Working Example of Hub & Spoke


In this example, two discrete workloads are deployed in an Oracle Cloud region. Each workload has different networking requirements, and each has its own team of administrators who can change the resources local to that workload.

There are two distinct groups of users (Spoke 1 users and Spoke 2 users), plus administrators, all of whom connect over a VPN connection.

The VPN Connection is attached to the Dynamic Routing Gateway (DRG) in the Hub Compartment.

There are three DRG attachments: one to the Hub VCN, one to the Spoke 1 VCN (inside the Spoke 1 Compartment), and one to the Spoke 2 VCN (inside the Spoke 2 Compartment).

Inside each of the Spoke VCNs there are several Subnets that are used to provide separation between the various tiers of each workload (Web, Application, Database).

Because each of the Spoke VCNs is attached to the DRG, the DRG route tables can be configured to route traffic between the attached VCNs, and between each VCN and the VPN, as appropriate. The DRG only forwards what both sides permit: each VCN's own route table still needs a rule that sends the remote CIDR to the DRG, and the subnet security lists or network security groups must allow the traffic.

Only administrators who have privileges in the Hub Compartment can change shared critical resources such as the DRG. They create the DRG attachments and configure the DRG route tables appropriately.

Local administrators of the spokes can make changes to the VCNs (routing, security lists) within their compartment without making a request to the Hub administration team.
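As an added example, not taken from this page or from Oracle's own reference code, the layout above expressed in Terraform with the OCI provider: three compartments, three VCNs, one DRG in the hub with three attachments sharing a custom DRG route table, a per-VCN route table pointing the remote CIDRs at the DRG, and tenancy-level IAM policies that give the hub team the DRG and the spoke teams only their own VCN resources. Compartment names, CIDRs, the on-premises range and the IAM group names are assumptions, and the IPSec VPN attachment is omitted. The `use vcns` grants on the spoke compartments are assumed to be the permission the hub team needs to attach a VCN that lives in another compartment; check that against the OCI IAM policy reference before relying on it.

```hcl
variable "tenancy_ocid" { type = string }
variable "onprem_cidr" { default = "192.168.0.0/16" } # assumed range behind the VPN

# Assumed VCN CIDRs, one per compartment/VCN pair
locals {
  vcns = {
    hub    = "10.0.0.0/16"
    spoke1 = "10.1.0.0/16"
    spoke2 = "10.2.0.0/16"
  }
}

# One compartment per trust boundary
resource "oci_identity_compartment" "c" {
  for_each       = local.vcns
  compartment_id = var.tenancy_ocid
  name           = each.key
  description    = "${each.key} compartment"
}

resource "oci_core_vcn" "v" {
  for_each       = local.vcns
  compartment_id = oci_identity_compartment.c[each.key].id
  cidr_blocks    = [each.value]
  display_name   = "${each.key}-vcn"
  dns_label      = each.key
}

# The shared DRG exists only in the hub compartment, so only principals with rights there can change it
resource "oci_core_drg" "hub" {
  compartment_id = oci_identity_compartment.c["hub"].id
  display_name   = "hub-drg"
}

# Custom DRG route table with explicit static rules instead of the
# auto-generated table that imports every attachment's routes
resource "oci_core_drg_route_table" "vcn" {
  drg_id       = oci_core_drg.hub.id
  display_name = "vcn-attachments"
}

# Three attachments: hub, spoke1, spoke2. The VPN (IPSec) attachment is omitted here.
resource "oci_core_drg_attachment" "a" {
  for_each           = local.vcns
  drg_id             = oci_core_drg.hub.id
  display_name       = "${each.key}-attachment"
  drg_route_table_id = oci_core_drg_route_table.vcn.id
  network_details {
    id   = oci_core_vcn.v[each.key].id
    type = "VCN"
  }
}

# DRG side: each VCN CIDR is reachable via its own attachment.
# Omit a spoke's rule here to stop the other spoke from reaching it.
resource "oci_core_drg_route_table_route_rule" "to_vcn" {
  for_each                   = local.vcns
  drg_route_table_id         = oci_core_drg_route_table.vcn.id
  destination                = each.value
  destination_type           = "CIDR_BLOCK"
  next_hop_drg_attachment_id = oci_core_drg_attachment.a[each.key].id
}

# VCN side: the DRG forwards nothing unless each VCN's own route table
# also sends the remote CIDRs to the DRG. Subnets must use this table.
resource "oci_core_route_table" "to_drg" {
  for_each       = local.vcns
  compartment_id = oci_identity_compartment.c[each.key].id
  vcn_id         = oci_core_vcn.v[each.key].id
  display_name   = "${each.key}-to-drg"
  dynamic "route_rules" {
    for_each = concat([for k, v in local.vcns : v if k != each.key], [var.onprem_cidr])
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = oci_core_drg.hub.id
    }
  }
}

# Separation of duties as tenancy-level IAM policies (group names assumed).
# Policies are compartment-scoped, so the spoke grants confer nothing on
# the DRG, which lives in "hub".
resource "oci_identity_policy" "network" {
  depends_on     = [oci_identity_compartment.c]
  compartment_id = var.tenancy_ocid
  name           = "hub-spoke-network-admins"
  description    = "Hub team owns the DRG; spoke teams own only their VCNs"
  statements = [
    "Allow group HubNetAdmins to manage virtual-network-family in compartment hub",
    # Attaching a VCN from another compartment: assumed to need 'use vcns' there
    "Allow group HubNetAdmins to use vcns in compartment spoke1",
    "Allow group HubNetAdmins to use vcns in compartment spoke2",
    "Allow group Spoke1Admins to manage virtual-network-family in compartment spoke1",
    "Allow group Spoke2Admins to manage virtual-network-family in compartment spoke2",
  ]
}
```

The point to notice is where control sits: a spoke administrator can rewrite their own VCN route table and security lists at will, but because the DRG and its route table live in the hub compartment and the spoke policy never names that compartment, they cannot add a DRG attachment or a DRG route rule. Conversely, the hub team decides whether spoke1 and spoke2 can talk at all by including or omitting each spoke's rule in the DRG route table (or by giving each attachment its own DRG route table), while leaving both reachable from the VPN.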

Important:

This model protects critical shared resources while allowing flexibility to enable non-hub network resources to be managed efficiently.