This image shows the north-south outbound traffic flow from a public VM in a Secured Public Subnet to Internet via Network Firewall. It includes one Secure VCN but similarly you can have multiple secured VCNs.
Secured VCN (10.10.0.0/16) includes the following components:
- Firewall Subnet (10.10.1.0/24) which includes a Network Firewall and associated IP address to it. Ensure that the Firewall Subnet is in a public subnet since we are protecting public subnet workloads.
- Secured Public Subnet (10.10.0.0/24) which includes application workloads. We have a VM available in this subnet with 10.10.0.10 private IP and a public IP.
- Internet Gateway to support to-from internet connection.
- Route tables are associated to the Firewall Subnet, Secured Public Subnet and internet gateway ensuring that the traffic is routed via Network Firewall.
North-south traffic flow from the virtual machine to internet as follows:
- Traffic that moves from the workload VM (10.10.0.10) to internet destination (8.8.8.8) is routed through Secured Subnet Route Table (destination 0.0.0.0/0).
- Traffic from Secured Subnet Route Table goes to IP Address of Network Firewall based on the internet destination.
- Firewall inspects and protects the traffic as per firewall policy. Once inspected and protected, traffic exits from Firewall IP Address through Firewall Subnet Route Table (destination 0.0.0.0/0).
- Firewall Subnet route table sends the traffic to Internet Gateway and internet destination.
- Return traffic comes from internet to Internet gateway and will follow the same path since we have symmetric routing in place on each route table.