oraclecloud-reference-architecture
Standard 3-tier OCI reference architecture with VCN, subnets, gateways, load balancer, compute, and Autonomous DB. Use when designing a new OCI deployment, translating AWS/Azure patterns, or creating Terraform for OCI infrastructure. Trigger with "oraclecloud architecture", "oci reference design", "oci 3 tier", "oci vpc design".
Best use case
oraclecloud-reference-architecture is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Standard 3-tier OCI reference architecture with VCN, subnets, gateways, load balancer, compute, and Autonomous DB. Use when designing a new OCI deployment, translating AWS/Azure patterns, or creating Terraform for OCI infrastructure. Trigger with "oraclecloud architecture", "oci reference design", "oci 3 tier", "oci vpc design".
Teams using oraclecloud-reference-architecture should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/oraclecloud-reference-architecture/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How oraclecloud-reference-architecture Compares
| Feature / Agent | oraclecloud-reference-architecture | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Standard 3-tier OCI reference architecture with VCN, subnets, gateways, load balancer, compute, and Autonomous DB. Use when designing a new OCI deployment, translating AWS/Azure patterns, or creating Terraform for OCI infrastructure. Trigger with "oraclecloud architecture", "oci reference design", "oci 3 tier", "oci vpc design".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Oracle Cloud Reference Architecture
## Overview
OCI architecture has more moving parts than AWS or Azure. Where AWS has VPC + subnets + internet gateway, OCI has VCN + regional subnets + Internet Gateway + NAT Gateway + Service Gateway + DRG (Dynamic Routing Gateway) + LPG (Local Peering Gateway) — and getting the routing tables wrong means silent packet drops with no error. This provides the standard 3-tier architecture (web/app/db) with every OCI-specific component wired correctly, plus Terraform code to deploy it.
**Purpose:** Produce a production-ready 3-tier OCI architecture with correctly configured networking, gateways, security rules, and compute/database tiers — deployable via Terraform.
## Prerequisites
- **OCI account** with an active tenancy — https://cloud.oracle.com
- **OCI CLI installed and configured** — `~/.oci/config` validated (see `oraclecloud-install-auth`)
- **Python 3.8+** with the OCI SDK — `pip install oci`
- **Terraform 1.5+** with the OCI provider — https://registry.terraform.io/providers/oracle/oci/latest/docs
- **Compartment OCID** for the target environment
- Familiarity with CIDR notation for subnet planning
## Instructions
### Step 1: Architecture Overview
```
┌─────────────────────────── OCI Region (us-ashburn-1) ───────────────────────────┐
│ │
│ ┌────────────────────────── VCN (10.0.0.0/16) ──────────────────────────────┐ │
│ │ │ │
│ │ ┌─── Internet GW ───┐ ┌─── NAT GW ───┐ ┌─── Service GW ───┐ │ │
│ │ └────────┬───────────┘ └──────┬────────┘ └───────┬──────────┘ │ │
│ │ │ │ │ │ │
│ │ ┌────────▼──────────────────────────────────────────────────────────┐ │ │
│ │ │ Public Subnet (10.0.1.0/24) — Web Tier │ │ │
│ │ │ Load Balancer (public) → routes to App Tier │ │ │
│ │ │ Bastion Host (optional) │ │ │
│ │ └──────────────────────┬───────────────────────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌──────────────────────▼───────────────────────────────────────────┐ │ │
│ │ │ Private Subnet (10.0.2.0/24) — App Tier │ │ │
│ │ │ Compute Instances (VM.Standard.E4.Flex) │ │ │
│ │ │ → NAT GW for outbound internet (patching, APIs) │ │ │
│ │ │ → Service GW for OCI services (Object Storage, etc.) │ │ │
│ │ └──────────────────────┬───────────────────────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌──────────────────────▼───────────────────────────────────────────┐ │ │
│ │ │ Private Subnet (10.0.3.0/24) — DB Tier │ │ │
│ │ │ Autonomous Database (ATP or ADW) │ │ │
│ │ │ → Service GW only (no internet access) │ │ │
│ │ └──────────────────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ┌─── DRG ───┐ ← On-premises or cross-region peering │ │
│ │ └────────────┘ │ │
│ └────────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────────┘
```
### Step 2: Gateway Types Explained
| Gateway | Purpose | Attached To | Use Case |
