This image shows an Oracle Cloud Infrastructure region that includes two availability domains. The region includes three virtual cloud networks (VCNs) in a hub and spoke topology connected by local peering gateways (LPGs). The VCNs are arranged here as functional layers.
- Hub VCN: The hub VCN contains a cluster of two Palo Alto Networks VM-Series firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and an NLB subnet.
- The management subnet holds the management interface (the primary interface, vNIC0), through which administrators connect to the firewall's user interface.
- The untrust subnet holds virtual network interface card 1 (vNIC1), which carries external traffic to and from the Palo Alto Networks VM-Series Firewall.
- The trust subnet holds vNIC2, which carries internal traffic to and from the Palo Alto Networks VM-Series Firewall.
- The NLB subnet is where you create the private or public flexible network load balancers that accept connections from on-premises networks and inbound connections from the Internet.
The hub VCN includes the following communication gateways:
- Internet gateway: Connects internet and external web clients to the Palo Alto Networks VM-Series Firewall in availability domain 1 through the untrust subnet.
- Dynamic routing gateway (DRG): Connects the customer data center and customer-premises equipment, over IPSec VPN or FastConnect, to the Palo Alto Networks VM-Series Firewall in availability domain 1 through the untrust subnet.
- Service gateway: Connects the hub VCN to Oracle Cloud Infrastructure Object Storage and other Oracle services for the region.
- Local peering gateway: Connects the Palo Alto Networks VM-Series Firewall in availability domain 1 to the web or application tier VCN and the database tier VCN through the trust subnet.
The hub VCN includes the following flexible network load balancers:
- External network load balancers, whose backend sets contain the untrust interfaces of the Palo Alto Networks VM-Series firewalls:
  - A private load balancer, reached by on-premises traffic through the dynamic routing gateway.
  - A public load balancer, reached by Internet traffic through the internet gateway.
- An internal network load balancer, whose backend set contains the trust interfaces of the Palo Alto Networks VM-Series firewalls. Traffic to and from the spoke VCNs reaches it through the local peering gateways (LPGs).
- Web or application spoke VCN: The VCN contains at least one subnet. A load balancer distributes traffic across the web or application VMs in each availability domain. The web or application tier VCN is connected to the hub VCN through a local peering gateway.
- Database spoke VCN: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN through a local peering gateway.
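The design only inspects traffic if every spoke route table sends it toward the hub through its LPG, with no internet gateway, NAT gateway, DRG or service gateway attached directly to a spoke. The following audit script is an added example, not code from the original architecture page or from Oracle; it parses JSON in the shape returned by `oci network route-table list`, classifies each route target by the resource-type segment of its OCID, and reports any spoke rule that bypasses the firewall. The OCIDs, display names and CIDRs in the sample are constructed placeholders, and the set of "bypass" gateway types is this script's own assumption about the design described above.

```python
"""
Audit OCI spoke route tables for a hub-and-spoke firewall design.

Added example (not part of the original page). Input mirrors the JSON shape
of `oci network route-table list --compartment-id ... --vcn-id ...`; all
OCIDs below are constructed placeholders, not real identifiers.
"""
import json
from typing import Dict, List, Set

# Gateway types that, if present in a spoke route table, let traffic leave the
# spoke without passing through the hub firewalls. This set is an assumption
# derived from the topology described above.
BYPASS_TYPES = {"internetgateway", "natgateway", "drg", "servicegateway"}

# Constructed: the LPG OCIDs on the spoke side of each spoke-to-hub peering.
HUB_LPG_IDS: Set[str] = {
    "ocid1.localpeeringgateway.oc1.phx.lpg-app-to-hub",
    "ocid1.localpeeringgateway.oc1.phx.lpg-db-to-hub",
}

# Constructed sample CLI output: the app spoke is correct (everything via the
# hub LPG); the database spoke has a NAT gateway default route and a direct
# peering to the app spoke, both of which bypass the hub firewalls.
SAMPLE_CLI_OUTPUT = json.dumps({"data": [
    {"display-name": "app-spoke-rt", "id": "ocid1.routetable.oc1.phx.rt-app",
     "route-rules": [
         {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
          "network-entity-id": "ocid1.localpeeringgateway.oc1.phx.lpg-app-to-hub"},
         {"destination": "10.2.0.0/16", "destination-type": "CIDR_BLOCK",
          "network-entity-id": "ocid1.localpeeringgateway.oc1.phx.lpg-app-to-hub"}]},
    {"display-name": "db-spoke-rt", "id": "ocid1.routetable.oc1.phx.rt-db",
     "route-rules": [
         {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
          "network-entity-id": "ocid1.natgateway.oc1.phx.nat-db"},
         {"destination": "10.1.0.0/16", "destination-type": "CIDR_BLOCK",
          "network-entity-id": "ocid1.localpeeringgateway.oc1.phx.lpg-db-to-app"}]},
]})


def ocid_resource_type(ocid: str) -> str:
    """Return the resource-type segment of an OCID (ocid1.<type>.<realm>[.region].<id>)."""
    parts = ocid.split(".")
    if len(parts) < 3 or parts[0] != "ocid1":
        raise ValueError(f"not an OCID: {ocid!r}")
    return parts[1]


def audit_spoke_route_table(rt: Dict, hub_lpg_ids: Set[str]) -> List[str]:
    """Return one finding per route rule that does not steer traffic to the hub."""
    name = rt["display-name"]
    findings: List[str] = []
    for rule in rt.get("route-rules", []):
        target = rule["network-entity-id"]
        dest = rule.get("destination")
        rtype = ocid_resource_type(target)
        if rtype in BYPASS_TYPES:
            findings.append(f"{name}: {dest} -> {rtype} bypasses the hub firewall")
        elif rtype == "localpeeringgateway" and target not in hub_lpg_ids:
            findings.append(f"{name}: {dest} -> LPG {target} is not a peering with the hub")
        elif rtype != "localpeeringgateway":
            findings.append(f"{name}: {dest} -> unexpected target type {rtype}")
    return findings


def audit_spokes(cli_json: str, hub_lpg_ids: Set[str]) -> Dict[str, List[str]]:
    """Audit every route table in CLI JSON output; map table name -> findings."""
    tables = json.loads(cli_json)["data"]
    return {t["display-name"]: audit_spoke_route_table(t, hub_lpg_ids) for t in tables}


if __name__ == "__main__":
    for table, findings in audit_spokes(SAMPLE_CLI_OUTPUT, HUB_LPG_IDS).items():
        status = "OK" if not findings else "FAIL"
        print(f"[{status}] {table}")
        for f in findings:
            print("   ", f)
```

Run it against real output by piping `oci network route-table list ... --all` into `audit_spokes` with the LPG OCIDs of your spoke-to-hub peerings; any non-empty finding list means a path exists that skips the VM-Series firewalls. The hub-side tables (the LPG and untrust route tables that point at the internal and external NLBs) need a separate check and are out of scope for this script.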