This image shows a simple hub-and-spoke architecture in a single Oracle Cloud Infrastructure region, with a hub virtual cloud network (VCN) and 2 spoke VCNs. The VCNs are connected to each other by a dynamic routing gateway (DRG). The DRG also provides private connectivity to on-premises networks and other cloud networks by using FastConnect or site-to-site VPN.

Each VCN provides one or more subnets, each with its own security list and route table. The DMZ (hub) VCN also provides an internet gateway for communications between public subnets and internet hosts. The DMZ VCN contains two subnets: a public management subnet with a bastion host to process incoming traffic, and a services subnet with a single service virtual machine (VM).

Each of the two spoke VCNs has a workloads subnet containing a single workload VM.