# 60_2 - 3_Tier_Architecture_Complete (SanjeevOCI/Ocidocs GitHub Wiki)

- Last updated: 2025-10-10
- Estimated time: 60–90 minutes
- Platform: Oracle Cloud Infrastructure (OCI) Console (Identity Domains Enabled)
- Architecture: Web (Public) → App (Private via NAT) → DB (Private, No Internet)
Build a secure 3-tier application architecture in OCI, covering all foundational steps including:

- Compartment creation
- VCN with 3 subnets (Web / App / DB)
- Internet & NAT Gateways
- Route Tables and Security Lists / NSGs
- Compute instances for each tier
- Bastion for secure access to private subnets
- Sample application deployment in App tier connecting to DB tier
- Validation and cleanup

## Prerequisites

- Access to OCI Console with admin privileges
- Default Identity Domain enabled
- Basic understanding of OCI Networking and Compute

Recommended screenshot folder: `images/oci-3tier/`
## Lab Steps

1. Create a Compartment
2. Create a VCN and Subnets
3. Create and Attach Internet Gateway
4. Create NAT Gateway
5. Configure Route Tables
6. Configure Security Lists / NSGs
7. Create Bastion Host
8. Launch Compute Instances (Web / App / DB)
9. Deploy Sample Application on App Tier
10. Validate the Architecture
11. Cleanup
12. Troubleshooting
## 1. Create a Compartment

- ☰ → Identity & Security → Compartments → Create Compartment
- Enter:
  - Name: `comp-3tier`
  - Description: `Compartment for 3-Tier Architecture Lab`
  - Parent Compartment: `root`
- Click Create Compartment

Expected Result: A new compartment `comp-3tier` is created.

## 2. Create a VCN and Subnets

- ☰ → Networking → Virtual Cloud Networks → Start VCN Wizard
- Select VCN with Internet Connectivity → Start Workflow
  - Name: `vcn-3tier`
  - CIDR Block: `10.0.0.0/16`
  - Compartment: `comp-3tier`
  - Leave defaults for DNS
- Click Next.

Create three subnets:

| Subnet | Name | CIDR | Type | Purpose |
|---|---|---|---|---|
| 1 | `web-subnet` | `10.0.1.0/24` | Public | Web Tier |
| 2 | `app-subnet` | `10.0.2.0/24` | Private | Application Tier |
| 3 | `db-subnet` | `10.0.3.0/24` | Private | Database Tier |

- Place `web-subnet` in the Public subnet group (with IGW route)
- Place `app-subnet` and `db-subnet` in the Private subnet group
- Click Next → Create

Expected Result: A VCN with 3 subnets (web / app / db) is created.

## 3. Create and Attach Internet Gateway

- ☰ → Networking → Virtual Cloud Networks → Select `vcn-3tier`
- In the left menu → Internet Gateways → Create Internet Gateway
  - Name: `igw-3tier`
  - Compartment: `comp-3tier`
  - Click Create Internet Gateway
- Edit the Default Route Table of the VCN:
  - Add route rule:
    - Target Type: Internet Gateway
    - Destination CIDR: `0.0.0.0/0`
    - Target: `igw-3tier`

Expected Result: Internet Gateway is attached and routing enabled for Web subnet.

## 4. Create NAT Gateway

- ☰ → Networking → NAT Gateways → Create NAT Gateway
  - Name: `natgw-3tier`
  - Compartment: `comp-3tier`
  - VCN: `vcn-3tier`
- Click Create NAT Gateway

Expected Result: NAT Gateway created for outbound traffic from the private subnets.

## 5. Configure Route Tables

We need:

- Web subnet → Internet Gateway
- App subnet → NAT Gateway
- DB subnet → no Internet

Create the App route table:

- ☰ → Networking → Virtual Cloud Networks → `vcn-3tier` → Route Tables → Create Route Table
  - Name: `rt-app`
  - Compartment: `comp-3tier`
  - Add rule:
    - Destination: `0.0.0.0/0`
    - Target Type: NAT Gateway
    - Target: `natgw-3tier`
  - Save

Associate with App Subnet:

- In Subnets → Edit `app-subnet` → Change Route Table → `rt-app`

DB Subnet Route Table:

- DB subnet can keep the default route (no Internet)

Expected Result: App subnet has outbound via NAT; Web via IGW; DB isolated.
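The routing intent in this section (Web via IGW, App via NAT, DB with no Internet path) can be checked mechanically rather than by eye. The Python below is an added example written for this page; it is not part of the lab and not OCI tooling. The route tables and subnet associations are constructed inline from the values above, and `rt-db` is an assumed extra route table with no rules, used to show the isolated case. Lookup uses longest-prefix matching, which is how a VCN route table is evaluated, and any subnet whose Internet-bound traffic resolves to a target other than the intended one is reported. Run against the lab's own state it reports the DB subnet, because "keep the default route" leaves it on the table that carries the `0.0.0.0/0` → `igw-3tier` rule; an instance without a public IP cannot actually send traffic through an Internet Gateway, but a dedicated rule-less route table records the isolation explicitly instead of relying on that.

```python
import ipaddress

# Intent from this section: which target each subnet's default (0.0.0.0/0) route should use.
# None means "no Internet path at all". Constructed for this example to match the lab.
INTENDED_DEFAULT_TARGET = {
    "web-subnet": "igw-3tier",
    "app-subnet": "natgw-3tier",
    "db-subnet": None,
}

# Constructed route tables: (destination CIDR, target) as entered in the console.
# "rt-db" is an assumed extra table with no rules, used to show the isolated case.
ROUTE_TABLES = {
    "Default Route Table": [("0.0.0.0/0", "igw-3tier")],
    "rt-app": [("0.0.0.0/0", "natgw-3tier")],
    "rt-db": [],
}

# Subnet -> route table associations as the lab leaves them (DB keeps the default table).
ASSOCIATIONS_AS_IN_LAB = {
    "web-subnet": "Default Route Table",
    "app-subnet": "rt-app",
    "db-subnet": "Default Route Table",
}

# The same associations with the DB subnet moved to the rule-less table.
ASSOCIATIONS_ISOLATED = {**ASSOCIATIONS_AS_IN_LAB, "db-subnet": "rt-db"}


def lookup_route(rules, dest_ip):
    """Return the target of the most specific rule covering dest_ip (longest-prefix match),
    or None when no rule covers it; this mirrors how a VCN route table is evaluated."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def check_default_routes(route_tables, associations, intended):
    """Compare each subnet's effective Internet route with the intended target.
    203.0.113.10 (TEST-NET-3 documentation range) stands in for 'any Internet address'."""
    findings = []
    for subnet, want in intended.items():
        rules = route_tables.get(associations.get(subnet), [])
        got = lookup_route(rules, "203.0.113.10")
        if got != want:
            findings.append(f"{subnet}: Internet-bound traffic routes via {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for label, assoc in (("as in lab", ASSOCIATIONS_AS_IN_LAB), ("isolated", ASSOCIATIONS_ISOLATED)):
        print(label, check_default_routes(ROUTE_TABLES, assoc, INTENDED_DEFAULT_TARGET) or ["OK"])
```

Running the script prints one finding for the "as in lab" associations and `OK` for the isolated ones; the same check can be fed values exported from the console or CLI instead of the constructed ones.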

## 6. Configure Security Lists / NSGs

Use Network Security Groups (NSGs) for tiered control.

- ☰ → Networking → Network Security Groups → Create NSG
  - Names: `nsg-web`, `nsg-app`, `nsg-db`
  - Compartment: `comp-3tier`
  - VCN: `vcn-3tier`

`nsg-web`
- Ingress:
  - Source: `0.0.0.0/0`
  - Protocol: TCP
  - Port: 80 (HTTP)
- Egress: Allow all

`nsg-app`
- Ingress:
  - Source: CIDR of Web Subnet (`10.0.1.0/24`)
  - Port: 8080 (or app port)
- Egress: Allow DB subnet and Internet (via NAT)

`nsg-db`
- Ingress:
  - Source: CIDR of App Subnet (`10.0.2.0/24`)
  - Port: 3306 (MySQL) or relevant DB port
- Egress: Restrict to internal if needed

Assign the NSGs by tier:
- Web Subnet → `nsg-web`
- App Subnet → `nsg-app`
- DB Subnet → `nsg-db`

Expected Result: Tiered traffic rules enforced via NSGs.
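NSGs are default-deny and evaluated on both ends of a flow: the sender's NSG must allow the egress and the receiver's NSG must allow the ingress, and because rules are stateful the reply needs no rule of its own. The Python below is an added example written for this page, not part of the lab or of OCI's SDK; it encodes the three rule sets above as data, evaluates a flow the way the two-sided check works, and audits the ingress rules for two things that would undo the tiering: an Internet-wide source on a tier other than Web, and a rule with no port restriction. The port-22 ingress rules from `10.0.1.0/24` are an assumption added so that the Bastion (which this lab places in `web-subnet`) can reach the App and DB VMs; the `nsg-app` egress rules are one concrete reading of "Allow DB subnet and Internet (via NAT)".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                   # "ingress" or "egress"
    cidr: str                        # source CIDR for ingress, destination CIDR for egress
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    port_min: Optional[int] = None   # None = every port of that protocol
    port_max: Optional[int] = None


# Constructed to mirror the rule set in this section. NSGs are default-deny: only listed traffic passes.
# The port-22 rules are assumptions for the Bastion, which this lab places in web-subnet (10.0.1.0/24).
NSGS = {
    "nsg-web": [Rule("ingress", "0.0.0.0/0", "tcp", 80, 80),
                Rule("egress", "0.0.0.0/0", "all")],
    "nsg-app": [Rule("ingress", "10.0.1.0/24", "tcp", 8080, 8080),
                Rule("ingress", "10.0.1.0/24", "tcp", 22, 22),
                Rule("egress", "10.0.3.0/24", "tcp", 3306, 3306),
                Rule("egress", "0.0.0.0/0", "tcp", 443, 443)],   # e.g. package updates via NAT
    "nsg-db":  [Rule("ingress", "10.0.2.0/24", "tcp", 3306, 3306),
                Rule("ingress", "10.0.1.0/24", "tcp", 22, 22),
                Rule("egress", "10.0.0.0/16", "all")],
}

PUBLIC_FACING = {"nsg-web"}   # the only tier that may accept Internet-wide ingress


def rule_matches(rule, direction, peer_ip, protocol, port):
    if rule.direction != direction:
        return False
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if rule.port_min is None:            # protocol-wide rule, no port range
        return True
    return rule.port_min <= port <= rule.port_max


def is_allowed(nsg, direction, peer_ip, protocol, port):
    """One side of the check: does this NSG permit the flow in the given direction?"""
    return any(rule_matches(r, direction, peer_ip, protocol, port) for r in NSGS[nsg])


def path_allowed(src_nsg, src_ip, dst_nsg, dst_ip, protocol, port):
    """Both sides must agree: egress on the sender's NSG and ingress on the receiver's."""
    return (is_allowed(src_nsg, "egress", dst_ip, protocol, port)
            and is_allowed(dst_nsg, "ingress", src_ip, protocol, port))


def audit(nsgs):
    """Flag ingress rules that break the tiering: Internet-wide sources on a non-public
    tier, or rules with no port restriction (ICMP has no ports and is skipped)."""
    findings = []
    for name, rules in nsgs.items():
        for r in rules:
            if r.direction != "ingress":
                continue
            if name not in PUBLIC_FACING and ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0:
                findings.append(f"{name}: ingress open to the Internet ({r.cidr})")
            if r.protocol != "icmp" and (r.protocol == "all" or r.port_min is None):
                findings.append(f"{name}: ingress from {r.cidr} has no port restriction")
    return findings


if __name__ == "__main__":
    print("web->app:8080", path_allowed("nsg-web", "10.0.1.10", "nsg-app", "10.0.2.10", "tcp", 8080))
    print("app->db:3306 ", path_allowed("nsg-app", "10.0.2.10", "nsg-db", "10.0.3.10", "tcp", 3306))
    print("web->db:3306 ", path_allowed("nsg-web", "10.0.1.10", "nsg-db", "10.0.3.10", "tcp", 3306))
    print("audit:", audit(NSGS) or "no findings")
```

The Web → DB result is `False` even though `nsg-web` allows all egress, because `nsg-db` only admits the App subnet; that is the two-sided evaluation the Troubleshooting entry "Check NSG rules on both sides" refers to.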

## 7. Create Bastion Host

- ☰ → Networking → Bastion → Create Bastion
  - Name: `bastion-3tier`
  - VCN: `vcn-3tier`
  - Subnet: `web-subnet` (public)
  - CIDR Block for allowed clients: your IP (e.g., `x.x.x.x/32`)
- Upload your SSH public key or use OCI Vault secrets.

Expected Result: Bastion host deployed for SSH access to private subnets.

## 8. Launch Compute Instances (Web / App / DB)

☰ → Compute → Instances → Create Instance

Create 3 instances in `comp-3tier`:

| Tier | Name | Subnet | NSG | Public IP | Use |
|---|---|---|---|---|---|
| Web | `vm-web` | `web-subnet` | `nsg-web` | Yes | Frontend |
| App | `vm-app` | `app-subnet` | `nsg-app` | No | Business logic |
| DB | `vm-db` | `db-subnet` | `nsg-db` | No | Database |

For each instance:

- Shape: VM.Standard.E2.1.Micro (Free Tier)
- Image: Oracle Linux / Ubuntu
- Add SSH Key
- Boot volume: default

Expected Result: 3 VMs created and reachable according to subnet/NSG configuration.

## 9. Deploy Sample Application on App Tier

Step 1: Connect to the App VM

Use an OCI Bastion session to reach the App VM.

```bash
ssh -i ~/.ssh/id_rsa opc@<app-private-ip>
```

Step 2: Install Web Server / App

Example: simple Python Flask app

```bash
# Oracle Linux: install Python 3 and pip; Flask is not in the base image, so install it too
sudo yum install -y python3 python3-pip
pip3 install --user flask

cat <<'EOF' > app.py
from flask import Flask

app = Flask(__name__)


@app.route('/')
def hello():
    return "Hello from App Tier"


if __name__ == '__main__':
    # Bind on all interfaces so the Web tier can reach it on 8080, the port nsg-app allows
    app.run(host='0.0.0.0', port=8080)
EOF

# On Oracle Linux, firewalld is enabled by default and only allows SSH, so the NSG rule
# alone is not enough: also open 8080/tcp on the host
#   sudo firewall-cmd --permanent --add-port=8080/tcp && sudo firewall-cmd --reload
# Run detached so the app survives the end of the SSH session
nohup python3 app.py > app.log 2>&1 &
```

Step 3: Configure DB (Optional)

SSH into `vm-db`, install MySQL / Postgres and create a small table. Update `app.py` to connect to the DB using the DB private IP.

Expected Result: App tier serves content and can connect to DB tier privately.
## 10. Validate the Architecture

**Web Access**

- Access the Web VM Public IP via browser → should load NGINX/Apache or the app

**Tier Communication**

From Web VM:

```bash
curl http://10.0.2.10:8080
```

From App VM:

```bash
mysql -h 10.0.3.10 -u root -p
```

✅ Expected Results:

- Internet → Web works
- Web → App works via private IP
- App → DB works privately
- DB is isolated (no Internet access)
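The checks above are usually typed by hand from each VM; the Python below, an added example written for this page and not part of the lab, turns them into a small matrix that can be copied to each VM and run there. Positive checks (Web → App, App → DB, App → Internet via NAT) expect a completed TCP handshake; negative checks (DB → Internet, and Web → DB, which `nsg-db` does not admit) expect the connection to fail. The private IPs match this section's examples, `example.com` is a placeholder external host for the Internet-path probes, and the `probe` argument is injectable so the matrix can be exercised without a live network.

```python
import socket
import sys
from typing import Callable, List, Tuple

# Constructed to match the addresses used in this section; example.com is a placeholder
# external host for the "does this tier have an Internet path?" probes.
APP_IP = "10.0.2.10"
DB_IP = "10.0.3.10"
EXTERNAL = "example.com"

# (run from which VM, host, port, expected reachable?)
CHECKS: List[Tuple[str, str, int, bool]] = [
    ("vm-web", APP_IP, 8080, True),     # Web -> App over the private IP
    ("vm-web", DB_IP, 3306, False),     # Web must not reach the DB directly
    ("vm-app", DB_IP, 3306, True),      # App -> DB privately
    ("vm-app", EXTERNAL, 443, True),    # App -> Internet through the NAT Gateway
    ("vm-db", EXTERNAL, 443, False),    # DB has no Internet path
]


def tcp_reachable(host, port, timeout=3.0):
    """True only if a TCP handshake completes; refusal, timeout and 'no route' all count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(vantage, checks=CHECKS, probe: Callable[[str, int], bool] = tcp_reachable):
    """Run the checks that apply when executed on `vantage`; returns (description, passed) pairs."""
    results = []
    for where, host, port, expect in checks:
        if where != vantage:
            continue
        observed = probe(host, port)
        desc = (f"{where} -> {host}:{port} expected {'open' if expect else 'blocked'}, "
                f"got {'open' if observed else 'blocked'}")
        results.append((desc, observed == expect))
    return results


if __name__ == "__main__":
    # Usage on a VM: python3 validate.py vm-app   (exit status 1 if any check fails)
    vantage = sys.argv[1] if len(sys.argv) > 1 else "vm-app"
    failed = 0
    for desc, ok in run_checks(vantage):
        print("PASS" if ok else "FAIL", desc)
        failed += not ok
    sys.exit(1 if failed else 0)
```

A failed negative check is the one to take seriously: if `vm-db` reports `got open` for the external host, the DB subnet has a route to the Internet that this architecture does not intend.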
## 11. Cleanup

- Delete Compute Instances (Web, App, DB)
- Delete Bastion
- Delete Gateways and Route Tables
- Delete VCN
- Delete Compartment: ☰ → Governance & Administration → Compartment → Select `comp-3tier` → Delete

Expected Result: All resources cleaned up.
## 12. Troubleshooting

- Cannot SSH to App/DB: Check the Bastion target subnet and the NSG ingress rule from the Bastion
- No outbound from App: Check the NAT Gateway and the App Route Table
- Web not reachable: Check the IGW route + NSG ingress on 80/443
- App cannot reach DB: Check NSG rules on both sides and the DB service binding
- Policy issues: Ensure you are in the Administrators group or have the required IAM policies
## 📝 Screenshot Checklist

- Compartment creation
- VCN and Subnets
- IGW, NAT, Route Tables
- NSGs configuration
- Bastion creation
- VM provisioning (Web, App, DB)
- App deployment and DB connectivity
- Validation (Web→App, App→DB)

✅ Outcome: You have built a complete 3-tier application architecture on OCI from scratch, including network, security, compute, app deployment, and validation. This lab now stands independently; there is no need to reference the 2-tier lab.