This image shows the east-west traffic flow from a VM in Subnet-A to a VM in Subnet-B via Network Firewall. It includes one Secured VCN, but you can have multiple Secured VCNs in the same way.
Secured VCN-A (10.10.0.0/16) includes the following components:
- Firewall Subnet (10.10.1.0/24), which contains the Network Firewall and its associated IP address. Ensure that the Firewall Subnet is a private subnet, since it protects private subnet workloads.
- Secured Private Subnet-A (10.10.0.0/24), which contains application workloads. A VM in this subnet has the private IP address 10.10.0.10.
- Secured Private Subnet-B (10.10.2.0/24), which contains application workloads. A VM in this subnet has the private IP address 10.10.2.10.
- Route tables associated with the Firewall Subnet and the secured private subnets, ensuring that traffic between the secured subnets is routed via the Network Firewall.
East-west traffic flow from the Secured Subnet-A VM to the Secured Subnet-B VM:
- Traffic from the Secured Subnet-A VM (10.10.0.10) to the Secured Subnet-B VM (10.10.2.10) is routed according to the Secured Subnet-A Route Table (destination 10.10.2.0/24).
- Based on the destination (10.10.2.10), the Secured Subnet-A Route Table forwards the traffic to the IP address of the Network Firewall.
- The firewall inspects and protects the traffic according to the firewall policy. Once inspected, the traffic leaves the firewall IP address and is routed according to the Firewall Subnet Route Table (destination 10.10.2.0/24).
- The Firewall Subnet Route Table delivers the traffic to its destination, the Secured Subnet-B VM/workloads.
- Return traffic from the Secured Subnet-B VM is routed to the Network Firewall and follows the same path in reverse, because symmetric routing is configured in each route table.
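The following is an added example, not part of the original page or of any vendor product: a small Python model of the three route tables described above, used to trace the path a packet takes and to check that both directions of the flow pass through the firewall. The subnet CIDRs and VM addresses are the ones on the page; the firewall's own private IP (10.10.1.10) and the allow-list firewall policy are assumptions chosen for the example. It also models the misconfiguration the last step warns about: if the Secured Subnet-B route table lacks the rule pointing back at the firewall, return traffic takes the VCN's implicit local route and bypasses inspection.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Addressing from the page. The firewall's own private IP is not stated there;
# 10.10.1.10 (inside the Firewall Subnet) is an assumed value for this example.
VCN_CIDR = ipaddress.ip_network("10.10.0.0/16")
FIREWALL_IP = ipaddress.ip_address("10.10.1.10")
SUBNETS: Dict[str, Net] = {
    "Secured-Subnet-A": ipaddress.ip_network("10.10.0.0/24"),
    "Firewall-Subnet": ipaddress.ip_network("10.10.1.0/24"),
    "Secured-Subnet-B": ipaddress.ip_network("10.10.2.0/24"),
}

# A route table is a list of (destination CIDR, target). The target is either
# "LOCAL" (deliver inside the VCN) or a private IP (forward to the firewall).
RouteTable = List[Tuple[Net, str]]

# Route tables matching the page: each secured subnet sends traffic for the
# other secured subnet to the firewall; the firewall subnet delivers locally.
SYMMETRIC_ROUTES: Dict[str, RouteTable] = {
    "Secured-Subnet-A": [(SUBNETS["Secured-Subnet-B"], str(FIREWALL_IP))],
    "Secured-Subnet-B": [(SUBNETS["Secured-Subnet-A"], str(FIREWALL_IP))],
    "Firewall-Subnet": [
        (SUBNETS["Secured-Subnet-A"], "LOCAL"),
        (SUBNETS["Secured-Subnet-B"], "LOCAL"),
    ],
}

# Misconfiguration to compare against: Subnet-B's table has no rule for
# Subnet-A, so return traffic falls back to the VCN's implicit local route.
ASYMMETRIC_ROUTES: Dict[str, RouteTable] = dict(SYMMETRIC_ROUTES)
ASYMMETRIC_ROUTES["Secured-Subnet-B"] = []

# Constructed firewall policy: (source CIDR, destination CIDR) pairs that are
# allowed; anything else is dropped at the firewall.
POLICY = [
    (SUBNETS["Secured-Subnet-A"], SUBNETS["Secured-Subnet-B"]),
    (SUBNETS["Secured-Subnet-B"], SUBNETS["Secured-Subnet-A"]),
]


def subnet_of(ip: IPv4) -> str:
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any known subnet")


def lookup(table: RouteTable, dst: IPv4) -> Optional[str]:
    """Longest-prefix match; unmatched in-VCN destinations use the implicit local route."""
    best: Optional[Tuple[Net, str]] = None
    for net, target in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is not None:
        return best[1]
    return "LOCAL" if dst in VCN_CIDR else None


def policy_allows(src: IPv4, dst: IPv4) -> bool:
    return any(src in s and dst in d for s, d in POLICY)


def trace(route_tables: Dict[str, RouteTable], src: str, dst: str) -> List[str]:
    """Return the hops a packet from src to dst takes, e.g.
    ['Secured-Subnet-A', 'firewall@10.10.1.10', 'Secured-Subnet-B']."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    current = subnet_of(s)
    path = [current]
    for _ in range(4):  # bounded so a routing loop terminates with "LOOP"
        target = lookup(route_tables[current], d)
        if target is None:
            return path + ["NO-ROUTE"]
        if target == "LOCAL":
            return path + [subnet_of(d)]
        hop = ipaddress.ip_address(target)
        if hop == FIREWALL_IP and not policy_allows(s, d):
            return path + [f"dropped-by-policy@{hop}"]
        path.append(f"firewall@{hop}")
        current = subnet_of(hop)  # next lookup uses the firewall subnet's table
    return path + ["LOOP"]


def inspected_both_ways(route_tables: Dict[str, RouteTable], a: str, b: str) -> bool:
    """True only if both the forward and the return path pass through the firewall."""
    fw = f"firewall@{FIREWALL_IP}"
    return fw in trace(route_tables, a, b) and fw in trace(route_tables, b, a)


if __name__ == "__main__":
    for name, tables in (("symmetric", SYMMETRIC_ROUTES), ("asymmetric", ASYMMETRIC_ROUTES)):
        print(name, trace(tables, "10.10.0.10", "10.10.2.10"),
              trace(tables, "10.10.2.10", "10.10.0.10"),
              "inspected both ways:", inspected_both_ways(tables, "10.10.0.10", "10.10.2.10"))
```

Running it shows the symmetric configuration producing the mirror-image paths the page describes, while the asymmetric one reports the A-to-B direction inspected and the B-to-A return delivered directly, which is the kind of check worth running against exported route tables before trusting the firewall to see both halves of a session.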