This image shows the Subnet-A to OCI Services traffic flow from a VM in a Secured Private Subnet to OSN services via the Network Firewall. It shows a single Secured VCN, but the same design applies to multiple secured VCNs.
Secured VCN-A (10.10.0.0/16) includes the following components:
- Firewall Subnet (10.10.1.0/24), which contains the Network Firewall and the private IP address assigned to it.
- Secured Private Subnet (10.10.0.0/24), which contains the application workloads. A VM in this subnet has the private IP address 10.10.0.10.
- Service Gateway for OSN services, with a route table attached to the gateway. The service gateway provides access from a VCN to Oracle services such as OCI Object Storage. Traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.
- Route tables associated with the Firewall Subnet, the Secured Private Subnet and the Service Gateway, so that traffic in both directions is routed via the Network Firewall.
North-south traffic flow from the Virtual Machine in the Secured Private Subnet to OSN services:
- Traffic from the workload VM (10.10.0.10) to an OSN address is routed through the Secured Subnet Route Table (destination: OSN CIDRs).
- The Secured Subnet Route Table sends traffic matching the OSN destination to the IP address of the Network Firewall.
- The firewall inspects and protects the traffic according to the firewall policy. Once inspected, the traffic exits from the firewall IP address through the Firewall Subnet Route Table (destination: OSN services).
- The Firewall Subnet Route Table sends the traffic to the Service Gateway and on to the Object Storage service destination.
- Return traffic comes from Object Storage to the Service Gateway and follows the same path in reverse, because the Service Gateway route table sends traffic destined for the Secured Private Subnet back to the firewall IP address; routing is symmetric on every route table.
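The three route tables described above, written as a Terraform configuration. This is an added example, not the page's own configuration: it assumes variables `compartment_id`, `vcn_id`, `firewall_subnet_id` and `firewall_private_ip` are defined elsewhere, and the firewall IP value 10.10.1.10 is a constructed placeholder. Route rules that send traffic to the firewall must point at the OCID of the firewall's private IP (looked up with the `oci_core_private_ips` data source), not at the firewall resource itself.

```hcl
# Added example, not the original page's configuration.
# Assumes var.compartment_id, var.vcn_id, var.firewall_subnet_id and
# var.firewall_private_ip (e.g. "10.10.1.10", a constructed value) exist.

# Regional OSN service CIDR label, e.g. "all-<region>-services-in-oracle-services-network"
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

# OCID of the Network Firewall's private IP in the Firewall Subnet (10.10.1.0/24)
data "oci_core_private_ips" "firewall" {
  ip_address = var.firewall_private_ip
  subnet_id  = var.firewall_subnet_id
}

locals {
  osn_cidr       = data.oci_core_services.osn.services[0].cidr_block
  osn_service_id = data.oci_core_services.osn.services[0].id
  firewall_ip_id = data.oci_core_private_ips.firewall.private_ips[0].id
}

# 1. Secured Private Subnet (10.10.0.0/24): OSN-bound traffic is sent to the firewall IP
resource "oci_core_route_table" "secured_subnet" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "secured-subnet-rt"

  route_rules {
    destination       = local.osn_cidr
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = local.firewall_ip_id
    description       = "Workload -> OSN via Network Firewall"
  }
}

# 2. Firewall Subnet (10.10.1.0/24): inspected OSN-bound traffic exits to the Service Gateway
resource "oci_core_route_table" "firewall_subnet" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "firewall-subnet-rt"

  route_rules {
    destination       = local.osn_cidr
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.osn.id
    description       = "Firewall -> OSN via Service Gateway"
  }
}

# 3. Service Gateway route table: return traffic for the secured subnet goes back through the firewall,
#    which keeps the path symmetric so the firewall sees both directions of every flow
resource "oci_core_route_table" "service_gateway" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "service-gateway-rt"

  route_rules {
    destination       = "10.10.0.0/24"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = local.firewall_ip_id
    description       = "OSN return traffic -> Network Firewall"
  }
}

# Service Gateway with the return-path route table attached
resource "oci_core_service_gateway" "osn" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "osn-sgw"
  route_table_id = oci_core_route_table.service_gateway.id

  services {
    service_id = local.osn_service_id
  }
}
```

The first two route tables are attached to their subnets through the `route_table_id` argument of the respective `oci_core_subnet` resources (not shown). No rule is needed for the firewall-to-workload hop on the return path, because destinations inside the VCN CIDR are reached by the VCN's implicit local routing. If the Service Gateway route table is omitted, return traffic from Object Storage would be delivered straight to 10.10.0.10 and bypass the firewall, so its presence is the check to make when verifying this design.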