This topic describes the features of environments that you should consider before you
create an environment. You create environments in an environment family.
Environments in an environment family share certain characteristics. Before you plan
your environment, see Planning an Environment Family.
About Environment Types
In the environment family, you can create both production and non-production environments
(test and development). Each Fusion Applications subscription allows one production
environment and one test environment. In addition, you can order non-production
development environments.
Production environment
The production environment supports your day-to-day real-time business operations by
authorized users. An environment family is allotted one production environment to
provision.
Non-production environments
Test environment
The test environment is typically used for staging before application deployment to
production and for validation of maintenance updates before the same maintenance is
applied to the production environment. An environment family is allotted one test
environment to provision.
Development (also referred to as Additional Test Environment or ATE)
Development environments are typically used as individual or collaborative development
sandboxes for developing extensions (such as reporting, pages, and interfaces) or
integrations with other applications. You must order the number of development
environments needed by your organization.
The following table summarizes characteristics of the three environment types:
Feature: values for Production, Test, and Development/ATE
Workload type
  Production: Production
  Test: Non-production
  Development/ATE: Non-production
Typical usage
  Production:
    Production workloads for business users
  Test:
    Systems integration testing
    Conversion and data migration testing
    User acceptance testing
  Development/ATE:
    Development, configuration, and unit testing
    Training, familiarization
    Low-volume user acceptance testing
Typical user
  Production: Business user
  Test: Development user
  Development/ATE: Development user
Purchase requirement
  Production: Included with the Fusion Applications purchase
  Test: 1 (and only 1) test environment is included with every Fusion Applications production environment
  Development/ATE: Purchased separately. Each ATE purchase unit equals one environment
Limit
  Production: One per environment family
  Test: One per environment family
  Development/ATE: Limit based on the number purchased
Provisioning behavior and dependencies
  Production:
    Self-service with no dependency
    Can be the first environment provisioned in a family
    Production go live is dependent on the successful provisioning of the test environment
  Test:
    Self-service with no dependency
    Can be the first environment in a family
    Required to be provisioned before a production environment goes live
    Self-service refresh supported from any source environment within the environment family (see Refreshing an Environment)
  Development/ATE:
    Self-service refresh supported from any source environment within the environment family (see Refreshing an Environment)
Integrated services
  Production: Provisioned
  Test: Some services provisioned
  Development/ATE: Some services provisioned
Termination
  Production: Self-service termination not allowed after the environment is live. To terminate, file a service request.
  Test: Self-service termination not allowed after production is live. To terminate, file a service request.
  Development/ATE: Self-service termination allowed
Choosing a Compartment
A compartment is a logical grouping of resources for controlling access to those
resources. Placing resources in compartments allows you to restrict access to as
granular a level as you require.
For example, if your tenancy has multiple environment families, you can restrict access
to each family to a different group of users by placing the families in different
compartments. You then write a policy to allow access based on the group and compartment.
If you don't specifically choose a compartment (or if your organization has not set up
multiple compartments), the environment family is created directly in the tenancy (also
called the root compartment). If your organization chooses to set up compartments later,
you can move the environment family to a different compartment.
Also, if you plan to have different administrators for your environment families and your environments, you can place each of them in different compartments to create different access policies for each. For more information about planning compartments, see Learn Best Practices for Setting Up Your Tenancy.
You have two options for when you create the compartment:
Create the compartment before you create the environment.
  If you create the compartment first, then you can create the Fusion Applications
  environment in the compartment. The benefit of this approach is that the supporting
  resources that are created with the environment, such as the Oracle Digital Assistant
  instance, are also created in the compartment. To create the environment in the
  compartment, choose it during environment creation.
Create the compartment after you create the environment.
  If you have already created the environment, it is easy to move it to another
  compartment. See To move an environment to a different compartment. You will also need
  to move the instances of the integrated applications and other related resources to the
  same compartment.
Here is the basic procedure for creating a compartment. For full details on working with
compartments, see Managing Compartments.
Open the navigation menu and select Identity & Security. Under Identity, select Compartments. The list of the compartments is displayed.
Navigate to the compartment in which you want to create the new compartment:
  To create the compartment in the tenancy (root compartment), click Create Compartment.
  Otherwise, click through the hierarchy of compartments until you reach the detail page of the compartment in which you want to create the compartment. On the Compartment Details page, click Create Compartment.
Enter the following:
  Name: A unique name for the compartment (maximum 100 characters, including letters, numbers, periods, hyphens, and underscores). The name must be unique across all the compartments in your tenancy. Avoid entering confidential information.
  Description: A friendly description. You can change this later if you want to.
  Parent Compartment: The compartment you are in is displayed. To choose another compartment to create this compartment in, select it from the list.
  Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
Click Create Compartment.
Understanding Language Packs
When you create an environment, English is installed by default. If you want to add more languages, you can select up to two
languages when you provision the environment, or you can add them later. Adding a
language pack does not impact the availability of the environment. Each language pack
installed in an environment can slightly increase update duration. After you add a
language pack, it can't be removed.
Understanding Environment Network Access Control Rules
You can set up network access control rules to limit the network traffic that is allowed
to reach an environment. The rules can be created to:
Allow only traffic from specified CIDR block ranges.
Allow only traffic from specified Oracle Cloud Infrastructure virtual cloud
networks (VCNs).
Allow only traffic from specified CIDR block ranges within specified OCI VCNs.
After you set up the rules, traffic originating outside a specified allowed source is
blocked. If you don't set up any rules for the environment, then all network traffic is
allowed to reach the environment. The network access control rules only support defining
allowed traffic. You can't set up a block list. You can set up the network access
control list when you create the environment, or you can edit it after environment creation.
You can also set up location-based access in your Fusion Applications. For more
information, see Location-Based Access.
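The allow-only behavior described above, including the case where an empty rule list admits all traffic, can be checked against a planned rule list before it is applied. This is an added example, not Oracle code: it is a simplified model of the three rule kinds listed in this section, it assumes a CIDR-only rule matches on source address alone, and the rule class, function names, addresses, and VCN identifiers are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AllowRule:
    """One allow rule: a CIDR, a VCN, or a CIDR within a VCN."""
    cidr: Optional[str] = None    # e.g. "203.0.113.0/24"
    vcn_id: Optional[str] = None  # placeholder VCN identifier

    def matches(self, source_ip, source_vcn):
        if self.cidr is None and self.vcn_id is None:
            raise ValueError("rule needs a CIDR, a VCN, or both")
        if self.vcn_id is not None and source_vcn != self.vcn_id:
            return False
        if self.cidr is not None:
            # Assumption: a CIDR-only rule matches on source address alone.
            return ipaddress.ip_address(source_ip) in ipaddress.ip_network(self.cidr)
        return True


def is_allowed(rules, source_ip, source_vcn=None):
    """Allow-list semantics: with no rules at all, all traffic is allowed."""
    if not rules:
        return True
    return any(r.matches(source_ip, source_vcn) for r in rules)


def check_plan(rules, must_allow, must_block):
    """Return the sources whose outcome differs from the intended one."""
    problems = []
    for ip, vcn in must_allow:
        if not is_allowed(rules, ip, vcn):
            problems.append(("blocked but should be allowed", ip, vcn))
    for ip, vcn in must_block:
        if is_allowed(rules, ip, vcn):
            problems.append(("allowed but should be blocked", ip, vcn))
    return problems


# Constructed sample values (documentation ranges, placeholder VCN ids).
OFFICE = ("203.0.113.10", None)
VCN_HOST = ("10.0.1.5", "vcn-placeholder-1")
STRANGER = ("198.51.100.7", None)
PLAN = [AllowRule(cidr="203.0.113.0/24"),
        AllowRule(cidr="10.0.1.0/24", vcn_id="vcn-placeholder-1")]
```

Running `check_plan` with an empty rule list reports every must-block source as allowed, which is the default-open state to catch before an environment goes live.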
Securing Network Access to a Fusion Applications Environment
Users can access Fusion Applications from the internet as long as they have valid user credentials. However, to do so you might need to update local network settings to allow traffic to the IP address ranges of the OCI region where the environment is provisioned. Along with allowing traffic to the primary OCI region, you might also need to allow-list IP address ranges of the Disaster Recovery OCI region to which your production environments will be failed over in a disaster situation. Note the following:
For information on public IP address ranges for services that are deployed in Oracle Cloud Infrastructure, see IP Address Ranges. Use the IP addresses file to find the CIDR block ranges for the environment's primary and DR regions.
Tip
The IP addresses file contains several types of CIDR IPs. You only need to add the CIDR IPs with the "OSN" tag.
After identifying the IP address ranges of the primary and DR regions, update the following on-premises configurations:
Firewall rule for egress
Network routing configuration (for example, VPN configurations)
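One way to build the egress allow-list from the IP addresses file, keeping only "OSN"-tagged CIDRs for the primary and DR regions. This is an added example, not Oracle code: the JSON key names (regions, region, cidrs, cidr, tags) are an assumption about the file layout, and the region names and addresses in the embedded sample are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample. Assumed layout: regions[].region and
# regions[].cidrs[] with "cidr" and "tags". Region names are placeholders
# and the addresses are RFC 5737 documentation ranges.
SAMPLE_IP_RANGES = json.loads("""
{"regions": [
  {"region": "example-primary-1", "cidrs": [
    {"cidr": "192.0.2.0/25", "tags": ["OCI"]},
    {"cidr": "198.51.100.0/25", "tags": ["OSN", "OBJECT_STORAGE"]},
    {"cidr": "198.51.100.128/25", "tags": ["OSN"]}]},
  {"region": "example-dr-1", "cidrs": [
    {"cidr": "203.0.113.0/26", "tags": ["OSN"]},
    {"cidr": "203.0.113.64/26", "tags": ["OCI"]}]},
  {"region": "example-other-1", "cidrs": [
    {"cidr": "192.0.2.128/25", "tags": ["OSN"]}]}
]}
""")


def osn_egress_cidrs(ip_ranges, primary_region, dr_region):
    """Return collapsed OSN-tagged CIDRs for the primary and DR regions."""
    wanted = {primary_region, dr_region}
    found, nets = set(), []
    for region in ip_ranges.get("regions", []):
        if region.get("region") not in wanted:
            continue
        found.add(region["region"])
        for entry in region.get("cidrs", []):
            if "OSN" in entry.get("tags", []):
                # strict=True rejects a CIDR that has host bits set
                nets.append(ipaddress.ip_network(entry["cidr"], strict=True))
    missing = wanted - found
    if missing:
        # Catch a mistyped DR region now rather than during a failover.
        raise ValueError(f"region(s) not in file: {sorted(missing)}")
    collapsed = []
    for version in (4, 6):  # collapse_addresses needs one IP version per call
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in collapsed]


if __name__ == "__main__":
    for cidr in osn_egress_cidrs(SAMPLE_IP_RANGES, "example-primary-1", "example-dr-1"):
        print(cidr)
```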
Also, if you have set up your Fusion Applications for outbound integration with other services (for example, transmitting files and reports to external destinations, and external integrations such as Oracle Integration Cloud), you might need to perform the following network configurations:
Update Allow-lists for Transferring Files and External Integrations:
If the destination network or server of your external integration uses IP allow-listing to restrict access to trusted sources only, you must update the settings on the destination server to allow Oracle's DR region gateway IPs so that the destination continues to receive these transmissions. Common application flows where you might have Oracle IP allow-listing include:
If you're transmitting files to external destinations in any of the above scenarios, you must also verify the port settings for these transmissions. Ensure that the ports are within this list: 22, 80, 443, 631, 993.
To further control access to your environment, Fusion Applications supports the following options. These use cases are not mutually exclusive and can be used together:
Access Control List (ACL): Allow access to your environment only from selected public IPs (CIDRs) or virtual cloud networks (VCNs) using an Access Control List (ACL). You can set up the network access control rules at the time you create the environment or you can edit them later.
Access privately from on-premises networks: Allow access to your environment from your on-premises network without going through the internet. This option requires setting up a secure VPN connection between your on-premises network and a VCN in your tenancy. For more information, see Securely Accessing Fusion Applications.
Location Based Access Control (LBAC): Allow users access to tasks and data based on their roles and computer IP addresses. This option is configured on your running application. For details, see Overview of Location-Based Access.