This image shows an OCI region that includes two availability domains. The region includes four virtual cloud networks (VCNs) in a hub-and-spoke topology connected by a dynamic routing gateway (DRG). The VCNs are arranged as functional layers.
  • North hub VCN: The north hub VCN contains a scalable set of two Check Point CloudGuard firewall virtual machines (VMs), with one VM in each availability domain. The north hub VCN also hosts a Check Point Security Management Server that manages the Check Point CloudGuard Network Security gateways. The north hub VCN includes three subnets: a frontend subnet, a backend subnet, and a network load balancer subnet.
    • The frontend subnet uses the primary interface (vNIC1) for inbound internet traffic to or from the Check Point CloudGuard Network Security gateways.
    • The backend subnet uses the second interface (vNIC2) for internal traffic to or from the Check Point CloudGuard Network Security gateways.
    • The network load balancer subnet allows the end user to create a private or public flexible network load balancer, which accepts on-premises connections and inbound connections from the internet.
    The north hub VCN includes the following communication gateways:
    • Internet gateway: Connects the internet and external web clients to the Check Point CloudGuard Network Security gateways in availability domain 1 through the frontend subnet.
    • Dynamic routing gateway: Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect to the Check Point CloudGuard Network Security gateways in availability domain 1 through the frontend subnet. The DRG also supports communication between VCNs. Each VCN has an attachment to the DRG.
    The north hub VCN includes the following flexible network load balancer:
    • External (public) network load balancer: Distributes traffic to the frontend interfaces of the Check Point CloudGuard Network Security gateways. Internet traffic reaches this load balancer through the internet gateway.
  • South hub VCN: The south hub VCN contains a high availability cluster of two Check Point CloudGuard Network Security VMs, with one VM in each availability domain. The south hub VCN firewall VMs are managed by the Check Point Security Management Server deployed in the north hub VCN. The south hub VCN includes a frontend subnet and a backend subnet.
    • The frontend subnet uses the primary interface (vNIC1) for inbound internet traffic to or from the Check Point CloudGuard Network Security gateways.
    • The backend subnet uses the second interface (vNIC2) for internal traffic to or from the Check Point CloudGuard Network Security gateways.
    The south hub VCN includes the following communication gateways:
    • Internet gateway: Connects the internet and external web clients to the Check Point CloudGuard Network Security gateways in availability domain 1 through the frontend subnet.
    • Dynamic routing gateway: Attaches the VCN to the DRG so that inbound traffic from the spoke VCNs is inspected by the Check Point CloudGuard Network Security gateways.
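The following Terraform skeleton is an added example of the topology described above, not code from Oracle or Check Point: one shared DRG, four VCNs each attached to it, internet gateways only in the two hub VCNs, the three north hub subnets, and route tables that send the frontend's default route to the internet gateway while spoke VCNs send all non-local traffic to the DRG. The compartment variable, all CIDR blocks, the on-premises prefix and every display name are constructed placeholders; the Check Point instances, the network load balancer and the DRG route tables that steer spoke traffic through the south hub firewalls are not shown.

```hcl
# Added example (not the architecture's own code). All OCIDs, CIDRs and names
# are constructed placeholders.
variable "compartment_ocid" {}

# A single DRG is shared by every VCN; each VCN gets one attachment to it.
resource "oci_core_drg" "hub_drg" {
  compartment_id = var.compartment_ocid
  display_name   = "hub-drg"
}

locals {
  vcns = {
    north_hub = "10.0.0.0/16"   # constructed
    south_hub = "10.1.0.0/16"   # constructed
    spoke_a   = "10.10.0.0/16"  # constructed
    spoke_b   = "10.11.0.0/16"  # constructed
  }
}

resource "oci_core_vcn" "vcn" {
  for_each       = local.vcns
  compartment_id = var.compartment_ocid
  cidr_blocks    = [each.value]
  display_name   = each.key
}

resource "oci_core_drg_attachment" "attach" {
  for_each     = oci_core_vcn.vcn
  drg_id       = oci_core_drg.hub_drg.id
  vcn_id       = each.value.id
  display_name = "${each.key}-drg-attachment"
}

# Internet gateways exist only in the hub VCNs; spokes have no direct exit.
resource "oci_core_internet_gateway" "igw" {
  for_each       = toset(["north_hub", "south_hub"])
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn[each.key].id
  display_name   = "${each.key}-igw"
}

# North hub subnets: frontend (vNIC1), backend (vNIC2), load balancer.
resource "oci_core_subnet" "north_frontend" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn["north_hub"].id
  cidr_block     = "10.0.1.0/24"
  display_name   = "north-frontend"
  route_table_id = oci_core_route_table.north_frontend.id
}

resource "oci_core_subnet" "north_backend" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.vcn["north_hub"].id
  cidr_block                 = "10.0.2.0/24"
  display_name               = "north-backend"
  prohibit_public_ip_on_vnic = true   # internal interface never gets a public IP
}

resource "oci_core_subnet" "north_nlb" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn["north_hub"].id
  cidr_block     = "10.0.3.0/24"
  display_name   = "north-nlb"
}

# Frontend route table: default route to the internet gateway, on-premises
# prefix (reached over IPSec VPN or FastConnect) to the DRG.
resource "oci_core_route_table" "north_frontend" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn["north_hub"].id
  display_name   = "north-frontend-rt"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw["north_hub"].id
  }
  route_rules {
    destination       = "192.168.0.0/16"   # constructed on-premises prefix
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_drg.hub_drg.id
  }
}

# Spoke route table: all non-local traffic goes to the DRG, so the hub
# firewalls are the only path in or out of a spoke.
resource "oci_core_route_table" "spoke" {
  for_each       = toset(["spoke_a", "spoke_b"])
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn[each.key].id
  display_name   = "${each.key}-rt"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_drg.hub_drg.id
  }
}
```

The check worth running after `terraform plan` is that no spoke VCN has an internet gateway or a route rule whose next hop is anything other than the DRG; any such rule lets traffic bypass the Check Point gateways in the hub VCNs. Steering spoke-to-spoke and spoke-to-internet flows through the south hub firewall additionally requires DRG route tables and a VCN attachment route table pointing at the firewall's backend interface, which this skeleton leaves out.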