This image shows the north-to-south traffic flow to an Oracle Cloud Infrastructure region from another cloud provider on the internet through a Palo Alto Networks firewall.

At the top of the image is an on-premises customer data center. Beneath that is a primary OCI region. This region contains a Palo Alto Hub virtual cloud network (VCN) and an Application Spoke VCN.

The Palo Alto Hub VCN contains these subnets:
  • An untrust private subnet. Traffic is routed between this subnet and the internet gateway via an untrust vNIC.
  • A Palo Alto Management public subnet, containing two Palo Alto virtual machines (VMs).
  • A Palo Alto high-availability subnet.
  • A trust private subnet. Traffic is routed between this subnet and the internet gateway via a trust vNIC.
The Application Spoke VCN contains these subnets:
  • A load balancer public subnet, containing an active application load balancer and an inactive default second load balancer, which is created by OCI.
  • An Oracle E-Business Suite (EBS) private subnet, containing two EBS applications and one Enterprise Command Center. The application traffic in this subnet flows from the second EBS app to the first EBS app and is then directed to a file system that straddles the subnet and region boundary.
  • An Exadata Cloud Service private subnet that contains an Exadata Cloud Service VM cluster and an associated file system.
  • An Exadata Cloud Service private backup subnet.
Access to each subnet is controlled by individual routing tables and security lists.

In this scenario, traffic flows from the internet/other cloud provider through an internet gateway to the untrust private subnet in the Palo Alto Hub VCN. Traffic is then passed to the Palo Alto Management public subnet, then to the trust private subnet, from which it flows back through the dynamic routing gateway (DRG) to the Application Spoke VCN.