|---------|---------|-------------|----------|
| **Internet Gateway** | Bidirectional internet access | Public subnet route table | Load balancers, bastion hosts |
| **NAT Gateway** | Outbound-only internet access | Private subnet route table | App servers needing patches, external APIs |
| **Service Gateway** | Access OCI services without internet | Private subnet route table | Object Storage, Autonomous DB, OCI APIs |
| **DRG (Dynamic Routing Gateway)** | On-premises / cross-region connectivity | VCN attachment | VPN, FastConnect, inter-region peering |
| **LPG (Local Peering Gateway)** | VCN-to-VCN within same region | VCN attachment | Shared services VCN, hub-spoke topology |
### Step 3: Create the VCN and Subnets (Python SDK)
```python
import oci
config = oci.config.from_file("~/.oci/config")
network = oci.core.VirtualNetworkClient(config)
# Create VCN
vcn = network.create_vcn(
oci.core.models.CreateVcnDetails(
compartment_id="COMPARTMENT_OCID",
display_name="prod-vcn",
cidr_blocks=["10.0.0.0/16"],
dns_label="prodvcn",
)
).data
print(f"VCN created: {vcn.id}")
# Create public subnet (web tier)
web_subnet = network.create_subnet(
oci.core.models.CreateSubnetDetails(
compartment_id="COMPARTMENT_OCID",
vcn_id=vcn.id,
display_name="web-subnet-public",
cidr_block="10.0.1.0/24",
dns_label="web",
prohibit_internet_ingress=False, # Public subnet
)
).data
# Create private subnet (app tier)
app_subnet = network.create_subnet(
oci.core.models.CreateSubnetDetails(
compartment_id="COMPARTMENT_OCID",
vcn_id=vcn.id,
display_name="app-subnet-private",
cidr_block="10.0.2.0/24",
dns_label="app",
prohibit_internet_ingress=True, # Private subnet
)
).data
# Create private subnet (db tier)
db_subnet = network.create_subnet(
oci.core.models.CreateSubnetDetails(
compartment_id="COMPARTMENT_OCID",
vcn_id=vcn.id,
display_name="db-subnet-private",
cidr_block="10.0.3.0/24",
dns_label="db",
prohibit_internet_ingress=True, # Private subnet
)
).data
print(f"Subnets: web={web_subnet.id}, app={app_subnet.id}, db={db_subnet.id}")
```
### Step 4: Create Gateways and Route Tables
```python
# Internet Gateway (for web tier)
igw = network.create_internet_gateway(
oci.core.models.CreateInternetGatewayDetails(
compartment_id="COMPARTMENT_OCID",
vcn_id=vcn.id,
display_name="prod-igw",
is_enabled=True,
)
).data
# NAT Gateway (for app tier outbound)
nat = network.create_nat_gateway(
oci.core.models.CreateNatGatewayDetails(
compartment_id="COMPARTMENT_OCID",
vcn_id=vcn.id,
display_name="prod-nat",
)
).data
# Service Gateway (for db tier → OCI services)
services = network.list_services().data
all_services = next(s for s in services if "All" in s.name)
sgw = network.create_service_gateway(
oci.core.models.CreateServiceGatewayDetails(
compartment_id="COMPARTMENT_OCID",
vcn_id=vcn.id,
display_name="prod-sgw",
services=[oci.core.models.ServiceIdRequestDetails(service_id=all_services.id)],
)
).data
print(f"Gateways: igw={igw.id}, nat={nat.id}, sgw={sgw.id}")
```
### Step 5: Terraform Deployment
```hcl
# provider.tf
terraform {
required_providers {
oci = {
source = "oracle/oci"
version = ">= 5.0"
}
}
}
provider "oci" {
config_file_profile = "DEFAULT"
}
# vcn.tf
resource "oci_core_vcn" "prod" {
compartment_id = var.compartment_id
display_name = "prod-vcn"
cidr_blocks = ["10.0.0.0/16"]
dns_label = "prodvcn"
}
resource "oci_core_internet_gateway" "prod" {
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.prod.id
display_name = "prod-igw"
enabled = true
}
resource "oci_core_nat_gateway" "prod" {
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.prod.id
display_name = "prod-nat"
}
resource "oci_core_subnet" "web" {
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.prod.id
display_name = "web-subnet-public"
cidr_block = "10.0.1.0/24"
dns_label = "web"
prohibit_internet_ingress = false
route_table_id = oci_core_route_table.public.id
security_list_ids = [oci_core_security_list.web.id]
}
resource "oci_core_subnet" "app" {
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.prod.id
display_name = "app-subnet-private"
cidr_block = "10.0.2.0/24"
dns_label = "app"
prohibit_internet_ingress = true
route_table_id = oci_core_route_table.private.id
security_list_ids = [oci_core_security_list.app.id]
}
resource "oci_core_route_table" "public" {
