OCI Best Practices

NEVER Do This

NEVER create a VCN with /24 or smaller CIDR — subnets cannot be resized later

# WRONG - only 256 IPs, exhausted quickly
oci network vcn create --compartment-id <compartment-ocid> --cidr-block "10.0.0.0/24" --display-name "app-vcn"

# RIGHT - start with /16 (65,536 IPs, room for 256 /24 subnets)
oci network vcn create --compartment-id <compartment-ocid> --cidr-block "10.0.0.0/16" --display-name "app-vcn"
# OCI accepts VCN CIDRs from /16 (largest) down to /30 (smallest)

Migration cost: a VCN can later be given additional CIDR blocks, but an existing subnet cannot be resized, so outgrowing a small block still means new subnets, re-IPed instances, and updated route tables and security rules. Pick a block that does not overlap any on-prem or peered range you will ever connect through a DRG; that overlap is not fixable without re-addressing.
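Added example (not part of the original skill): a small standard-library Python planner that encodes the rules above. The VCN CIDR, tier names and the reserved on-prem range are constructed inputs, not values from any real tenancy; the /16–/30 bound is the one stated above.

```python
import ipaddress

# VCN CIDR bounds OCI accepts (from the note above): /16 largest, /30 smallest.
VCN_LARGEST_PREFIX = 16
VCN_SMALLEST_PREFIX = 30


def validate_vcn_cidr(cidr):
    """Return the VCN network, or raise if OCI would reject the block."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not (VCN_LARGEST_PREFIX <= net.prefixlen <= VCN_SMALLEST_PREFIX):
        raise ValueError(f"{cidr}: OCI VCN CIDR must be between /16 and /30")
    return net


def plan_subnets(vcn_cidr, tiers, subnet_prefix=24, reserved=()):
    """Carve one regional subnet per tier out of the VCN.

    reserved: CIDRs the VCN must never overlap (on-prem ranges behind a DRG,
    peered VCNs). The overlap is caught here, at planning time, rather than
    when the DRG attachment fails and the VCN is already populated.
    """
    vcn = validate_vcn_cidr(vcn_cidr)
    for r in reserved:
        if vcn.overlaps(ipaddress.ip_network(r)):
            raise ValueError(f"VCN {vcn} overlaps reserved range {r}")
    if subnet_prefix < vcn.prefixlen:
        raise ValueError(f"/{subnet_prefix} subnets do not fit in a /{vcn.prefixlen} VCN")
    candidates = vcn.subnets(new_prefix=subnet_prefix)
    plan = {}
    for tier in tiers:
        block = next(candidates, None)
        if block is None:
            # This is the /24-VCN failure mode: the second tier already has no room.
            raise ValueError(f"{vcn} exhausted: no /{subnet_prefix} left for tier '{tier}'")
        plan[tier] = str(block)
    return plan


def free_subnets(vcn_cidr, used, subnet_prefix=24):
    """Growth headroom: how many /subnet_prefix blocks are still unallocated."""
    vcn = validate_vcn_cidr(vcn_cidr)
    return 2 ** (subnet_prefix - vcn.prefixlen) - len(list(used))


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["web", "app", "db"], reserved=["192.168.0.0/16"])
    print(plan, "free /24s:", free_subnets("10.0.0.0/16", plan.values()))
```

Run it with a /24 VCN and two tiers and it fails on the second tier, which is the exhaustion the note above warns about; with a /16 it returns three /24s and 253 spare.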

NEVER use AD-specific subnets (legacy pattern, breaks multi-AD HA)

# WRONG - subnet pinned to a single AD
oci network subnet create --compartment-id <compartment-ocid> --vcn-id <vcn-ocid> --cidr-block "10.0.1.0/24" --availability-domain "<ad-name>"
# Instances in this subnet can only be launched in that AD; no cross-AD HA

# RIGHT - omit --availability-domain to get a regional subnet
oci network subnet create --compartment-id <compartment-ocid> --vcn-id <vcn-ocid> --cidr-block "10.0.1.0/24"
# Instances in this subnet can be placed in any AD in the region

Older OCI guides still show AD-specific subnets. They still work, but Oracle recommends regional subnets for new VCNs; treat the AD-specific form as legacy.

NEVER hardcode AD names — they are tenancy-specific, not portable

# WRONG - only works in YOUR tenancy
availability_domain = "fMgC:US-ASHBURN-AD-1"
# Another tenancy sees a different prefix (e.g. "xYzA:US-ASHBURN-AD-1"), and its
# "AD-1" is not guaranteed to be the same physical AD as yours

# RIGHT - query dynamically and index into the result
data "oci_identity_availability_domains" "ads" {
  compartment_id = var.tenancy_ocid
}

resource "oci_core_instance" "web" {
  availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name
  # ... remaining instance arguments
}
# OCI assigns each tenancy its own AD name prefix and AD-to-hardware mapping

NEVER enable Cloud Guard auto-remediation without testing first

Detector: "Public bucket detected"
Auto-remediation: makes the bucket private → a bucket that is intentionally public (static website, public artifact repository) breaks immediately

Detector: "Security list allows 0.0.0.0/0"
Auto-remediation: removes the rule → inbound access that the rule fronted (public load balancer, bastion path) breaks

Safe approach:
1. Enable detector recipes with responders set to ask before executing, not to execute automatically
2. Review findings for 1-2 weeks
3. Tune detector and responder conditions (conditional groups, target scope) to remove false positives
4. Switch individual responders to automatic execution only for patterns you have verified

Cloud Guard is enabled by default in some tenancies; check with `oci cloud-guard configuration get --compartment-id <tenancy-ocid>` before assuming it is inactive.

NEVER deploy all resources in a single AD of a multi-AD region

Single-AD in a 3-AD region: outside the scope of the compute availability SLA
Spread across ADs:          99.95% availability SLA target

Correct pattern:
AD-1, AD-2, AD-3: web instances (distribute evenly)
Load Balancer:    regional resource, automatically multi-AD
Database:         Autonomous Database (regional; Oracle manages placement) or a DB system whose RAC nodes sit in separate fault domains within one AD, with a Data Guard standby in another AD for cross-AD failover

OCI vs AWS/Azure Terminology

| OCI Term | AWS | Azure |
| --- | --- | --- |
| VCN | VPC | Virtual Network |
| Security List (subnet-level; stateful or stateless rules) | Network ACL (subnet-level, stateless only) | NSG applied to a subnet |
| NSG (VNIC-level; stateful or stateless rules) | Security Group | NSG applied to a NIC / Application Security Group |
| DRG | Transit Gateway / Virtual Private Gateway | Virtual WAN hub / VPN Gateway |
| Compartment | Organizational Unit (loosely, Resource Group) | Resource Group |
| Tenancy | Account | Subscription |
| Availability Domain | Availability Zone | Availability Zone |
| Fault Domain (within an AD) | no direct equivalent; spread placement group is closest | Availability Set (fault domains within it) |
| Dynamic Group | IAM Role assumed by EC2 | Managed Identity |
| Instance Principal | EC2 Instance Profile | Managed Identity |
| OCIR | ECR | Container Registry |
| OKE | EKS | AKS |

Critical difference: OCI has BOTH security lists (subnet scope) AND NSGs (VNIC scope), and they are combined as a union: a packet is admitted if any rule in the subnet's security lists or in the VNIC's NSGs allows it. There is no deny rule, so an NSG cannot narrow what a security list already opens. Teams coming from AWS expect the security-group-only model (plus stateless NACLs) and commonly leave the VCN's Default Security List, including its 0.0.0.0/0 port 22 rule, attached to every subnet, which silently defeats a bastion-only NSG. Keep security lists minimal (ideally no ingress rules) and put per-workload rules in NSGs.
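Added example (not part of the original skill): a Python evaluator of the union semantics described above. The rule sets are constructed, including a simplified copy of what a new VCN's Default Security List ships with; ICMP type/code and port ranges are not modelled. It shows the leaky combination (default security list + bastion-only NSG) beside the hardened one (security list with no ingress rules, NSG decides alone).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One stateful ingress allow rule, reduced to what evaluation needs.
    Constructed simplification: no ICMP type/code, no port ranges."""
    protocol: str               # "tcp", "udp", "icmp" or "all"
    source: str                 # source CIDR
    port: Optional[int] = None  # destination port; None = any / not applicable

    def matches(self, src_ip, protocol, dst_port):
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        return self.port is None or self.port == dst_port


def ingress_allowed(security_lists, nsgs, src_ip, protocol, dst_port):
    """OCI evaluates the subnet's security lists and the VNIC's NSGs as a
    union: the packet is admitted if ANY rule in ANY of them allows it.
    There is no deny rule, so an NSG cannot tighten what a security list opens."""
    for rule_set in [*security_lists, *nsgs]:
        if any(r.matches(src_ip, protocol, dst_port) for r in rule_set):
            return True
    return False


# Constructed: the ingress rules a new VCN's Default Security List ships with.
DEFAULT_SECURITY_LIST = [
    Rule("tcp", "0.0.0.0/0", 22),   # SSH from anywhere
    Rule("icmp", "0.0.0.0/0"),      # ICMP type 3 code 4 (path MTU discovery)
    Rule("icmp", "10.0.0.0/16"),    # ICMP type 3 from inside the VCN
]

# Constructed: a security list with no ingress rules, so the NSGs decide alone.
EMPTY_SECURITY_LIST = []

# Constructed NSG intended to restrict SSH to a bastion subnet.
BASTION_ONLY_NSG = [Rule("tcp", "10.0.200.0/24", 22)]


def check_ssh_exposure(security_list):
    """Can an internet host reach port 22 on a VNIC in a subnet using
    `security_list`, when the VNIC has only BASTION_ONLY_NSG attached?"""
    return ingress_allowed([security_list], [BASTION_ONLY_NSG],
                           "203.0.113.10", "tcp", 22)


if __name__ == "__main__":
    print("default security list + bastion NSG exposes SSH:",
          check_ssh_exposure(DEFAULT_SECURITY_LIST))   # True: the union leaks
    print("empty security list + bastion NSG exposes SSH:",
          check_ssh_exposure(EMPTY_SECURITY_LIST))     # False: NSG alone decides
```

The same evaluator run against your real rule sets (exported with `oci network security-list list` and `oci network nsg rules list`) is a quick way to find subnets where the default list is still doing the opening.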

Always-Free Tier (Exact Limits)

Compute

  • 2 AMD VMs: VM.Standard.E2.1.Micro (1/8 OCPU, 1 GB RAM)
  • Arm: 4 OCPUs total, 24 GB RAM — VM.Standard.A1.Flex only (A2 is paid)
    • Example: 4× 1OCPU/6GB instances, free forever

Database

  • 2 Autonomous Databases: 1 OCPU, 20 GB each — ATP or ADW
  • Limit is tenancy-wide (not per region): 1 ATP Phoenix + 1 ADW Ashburn = limit reached
  • Stopped ADB still counts toward the 2-ADB limit — must DELETE to free slot

Storage / Networking

  • 200 GB block volumes, 10 GB Object Storage, 10 GB Archive
  • 1 flexible Load Balancer (10 Mbps), 1 reserved public IP per region

Free tier vs trial: Free tier is permanent; trial is $300 credit for 30 days. These are separate.

Compartment Hierarchy

Root (tenancy)
├─ SharedServices
│  ├─ Network  (VCNs, DRGs)
│  └─ Security (Vault, KMS, Cloud Guard)
├─ Production
│  ├─ App1 (Compute / Database / Storage)
│  └─ App2
├─ NonProduction
│  ├─ Development
│  ├─ Testing
│  └─ Staging
└─ Sandbox (auto-cleanup policies)

Key OCI-specific properties: IAM policies attached to a compartment apply to everything beneath it in the tree, so a policy on NonProduction covers Development, Testing and Staging without per-account or per-subscription sprawl, and that is how least privilege is scoped. A compartment cannot be deleted while it still contains resources, so Sandbox lifecycle management has to remove the resources first (for example a scheduled job that deletes everything carrying an expiry tag); only the emptied compartment can then be deleted.

Multi-AD and Fault Domain Patterns

OCI commercial regions with 3 ADs: US-Ashburn, US-Phoenix, UK-London, DE-Frankfurt. Most other regions, including AU-Sydney and AU-Melbourne, are single-AD and rely on fault domains for in-region resilience; confirm for your region with `oci iam availability-domain list --compartment-id <tenancy-ocid>`.

Gotcha: some shapes are offered only in specific ADs — check every AD before deciding how to distribute (use an AD name returned by the identity API, not a hardcoded one):

oci compute shape list --compartment-id <compartment-ocid> --availability-domain "<ad-name>"

Fault Domains (3 per AD, isolated hardware within one AD): available at no extra cost and the only spread mechanism in single-AD regions. Spread across ADs first; within each AD, pin replicas to different FDs so that two copies never share hardware (if you omit the fault domain, OCI distributes instances across FDs on a best-effort basis only).
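Added example (not part of the original skill) covering the placement pattern above and the shape-availability gotcha: a Python placer that spreads a fleet round-robin across the ADs that actually offer the shape, then across the three fault domains inside each AD. The AD names, shape names and the per-AD shape catalogue are constructed stand-ins for the output of `oci iam availability-domain list` and `oci compute shape list`; the `require_multi_ad` guard encodes the single-AD SLA point above.

```python
from collections import Counter
from itertools import cycle

# Fault domain names are fixed; every AD has exactly these three.
FAULT_DOMAINS = ("FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3")


def place_instances(n, ads, shape, shapes_by_ad, require_multi_ad=True):
    """Return (placements, skipped_ads).

    ads:          AD names exactly as the identity API returns them, so the
                  tenancy-specific prefix is never typed by hand.
    shapes_by_ad: {ad_name: set of shape names offered there}; constructed
                  stand-in for running `oci compute shape list` per AD.
    Instances go round-robin over the ADs that offer the shape and, within
    each AD, round-robin over its fault domains, so losing one AD or one FD
    takes out the smallest possible share of the fleet.
    """
    eligible = [ad for ad in ads if shape in shapes_by_ad.get(ad, set())]
    skipped = [ad for ad in ads if ad not in eligible]
    if not eligible:
        raise ValueError(f"{shape} is not offered in any AD of this region")
    if require_multi_ad and len(eligible) < 2:
        # A single-AD fleet in a multi-AD region is outside the SLA scope;
        # refuse rather than silently collapse everything onto one AD.
        raise ValueError(f"{shape} is offered only in {eligible}; cannot spread across ADs")

    ad_cycle = cycle(eligible)
    fd_cycles = {ad: cycle(FAULT_DOMAINS) for ad in eligible}
    placements = []
    for i in range(n):
        ad = next(ad_cycle)
        placements.append({
            "display_name": f"web-{i}",
            "availability_domain": ad,
            "fault_domain": next(fd_cycles[ad]),
        })
    return placements, skipped


def spread(placements, key):
    """Count instances per AD, or per (AD, FD) pair, to verify the distribution."""
    if key == "fault_domain":
        return dict(Counter((p["availability_domain"], p["fault_domain"]) for p in placements))
    return dict(Counter(p[key] for p in placements))


if __name__ == "__main__":
    # Constructed catalogue: the E4 shape is missing from AD-3.
    ads = ["fMgC:US-ASHBURN-AD-1", "fMgC:US-ASHBURN-AD-2", "fMgC:US-ASHBURN-AD-3"]
    offered = {ads[0]: {"VM.Standard.E4.Flex", "VM.Standard.A1.Flex"},
               ads[1]: {"VM.Standard.E4.Flex"},
               ads[2]: {"VM.Standard.A1.Flex"}}
    placements, skipped = place_instances(6, ads, "VM.Standard.E4.Flex", offered)
    print("skipped (shape unavailable):", skipped)
    print(spread(placements, "availability_domain"))
    print(spread(placements, "fault_domain"))
```

Feed `placements` into your Terraform `for_each` or a launch loop; the `skipped` list is the thing to alert on, because a fleet quietly landing in two ADs instead of three is easy to miss.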

Cost: Flex Shapes and Storage Tiering

Flex shapes (OCI-unique): Decouple OCPU and RAM billing.

  • Fixed shape VM.Standard2.4: 4 OCPUs, 60 GB RAM, $218/month
  • Flex VM.Standard.E4.Flex: 4 OCPUs, 16 GB RAM, $109/month (50% savings)
  • Arm VM.Standard.A1.Flex: $0.01/OCPU-hr vs AMD $0.03/OCPU-hr (67% cheaper)

Object Storage tiering (list prices):

| Tier | Cost/GB/month | Retrieval |
| --- | --- | --- |
| Standard | $0.0255 | free, instant |
| Infrequent Access | $0.0125 | $0.01/GB, instant |
| Archive | $0.0024 | $0.01/GB, restore takes about an hour |

Worked example, 1 TB (1,000 GB) kept for 12 months under a lifecycle policy of 30 days in Standard, then 60 days in Infrequent Access, then Archive: 1 month × $25.50 + 2 months × $12.50 + 9 months × $2.40 = $72/year, versus 12 × $25.50 = $306/year left in Standard (76% saving), before any retrieval charges. Infrequent Access and Archive carry minimum-retention charges, so the saving only materialises for data that is genuinely cold; data you restore often belongs in Standard.

Security Zones (OCI-Unique Enforcement)

Security Zones enforce policies at the API level: a request that would violate a zone policy is rejected, not merely flagged. With the maximum-security recipe this means, among other rules:

  • All storage encrypted
  • No public buckets
  • No internet gateways
  • Databases private-endpoint only

# This fails if the target compartment is in a Security Zone
oci os bucket create --compartment-id <compartment-ocid> --name public-assets --public-access-type ObjectRead
# → HTTP 400, error names the violated Security Zone policy

Test Security Zone policies in dev before applying them to production: they reject any automation (Terraform, CI pipelines, scripts) that still creates internet gateways or public buckets, and a rejection in the middle of an apply leaves a partially built stack to clean up.

Reference Files

Load references/oci-well-architected-checklist.md when you need:

  • CIS OCI Foundations Benchmark audit checklist
  • Automated security scanning scripts
  • Remediation scripts for common findings
  • Drift detection monitoring setup
First seen: Mar 20, 2026