This image shows the east-west traffic flow from Oracle Cloud Infrastructure Object Storage and other Oracle Services Network to the web application in a regional hub and spoke topology that uses Palo Alto Networks VM Series virtual Firewall.

It includes two virtual cloud networks (VCNs):

• Hub VCN (192.168.0.0/16): The Hub VCN houses the Palo Alto Networks VM series virtual firewall. The trust subnet uses vNIC2 for internal traffic to or from the Palo Alto Networks. The hub VCN communicates with spoke VCNs through a local peering gateway (LPG). The hub VCN communicates with Oracle Cloud Infrastructure Object Storage through a service gateway.
• Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN over a local peering gateway.

East-west traffic flow from Oracle Cloud Infrastructure Object Storage to the web or application:

1. Traffic that moves from object storage to the web or application VM (10.0.0.10) is routed through the service gateway route table (destination 0.0.0.0/0) in the hub VCN.
2. Traffic moves from the service gateway to the Palo Alto Networks VM series virtual firewall in the trust subnet over vNIC2.
3. Traffic from Palo Alto Networks VM series virtual firewall is routed through the trust subnet route table (destination 10.0.0.0/24).
4. Traffic moves from the trust subnet route table to the LPG for the hub VCN.
5. Traffic moves from the hub LPG to the LPG for the web or application tier spoke VCN.
6. Traffic moves from the web or application LPG to the load balancer for the web or application.