This image shows the east-west traffic flow from the database tier to the web or application tier in a regional hub and spoke topology that uses a Check Point CloudGuard Network Security gateway. It includes three virtual cloud networks (VCNs):
  • South hub VCN (192.168.0.0/16): The south hub VCN houses the Check Point CloudGuard Network Security gateways. The backend subnet uses vNIC2 for internal traffic to or from the Check Point CloudGuard Network Security gateway. The south hub VCN communicates with spoke VCNs through a dynamic routing gateway (DRG).
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN over the DRG.
  • Database tier spoke VCN (10.0.1.0/24): The VCN contains a single subnet that contains the primary database system. The database tier VCN is connected to the hub VCN over the DRG.
East-west traffic flows from the database to the web or application in the following steps:
  1. Traffic that moves from the database tier to the web or application load balancer (10.0.0.10) is routed through the database subnet route table (destination 0.0.0.0/0).
  2. Traffic moves from the database subnet route table to the DRG for the database tier spoke VCN.
  3. Traffic moves from the DRG through the south hub VCN ingress route table to the Check Point CloudGuard Network Security gateway VMs, using the secondary IP of vNIC2.
  4. Traffic from the active Check Point CloudGuard Network Security gateway is routed through the backend subnet route table (destination 10.0.0.0/16).
  5. Traffic moves from the backend subnet route table to the DRG for the web spoke VCN.
  6. Traffic moves from the DRG through the web spoke VCN attachment to the web or application load balancer.
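The six steps above are a chain of longest-prefix route lookups, and the security property they are meant to guarantee is that no spoke-to-spoke packet reaches its destination without passing the CloudGuard gateway. The following model, an added example that is not Oracle or Check Point code, reproduces the lookups for the topology described in the text and checks that property. The web and database subnet route tables, the two DRG route tables, the next-hop labels (LOCAL, DRG, hub_attachment, web_attachment, db_attachment) and the gateway's vNIC2 secondary IP (192.168.1.10) are assumptions chosen for the example; the prefixes 192.168.0.0/16, 10.0.0.0/24, 10.0.1.0/24, 10.0.0.10 and the backend route 10.0.0.0/16 come from the text.

```python
"""Model the east-west route lookups of the hub-and-spoke topology.

Added example, not Oracle or Check Point tooling. Route tables are
constructed from the topology in the text; next-hop labels, the spoke
subnet route tables, the DRG route tables and the gateway IP are assumed.
"""
import ipaddress

# A route table is a list of (destination CIDR, next hop); lookup is
# longest-prefix match, as with OCI VCN and DRG route tables.
TABLES = {
    # Spoke subnet route tables: everything non-local goes to the DRG (step 1).
    "db_subnet":      [("10.0.1.0/24", "LOCAL"), ("0.0.0.0/0", "DRG")],
    "web_subnet":     [("10.0.0.0/24", "LOCAL"), ("0.0.0.0/0", "DRG")],
    # DRG route table for the spoke attachments: force traffic via the hub (step 2).
    "drg_spoke":      [("0.0.0.0/0", "hub_attachment")],
    # Hub VCN ingress route table on the DRG attachment: steer traffic to the
    # gateway's secondary IP on vNIC2 (address assumed) (step 3).
    "hub_ingress":    [("0.0.0.0/0", "CLOUDGUARD_VNIC2 192.168.1.10")],
    # Backend subnet route table in the hub, destination 10.0.0.0/16 (steps 4-5).
    "backend_subnet": [("192.168.0.0/16", "LOCAL"), ("10.0.0.0/16", "DRG")],
    # DRG route table for the hub attachment: hand traffic to the spokes (step 6).
    "drg_hub":        [("10.0.0.0/24", "web_attachment"), ("10.0.1.0/24", "db_attachment")],
}

# Misconfiguration to detect: a direct spoke-to-spoke route on the DRG spoke
# table, which is more specific than 0.0.0.0/0 and so wins the lookup.
BYPASS_TABLES = dict(
    TABLES, drg_spoke=[("10.0.0.0/24", "web_attachment"), ("0.0.0.0/0", "hub_attachment")]
)

SUBNETS = {"10.0.0.0/24": "web_subnet", "10.0.1.0/24": "db_subnet"}


def lookup(table, dst):
    """Longest-prefix match of dst against a route table; returns the next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def subnet_of(ip):
    """Name of the spoke subnet route table that applies to a source IP."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise LookupError(f"{ip} is not in a known spoke subnet")


def trace(src, dst, tables=TABLES):
    """Return the ordered hops a packet from src to dst traverses."""
    src_table = subnet_of(src)
    hop = lookup(tables[src_table], dst)
    path = [f"{src_table} -> {hop}"]
    if hop == "LOCAL":
        return path + [f"LOCAL -> {dst}"]
    # Packet is at the DRG on the source spoke's attachment.
    hop = lookup(tables["drg_spoke"], dst)
    path.append(f"drg_spoke -> {hop}")
    if hop == "hub_attachment":
        # Entering the hub VCN: ingress table sends it to the gateway, the
        # gateway's backend subnet table sends it back to the DRG.
        gateway = lookup(tables["hub_ingress"], dst)
        path.append(f"hub_ingress -> {gateway}")
        hop = lookup(tables["backend_subnet"], dst)
        path.append(f"backend_subnet -> {hop}")
        hop = lookup(tables["drg_hub"], dst)
        path.append(f"drg_hub -> {hop}")
    path.append(f"{hop} -> {dst}")
    return path


def inspected(path):
    """True if the path passes through the CloudGuard gateway."""
    return any("CLOUDGUARD" in hop for hop in path)


if __name__ == "__main__":
    for name, tables in (("expected", TABLES), ("bypass", BYPASS_TABLES)):
        path = trace("10.0.1.20", "10.0.0.10", tables)  # constructed DB source IP
        print(f"[{name}] inspected={inspected(path)}")
        for hop in path:
            print("   ", hop)
```

With the tables as described in the text, the trace from a constructed database host 10.0.1.20 to the load balancer 10.0.0.10 visits the gateway before reaching the web attachment. With `BYPASS_TABLES`, where the DRG spoke route table carries a direct 10.0.0.0/24 route, the longest-prefix match skips the hub entirely and `inspected` returns False; that is the condition to check for when a DRG route table imports spoke prefixes that should only be reachable through the hub.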