This image shows the north-south inbound traffic flow between the north hub VCN and the web or application (spoke) VCN in a region that uses Check Point CloudGuard Network Security gateways. The OCI region includes two availability domains. The region contains a north hub VCN and a single spoke VCN (web or application tier) connected by a dynamic routing gateway (DRG).
  • North Hub VCN (10.1.0.0/16): The north hub VCN contains a cluster of two Check Point CloudGuard Network Security gateway virtual machines (VMs), one in each availability domain. It also contains a Check Point Security Management server that manages the Check Point CloudGuard Network Security gateways. The north hub VCN has three subnets: a frontend subnet, a backend subnet, and a network load balancer subnet.
    • The frontend subnet holds the gateways' primary interface (vNIC1), which carries inbound internet traffic to and from the Check Point CloudGuard Network Security gateways.
    • The backend subnet holds the gateways' second interface (vNIC2), which carries internal traffic to and from the Check Point CloudGuard Network Security gateways.
    • The network load balancer subnet lets you create a private or public flexible network load balancer, which accepts inbound connections from on-premises networks or from the internet.
    Inbound traffic enters the hub VCN from external sources through the public IP address of the external network load balancer and is forwarded to the Check Point CloudGuard Network Security gateways:
    • Internet gateway: Traffic from the internet and external web clients reaches the public network load balancer through the internet gateway, and the load balancer forwards it to one of the Check Point CloudGuard Network Security gateways. The network load balancer has a public IP address, so clients can connect from outside. The default route for this path has destination CIDR 0.0.0.0/0 (all addresses); on the gateways, its next hop is the first host IP address of the frontend (outside) subnet CIDR, which OCI reserves as the subnet's default gateway.
    • One of the Check Point CloudGuard Network Security gateways inspects the traffic. Configure source NAT on the gateways so that traffic leaving the firewall toward the spoke carries the backend interface (vNIC2) IP address of the gateway that inspected it. Because the network load balancer can hand a flow to either cluster member, this source NAT is what brings the spoke's return traffic back to the same gateway instead of routing it asymmetrically. The destination is the spoke VCN VMs and the load balancer to which you want to send the traffic.
    • Based on the backend route table, traffic goes to the DRG, because the spoke VCN is attached to the DRG.
    • DRG: Traffic from the backend (inside) subnet to the spoke VCN is routed over the DRG.
      • Application or web: Traffic destined for this spoke VCN is routed through the DRG attachment of the application or web VCN.
      • Database: Traffic destined for the database spoke VCN is routed through the DRG attachment of the database VCN.
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer distributes traffic across the web and application VMs in each availability domain. Traffic from the north hub VCN reaches the application load balancer over the DRG. The spoke subnet's route table sends the default route 0.0.0.0/0 (all addresses) to the DRG, so return traffic goes back to the hub for inspection.
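The following is an added example, not code from the original page or from Check Point or Oracle. It models the inbound path described above as a small Python program: each route table is evaluated by longest-prefix match, the OCI subnet default gateway is derived as the first host address of the subnet CIDR, and the gateway that inspected a flow applies source NAT to its backend (vNIC2) address. It then traces the spoke's return traffic with and without that source NAT to show why the NAT is required in a two-node cluster behind a network load balancer. All subnet sizes, addresses, gateway names, the hub ingress route table and the load balancer's flow-hashing stand-in are assumed values.

```python
"""Model of the inbound north-south path through the hub (added example;
assumed addresses, not an OCI or Check Point API)."""
from ipaddress import ip_address, ip_network

# Assumed subnet layout inside the north hub VCN (10.1.0.0/16) and the spoke.
FRONTEND_SUBNET = ip_network("10.1.1.0/24")   # vNIC1, internet-facing
BACKEND_SUBNET = ip_network("10.1.2.0/24")    # vNIC2, internal
SPOKE_SUBNET = ip_network("10.0.0.0/24")      # web/application spoke VCN

# Two-node cluster, one gateway per availability domain (addresses assumed).
GATEWAYS = {
    "gw-ad1": {"frontend": "10.1.1.11", "backend": "10.1.2.11"},
    "gw-ad2": {"frontend": "10.1.1.12", "backend": "10.1.2.12"},
}

# Route tables as the text describes them; targets are symbolic OCI entities.
FRONTEND_RT = [("0.0.0.0/0", "internet-gateway")]
BACKEND_RT = [("10.1.0.0/16", "local"), ("10.0.0.0/24", "drg")]
SPOKE_RT = [("10.0.0.0/24", "local"), ("0.0.0.0/0", "drg")]
# Assumed: a hub DRG-attachment (ingress) route table names one static next hop
# for 0.0.0.0/0, so without SNAT every return flow is delivered to that node.
HUB_INGRESS_RT = [("10.1.0.0/16", "local"), ("0.0.0.0/0", GATEWAYS["gw-ad1"]["backend"])]


def subnet_default_gateway(subnet):
    """OCI reserves the first host address of a subnet CIDR as its default gateway."""
    return str(subnet.network_address + 1)


def lookup(route_table, dst):
    """Longest-prefix match over (cidr, target) rules; None when nothing matches."""
    addr = ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nlb_pick(client_ip, client_port, dst_port):
    """Deterministic stand-in for the network load balancer's flow hashing
    (the real NLB hashes the 5-tuple; this just keeps the example reproducible)."""
    names = sorted(GATEWAYS)
    key = int(ip_address(client_ip)) + client_port + dst_port
    return names[key % len(names)]


def gateway_for_backend_ip(ip):
    """Which cluster member owns a given backend (vNIC2) address."""
    for name, nics in GATEWAYS.items():
        if nics["backend"] == ip:
            return name
    return None


def trace_inbound(client_ip, client_port, spoke_lb_ip, dst_port=443, snat=True):
    """Walk one client flow: NLB -> gateway -> DRG -> spoke, then the spoke's
    return traffic. Reports the inspecting gateway, the gateway the return
    traffic reaches, and whether the two match (symmetric routing)."""
    gw_name = nlb_pick(client_ip, client_port, dst_port)
    gw = GATEWAYS[gw_name]
    assert lookup(FRONTEND_RT, client_ip) == "internet-gateway"
    # After inspection the gateway forwards to the spoke load balancer; with SNAT
    # the source becomes its backend vNIC address, otherwise the client address.
    src_after_gw = gw["backend"] if snat else client_ip
    assert lookup(BACKEND_RT, spoke_lb_ip) == "drg"
    # Spoke return traffic: the destination is outside 10.0.0.0/24, so the
    # spoke's default route hands it to the DRG, which delivers it to the hub.
    assert lookup(SPOKE_RT, src_after_gw) == "drg"
    if snat:
        # Destination is a specific backend vNIC inside the hub VCN.
        return_gw = gateway_for_backend_ip(src_after_gw)
    else:
        # Destination is the client's public IP: the single 0.0.0.0/0 next hop
        # in the hub ingress table decides, whichever gateway saw the flow.
        return_gw = gateway_for_backend_ip(lookup(HUB_INGRESS_RT, src_after_gw))
    return {
        "inspecting": gw_name,
        "gw_default_next_hop": subnet_default_gateway(FRONTEND_SUBNET),
        "return": return_gw,
        "symmetric": gw_name == return_gw,
    }


if __name__ == "__main__":
    for snat in (True, False):
        # Constructed client address from the TEST-NET-3 documentation range.
        print("snat" if snat else "no snat", trace_inbound("203.0.113.10", 40000, "10.0.0.7", snat=snat))
```

Running the block prints one symmetric trace (with SNAT) and one asymmetric trace (without), for a flow the stand-in hash sends to gw-ad2: without SNAT the spoke answers to the client's public address, the hub's static default next hop delivers it to gw-ad1, and the inspecting gateway never sees the reply.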