This image shows the east-west traffic flow from a web or application VM in Secured VCN-B to a database or application VM in Secured VCN-C, with the traffic inspected by OCI Network Firewall. It includes three virtual cloud networks (VCNs):

Secured VCN-A (10.10.0.0/16) includes a Firewall Subnet:
  • The Firewall Subnet (10.10.1.0/24) is used to deploy OCI Network Firewall. You must attach the required firewall policy when you create the Network Firewall.
  • Dynamic Routing Gateway attachment: VCN-A is attached to the dynamic routing gateway (DRG) so that the VCNs can communicate with each other through the DRG.
Secured VCN-B (10.20.0.0/16) includes a secured subnet:
  • Secured Subnet-B (10.20.1.0/24) is used to deploy cloud workloads. Outgoing traffic from the workload subnet is routed, through the VCN's DRG attachment, to the Network Firewall private IP address for inspection and protection.
  • Dynamic Routing Gateway attachment: VCN-B is attached to the DRG so that the VCNs can communicate with each other through the DRG.
Secured VCN-C (10.30.0.0/16) includes a secured subnet:
  • Secured Subnet-C (10.30.1.0/24) is used to deploy cloud workloads. Outgoing traffic from the workload subnet is routed, through the VCN's DRG attachment, to the Network Firewall private IP address for inspection and protection.
  • Dynamic Routing Gateway attachment: VCN-C is attached to the DRG so that the VCNs can communicate with each other through the DRG.
East-west traffic flow from the Secured VCN-B VM to the Secured VCN-C VM:
  1. Traffic from the Secured VCN-B VM (10.20.1.10) to the Secured VCN-C VM (10.30.1.10) follows the Secured Subnet-B route table rule for destination 10.30.1.0/24.
  2. The traffic reaches the DRG via the Secured VCN-B attachment and is handed to the VCN-A ingress route table.
  3. The Secured VCN-A ingress route table forwards the traffic to the IP address of the Network Firewall based on the destination (10.30.1.10).
  4. The firewall inspects and protects the traffic according to the firewall policy. The inspected traffic then leaves from the firewall IP address following the Firewall Subnet route table (destination 10.30.1.0/24 via DRG).
  5. The Firewall Subnet route table sends the traffic to the DRG, which delivers it to its destination, the VM/workloads in Secured Subnet-C.
  6. Return traffic from the Secured Subnet-C VM goes to the Network Firewall through the DRG and follows the same path in reverse, because each route table is configured for symmetric routing.
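The route tables listed for the three VCNs and the six-step flow above can be checked rather than just read: the point of the design is that a stateful firewall only works if both directions of a session pass through it, and a single wrong rule in a DRG route table can silently bypass inspection. The following is an added example, not code from the page or from Oracle; it models the route tables as longest-prefix-match lookups, traces a packet from 10.20.1.10 to 10.30.1.10 and back, and reports whether both directions traverse the firewall. The firewall private IP (10.10.1.10), the hop names, and the contents of the DRG route tables are assumptions used to complete the model.

```python
import ipaddress

# Added example (not from the original page): a model of the route tables in the
# diagram, used to trace a packet hop by hop and confirm both directions of the
# east-west flow pass through the Network Firewall. The firewall private IP
# (10.10.1.10), hop names and DRG route-table contents are assumptions.
FW_IP = "10.10.1.10"

# Each route table is a list of (destination CIDR, next hop); longest prefix wins.
ROUTE_TABLES = {
    # Secured Subnet-B / Subnet-C route tables: east-west traffic goes to the DRG
    "rt-subnet-b": [("10.20.0.0/16", "local"), ("10.30.1.0/24", "drg")],
    "rt-subnet-c": [("10.30.0.0/16", "local"), ("10.20.1.0/24", "drg")],
    # DRG route table used by the spoke (B and C) attachments: all traffic to VCN-A
    "rt-drg-spokes": [("0.0.0.0/0", "vcn-a-attachment")],
    # VCN-A ingress route table on its DRG attachment: steer into the firewall
    "rt-vcn-a-ingress": [("10.20.1.0/24", FW_IP), ("10.30.1.0/24", FW_IP)],
    # Firewall Subnet route table: inspected traffic leaves via the DRG
    "rt-fw-subnet": [("10.10.0.0/16", "local"),
                     ("10.20.1.0/24", "drg"), ("10.30.1.0/24", "drg")],
    # DRG route table used by the hub (VCN-A) attachment: back out to the spokes
    "rt-drg-hub": [("10.20.0.0/16", "vcn-b-attachment"),
                   ("10.30.0.0/16", "vcn-c-attachment")],
}

# Hop name -> (route table it consults, next-hop label -> next hop name).
# The DRG can reach every attachment; which one it uses depends on its route table.
HOPS = {
    "subnet-b": ("rt-subnet-b", {"drg": "drg-spokes"}),
    "subnet-c": ("rt-subnet-c", {"drg": "drg-spokes"}),
    "drg-spokes": ("rt-drg-spokes", {"vcn-a-attachment": "vcn-a-ingress",
                                     "vcn-b-attachment": "subnet-b",
                                     "vcn-c-attachment": "subnet-c"}),
    "vcn-a-ingress": ("rt-vcn-a-ingress", {FW_IP: "firewall"}),
    "firewall": ("rt-fw-subnet", {"drg": "drg-hub"}),
    "drg-hub": ("rt-drg-hub", {"vcn-b-attachment": "subnet-b",
                               "vcn-c-attachment": "subnet-c"}),
}


def lookup(table, dst):
    """Longest-prefix match of dst against one route table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def trace(src_hop, dst, tables=ROUTE_TABLES, hops=HOPS, max_hops=16):
    """Return the list of hops a packet to dst visits, starting at src_hop.
    Raises RuntimeError on a black hole (no matching rule) or a routing loop."""
    path = [src_hop]
    hop = src_hop
    for _ in range(max_hops):
        table_name, exits = hops[hop]
        next_hop = lookup(tables[table_name], dst)
        if next_hop is None:
            raise RuntimeError(f"{table_name} has no route for {dst} (black hole)")
        if next_hop == "local":
            return path  # delivered inside this VCN
        hop = exits[next_hop]
        path.append(hop)
    raise RuntimeError(f"routing loop for {dst}: {path}")


def inspected_both_ways(src_hop, src_ip, dst_hop, dst_ip, tables=ROUTE_TABLES):
    """True only if the forward and the return path both traverse the firewall."""
    forward = trace(src_hop, dst_ip, tables)
    back = trace(dst_hop, src_ip, tables)
    return "firewall" in forward and "firewall" in back


def bypass_tables():
    """Constructed misconfiguration: the spoke DRG route table sends VCN-B to
    VCN-C traffic straight to the VCN-C attachment, skipping the hub and firewall."""
    tables = dict(ROUTE_TABLES)
    tables["rt-drg-spokes"] = [("10.30.0.0/16", "vcn-c-attachment"),
                               ("0.0.0.0/0", "vcn-a-attachment")]
    return tables


if __name__ == "__main__":
    print("forward:", trace("subnet-b", "10.30.1.10"))
    print("return: ", trace("subnet-c", "10.20.1.10"))
    print("inspected both ways:",
          inspected_both_ways("subnet-b", "10.20.1.10", "subnet-c", "10.30.1.10"))
    print("with bypass rule:   ", trace("subnet-b", "10.30.1.10", bypass_tables()))
```

With the diagram's tables, both traces visit `vcn-a-ingress` and `firewall`; with the constructed bypass rule, the forward trace is `subnet-b`, `drg-spokes`, `subnet-c` and the session is never inspected, which is exactly the condition to alert on when DRG route tables are changed. Removing a rule from the VCN-A ingress table instead produces a black hole, which the tracer reports rather than silently delivering.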