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.prod.id
display_name = "public-rt"
route_rules {
destination = "0.0.0.0/0"
network_entity_id = oci_core_internet_gateway.prod.id
}
}
resource "oci_core_route_table" "private" {
compartment_id = var.compartment_id
vcn_id = oci_core_vcn.prod.id
display_name = "private-rt"
route_rules {
destination = "0.0.0.0/0"
network_entity_id = oci_core_nat_gateway.prod.id
}
}
```
### Step 6: Component Mapping (AWS/Azure → OCI)
| Concept | AWS | Azure | OCI |
|---------|-----|-------|-----|
| Virtual network | VPC | VNet | VCN |
| Subnet | Subnet (AZ-scoped) | Subnet | Subnet (regional) |
| Internet access | Internet Gateway | — (default) | Internet Gateway |
| Outbound only | NAT Gateway | NAT Gateway | NAT Gateway |
| Private service access | VPC Endpoint | Private Endpoint | Service Gateway |
| Cross-network peering | VPC Peering | VNet Peering | LPG / DRG |
| Firewall rules | Security Group | NSG | NSG + Security List |
| Load balancer | ALB/NLB | Azure LB | OCI Load Balancer |
| Managed database | RDS/Aurora | Azure SQL | Autonomous Database |
## Output
Successful completion produces:
- A 3-tier VCN architecture with public (web), private (app), and private (db) subnets
- Internet Gateway, NAT Gateway, and Service Gateway correctly routed to their respective subnets
- Route tables with proper rules (public → IGW, private → NAT/SGW)
- Terraform code deployable with `terraform plan && terraform apply`
- Component mapping table for teams coming from AWS or Azure
## Error Handling
| Error | Code | Cause | Solution |
|-------|------|-------|----------|
| NotAuthorizedOrNotFound | 404 | Missing IAM policy for VCN creation | Add `allow group netadmins to manage virtual-network-family in compartment prod` |
| InvalidParameter | 400 | Overlapping CIDR blocks | Ensure VCN CIDR does not overlap with existing VCNs or on-premises networks |
| LimitExceeded | 400 | Hit VCN or subnet service limit | Request limit increase via Console > Governance > Service Limits |
| TooManyRequests | 429 | Rate limited during bulk creation | Add 2-second delays between resource creation calls |
| InternalError | 500 | OCI service issue during provisioning | Retry after 60 seconds; check https://ocistatus.oraclecloud.com |
| Terraform provider crash | — | OCI provider version incompatibility | Pin provider: `version = "~> 5.0"` (see `oraclecloud-upgrade-migration`) |
## Examples
**Quick VCN validation (CLI):**
```bash
# List VCNs in a compartment
oci network vcn list \
--compartment-id "$COMPARTMENT_OCID" \
--query 'data[].{name:"display-name", cidr:"cidr-blocks", state:"lifecycle-state"}' \
--output table
# List subnets in a VCN
oci network subnet list \
--compartment-id "$COMPARTMENT_OCID" \
--vcn-id "$VCN_OCID" \
--query 'data[].{name:"display-name", cidr:"cidr-block", public:"prohibit-internet-ingress"}' \
--output table
```
**Validate route table connectivity:**
```bash
# Verify public subnet routes to Internet Gateway
oci network route-table get --rt-id "$PUBLIC_RT_OCID" \
--query 'data."route-rules"[].{dest:destination, target:"network-entity-id"}' \
--output table
```
## Resources
- [OCI Networking Overview](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm) — VCN, subnets, gateways, and route tables
- [OCI Terraform Provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) — infrastructure as code for OCI
- [OCI Reference Architectures](https://docs.oracle.com/solutions/) — Oracle-published architecture patterns
- [OCI Python SDK Reference](https://docs.oracle.com/en-us/iaas/tools/python/latest/) — VirtualNetworkClient API
- [OCI CLI Reference](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm) — network commands
- [OCI Pricing](https://www.oracle.com/cloud/pricing/) — VCN and gateway pricing (VCN, IGW, and LPG are free)
## Next Steps
After deploying the architecture, run `oraclecloud-prod-checklist` to validate production readiness, or see `oraclecloud-migration-deep-dive` for translating existing AWS/Azure workloads into this architecture pattern.Related Skills
workhuman-reference-architecture
Workhuman reference architecture for employee recognition and rewards API. Use when integrating Workhuman Social Recognition, or building recognition workflows with HRIS systems. Trigger: "workhuman reference architecture".
