This image shows how traffic flows from an Oracle Cloud Infrastructure (OCI) region to an external cloud provider on the internet.
At the top of the image is an external cloud provider on the internet. Beneath that is a primary OCI region. This region contains a Palo Alto Hub virtual cloud network (VCN) and an Application Spoke VCN.
The Palo Alto Hub VCN contains these subnets:
- An untrust private subnet. Traffic is routed between this subnet and the internet gateway via an untrust vNIC.
- A Palo Alto Management public subnet, containing two Palo Alto virtual machines (VMs).
- A Palo Alto high-availability subnet.
- A trust private subnet. Traffic is routed between this subnet and the internet gateway via a trust vNIC.
- A load balancer public subnet, containing an active application load balancer and an inactive default second load balancer, which is created by OCI.
- An Oracle E-Business Suite (EBS) private subnet, containing two EBS applications and one Enterprise Command Center. Application traffic in this subnet flows from the second EBS app to the first EBS app and is then directed to a file system astride the subnet and the region.
- An Exadata Cloud Service private subnet that contains an Exadata Cloud Service VM cluster and an associated file system.
- An Exadata Cloud Service private backup subnet.
In this scenario, traffic flows from the Application Spoke VCN, through the DRG, to the trust subnet. From there, it is routed to the Palo Alto Management public subnet and then on to the untrust private subnet and finally through the internet gateway to the external cloud provider on the internet.