HA over OCI Overview
OCI uses Instance Principal Authorization to allow instances to access services. The following steps summarize the process flow for setting up and using instances as principals. After you complete these steps, the OCSBC instance can obtain a temporary certificate to authenticate itself when invoking the API.
- Create a Dynamic Group. In the dynamic group definition, you provide the matching rules to specify the instances you want to allow to make API calls for services.
- Create a policy granting permissions to the dynamic group to access services.
As you deploy, follow these guidelines:
- Create both OCSBC instances in the same Availability Domain.
- Oracle recommends that you create OCSBC instances in separate Fault Domains.
As you configure, follow these guidelines:
- Do not configure and use more than 4 secondary private IP addresses per HA deployment. Using more than 4 IPs causes HA failover to take too long.
- On the primary OCSBC instance, configure Secondary Private IPs (to be used as OCSBC virtual IPs) through the OCI console. Do not use the OCSBC ACLI to configure a sec-utility-addr.
- When required, map your Secondary Private IPs to Reserved Public IPs.
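The deployment and configuration guidelines above can be checked before an HA pair goes into service. The following is an added example, not Oracle's code: the field names follow the kebab-case keys of OCI CLI JSON output, while the combined `instances`/`private-ips` input layout, the sample values and the function name `check_ha_pair` are assumptions made for illustration.

```python
import json

MAX_SECONDARY_IPS = 4  # limit from the configuration guidelines above

# Constructed sample: fields use the kebab-case keys of OCI CLI JSON output
# (`oci compute instance get`, `oci network private-ip list`).
SAMPLE = json.loads("""
{"instances": [
   {"display-name": "sbc-a", "availability-domain": "Uocm:PHX-AD-1", "fault-domain": "FAULT-DOMAIN-1"},
   {"display-name": "sbc-b", "availability-domain": "Uocm:PHX-AD-1", "fault-domain": "FAULT-DOMAIN-1"}],
 "private-ips": [
   {"ip-address": "10.0.1.10", "is-primary": true},
   {"ip-address": "10.0.1.11", "is-primary": false},
   {"ip-address": "10.0.1.12", "is-primary": false},
   {"ip-address": "10.0.1.13", "is-primary": false},
   {"ip-address": "10.0.1.14", "is-primary": false},
   {"ip-address": "10.0.1.15", "is-primary": false},
   {"ip-address": "10.0.2.10", "is-primary": true}]}
""")


def check_ha_pair(deployment):
    """Return (errors, warnings) for one two-instance HA deployment."""
    errors, warnings = [], []
    instances = deployment["instances"]
    if len(instances) != 2:
        return [f"expected 2 instances, found {len(instances)}"], warnings
    first, second = instances
    # Both instances must be in the same Availability Domain.
    if first["availability-domain"] != second["availability-domain"]:
        errors.append("instances are in different Availability Domains")
    # Separate Fault Domains are a recommendation, so only warn.
    elif first["fault-domain"] == second["fault-domain"]:
        warnings.append("instances share Fault Domain " + first["fault-domain"])
    # Secondary private IPs are the entries that are not a VNIC's primary IP.
    secondary = [ip["ip-address"] for ip in deployment["private-ips"] if not ip["is-primary"]]
    if len(secondary) > MAX_SECONDARY_IPS:
        errors.append(f"{len(secondary)} secondary private IPs configured, limit is {MAX_SECONDARY_IPS}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_ha_pair(SAMPLE)
    for line in [f"ERROR: {e}" for e in errs] + [f"WARN: {w}" for w in warns]:
        print(line)
```

The constructed sample deliberately breaks two guidelines: it carries five secondary private IPs and places both instances in the same Fault Domain.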