This image shows the north-south inbound traffic flow from the internet to a public VM in a Secured Public Subnet via Network Firewall. It includes one Secured VCN, but you can similarly have multiple Secured VCNs.
Secured VCN (10.10.0.0/16) includes the following components:
- Firewall Subnet (10.10.1.0/24), which contains the Network Firewall and the Firewall IP address assigned to it. Ensure that the Firewall Subnet is a public subnet, since we are protecting public subnet workloads. You can still use the same Firewall to protect both east-west and north-south traffic, but if you are protecting public workloads and want to use the internet gateway ingress routing capability, you must deploy the Firewall in a public subnet.
- Secured Public Subnet (10.10.0.0/24), which contains the application workloads. A VM in this subnet has the private IP 10.10.0.10 and a public IP associated with it.
- Internet Gateway to support connections to and from the internet.
- Route tables associated with the Firewall Subnet, the Secured Public Subnet and the Internet Gateway, ensuring that traffic is routed via the Network Firewall.
North-south traffic flows from the internet to the virtual machine as follows:
- Traffic from the internet to the workload VM (10.10.0.10), addressed to the VM's public IP, is routed through the Internet Gateway Route Table (destination 10.10.0.0/24).
- The Internet Gateway Route Table sends the traffic to the IP address of the Network Firewall, based on the workload VM destination (10.10.0.10).
- The Firewall inspects and protects the traffic according to the firewall policy. Once inspected, the traffic exits from the Firewall IP address through the Firewall Subnet Route Table (destination 10.10.0.0/24).
- The Firewall Subnet Route Table sends the traffic to the workload VM.
- Return traffic from the workload VM follows the same path in reverse, since symmetric routing is in place on each route table.
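The route-table walk above, as an added example (not part of the original page or of any OCI tooling): a small model of the three route tables that traces the inbound and return paths and flags the asymmetric case where the VM's subnet sends replies straight to the Internet Gateway, bypassing the firewall. The firewall's private IP (10.10.1.10) and the internet client address are assumed values; the VM and VCN addresses are the ones from the page.

```python
import ipaddress

# Assumed addresses not given on the page: firewall private IP and an internet client.
VCN_CIDR = "10.10.0.0/16"
WORKLOAD_VM = "10.10.0.10"
FIREWALL_IP = "10.10.1.10"
INTERNET_CLIENT = "203.0.113.5"

# Constructed model of the route tables: (destination CIDR, next hop). Every table
# also gets the implicit local route for the VCN CIDR; longest prefix wins.
ROUTE_TABLES = {
    "igw": [("10.10.0.0/24", "firewall")],                           # IGW ingress routing
    "firewall_subnet": [("10.10.0.0/24", "local"), ("0.0.0.0/0", "igw")],
    "secured_public_subnet": [("0.0.0.0/0", "firewall")],            # VM egress via firewall
}
# Misconfiguration to detect: VM subnet routes 0.0.0.0/0 directly to the IGW.
BYPASS_TABLES = dict(ROUTE_TABLES, secured_public_subnet=[("0.0.0.0/0", "igw")])

HOP_TABLE = {"igw": "igw", "firewall": "firewall_subnet", "vm": "secured_public_subnet"}


def next_hop(hop, dst, tables):
    """Longest-prefix match in the table consulted at `hop`, including the implicit local route."""
    rules = tables[HOP_TABLE[hop]] + [(VCN_CIDR, "local")]
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(c), nh) for c, nh in rules if addr in ipaddress.ip_network(c)]
    if not matches:
        return "internet" if hop == "igw" else None  # IGW forwards unrouted traffic to the internet
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    if nh != "local":
        return nh
    return {WORKLOAD_VM: "vm", FIREWALL_IP: "firewall"}.get(dst)  # local delivery inside the VCN


def trace(start, dst, tables=ROUTE_TABLES, max_hops=8):
    """Return the list of hops a packet visits from `start` toward `dst`."""
    path, hop = [start], start
    for _ in range(max_hops):
        hop = next_hop(hop, dst, tables)
        path.append(hop)
        if hop in ("internet", "vm", None):  # left the VCN, delivered, or dropped
            break
    return path


def inspected_both_ways(tables=ROUTE_TABLES):
    """True only if both the inbound and the return path traverse the firewall."""
    inbound = trace("igw", WORKLOAD_VM, tables)
    outbound = trace("vm", INTERNET_CLIENT, tables)
    return "firewall" in inbound and "firewall" in outbound
```

With the page's tables, `trace("igw", WORKLOAD_VM)` yields igw, firewall, vm and the return trace yields vm, firewall, igw, internet; with `BYPASS_TABLES` the return path skips the firewall and `inspected_both_ways` reports False.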