This image shows the north-south outbound traffic flow from a public VM in a Secured
Public Subnet to the internet through the Network Firewall and a NAT gateway. It includes
one secured VCN, but you can similarly have multiple secured VCNs.
The Secured VCN (10.10.0.0/16) includes the following components:
- Firewall Subnet (10.10.1.0/24), which contains the Network Firewall and the
Firewall IP address assigned to it. Ensure that the Firewall Subnet is a public subnet,
since we are protecting public subnet workloads. You can still use the same
Firewall to protect east-west and north-south traffic, but if you are protecting
public workloads and want to use the internet gateway ingress routing capability,
you must deploy the Firewall in a public subnet.
- Secured Private Subnet (10.10.0.0/24), which contains the application
workloads. A VM with the private IP 10.10.0.10 is available in this subnet.
- NAT Gateway to support egress internet connectivity.
- Route tables associated with the firewall subnet, the secured private
subnet, and the NAT gateway, ensuring that traffic is routed through the Network
Firewall.
The north-south traffic flow from the virtual machine to the internet through the NAT
Gateway is as follows:
- Traffic from the workload VM (10.10.0.10) to an internet destination (8.8.8.8)
is routed according to the Secured Subnet Route Table (destination 0.0.0.0/0).
- The Secured Subnet Route Table sends the traffic to the IP address of the
Network Firewall, based on the internet destination.
- The Firewall inspects and protects the traffic according to the firewall policy.
Once inspected, the traffic exits from the Firewall IP address according to the
Firewall Subnet Route Table (destination 0.0.0.0/0).
- The Firewall Subnet Route Table sends the traffic to the NAT Gateway and on to
the internet destination.
- Return traffic comes from the internet to the NAT Gateway and follows the same
path in reverse, since symmetric routing is in place on each route table.
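To check the symmetric-routing claim above, here is an added example (not code from the page or from OCI) that models the three route tables as data and traces a packet through them with longest-prefix matching. It assumes a firewall private IP of 10.10.1.10 and assumes the NAT gateway route table sends 10.10.0.0/24 back to the firewall; clearing that rule shows return traffic bypassing the firewall.

```python
import ipaddress

# Constructed model of the diagram. Subnets and the VM address come from the page; the
# firewall private IP (10.10.1.10) and the NAT gateway route table rule are assumptions.
VCN = ipaddress.ip_network("10.10.0.0/16")
FW_IP = "10.10.1.10"
SUBNETS = {  # subnet CIDR -> route table attached to it
    ipaddress.ip_network("10.10.0.0/24"): "secured-subnet-rt",
    ipaddress.ip_network("10.10.1.0/24"): "firewall-subnet-rt",
}
ROUTE_TABLES = {  # table -> [(destination CIDR, target)]
    "secured-subnet-rt": [("0.0.0.0/0", FW_IP)],           # workloads -> firewall
    "firewall-subnet-rt": [("0.0.0.0/0", "nat-gateway")],  # firewall -> NAT gateway
    "nat-gateway-rt": [("10.10.0.0/24", FW_IP)],           # assumed: return traffic -> firewall
}

def lookup(table, dst_ip):
    """Longest-prefix match in a route table; returns (network, target) or None."""
    best = None
    for cidr, target in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best

def trace(start, dst, max_hops=6):
    """List the hops a packet takes from `start` (a VCN IP or 'nat-gateway') towards `dst`.
    A VCN destination is delivered locally unless a rule inside the VCN CIDR steers it."""
    dst_ip, hops, loc = ipaddress.ip_address(dst), [], start
    while len(hops) < max_hops:
        if loc == "nat-gateway":
            if dst_ip not in VCN:        # egress: the NAT gateway forwards to the internet
                return hops + ["internet"]
            table = "nat-gateway-rt"
        else:
            table = next(rt for net, rt in SUBNETS.items() if ipaddress.ip_address(loc) in net)
        match = lookup(table, dst_ip)
        if dst_ip in VCN and (match is None or not match[0].subnet_of(VCN)):
            return hops + [str(dst_ip)]  # local VCN delivery
        if match is None:
            return hops + ["drop"]       # no route for an external destination
        loc = match[1]
        hops.append(loc)
    return hops

def inspected_both_ways(vm_ip, internet_ip):
    """True when the firewall is on both the outbound path and the return path."""
    return FW_IP in trace(vm_ip, internet_ip) and FW_IP in trace("nat-gateway", vm_ip)
```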