This image shows the north-south inbound traffic flow between the hub VCN and the web/application (spoke) VCN in a region that uses Palo Alto Networks VM-Series Firewall. The Oracle Cloud Infrastructure region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by local peering gateways (LPGs).
- Hub VCN (192.168.0.0/16): The hub VCN contains a cluster of two Palo Alto Networks virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and an NLB subnet.
  - The management subnet uses the management interface (primary interface, VNIC0) to let end users connect to the firewall's user interface.
  - The untrust subnet uses virtual network interface card 1 (VNIC1) for external traffic to or from the Palo Alto Networks VM-Series Firewall.
  - The trust subnet uses VNIC2 for internal traffic to or from the Palo Alto Networks VM-Series Firewall.
  - The NLB subnet lets end users create a private or public flexible network load balancer, which accepts inbound connections from on-premises and/or from the internet.
  - Internet gateway: Traffic from the internet and external web clients is routed to the external public network load balancer and then to one of the Palo Alto Networks VM-Series Firewalls through the untrust subnet. The untrust subnet has a public address, which allows users to connect from outside. A default route with destination CIDR 0.0.0.0/0 (all addresses) is present.
  - Dynamic routing gateway: Traffic from the customer data center (172.16.0.0/12) is routed to the external private load balancer and then to one of the Palo Alto Networks VM-Series Firewalls through the untrust subnet. The DRG destination CIDR is 10.0.0.0/24 or 10.0.1.0/24 (the spoke VCNs: application and database).
  - Palo Alto Networks: Traffic is routed through the gateway VM and the trust subnet to the LPG. Source address translation is performed on the VM-Series Firewall. The default destination CIDR for the trust subnet is 10.0.0.0/24 and/or 10.0.1.0/24 (the spoke VCNs: application/database).
  - Local peering gateway: Traffic from the trust subnet to the spoke VCN is routed over the LPG.
  - Application or web: If traffic is destined for this spoke VCN, it is routed through the LPG connection.
  - Database: If traffic is destined for this spoke VCN, it is routed through the LPG connection.
- Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic between the web and application VMs in each availability domain. Traffic from the hub VCN to the application load balancer is routed over a local peering gateway. The spoke subnet's destination CIDR is 0.0.0.0/0 (all addresses).
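The route tables that realize the hub VCN flow described above, as an added Terraform (OCI provider) illustration that is not part of the Oracle page. All variables are placeholder OCIDs for resources created elsewhere; attaching each table to its subnet or to the DRG attachment is omitted, and using the private NLB's IP OCID as the DRG-side next hop is an assumption.

```hcl
# Added illustration (not from the Oracle page): OCI Terraform route tables for the
# hub VCN that realize the inbound flow above. Variables hold placeholder OCIDs.
variable "compartment_id" {}
variable "hub_vcn_id" {}
variable "igw_id" {}             # internet gateway of the hub VCN
variable "lpg_app_id" {}         # LPG to the web/application spoke (10.0.0.0/24)
variable "lpg_db_id" {}          # LPG to the database spoke (10.0.1.0/24)
variable "nlb_private_ip_id" {}  # private IP OCID of the internal (private) NLB (assumed next hop)

# Untrust subnet: default route 0.0.0.0/0 to the internet gateway (public NLB and VNIC1).
resource "oci_core_route_table" "untrust" {
  compartment_id = var.compartment_id
  vcn_id         = var.hub_vcn_id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.igw_id
  }
}

# Trust subnet: only the spoke CIDRs are routable, each over its LPG. There is
# deliberately no default route, so VNIC2 has no direct path to the internet.
resource "oci_core_route_table" "trust" {
  compartment_id = var.compartment_id
  vcn_id         = var.hub_vcn_id
  dynamic "route_rules" {
    for_each = { "10.0.0.0/24" = var.lpg_app_id, "10.0.1.0/24" = var.lpg_db_id }
    content {
      destination       = route_rules.key
      destination_type  = "CIDR_BLOCK"
      network_entity_id = route_rules.value
    }
  }
}

# DRG attachment (ingress) route table: on-premises traffic (172.16.0.0/12) bound for
# a spoke is steered to the private NLB, which forwards it to a firewall, never to an LPG.
resource "oci_core_route_table" "drg_ingress" {
  compartment_id = var.compartment_id
  vcn_id         = var.hub_vcn_id
  dynamic "route_rules" {
    for_each = toset(["10.0.0.0/24", "10.0.1.0/24"])
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = var.nlb_private_ip_id
    }
  }
}
```

The check a reviewer would make against this layout is that no route table reachable from the internet gateway or the DRG points at an LPG directly; every path to 10.0.0.0/24 or 10.0.1.0/24 must pass a load balancer and then a firewall.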