This image shows an Oracle Cloud Infrastructure region that includes two availability domains. The region includes three virtual cloud networks (VCNs) in a hub and spoke topology connected by local peering gateways (LPGs). The VCNs are arranged here as functional layers.

• Hub VCN: The Hub VCN contains a high-availability network across two Check Point Security Gateway virtual machines (VMs) with one VM in each of the availability domains. The hub VCN includes two subnets: a frontend subnet and a backend subnet. The frontend subnet uses virtual network card 1 (vNIC1) for external traffic to or from the Check Point Security Gateway. The backend subnet uses vNIC2 for internal traffic to or from the Check Point Security Gateway.

  The hub VCN includes the following communication gateways:

  • Internet gateway: Connects internet and external web clients to the Check Point Security Gateway VM in availability domain 1 through the frontend subnet.
  • Dynamic routing gateway: Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect to the Check Point Security Gateway VM in availability domain 1 through the frontend subnet.
  • Service gateway: Connects the hub VCN to Oracle Cloud Infrastructure Object Storage and other Oracle services for the region.
  • Local peering gateway: Connects the Check Point Security Gateway VM in availability domain 1 to the application tier VCN and the database tier VCN through the backend subnet.
  • Check Point Security Management: Connects external management services directly to the Check Point Security Gateway VMs in availability domains 1 and 2 through the backend subnet.

• Web/Application spoke VCN: The VCN contains a single subnet. A load balancer manages traffic between web/application VMs in each of the availability domains. The application tier VCN is connected to the hub VCN over a local peering gateway.

• Database spoke VCN: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN over a local peering gateway.