Deploy Ruby on Rails On Oracle Cloud Infrastructure

Ruby on Rails is the dominant web application framework for the Ruby programming language. To support development with Ruby on Rails (RoR), this architecture provides a resilient infrastructure that deploys the necessary networking, VMs, and MySQL database instances, along with a scripted deployment of Ruby on Rails and its dependencies.

You can find the Terraform for this deployable architecture, oci-arch-ruby-rails-build, in the DevRel GitHub repository, accessible from the Explore More topic, below.

Architecture

The architecture comprises one VCN with several subnets that isolate the different services. Public access is through an active/standby load balancer. An additional public subnet hosts a Bastion that supports SSH access to the backend services.

The load balancer fronts two compute virtual machines (VMs), each hosting a Ruby on Rails server. These servers can access a MySQL database. The VMs and the MySQL database are placed in separate subnets so that access to each tier can be controlled independently.

The following diagram illustrates this reference architecture.

[Figure: deploy-ruby-rails-mds-arch.png, the reference architecture diagram]

This architecture has the following components:
  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy.

    A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domains

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

    The load balancer provides access to different applications.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • NAT gateway

    The NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • MySQL Database Service

    Oracle MySQL Database Service is a fully managed Oracle Cloud Infrastructure (OCI) database service that lets developers quickly develop and deploy secure, cloud native applications. Optimized for and exclusively available in OCI, Oracle MySQL Database Service is 100% built, managed, and supported by the OCI and MySQL engineering teams.

    Oracle MySQL Database Service has an integrated, high-performance analytics engine (HeatWave) to run sophisticated real-time analytics directly against an operational MySQL database.

  • Bastion service

Oracle Cloud Infrastructure Bastion provides restricted and time-limited secure access to resources that don't have public endpoints and that require strict resource access controls, such as bare metal and virtual machines, Oracle MySQL Database Service, Autonomous Transaction Processing (ATP), Oracle Container Engine for Kubernetes (OKE), and any other resource that allows Secure Shell Protocol (SSH) access. With Oracle Cloud Infrastructure Bastion service, you can enable access to private hosts without deploying and maintaining a jump host. In addition, you gain improved security posture with identity-based permissions and a centralized, audited, and time-bound SSH session. Oracle Cloud Infrastructure Bastion removes the need for a public IP for bastion access, eliminating the hassle and potential attack surface of providing remote access.

Recommendations

Use the following recommendations as a starting point when deploying Ruby on Rails on OCI. Your requirements might differ.

  • Security

    Use Oracle Cloud Guard to monitor and maintain the security of your resources in OCI proactively. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

    For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, OCI validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.

If the application exposes dynamic content or allows clients to submit data through APIs, we recommend adopting an API Gateway, which lets you manage interaction with the APIs through API policies.

  • Cloud Guard

    Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.

    Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.

    You can also use Managed Lists to apply certain configurations to detectors.

  • Network security groups (NSGs)

    You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.

  • Load balancer bandwidth

    While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth, or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer.
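The NSG recommendation above, as an added Terraform fragment that is not part of the oci-arch-ruby-rails-build repository: each tier accepts traffic only from the NSG of the tier in front of it (internet to load balancer, load balancer to Rails VMs, Rails VMs to MySQL), so the rules reference NSG identity rather than subnet CIDRs. The variable `var.compartment_ocid`, the resource `oci_core_vcn.rails`, and the ports (Rails on 3000, MySQL on 3306) are assumptions.

```hcl
# Added example, not from oci-arch-ruby-rails-build. Assumptions: var.compartment_ocid
# and oci_core_vcn.rails exist; Rails listens on 3000 and MySQL on 3306.
# One NSG per tier. Rules below attach to these, not to the subnets.
resource "oci_core_network_security_group" "tier" {
  for_each       = toset(["lb", "app", "db"])
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.rails.id
  display_name   = "rails-${each.key}-nsg"
}

# Internet -> load balancer: HTTPS only. The LB is the single public entry point.
resource "oci_core_network_security_group_security_rule" "lb_https_in" {
  network_security_group_id = oci_core_network_security_group.tier["lb"].id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source_type               = "CIDR_BLOCK"
  source                    = "0.0.0.0/0"
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}

locals {
  # Each tier accepts TCP only from the NSG of the tier directly in front of it.
  # The source is an NSG id, not a subnet CIDR, so re-addressing a subnet does
  # not change who may reach the Rails VMs or the database.
  allowed = {
    app_from_lb = { to = "app", from = "lb", port = 3000 }
    db_from_app = { to = "db", from = "app", port = 3306 }
  }
}

resource "oci_core_network_security_group_security_rule" "tier_ingress" {
  for_each                  = local.allowed
  network_security_group_id = oci_core_network_security_group.tier[each.value.to].id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.tier[each.value.from].id
  tcp_options {
    destination_port_range {
      min = each.value.port
      max = each.value.port
    }
  }
}
```

NSGs carry no rules by default, so the matching egress rules (and the Bastion's SSH ingress to the app tier) still need to be added, and each VM's VNIC must list its tier NSG in its nsg_ids for the rules to apply.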

Considerations

Consider the following points when deploying this reference architecture.
  • Performance

Using this reference architecture as a starting point, performance is influenced by the number of VM nodes and the shape selected for each node. The Terraform supports tailoring both the server specification and the number of nodes.

Additional performance gains can be made by running Ruby and Rails on GraalVM.

  • Security

The basic configuration doesn't take into account application authentication and authorization, or API support. At the network level, access and routing need to be tuned according to whether the Ruby service is for internal or external use. For external use, the environment should also be extended with a Web Application Firewall, and Cloud Guard should be considered.

  • Availability

Availability can be extended by distributing nodes across more availability domains and, for the most critical availability levels, across regions.

Availability depends not only on the existence of compute nodes but also on security, so that only legitimate traffic can interact with the deployed applications. This is addressed through the security recommendations above.

  • Cost

Security also helps manage cost by limiting the compute needed to service requests: stopping accidental or malicious traffic at the WAF or API Gateway reduces the workload that reaches the servers.

Explore More

To learn more about deploying Ruby on Rails on OCI, see the following resources:

Review these additional resources:

Acknowledgments

  • Authors: Hassan Ajan, Phil Wilkins
  • Contributors: Chiping Hwang, Luke Feldman