Knowesis: Secure APEX Web Application Deployment on Oracle Cloud

Giving its 50-person team of project managers, program directors, and technical administrators a faster and more reliable way to track their projects was a top priority for Knowesis, a federal contract services company.

In April 2021, Knowesis migrated the company's project data from a third-party-developed SharePoint app to an APEX Service website, which now runs on Oracle Cloud Infrastructure (OCI).

Founded in 2007 in Fairfax, VA, Knowesis provides research, data analytics, and federal advisory services to US contractors and government agencies serving the military, veterans health facilities, civilian and military emergency response teams, and diversity, equity, and inclusion programs. Following the migration to OCI, Knowesis users can immediately log into the new website, update their project plans, analyze project performance, and deliver client reports with less latency, higher availability, and tighter security than they had using the SharePoint app.


Architecture

To help clients get immediate insight into project status reports, budget considerations, and labor utilization rates, Knowesis deployed an Apache Tomcat server and Oracle REST Data Services (ORDS) on an Oracle Cloud Infrastructure virtual machine (VM). Users authenticate with Oracle Cloud Infrastructure Identity and Access Management (IAM) and can then instantly access their project information in a public subnet through an internet gateway.

Knowesis also deployed an Oracle 19c database, which is hosted on a VM within a private subnet. Tomcat's application layer accesses the database's data persistence layer by making REST API calls through ORDS. Contractual and project reporting information is then rendered through an Oracle APEX Application Development web application. From the private subnet, the database can access the public internet through a secure NAT gateway. The APEX Service metadata and database backups are stored in Oracle Cloud Infrastructure Object Storage, which is accessed through a service gateway.
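The subnet placement described above implies a few invariants that can be checked for drift: the database subnet has no public IPs, no route through the internet gateway, a service gateway route for backups, and ingress only from the application subnet. The following is an added example, not part of the original page or of Knowesis' deployment; the model format, CIDRs, and ports 443 and 1521 are assumptions for illustration.

```python
import copy
import ipaddress

# Constructed model of the two subnets described above. CIDRs, ports and
# field names are assumptions for illustration, not values from the page.
TOPOLOGY = {
    "public-app": {   # Tomcat + ORDS VM, reached through the internet gateway
        "cidr": "10.0.0.0/24", "prohibit_public_ip": False,
        "routes": [{"dest": "0.0.0.0/0", "via": "internet_gateway"}],
        "ingress": [{"src": "0.0.0.0/0", "port": 443}],
    },
    "private-db": {   # Oracle 19c VM DB system
        "cidr": "10.0.1.0/24", "prohibit_public_ip": True,
        "routes": [{"dest": "0.0.0.0/0", "via": "nat_gateway"},
                   {"dest": "object-storage", "via": "service_gateway"}],
        "ingress": [{"src": "10.0.0.0/24", "port": 1521}],
    },
}

def audit(topology, app="public-app", db="private-db", db_port=1521):
    """Return findings where the DB subnet drifts from the described design."""
    findings = []
    app_net = ipaddress.ip_network(topology[app]["cidr"])
    dbs = topology[db]
    if not dbs["prohibit_public_ip"]:
        findings.append("db subnet permits public IP addresses")
    vias = [r["via"] for r in dbs["routes"]]
    if "internet_gateway" in vias:
        findings.append("db subnet has a route through the internet gateway")
    if "service_gateway" not in vias:
        findings.append("no service gateway route for Object Storage backups")
    for rule in dbs["ingress"]:
        src = ipaddress.ip_network(rule["src"])
        if not src.subnet_of(app_net):
            findings.append(f"db ingress from {src} is outside the app subnet")
        elif rule["port"] != db_port:
            findings.append(f"db ingress on unexpected port {rule['port']}")
    return findings

def drifted_copy(topology):
    """Constructed misconfiguration: the DB subnet opened up directly."""
    bad = copy.deepcopy(topology)
    bad["private-db"]["prohibit_public_ip"] = False
    bad["private-db"]["routes"][0]["via"] = "internet_gateway"
    bad["private-db"]["ingress"].append({"src": "0.0.0.0/0", "port": 1521})
    return bad

if __name__ == "__main__":
    for name, topo in (("as designed", TOPOLOGY), ("drifted", drifted_copy(TOPOLOGY))):
        print(name, audit(topo) or "OK")
```

In practice the model would be populated from an export of the tenancy's route tables and security rules rather than written by hand.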

The following diagram illustrates this reference architecture.



knowesis-oci-arch-oracle.zip

The architecture has the following components:

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Network address translation (NAT) gateway

    A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Compute

    The Oracle Cloud Infrastructure Compute service enables you to provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.

  • VM DB System

    Oracle VM Database System is an Oracle Cloud Infrastructure (OCI) database service that enables you to build, scale, and manage full-featured Oracle databases on virtual machines. A VM database system uses OCI Block Volumes storage instead of local storage and can run Oracle Real Application Clusters (Oracle RAC) to improve availability.

  • APEX Service

    Oracle APEX Application Development (APEX) is a low-code development platform that enables you to build scalable, feature-rich, secure, enterprise apps that can be deployed anywhere that Oracle Database is installed. You don't need to be an expert in a vast array of technologies to deliver sophisticated solutions. APEX Service includes built-in features such as user interface themes, navigational controls, form handlers, and flexible reports that accelerate the application development process.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
