This image shows the north-south outbound traffic flow from the web or application (spoke) VCN through the hub VCN in a region that uses a cluster of Check Point CloudGuard Network Security gateways.

The OCI region includes two availability domains. The region contains a south hub VCN and a single spoke VCN (web or application tier) connected by dynamic routing gateway (DRG) attachments.
  • Spoke (web or application) VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic between the web or application VMs in each of the availability domains. Outbound traffic from the application load balancer to the south hub VCN is routed over the DRG. The spoke subnet's route rule for destination CIDR 0.0.0.0/0 (all addresses) targets the DRG.
  • South hub VCN (192.168.0.0/16): The south hub VCN contains a high availability cluster of two Check Point CloudGuard Network Security gateway virtual machines (VMs) with one VM in each of the availability domains.
  • The south hub VCN includes two subnets:
    • A frontend subnet, which uses the primary interface (vNIC1) to allow end users to connect to the user interface and to carry outbound traffic.
    • A backend subnet, which uses the secondary interface (vNIC2) for internal traffic to or from the Check Point CloudGuard Network Security gateways.
Outbound traffic from the spoke VCNs flows as follows: traffic from the spoke (web or application) VCN enters the south hub VCN, which sends it to the backend interface of the active Check Point CloudGuard Network Security gateway, and then out through the frontend subnet to external targets.
  • Check Point CloudGuard Network Security gateways: Traffic from the DRG is routed through the secondary virtual IP (VIP) of vNIC2 to the backend interface of the active Check Point CloudGuard Network Security gateway through the backend subnet, and then through the south hub VCN gateways to external targets.
  • Internet gateway: Traffic to internet and external web clients is routed through an internet gateway. The frontend subnet destination CIDR for the internet gateway is 0.0.0.0/0 (all addresses).
  • Dynamic routing gateway: Traffic to the customer data center and between VCNs is routed through a dynamic routing gateway. The frontend subnet destination CIDR for the dynamic routing gateway is 172.16.0.0/12. The DRG also supports communication between VCNs. Each VCN has an attachment to a DRG.
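The route rules above decide whether outbound traffic is actually forced through the gateway cluster. The following Python model is an added example, not part of the original illustration or of Oracle's or Check Point's documentation: it encodes the described route tables as constructed data, resolves each hop by longest-prefix match (the rule every IP route table uses), traces a packet from the spoke subnet to its exit, and checks that no spoke route rule bypasses the DRG. The `hub-drg-ingress` table and the target labels (`drg`, `checkpoint-backend-vip`, `internet-gateway`) are assumptions made for the model, not OCI identifiers; the page only states that traffic from the DRG is routed through the vNIC2 VIP.

```python
import ipaddress

# Constructed route tables modelled on the architecture description above.
# Target names are labels chosen for this example, not OCI resource identifiers.
ROUTE_TABLES = {
    # Spoke subnet (10.0.0.0/24): the only rule sends 0.0.0.0/0 to the DRG,
    # so there is no path that avoids the hub.
    "spoke-subnet": [("0.0.0.0/0", "drg")],
    # Assumed: the DRG attachment into the hub hands all traffic to the
    # gateway cluster's backend VIP on vNIC2 (the page says DRG traffic is
    # routed through that VIP).
    "hub-drg-ingress": [("0.0.0.0/0", "checkpoint-backend-vip")],
    # Frontend subnet (vNIC1): internet via the internet gateway,
    # customer data center / other VCNs (172.16.0.0/12) via the DRG.
    "hub-frontend-subnet": [
        ("0.0.0.0/0", "internet-gateway"),
        ("172.16.0.0/12", "drg"),
    ],
}

# Route tables consulted in order along the outbound path. Assumed: the active
# gateway forwards from its backend interface (vNIC2) to its frontend interface
# (vNIC1), where the frontend subnet's route table applies.
OUTBOUND_PATH = ["spoke-subnet", "hub-drg-ingress", "hub-frontend-subnet"]


def lookup(route_table, dst):
    """Return the target of the most specific (longest prefix) matching rule."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace_outbound(dst):
    """List the next-hop target chosen at each route table on the outbound path."""
    hops = []
    for table_name in OUTBOUND_PATH:
        target = lookup(ROUTE_TABLES[table_name], dst)
        if target is None:
            raise ValueError(f"no route for {dst} in {table_name}")
        hops.append(target)
    return hops


def spoke_bypasses_firewall(spoke_table):
    """True if any spoke rule sends traffic anywhere other than the DRG.

    A rule pointing at an internet or NAT gateway in the spoke would let
    traffic leave without passing the gateway cluster in the hub.
    """
    return any(target != "drg" for _, target in spoke_table)


if __name__ == "__main__":
    for dst in ("203.0.113.10", "172.16.5.5"):
        print(dst, "->", " -> ".join(trace_outbound(dst)))
    print("spoke bypasses firewall:", spoke_bypasses_firewall(ROUTE_TABLES["spoke-subnet"]))
```

An internet destination resolves to DRG, then the gateway VIP, then the internet gateway; a 172.16.0.0/12 destination takes the same first two hops but exits the frontend subnet over the DRG because the /12 rule is more specific than 0.0.0.0/0. Running `spoke_bypasses_firewall` against each spoke route table is the check to repeat whenever a spoke gains a new route rule.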