This image shows the east-west traffic flow from the web or application VM in a Secured-B VCN to a database or application VM in Secured-C VCN that uses a Network Firewall. It includes three virtual cloud networks (VCNs):
Secured VCN-A (10.10.0.0/16) includes a Firewall Subnet:
- The Firewall Subnet (10.10.1.0/24) is used to deploy OCI Network Firewall. You must attach the required Firewall Policy when you create the Network Firewall.
- Dynamic Routing Gateway attachment: VCN-A is attached to the dynamic routing gateway (DRG) so that the VCNs can communicate with each other through the DRG.
Secured VCN-B (10.20.0.0/16) includes a secured subnet:
- The Secured Subnet-B (10.20.1.0/24) is used to deploy cloud workloads. Outgoing traffic from the workload subnet is routed, through the DRG VCN attachment, to the Network Firewall private IP address for inspection and protection.
- Dynamic Routing Gateway attachment: VCN-B is attached to the DRG so that the VCNs can communicate with each other through the DRG.
Secured VCN-C (10.30.0.0/16) includes a secured subnet:
- The Secured Subnet-C (10.30.1.0/24) is used to deploy cloud workloads. Outgoing traffic from the workload subnet is routed, through the DRG VCN attachment, to the Network Firewall private IP address for inspection and protection.
- Dynamic Routing Gateway attachment: VCN-C is attached to the DRG so that the VCNs can communicate with each other through the DRG.
East-west traffic flow from the Secured VCN-B VM to the Secured VCN-C VM:
- Traffic from the Secured VCN-B VM (10.20.1.10) to the Secured VCN-C VM (10.30.1.10) is routed by the Secured Subnet-B Route Table (destination 10.30.1.0/24) toward the DRG.
- The traffic reaches the DRG through the Secured VCN-B attachment and is then handled by the VCN-A Ingress route table.
- The Secured VCN-A Ingress route table forwards the traffic to the IP address of the Network Firewall based on the destination (10.30.1.10).
- The firewall inspects and protects the traffic according to the firewall policy. Once inspected, the traffic exits from the Firewall IP address and is routed by the Firewall Subnet Route Table (destination 10.30.1.0/24 via DRG).
- The Firewall Subnet Route Table sends the traffic, via the DRG, to its destination in the Secured Subnet-C VM/workloads.
- Return traffic from the Secured Subnet-C VM travels through the DRG to the Network Firewall and follows the same path in reverse, because symmetric routing is in place on each route table.
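The hop-by-hop flow above can be checked mechanically by modelling each route table as a longest-prefix-match table and tracing both directions of the conversation. The following Python script is an added example, not OCI code or tooling: the VCN, subnet and host addresses come from the page, while the firewall's private IP (10.10.1.10), the route-table names, and the treatment of the DRG and ingress route tables as plain prefix tables are assumptions made for illustration. It also constructs a deliberately misconfigured copy of the tables to show how one more-specific DRG rule makes the return leg bypass the firewall, which is the asymmetry the last step warns about.

```python
"""Trace east-west traffic through the hub-and-spoke route tables described above.

Added example; not OCI's code. Addresses are from the page; FIREWALL_IP, the
route-table names and the prefix-table model of DRG/ingress routing are assumed.
"""
import copy
import ipaddress

FIREWALL_IP = "10.10.1.10"  # assumed private IP inside Firewall Subnet 10.10.1.0/24

# Each route table is a list of (destination CIDR, hop label, next table).
# A next table of None means the packet is delivered locally inside that VCN.
ROUTE_TABLES = {
    "subnet-b-rt": [
        ("10.20.0.0/16", "local delivery in VCN-B", None),
        ("10.30.1.0/24", "DRG (VCN-B attachment)", "drg-spoke-rt"),
    ],
    "subnet-c-rt": [
        ("10.30.0.0/16", "local delivery in VCN-C", None),
        ("10.20.1.0/24", "DRG (VCN-C attachment)", "drg-spoke-rt"),
    ],
    # DRG route table used by the spoke attachments: everything goes to hub VCN-A.
    "drg-spoke-rt": [
        ("0.0.0.0/0", "VCN-A attachment", "vcn-a-ingress-rt"),
    ],
    # Ingress route table on the VCN-A attachment: spoke prefixes go to the firewall.
    "vcn-a-ingress-rt": [
        ("10.20.0.0/16", f"Network Firewall {FIREWALL_IP}", "firewall-subnet-rt"),
        ("10.30.0.0/16", f"Network Firewall {FIREWALL_IP}", "firewall-subnet-rt"),
    ],
    # Firewall Subnet route table: inspected traffic returns to the DRG.
    "firewall-subnet-rt": [
        ("10.20.1.0/24", "DRG (VCN-A attachment)", "drg-hub-rt"),
        ("10.30.1.0/24", "DRG (VCN-A attachment)", "drg-hub-rt"),
    ],
    # DRG route table used by the hub attachment: spoke prefixes to their attachments.
    "drg-hub-rt": [
        ("10.20.0.0/16", "VCN-B attachment", "subnet-b-rt"),
        ("10.30.0.0/16", "VCN-C attachment", "subnet-c-rt"),
    ],
}

# Which subnet route table a source host starts in.
SUBNET_TABLES = [("10.20.1.0/24", "subnet-b-rt"), ("10.30.1.0/24", "subnet-c-rt")]


def lookup(table_name, dst, tables=ROUTE_TABLES):
    """Longest-prefix match in one route table; None when no rule matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, label, nxt in tables[table_name]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label, nxt)
    return None if best is None else (best[1], best[2])


def trace(src, dst, tables=ROUTE_TABLES, max_hops=10):
    """Follow a packet from src to dst and return the ordered list of hop labels."""
    src_addr = ipaddress.ip_address(src)
    table = next((t for cidr, t in SUBNET_TABLES
                  if src_addr in ipaddress.ip_network(cidr)), None)
    if table is None:
        return ["DROP: unknown source subnet"]
    hops = []
    for _ in range(max_hops):
        rule = lookup(table, dst, tables)
        if rule is None:
            hops.append(f"DROP: no route in {table}")
            return hops
        label, table = rule
        hops.append(label)
        if table is None:  # delivered inside the destination VCN
            return hops
    hops.append("DROP: hop limit exceeded (routing loop?)")
    return hops


def inspected(hops):
    """True when the firewall appears somewhere on the path."""
    return any(h.startswith("Network Firewall") for h in hops)


def symmetric_through_firewall(a, b, tables=ROUTE_TABLES):
    """True only when both directions between a and b traverse the firewall."""
    return inspected(trace(a, b, tables)) and inspected(trace(b, a, tables))


def bypass_example():
    """Constructed misconfiguration: a more specific rule on the spoke DRG table
    sends VCN-C -> VCN-B traffic straight to VCN-B, so the return leg is never
    inspected even though the forward leg still is."""
    bad = copy.deepcopy(ROUTE_TABLES)
    bad["drg-spoke-rt"].append(("10.20.0.0/16", "VCN-B attachment (direct)", "subnet-b-rt"))
    return bad


if __name__ == "__main__":
    for s, d in (("10.20.1.10", "10.30.1.10"), ("10.30.1.10", "10.20.1.10")):
        print(f"{s} -> {d}: " + " -> ".join(trace(s, d)))
    print("symmetric through firewall:", symmetric_through_firewall("10.20.1.10", "10.30.1.10"))
    print("with bypass rule:", symmetric_through_firewall("10.20.1.10", "10.30.1.10", bypass_example()))
```

Running the script prints the six-hop path in each direction, with the Network Firewall as the third hop both ways, and reports `True` for the page's configuration and `False` for the constructed bypass table. The same check is worth running against any new spoke or any added DRG route rule, since a single more-specific prefix on the spoke side is enough to break the symmetry the design relies on.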