wispr-reference-architecture
Wispr Flow reference architecture for voice-to-text API integration. Use when integrating Wispr Flow dictation, WebSocket streaming, or building voice-powered applications. Trigger: "wispr reference architecture".
windsurf-reference-architecture
Implement Windsurf reference architecture with optimal project structure and AI configuration. Use when designing workspace configuration for Windsurf, setting up team standards, or establishing architecture patterns that maximize Cascade effectiveness. Trigger with phrases like "windsurf architecture", "windsurf project structure", "windsurf best practices", "windsurf team setup", "optimize for cascade".
windsurf-architecture-variants
Choose workspace architectures for different project scales in Windsurf. Use when deciding how to structure Windsurf workspaces for monorepos, multi-service setups, or polyglot codebases. Trigger with phrases like "windsurf workspace strategy", "windsurf monorepo", "windsurf project layout", "windsurf multi-service", "windsurf workspace size".
webflow-reference-architecture
Implement Webflow reference architecture — layered project structure, client wrapper, CMS sync service, webhook handlers, and caching layer for production integrations. Trigger with phrases like "webflow architecture", "webflow project structure", "how to organize webflow", "webflow integration design", "webflow best practices".
vercel-reference-architecture
Implement a Vercel reference architecture with layered project structure and best practices. Use when designing new Vercel projects, reviewing project structure, or establishing architecture standards for Vercel applications. Trigger with phrases like "vercel architecture", "vercel project structure", "vercel best practices layout", "how to organize vercel project".
vercel-architecture-variants
Choose and implement Vercel architecture blueprints for different scales and use cases. Use when designing new Vercel projects, choosing between static, serverless, and edge architectures, or planning how to structure a multi-project Vercel deployment. Trigger with phrases like "vercel architecture", "vercel blueprint", "how to structure vercel", "vercel monorepo", "vercel multi-project".
veeva-reference-architecture
Veeva Vault reference architecture for REST API and clinical operations. Use when working with Veeva Vault document management and CRM. Trigger: "veeva reference architecture".
vastai-reference-architecture
Implement Vast.ai reference architecture for GPU compute workflows. Use when designing ML training pipelines, structuring GPU orchestration, or establishing architecture patterns for Vast.ai applications. Trigger with phrases like "vastai architecture", "vastai design pattern", "vastai project structure", "vastai ml pipeline".
twinmind-reference-architecture
Production architecture for meeting AI systems using TwinMind: transcription pipeline, memory vault, action item workflow, and calendar integration. Use when implementing reference architecture, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind reference architecture", "twinmind reference architecture".
together-reference-architecture
Together AI reference architecture for inference, fine-tuning, and model deployment. Use when working with Together AI's OpenAI-compatible API. Trigger: "together reference architecture".
techsmith-reference-architecture
TechSmith reference architecture for Snagit COM API and Camtasia automation. Use when working with TechSmith screen capture and video editing automation. Trigger: "techsmith reference architecture".