This image shows the north-south outbound traffic flow from the web or application (spoke) VCN through the hub VCN in a region that uses Palo Alto Networks VM-Series Firewall.

The Oracle Cloud Infrastructure region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by local peering gateways (LPG).

• Spoke (web or application) VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic between the web or application VMs in each of the availability domains. Outbound traffic from the application load balancer to the hub VCN is routed over a local peering gateway. The spoke subnet destination CIDR is 0.0.0.0/0 (all addresses).
• Hub VCN (192.168.0.0/16): The Hub VCN contains a high-availability network across two Palo Alto Networks virtual machines (VMs) with one VM in each of the availability domains. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet and a nlb subnet.
  • The management subnet uses management interface (primary interface) to allow end users to connect to the user interface from outside or through a proxy VM.
  • The untrust subnet uses virtual network card 1 (VNIC1) for external traffic to or from the Palo Alto Networks VM series firewall.
  • The trust subnet uses V for internal traffic to or from the Palo Alto Networks VM series firewall.
  • The nlb subnet allows end user to create private/public flexible network load balancer which allows on-premises and/or inbound connection from the Internet.

  Outbound traffic from the spoke (web or application) VCN enters the hub VCN internal network load balancer which sends the traffic to the Palo Alto Networks VM series firewall trust interfaces, and then out through the untrust subnet to external targets.

  • Local peering gateway: Traffic from the spoke VCN to the hub VCN trust subnet is routed over the LPG. The trust subnet destination CIDR is 0.0.0.0/0 (all addresses).
  • Palo Alto Networks: Traffic from the LPG is routed through internal network load balancer to the Palo Alto Networks VM firewall trust interfaces through the trust subnet, through the hub VCN gateways to external targets.
  • Internet gateway: Traffic to internet and external web clients is routed through an internet gateway. The untrust subnet destination CIDR for the internet gateway is 0.0.0.0/0 (all addresses).
  • Dynamic routing gateway: Traffic to the customer data center is routed through a dynamic routing gateway. The untrust subnet destination CIDR for the dynamic routing gateway is 172.16.0.0/12.