Checklist for OCI
Having a well-structured checklist for OCI is the single most important step you can take to ensure consistency, reduce errors, and save countless hours of repeated effort. Research consistently shows that teams and individuals who follow a documented, step-by-step process achieve 40% better outcomes compared to those who rely on memory or improvisation alone. Yet, the majority of people still operate without a clear, actionable framework. This comprehensive Checklist for OCI template bridges that gap, giving you a battle-tested, ready-to-use guide that covers every critical step from start to finish, so nothing falls through the cracks.
Complete SOP & Checklist
Standard Operating Procedure: Oracle Cloud Infrastructure (OCI) Deployment & Management
This Standard Operating Procedure (SOP) outlines the mandatory protocols for provisioning, configuring, and maintaining environments within Oracle Cloud Infrastructure (OCI). Adherence to this procedure ensures high availability, security compliance, and cost optimization across all production and development tenancies. This document serves as the primary reference for cloud engineers and operations managers tasked with managing OCI resources.
1. Pre-Deployment Configuration
Before provisioning any infrastructure, ensure the following foundational elements are established to maintain governance and network integrity.
- Compartment Hierarchy: Verify that resources are assigned to the correct compartment (e.g., /Production/Application_X) to support cost tracking and IAM policy scoping.
- VCN/Subnet Strategy: Validate the Virtual Cloud Network (VCN) CIDR blocks to avoid overlap. Ensure public subnets are strictly reserved for load balancers and NAT gateways.
- Tagging Compliance: Apply mandatory cost-center tags and environment-type tags (e.g., Env: Prod, Project: Alpha) to all new resources.
- Service Limits: Check OCI Service Limits in the console to ensure current tenancy quotas allow for the planned deployment.
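The VCN/subnet validation step can be run against the planned address ranges before anything is provisioned. The following is an added example, not part of the original SOP; the VCN names, subnet names and CIDR ranges are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan; names and ranges are illustrative only.
PLANNED_VCNS = {
    "vcn-prod": "10.0.0.0/16",
    "vcn-dev": "10.1.0.0/16",
    "vcn-shared": "10.0.128.0/20",   # falls inside vcn-prod
}
PROD_SUBNETS = {
    "lb-public": "10.0.0.0/24",
    "app": "10.0.1.0/24",
    "db": "10.0.1.128/25",           # falls inside app
    "stray": "10.2.0.0/24",          # not part of the VCN range
    "typo": "10.0.2.5/24",           # host bits set
}

def find_vcn_overlaps(vcns):
    """Return sorted (name_a, name_b) pairs of VCNs whose CIDRs overlap."""
    nets = sorted((n, ipaddress.ip_network(c)) for n, c in vcns.items())
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2)
            if na.overlaps(nb)]

def subnet_problems(vcn_cidr, subnets):
    """Return problem strings for the subnets planned inside one VCN."""
    vcn = ipaddress.ip_network(vcn_cidr)
    problems, valid = [], []
    for name, cidr in sorted(subnets.items()):
        try:
            # Strict parsing rejects host bits such as 10.0.2.5/24.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: invalid CIDR {cidr}")
            continue
        if net.version != vcn.version or not net.subnet_of(vcn):
            problems.append(f"{name}: {cidr} is outside VCN {vcn_cidr}")
        valid.append((name, net))
    for (a, na), (b, nb) in combinations(valid, 2):
        if na.overlaps(nb):
            problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    print(find_vcn_overlaps(PLANNED_VCNS))
    print(subnet_problems(PLANNED_VCNS["vcn-prod"], PROD_SUBNETS))
```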
2. Security and IAM Implementation
Security is the primary pillar of OCI operations. Never deploy resources with default settings.
- IAM Policies: Enforce the Principle of Least Privilege. Use Dynamic Groups for compute instances rather than long-lived API keys.
- Security Lists/NSGs: Utilize Network Security Groups (NSGs) for granular, resource-level traffic control. Restrict SSH (Port 22) and RDP (Port 3389) access to VPN/Bastion IP ranges.
- Encryption: Ensure all Object Storage buckets are private by default and use Customer Managed Keys (CMK) via the OCI Vault service for disk and bucket encryption.
- MFA Enforcement: Verify that Multi-Factor Authentication is enabled for all IAM users with console access.
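One way to check the SSH/RDP restriction is to audit exported NSG rules against the approved VPN/Bastion ranges. This is an added example, not part of the original SOP: the rule ids, sources and allowed ranges are constructed, and the kebab-case field names are an assumption based on the JSON the OCI CLI prints for NSG rules, so confirm them against your own export.

```python
import ipaddress

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}
# Assumed VPN and bastion ranges (constructed values, replace with your own).
ALLOWED = [ipaddress.ip_network(c) for c in ("10.10.0.0/24", "10.0.0.16/28")]

def tcp(rule_id, source, lo, hi):
    """Build one constructed ingress rule with the assumed CLI field names."""
    return {"id": rule_id, "direction": "INGRESS", "protocol": "6",
            "source": source, "source-type": "CIDR_BLOCK",
            "tcp-options": {"destination-port-range": {"min": lo, "max": hi}}}

# Constructed sample rules, not taken from a real tenancy.
SAMPLE_RULES = [
    tcp("A1", "0.0.0.0/0", 22, 22),            # SSH open to the internet
    tcp("B2", "10.10.0.0/24", 22, 22),         # SSH from the VPN range
    tcp("C3", "203.0.113.0/24", 3000, 4000),   # wide range that includes 3389
    {"id": "D4", "direction": "INGRESS", "protocol": "all",
     "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "tcp-options": None},
    {"id": "E5", "direction": "EGRESS", "protocol": "6",
     "destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK"},
    tcp("F6", "10.0.0.17/32", 22, 22),         # single bastion host
]

def covers(rule, port):
    """True if the rule's protocol and destination port range include port."""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != "6":                # "6" is TCP
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    return rng is None or rng["min"] <= port <= rng["max"]

def source_allowed(source):
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED)

def audit(rules):
    """Return (rule id, service, source) for each exposed admin port."""
    findings = []
    for rule in rules:
        # Only CIDR-sourced ingress is judged; NSG-sourced rules need review.
        if rule["direction"] != "INGRESS" or rule.get("source-type") != "CIDR_BLOCK":
            continue
        if source_allowed(rule["source"]):
            continue
        findings += [(rule["id"], name, rule["source"])
                     for port, name in sorted(SENSITIVE_PORTS.items())
                     if covers(rule, port)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Rules that cover port 22 or 3389 only through a wide port range or an "all" protocol entry are reported as well, since they expose the same services.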
3. Deployment and Compute Provisioning
Follow these steps to ensure system stability during the lifecycle of an instance.
- Image Selection: Use the latest hardened OCI-provided images or verified custom images from the Image Catalog.
- Shape Selection: Choose the appropriate OCI shape based on workload performance requirements. Enable "Flexible" shapes for optimal resource scaling.
- Boot Volume Configuration: Enable "Performance-Based" boot volumes if the application requires high IOPS.
- Backups: Enable Automatic Boot Volume Backups and configure the Backup Policy (Bronze/Silver/Gold) based on RPO/RTO requirements.
4. Monitoring and Operational Maintenance
Post-deployment, the focus shifts to observability and health tracking.
- Alarms: Configure OCI Monitoring alarms for CPU utilization (>80%), memory pressure, and status checks.
- Logging: Enable Service Logs and Audit Logs. Stream logs to an OCI Logging bucket for long-term retention.
- Patching: Establish a schedule for OS-level patching using the OCI OS Management Service (OSMS).
- Drift Detection: Utilize OCI Resource Manager to maintain "Infrastructure as Code" (Terraform) and perform drift detection periodically.
Pro Tips & Pitfalls
- Pro Tip: Use OCI Cloud Shell for quick CLI interactions; it comes pre-authenticated and pre-configured with the OCI CLI.
- Pro Tip: Always utilize Terraform/OpenTofu. Manual console clicks (Click-Ops) lead to configuration drift and are difficult to replicate during disaster recovery.
- Pitfall: Do not store secrets or passwords in user_data scripts. Use OCI Vault/Secrets Management to inject credentials securely.
- Pitfall: Forgetting to terminate unused "Always Free" resources can lead to unexpected billing if you exceed the tier limits or migrate to paid shapes.
Frequently Asked Questions (FAQ)
Q: How do I handle cross-region replication for my OCI Object Storage? A: Use the OCI Object Storage Replication policy feature. You must configure the source and destination buckets and create a replication policy that defines the synchronization direction.
Q: What is the best way to troubleshoot connectivity issues between VCNs? A: Utilize the OCI "Network Path Analyzer" tool. It provides a visual trace of the packet flow and identifies which Security List or NSG is blocking the traffic.
Q: Can I increase my service limits automatically? A: No, service limits must be requested via the "Service Limits, Quotas, and Usage" section in the OCI Console. For production environments, it is recommended to request limit increases at least 72 hours prior to a large-scale deployment.