a 3-tier app with strict NSG rules.<\/li>\n<li>Build an internal monitoring\/logging stack and document incident runbooks.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud@Customer:<\/strong> Oracle\u2019s portfolio for deploying Oracle Cloud infrastructure\/services in a customer-controlled location.<\/li>\n<li><strong>Compute Cloud@Customer Isolated:<\/strong> A Cloud@Customer compute offering designed for isolated\/disconnected operations (verify exact scope for your deployment).<\/li>\n<li><strong>Compartment:<\/strong> OCI governance boundary used to organize resources and apply IAM policies.<\/li>\n<li><strong>IAM Policy:<\/strong> Authorization rule describing who can do what on which resources.<\/li>\n<li><strong>VCN (Virtual Cloud Network):<\/strong> OCI virtual networking construct for isolating IP spaces and subnets (availability depends on deployment).<\/li>\n<li><strong>Subnet:<\/strong> A CIDR range within a VCN where instances are placed.<\/li>\n<li><strong>Security List \/ NSG:<\/strong> Network access control constructs to allow\/deny traffic at subnet\/instance level.<\/li>\n<li><strong>Jump Host \/ Bastion:<\/strong> Controlled host used to access private instances without exposing them publicly.<\/li>\n<li><strong>Golden Image:<\/strong> A standardized, patched, hardened base image used to launch instances consistently.<\/li>\n<li><strong>Air-gapped:<\/strong> Physically or logically isolated from external networks, especially the internet.<\/li>\n<li><strong>Management plane:<\/strong> APIs\/console used to create and manage resources.<\/li>\n<li><strong>Data plane:<\/strong> Actual workload traffic flowing between applications and users\/systems.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Compute Cloud@Customer Isolated (Oracle Cloud, Edge Cloud category) brings OCI-style compute provisioning and governance into a customer-controlled location designed for isolated or disconnected operations. 
It matters when regulatory, sovereignty, or mission constraints prevent the use of public cloud regions, but teams still need cloud-like automation, segmentation, and policy-based access control.<\/p>\n\n\n\n<p>Architecturally, it fits as a secure \u201con-prem cloud\u201d boundary: private subnets, strict ingress controls, local endpoints, and offline-first operational design (repos, patching, logging). Cost planning is contract-driven and must account for finite capacity, facility and operations overhead, and lifecycle processes unique to isolated environments. Security success depends on least-privilege IAM, micro-segmentation, hardened images, strong audit logging, and well-tested break-glass\/support procedures.<\/p>\n\n\n\n<p>If your primary requirement is strict isolation with a cloud operating model on premises, Compute Cloud@Customer Isolated is a strong candidate. Next, validate your deployment\u2019s supported service catalog and runbooks in the official documentation and perform a small pilot like the private web lab in this tutorial to confirm networking, access, and offline operations end-to-end.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Edge 
Cloud<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,62],"tags":[],"class_list":["post-901","post","type-post","status-publish","format-standard","hentry","category-edge-cloud","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=901"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/901\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}