Understand Your Deployment Architecture Options

When initially provisioned, all instances of Oracle Content and Experience are deployed on Oracle Cloud Infrastructure. This architecture is a high-availability topology across multiple availability domains within a single geographic region. It uses Oracle Container Engine for Kubernetes (OKE) with its elastically scalable Kubernetes clusters across these availability domains.

  • Availability Domains—An availability domain is one or more data centers located within a region. Availability domains are isolated from each other, fault tolerant, and unlikely to fail simultaneously. Because availability domains don’t share physical infrastructure, such as power or cooling, or the internal availability domain network, a failure that impacts one availability domain is unlikely to impact others. Availability domains in a region are connected to each other by a low-latency, high-bandwidth network. This predictable, encrypted interconnection between availability domains provides the building blocks for both high availability and disaster recovery.
  • Fault Domains—A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain contains three fault domains. Fault domains let you distribute your instances so that they are not on the same physical hardware within a single availability domain. As a result, hardware failures or maintenance events that affect one fault domain do not affect instances in other fault domains. You can optionally specify the fault domain for a new instance at launch time, or you can let the system select one for you.

In a default deployment, OKE automatically creates multiple clusters (or nodes) across availability domains. All sites and assets are synchronized to each availability domain. If one availability domain goes down, OKE automatically directs all incoming traffic to the operational availability domains. That way end users won't notice a service outage while the failed availability domain is restored.
Example of high-availability architecture

Beyond High Availability

While a high-availability service is designed to deliver a high degree of uptime and accessibility, many customers have additional needs that can be met with different architectures. These additional architectures, while still benefiting from the high availability provided out-of-the-box by Oracle Cloud Infrastructure and OKE, can be built to support development processes or multi-region failover, or can be enhanced with private high-performance connections. To find the architecture that's right for your needs, you'll need to determine your organization's development process needs, your acceptable recovery time objectives (RTO), and your recovery point objectives (RPO).

  • Recovery Time Objective (RTO)—The RTO is the target time that is required to restore your application functionality after a disaster happens. The goal is to measure how quickly you must recover from a disaster. Typically, the more critical the applications, the lower the RTO.
  • Recovery Point Objective (RPO)—The RPO is the acceptable timeframe of lost data that your applications can tolerate. RPO is about how much data your applications can afford to lose in a disaster scenario.

Development Process

This refers to the process your organization uses to build and deploy new functionality and content for Oracle Content and Experience. It can include multiple environments that new functionality and content must go through before being approved for higher-level environments and production. A common setup would include environments for development, testing, staging, and, finally, production. Your organization's needs may vary.

Customers who want to utilize multiple instances to support their development processes should provision their additional instances as described in this document but do not need to provision a web application firewall (WAF) in front of them as they will be accessed directly. After you develop content in one of your instances, you can use the command-line interface (CLI) of the OCE Toolkit to propagate that content from instance to instance on your Oracle Content and Experience servers.

To propagate changes, you can use OCE Toolkit commands to create sites and manage their life cycles on development, test, and production servers. You can make changes to sites in a development environment and propagate those changes to test and production environments. You can also incorporate this set of command-line utilities into your scripting environments to manage your deployments. With the CLI utilities, you can roll out new items, such as assets and components, as well as updates of existing content. For more information, see Propagate Changes from Test to Production with OCE Toolkit.

Private Instance Using Oracle Cloud Infrastructure FastConnect

If you want to create a private instance that can be viewed only within your intranet, you need to set up Oracle Cloud Infrastructure FastConnect and perform some additional prerequisite steps. FastConnect provides a dedicated private connection with higher bandwidth and a more reliable and consistent networking experience when compared to internet-based connections. For more information, see Create a Private Instance Using Oracle Cloud Infrastructure FastConnect.

Implement a Backup Region

If your organization wants to use a backup region, you do so by configuring a web application firewall (WAF) and replicating your content to the backup.

Your backup can be in the same geographic region as your primary instance or in a different region. Creating your backup in a different region provides more protection against loss of data or availability.

Here's an example of what the architecture looks like:

Example of WAF setup

Creating a backup can take quite a bit of time, especially if you have a lot of sites and assets, so we suggest you back up during off hours. Depending on the amount of content changes made in your instance, you should determine if backups should be made daily or as infrequently as once a week.

When implementing a backup region, you use the Oracle Cloud Infrastructure Web Application Firewall service to direct traffic to your primary (active) instance, and in the event of a failure, you switch it to point to your standby instance.

Note

When you create your backup instance, you must mark it as non-primary so you don’t pay for duplicated assets. Primary and non-primary instances are billed at different rates.

After creating your primary instance, perform the following steps to implement your backup region:

  1. Create a new Oracle Content and Experience instance, making sure to mark the instance as non-primary.

    If you want your backup to be in a different region from your primary instance, create it in a secondary region.

  2. Configure a web application firewall (WAF) using the Oracle Cloud Infrastructure Web Application Firewall service.
  3. Use the OCE Toolkit to transfer all your sites and assets from your primary instance to your backup instance.
  4. Test that your data will be replicated correctly. Make a few changes (fewer than five) in the primary instance, including changes to each object type, then use the OCE Toolkit to back up your data again, and confirm the changes are accurately reflected in the backup instance.
  5. Sync any users who may need access to the backup instance in the event the primary instance is unavailable. For example, at a minimum, you'll need your administrators synced.
  6. Test that your system behaves as expected when the primary region fails:
    1. Disable the primary instance.
    2. Switch the WAF origin by updating the WAF policy so that traffic is pointed at the backup instance.
    3. When the WAF policy change has propagated, confirm that all user experiences behave as expected on the backup instance.
  7. Re-enable the primary instance, updating the WAF policy so that it is again pointing to the primary instance, and confirm that the primary instance behaves as expected when it takes over its original responsibilities for content management and end-user delivery.

Configure a Web Application Firewall

There are several steps involved with configuring and enabling a web application firewall (WAF) to implement a backup region:

  1. Create a WAF policy.
  2. Upload your SSL certificate and key.
  3. Update your DNS and WTSS settings.
  4. Configure WAF on your instances.

If you need to switch from your primary to your secondary instance, you can do so by updating your WAF policy.

Create a WAF Policy

To configure a WAF policy, perform the following steps:

  1. Sign in to Oracle Cloud as the cloud account administrator. You can find your account name and login information in your welcome email.
  2. In the Infrastructure Console, click the Navigation menu icon on the top left to open the navigation menu, click Security, and then click WAF Policies. You might need to use the scroll bar on the left to scroll down to see the menu option.
  3. Click Create WAF Policy.
  4. Enter the following details to create the WAF policy:
    • Policy Name: Provide a unique name for the policy (for example, cross_site_WAF). Avoid entering confidential information.
    • Primary Domain: Enter the fully qualified domain name of your application (for example, oce.example.com). This is the URL your users will use to access your application, which will then point to either the primary or secondary Oracle Content and Experience instance.
    • Additional Domains: Optionally, enter any subdomains where the policy should be applied.
  5. Click Save.

    When you save the policy, you'll see a message with the CNAME value, a hyphenated version of your primary domain within the OCI domain (for example, oce-example-com.o.waas.oci.oraclecloud.net). Take a note of this name, as you'll need it later to update the CNAME in your domain's DNS configuration.

  6. Open the WAF policy you created, click Origin Management, and then click Add Origin.
  7. Enter the following details, and then click Save Origin to create the primary origin:
    • Origin Name: Provide a unique name for the primary origin (for example, primary_salesdocuments1).
    • URI: Enter the public-facing endpoint (the URI) of your primary instance (for example, salesdocuments1-myaccount.cec.ocp.oraclecloud.com).
    • Select Set as WAF Origin?
    • HTTPS Port: Enter the port used for secure HTTP connections to your primary instance. The default port is 443.
    • HTTP Port: Enter the HTTP port your primary instance listens on. The default port is 80.
  8. Click Add Origin, enter the following details, and then click Save Origin to create the secondary origin:
    • Origin Name: Provide a unique name for the secondary origin (for example, secondary_salesdocuments1).
    • URI: Enter the public-facing endpoint (the URI) of your secondary instance (for example, salesdocuments2-myaccount.cec.ocp.oraclecloud.com).
    • Do not select Set as WAF Origin?
    • HTTPS Port: Enter the port used for secure HTTP connections to your secondary instance. The default port is 443.
    • HTTP Port: Enter the HTTP port the secondary instance listens on. The default port is 80.

Upload Your SSL Certificate and Key

To upload your SSL certificate and key, perform the following steps:

  1. On the WAF Policies page, click the WAF policy you created.
  2. Click Settings, and then click Edit.
  3. In the Edit Settings dialog, enter the following details:
    • WAF Origin: Select the name and IP address of the primary origin.
    • Enable HTTPS Support: Select this option so that communications between the browser and web app are encrypted.
    • SSL Certificate: Drag and drop, select a file, or paste in a valid SSL certificate in PEM format. You must also include intermediate certificates (the primary domain certificate must be first).
    • Private Key: Drag and drop, select a file, or paste in a valid private key in PEM format in this field. The private key cannot be protected by a password.
    • Self Signed Certificate: Enable this option when using a self-signed certificate to show an SSL warning in the browser.
    • HTTP to HTTPS Redirect: Enable this option to have all HTTP traffic automatically redirected to HTTPS.
  4. Click Save. Your update to the WAF policy appears under Unpublished Changes.
  5. Under Unpublished Changes, click View, and then click Publish All.
  6. In the Publish Changes dialog, click Publish All.
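A pre-upload check for the two PEM rules in step 3 (certificate chain with the primary domain certificate first, private key not password protected). This is an added example, not Oracle's code; the script name and file names in the usage comment are hypothetical. It compares issuer and subject names only and does not verify signatures, expiry, or that the key matches the certificate.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, body)] for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER (issuer, subject) Name fields of an X.509 certificate."""
    _, p, _ = tlv(der, 0)      # outer Certificate SEQUENCE
    _, p, _ = tlv(der, p)      # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:     # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, p)
        if not (tag == 0xA0 and not fields):   # skip the optional [0] version
            fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def check_upload(cert_pem, key_pem):
    """Return a list of problems; an empty list means both fields pass."""
    problems = []
    certs = pem_blocks(cert_pem)
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        problems.append("certificate field must hold only CERTIFICATE blocks")
    else:
        names = [issuer_subject(base64.b64decode(body)) for _, body in certs]
        for i in range(len(names) - 1):
            if names[i][0] != names[i + 1][1]:   # issuer of i must be subject of i+1
                problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("private key field must hold exactly one PRIVATE KEY block")
    elif keys[0][0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in keys[0][1]:
        problems.append("private key is password protected")
    return problems

# Hypothetical usage: python check_waf_pem.py fullchain.pem key.pem
if __name__ == "__main__" and len(sys.argv) == 3:
    cert_text, key_text = (open(path).read() for path in sys.argv[1:3])
    print("\n".join(check_upload(cert_text, key_text)) or "OK")
```
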

Update Your DNS and WTSS Configurations

Work with Oracle Support to update your DNS and WTSS configurations with your WAF information. Log a support request asking for the following actions:

  • In your DNS configuration, update the CNAME for your zone to route requests from internet clients to WAF. Make sure to include the CNAME you noted when you created your WAF policy.
  • In your WTSS configuration, update all your WTSS nodes' route.json files to map the WAF primary domain (for example, oce.example.com) to all the WAF origins (primary and secondary URIs; for example, salesdocuments1-myaccount.cec.ocp.oraclecloud.com and salesdocuments2-myaccount.cec.ocp.oraclecloud.com).

Configure WAF on Your Instances

To configure WAF on your instances, perform the following steps:

  1. In the Infrastructure Console, click the Navigation menu icon on the top left to open the navigation menu, click Application Integration, and then click Content and Experience. You might need to use the scroll bar on the left to scroll down to see the menu option.
  2. Click the primary instance to view the instance details.
  3. Click Configure WAF.
  4. In the Configure Web Application Firewall dialog, select the WAF policy you created earlier.

    The instance's compartment name is displayed. If the WAF policy is in a different compartment, click Change Compartment, and select the correct compartment.

  5. Click Save Changes.

    You'll see the progress in the Activities list as the update is made to the instance. After the update is complete, when you look at the instance details, you'll see the WAF Primary Domain listed.

  6. Repeat steps 2 through 5 for your secondary instance.

Switch Your WAF Origin

If you need to change your WAF origin from your primary instance to your secondary instance (or vice versa) for testing or backup purposes, you do so by updating the WAF policy.

To switch your WAF origin, perform the following steps:

  1. Sign in to Oracle Cloud as the cloud account administrator. You can find your account name and login information in your welcome email.
  2. In the Infrastructure Console, click the Navigation menu icon on the top left to open the navigation menu, click Security, and then click WAF Policies. You might need to use the scroll bar on the left to scroll down to see the menu option.
  3. Click the WAF policy you created for your instances, and then click Origin Management.
  4. Select the origin you want to switch to, and then click Edit.
  5. Select Set as WAF Origin?, and then click Save Origin. Your update to the WAF policy appears under Unpublished Changes.
  6. Under Unpublished Changes, click View, and then click Publish All.
  7. In the Publish Changes dialog, click Publish All.

    It may take some time for the update to complete. When it's done, traffic to your application will be directed to the selected origin.