This image shows an OCI region that includes two availability domains. The region includes four virtual cloud networks (VCNs) in a hub-and-spoke topology connected by a dynamic routing gateway (DRG). The VCNs are arranged as functional layers.

- North hub VCN: The north hub VCN contains a scalable set of two Check Point CloudGuard firewall virtual machines (VMs), with one VM in each availability domain. The north hub VCN also includes a Check Point Security Management Server that manages the Check Point CloudGuard Network Security gateways. The north hub VCN includes three subnets: a frontend subnet, a backend subnet, and a network load balancer subnet.
  - The frontend subnet uses the primary interface (vNIC1) of the Check Point CloudGuard Network Security gateways for inbound internet traffic to or from the gateways.
  - The backend subnet uses the second interface (vNIC2) of the Check Point CloudGuard Network Security gateways for internal traffic to or from the gateways.
  - The network load balancer subnet allows the end user to create a private or public flexible network load balancer, which accepts connections from on-premises networks and inbound connections from the internet.
  - Internet gateway: Connects the internet and external web clients to the Check Point CloudGuard Network Security gateways in availability domain 1 through the frontend subnet.
  - Dynamic routing gateway: Connects the customer data center and customer premises equipment, over IPSec VPN or FastConnect, to the Check Point CloudGuard Network Security gateways in availability domain 1 through the frontend subnet. The DRG also carries traffic between VCNs; each VCN has an attachment to the DRG.
  - The north hub VCN includes the following flexible network load balancers:
    - External network load balancer: This public load balancer distributes traffic to the frontend interfaces of the Check Point CloudGuard Network Security gateways. Internet traffic reaches this load balancer through the internet gateway.
- South hub VCN: The south hub VCN contains a high availability cluster of two Check Point CloudGuard Network Security VMs, with one VM in each availability domain. The south hub VCN firewall VMs are managed by the Check Point Security Management Server deployed in the north hub VCN. The south hub VCN includes a frontend subnet and a backend subnet.
  - The frontend subnet uses the primary interface (vNIC1) of the Check Point CloudGuard Network Security gateways for inbound internet traffic to or from the gateways.
  - The backend subnet uses the second interface (vNIC2) of the Check Point CloudGuard Network Security gateways for internal traffic to or from the gateways.
  - Internet gateway: Connects the internet and external web clients to the Check Point CloudGuard Network Security gateways in availability domain 1 through the frontend subnet.
  - Dynamic routing gateway: The south hub VCN is attached to the DRG so that inbound traffic from the spoke VCNs can be inspected by the Check Point CloudGuard Network Security gateways.
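As an added illustration of how the hub-and-spoke wiring described above is expressed in OCI Terraform (example code written for this page, not part of the original image description or any Oracle or Check Point artifact), the following attaches all four VCNs to a single DRG and creates the north hub's three subnets, marking the backend (vNIC2) subnet private so its interfaces can never receive a public IP. The CIDRs, display names and the `compartment_ocid` variable are assumed values.

```hcl
# Added example: one DRG shared by the two hub VCNs and two spoke VCNs.
# CIDRs, names and var.compartment_ocid are assumed values, not from the page.
variable "compartment_ocid" { type = string }

locals {
  vcns = {
    north_hub = "10.0.0.0/16"
    south_hub = "10.1.0.0/16"
    spoke_a   = "10.10.0.0/16"
    spoke_b   = "10.11.0.0/16"
  }
}

resource "oci_core_drg" "hub" {
  compartment_id = var.compartment_ocid
  display_name   = "hub-drg"
}

resource "oci_core_vcn" "vcn" {
  for_each       = local.vcns
  compartment_id = var.compartment_ocid
  cidr_blocks    = [each.value]
  display_name   = "${each.key}-vcn"
}

# Every VCN gets exactly one DRG attachment; inter-VCN traffic rides the DRG.
resource "oci_core_drg_attachment" "vcn" {
  for_each     = oci_core_vcn.vcn
  drg_id       = oci_core_drg.hub.id
  vcn_id       = each.value.id
  display_name = "${each.key}-drg-attachment"
}

# North hub subnets. Only the frontend (vNIC1) and NLB subnets may carry
# public IPs; the backend (vNIC2) subnet is private, so internal traffic
# between the gateways and the spokes never gets a public address.
resource "oci_core_subnet" "north" {
  for_each = {
    frontend = { cidr = "10.0.1.0/24", private = false }
    backend  = { cidr = "10.0.2.0/24", private = true }
    nlb      = { cidr = "10.0.3.0/24", private = false }
  }
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.vcn["north_hub"].id
  cidr_block                 = each.value.cidr
  display_name               = "north-hub-${each.key}"
  prohibit_public_ip_on_vnic = each.value.private
}
```

Route tables that steer spoke traffic through the firewalls' backend interfaces are deliberately left out here; they depend on the DRG route distribution design, which the image description does not cover.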