This image shows a simple hub and spoke architecture in a single Oracle Cloud Infrastructure (OCI) region with a hub virtual cloud network (VCN) and two spoke VCNs. The VCNs are connected to each other by using a dynamic routing gateway (DRG). The DRG also provides private connectivity with on-premises and other cloud networks by using OCI FastConnect or OCI Site-to-Site VPN.
Each VCN provides one or more subnets, each with its own security list and route table. The DMZ (hub) VCN also provides an internet gateway for communications between public subnets and internet hosts. The DMZ VCN provides a public management subnet with Oracle Cloud Infrastructure Bastion to process incoming traffic and a services subnet with a single service virtual machine (VM).
Each of the two spoke VCNs has a workloads subnet containing a single workload VM.