This image shows an OCI region that includes two availability domains. The region includes three virtual cloud networks (VCNs) in a hub-and-spoke topology connected by dynamic routing gateway (DRG). The VCNs are arranged as functional layers.
- Includes a Firewall Subnet used to deploy the OCI Network Firewall. You must add the required firewall policy during Network Firewall creation launch.
- Internet gateway: Allows workloads to connect to-from internet and you can route traffic to Network Firewall available in Firewall Subnet for inspection and protection.
- Service gateway: Allows workloads to connect to Oracle Cloud Infrastructure Object Storage, other Oracle services for the region and you can route traffic to Network Firewall available in Firewall Subnet for inspection and protection.
- Dynamic routing gateway: Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect and you can route traffic to Network Firewall available in Firewall Subnet for inspection and protection.
- NAT Gateway: The NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections and you can route traffic to Network Firewall available in Firewall Subnet for inspection and protection.
Ensure that symmetric routes are used within Secured VCN-A to ensure ingress and egress follow the same path via Network Firewall.
Web or application spoke Secured VCN-B: The VCN contains at least one single subnet. A load balancer manages traffic between web or application VMs in each of the availability domains. The Secured VCN-B is connected to the Secured VCN-A over DRG via VCN attachment.
Database spoke Secured VCN-C: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The Secured VCN-C is connected to the Secured VCN-A over DRG via VCN attachment.