This image shows a primary OCI region. This region contains a Palo Alto Hub virtual cloud network (VCN) and two Application Environment Spoke VCNs.

The Palo Alto Hub VCN contains these subnets:
  • An untrust private subnet. Traffic is routed between this subnet and the internet gateway via an untrust vNIC.
  • A Palo Alto Management public subnet, containing two Palo Alto virtual machines (VMs), connected by a floating VIP in the trust private subnet.
  • A Palo Alto high-availability subnet.
  • A trust private subnet. Traffic is routed between this subnet and the internet gateway via a trust vNIC.
The Application Environment-1 Spoke VCN contains these subnets:
  • A load balancer public subnet, containing an active application load balancer and an inactive default second load balancer, which is created by OCI.
  • An Oracle E-Business Suite (EBS) private subnet, containing two EBS applications and one Enterprise Command Center. Application traffic in this subnet flows from the second EBS app to the first EBS app and is then directed to a file system straddling the subnet and the region.
  • An Exadata Cloud Service private subnet that contains an Exadata Cloud Service VM cluster and an associated file system.
  • An Exadata Cloud Service private backup subnet.
The Application Environment-2 Spoke VCN contains these subnets:
  • A load balancer public subnet, containing an active application load balancer and an inactive default second load balancer, which is created by OCI.
  • An Oracle E-Business Suite (EBS) private subnet, containing four EBS applications (EBS App-1 through EBS App-4) and one Enterprise Command Center. Application traffic in this subnet flows from the fourth EBS app to the first EBS app and is then directed to a file system straddling the subnet and the region.
  • An Exadata Cloud Service private subnet that contains an Exadata Cloud Service VM cluster and an associated file system.
  • An Exadata Cloud Service private backup subnet.

Access to each subnet is controlled by individual routing tables and security lists.

In this scenario, traffic flows from Application Environment-2 Spoke VCN through the DRG to the trust private subnet in the Palo Alto Hub VCN. It's then exchanged between the trust private subnet and the Palo Alto Management public subnet, then back to the DRG. The DRG then routes the traffic to the Application Environment-2 Spoke VCN.