This image shows two Oracle Cloud Infrastructure regions that include two availability domains. Each region includes at minimum the three virtual cloud networks (VCNs) required to deploy this architecture. The VCNs are arranged here as functional layers.

Management VCN:

The Management VCN contains two Cisco ASA Virtual Firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. You can also deploy a management server within the Management VCN to manage the firewall configuration. The Management VCN includes a single management subnet. Each firewall has a dedicated VPN pool, and each end user gets an IP address from that pool.

The management subnet uses the primary interface (nic0/0) to allow administrators to connect to the firewall's management user interface.

The Management VCN uses an Internet Gateway to connect the Internet and external web clients to the Cisco ASA Virtual Firewall for configuration management. As noted above, the two firewall VMs sit one per availability domain between the flexible network load balancers, the Management VCN has a single management subnet, and each firewall has its own dedicated VPN pool from which end users receive their IP addresses.

Outside VCN:

The Outside VCN contains at least one outside subnet, which uses the secondary interface (nic0/1) to allow end users to send VPN traffic to this interface via a network load balancer. The Outside VCN includes a flexible external (public) network load balancer whose backend set consists of the outside interfaces of the Cisco ASA Virtual Firewalls. This ensures that any traffic arriving through the flexible network load balancer goes to one of the firewalls behind it. End users use the network load balancer's VIP address as the VPN head end. The load balancer uses a 2-tuple hash to distribute traffic to one of the Cisco ASA Virtual Firewalls, which keeps stickiness for both AnyConnect clients and application traffic.
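As an added example that is not part of the original page or Oracle's own reference code, the following Terraform fragment shows the public network load balancer described above with the 2-tuple hash policy. OCIDs and addresses are placeholders, port 443 for both the TLS and DTLS VPN flows is an assumption, and the attribute names follow the OCI Terraform provider's network load balancer resources.

```hcl
# Constructed example: public NLB in the Outside VCN fronting two ASAv outside interfaces.
# All OCIDs and IP addresses below are placeholders.
resource "oci_network_load_balancer_network_load_balancer" "vpn_headend" {
  compartment_id = "ocid1.compartment.oc1..PLACEHOLDER"
  display_name   = "asav-outside-nlb"
  subnet_id      = "ocid1.subnet.oc1..OUTSIDE_SUBNET_PLACEHOLDER"
  is_private     = false # public VIP: the address end users configure as the VPN head end
}

# TWO_TUPLE hashes on (source IP, destination IP) only. An AnyConnect client opens a TLS
# session (TCP/443) and then a DTLS session (UDP/443); with TWO_TUPLE both flows map to the
# same ASAv. FIVE_TUPLE (the default) also hashes protocol and ports, so the DTLS flow could
# be sent to the other firewall, which holds no state for that VPN session.
resource "oci_network_load_balancer_backend_set" "asav_outside" {
  name                     = "asav-outside"
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.vpn_headend.id
  policy                   = "TWO_TUPLE"

  health_checker {
    protocol = "TCP"
    port     = 443 # assumption: the VPN service listens on 443 on the outside interface
  }
}

# One backend per firewall outside interface (nic0/1), one ASAv per availability domain.
resource "oci_network_load_balancer_backend" "asav_ad1" {
  backend_set_name         = oci_network_load_balancer_backend_set.asav_outside.name
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.vpn_headend.id
  ip_address               = "10.1.0.11" # placeholder: ASAv in AD1, outside interface
  port                     = 443
}

resource "oci_network_load_balancer_backend" "asav_ad2" {
  backend_set_name         = oci_network_load_balancer_backend_set.asav_outside.name
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.vpn_headend.id
  ip_address               = "10.1.0.12" # placeholder: ASAv in AD2, outside interface
  port                     = 443
}

# A single listener accepting both the TLS (TCP) and DTLS (UDP) flows on 443.
resource "oci_network_load_balancer_listener" "vpn_443" {
  name                     = "vpn-443"
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.vpn_headend.id
  default_backend_set_name = oci_network_load_balancer_backend_set.asav_outside.name
  port                     = 443
  protocol                 = "TCP_AND_UDP"
}
```

Switching the policy to FIVE_TUPLE is the misconfiguration to watch for: connections still succeed, but a client's DTLS tunnel may silently fail over to TLS when its UDP flow lands on the other firewall.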

Inside VCN:

The Inside VCN contains at least one inside subnet. The inside subnet uses the secondary interface (nic0/2) to allow end users to send VPN traffic to this interface via a network load balancer. You can also deploy another set of network load balancers to steer traffic from the spoke VCNs, routed to the internal NLB and then to the respective ASAv firewall.

Spoke or Application VCN (Optional):

The VCN can be an application VCN acting as a spoke VCN. Once you connect from outside and get an IP address from a dedicated VPN pool, you can reach the spoke VCN via a Local Peering Gateway or a Dynamic Routing Gateway. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN over a dynamic routing gateway.