This image shows the north-south inbound traffic flow between the hub VCN and the web/application (spoke) VCN in a region that uses Palo Alto Networks VM-Series Firewall. The Oracle Cloud Infrastructure region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by local peering gateways (LPGs).

• Hub VCN (192.168.0.0/16): The Hub VCN contains a cluster of two Palo Alto Networks virtual machines (VMs) with one VM in each of the availability domains as a sandwich between internal and external flexible network load balancer. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and a nlb subnet.

  • The management subnet uses the management interface (primary interface - VNIC0) to allow end users to connect to the user interface.
  • The untrust subnet uses virtual network card 1 (VNIC1) for external traffic to or from the Palo Alto Networks VM-Series Firewall.
  • The trust subnet uses VNIC2 for internal traffic to or from the Palo Alto Networks VM-Series Firewall.
  • The nlb subnet allows end user to create private/public flexible network load balancer which allows on-premises and/or inbound connection from the Internet.

  Inbound traffic enters the hub VCN from external sources through the external network load balancer to the Palo Alto Networks VM-Series Firewall, and then through the trust subnet to the local peering gateway (LPG):

  • Internet gateway: Traffic from internet and external web clients routes to the external public network load balancer and then it goes to one of the Palo Alto Networks VM-Series Firewall through the untrust subnet. The untrust subnet has a public address which allows user to connect from outside. There is a default route allow destination CIDR is 0.0.0.0/0 (all addresses).
  • Dynamic routing gateway: Traffic from the customer data center (172.16.0.0/12) is routed to external private load balancer and then it goes to one of the Palo Alto Networks VM-Series Firewall through the untrust subnet. The DRG destination CIDR is 10.0.0.0/24 or 10.0.1.0/24 (the spoke VCNs: application and database).
  • Palo Alto Networks: Traffic is routed through the gateway VM and the trust subnet to the LPG. Source Address translation happens on VM-Series Firewall. The default destination CIDR for the trust subnet is 10.0.0.0/24 and/or 10.0.1.0/24 (the spoke VCNs: application/database).
  • Local peering gateway: Traffic from the trust subnet to the spoke VCN is routed over the LPG.
  • Application or web: If traffic is destined to this spoke VCN, it’s routed through LPG connection.
  • Database: If traffic is destined to this spoke VCN, it’s routed through LPG connection.

• Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A application load balancer manages traffic between web and application VMs in each of the availability domains. Traffic from the hub VCN to the application load balancer is routed over a local peering gateway to the application load balancer. The spoke subnet destination CIDR is 0.0.0.0/0 (all addresses).