This image shows the east-west traffic flow from OCI Object Storage and other Oracle Services Network to the web application in a regional hub and spoke topology that uses a Check Point CloudGuard Network Security gateway. It includes two virtual cloud networks (VCNs):
  • South hub VCN (192.168.0.0/16): The south hub VCN houses the Check Point CloudGuard Network Security high availability cluster. The backend subnet uses the vNIC2 interface for internal traffic to or from the CloudGuard Network Security gateway; this interface is part of the backend subnet. The south hub VCN communicates with spoke VCNs through a dynamic routing gateway, and with OCI Object Storage through a service gateway.
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the south hub VCN over a dynamic routing gateway (DRG).
East-west traffic flows from OCI Object Storage to the web or application tier in the following steps:
  1. Traffic that moves from Object Storage to the web or application VM (10.0.0.10) is routed through the service gateway route table (destination 0.0.0.0/0) in the south hub VCN.
  2. Traffic moves from the service gateway to the Check Point CloudGuard Network Security gateways in the backend subnet over vNIC2 through the secondary floating IP of vNIC2.
  3. Traffic from Check Point CloudGuard Network Security gateways is routed through the backend subnet route table (destination 10.0.0.0/24).
  4. Traffic moves from the backend subnet route table to the DRG.
  5. Traffic moves through the DRG to the attachment for the web or application tier spoke VCN.
  6. Traffic moves from DRG web VCN attachment to the load balancer for the web or application.
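The six steps above are a chain of route-table lookups, each selecting a next hop by longest-prefix match on the destination CIDR. The following Python script is an added example, not code from Oracle or Check Point, that models the figure's route tables (service gateway route table with destination 0.0.0.0/0, backend subnet route table with destination 10.0.0.0/24, DRG route to the spoke attachment) and traces a packet hop by hop. The node names, the load balancer hop, and the "DROP" result for an unrouted destination are constructed for illustration; only the web VM address 10.0.0.10 and the two CIDR destinations come from the description.

```python
import ipaddress

# Constructed values: the page names the web VM 10.0.0.10; the node labels
# below are illustrative and do not correspond to real OCI resource names.
WEB_VM_IP = "10.0.0.10"

# Each routing hop holds an OCI-style route table: a list of
# (destination CIDR, next hop) rules, modelled on the figure description.
ROUTE_TABLES = {
    # Service gateway route table: default route sends everything to the
    # secondary (floating) private IP on the CloudGuard cluster's vNIC2.
    "service-gateway": [("0.0.0.0/0", "cloudguard-vnic2-floating-ip")],
    # CloudGuard forwards via the backend subnet route table: only the
    # spoke CIDR 10.0.0.0/24 is routed, to the DRG.
    "cloudguard-vnic2-floating-ip": [("10.0.0.0/24", "drg")],
    # DRG route: the spoke CIDR goes to the web VCN attachment.
    "drg": [("10.0.0.0/24", "web-spoke-vcn-attachment")],
}

# Terminal hop: inside the spoke VCN the traffic is delivered to the
# application load balancer that fronts the web or application VMs.
TERMINAL = {"web-spoke-vcn-attachment": "load-balancer"}


def longest_prefix_match(rules, dst):
    """Return the next hop of the most specific rule matching dst, or None.

    This mirrors how a route table is evaluated: a /24 rule beats a 0.0.0.0/0
    rule for an address inside the /24; with no matching rule the packet is
    not forwarded.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, next_hop in rules:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def trace_path(dst, start="service-gateway"):
    """Walk the route tables from `start` and return the list of hops taken.

    A destination that no table covers ends in a constructed "DROP (no route)"
    marker, which is the check an operator wants when adding a new spoke CIDR.
    """
    hops = [start]
    node = start
    while node in ROUTE_TABLES:
        next_hop = longest_prefix_match(ROUTE_TABLES[node], dst)
        if next_hop is None:
            hops.append("DROP (no route)")
            return hops
        hops.append(next_hop)
        node = next_hop
    if node in TERMINAL:
        hops.append(TERMINAL[node])
    return hops


if __name__ == "__main__":
    # The documented east-west flow reaches the load balancer.
    print(" -> ".join(trace_path(WEB_VM_IP)))
    # A constructed address outside 10.0.0.0/24 is dropped at the backend
    # subnet route table, because that table only routes the spoke CIDR.
    print(" -> ".join(trace_path("10.0.1.5")))
```

The second trace is the useful one when extending the topology: a new spoke VCN needs its CIDR added to the backend subnet route table and to the DRG route before the service gateway's default route can deliver anything to it.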