This image shows the east-west traffic flow from the database to the web or application in a regional hub and spoke topology that uses Palo Alto Networks VM Series firewall.

It includes three virtual cloud networks (VCNs):

• Hub VCN (192.168.0.0/16): The Hub VCN houses the Palo Alto Networks VM series firewall. The trust subnet uses VNIC2 for internal traffic to or from the Palo Alto Networks VM series firewall. The hub VCN communicates with spoke VCNs through a local peering gateway (LPG).
• Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic to the web/application VMs. The application tier VCN is connected to the hub VCN over a local peering gateway.
• Database tier spoke VCN (10.0.1.0/24): The VCN contains a single subnet that contains the primary database system. The database tier VCN is connected to the hub VCN over a local peering gateway.

East-west traffic flow from the database to the web or application.

1. Traffic that moves from the database tier to the web or application load balancer (10.0.0.10) is routed through the database subnet route table (destination 0.0.0.0/0).
2. Traffic moves from the database subnet route table to the LPG for the database tier spoke VCN.
3. Traffic moves from the database LPG to the LPG for the hub VCN (destination 0.0.0.0/0).
4. Traffic moves from the hub LPG to the Palo Alto Networks VM series firewall VMs using internal network load balancer. Network load balancer has more than one backends pointing to trust interfaces (VNIC2) of VM Series Firewall.
5. Traffic from the Palo Alto Networks VM Series Firewall is routed through the trust subnet route table (destination 10.0.0.0/16).
6. Traffic moves from the trust subnet route table to the LPG for the hub VCN (destination 0.0.0.0/0).
7. Traffic moves from the hub LPG to the LPG for the web or application tier spoke VCN.
8. Traffic moves from the web/application LPG to the load balancer for the web or application.