This image shows the north-south inbound traffic flow between the hub VCN and the web/application (spoke) VCN in a region that uses a Palo Alto Networks VM-Series Firewall. The Oracle Cloud Infrastructure region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by local peering gateways (LPGs).
- Hub VCN (192.168.0.0/16): The hub VCN contains a high-availability pair of two Palo Alto Networks virtual machines (VMs), with one VM in each of the availability domains. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and a high availability subnet.
- The management subnet uses the management interface (the primary interface, vNIC0) to allow end users to connect to the firewall's user interface.
- The untrust subnet uses virtual network interface card 1 (vNIC1) for external traffic to or from the Palo Alto Networks VM-Series Firewall.
- The trust subnet uses vNIC2 for internal traffic to or from the Palo Alto Networks VM-Series Firewall.
- The high availability subnet uses the vNIC3 interface to keep the two VM-Series firewalls in a high-availability pair.
Inbound traffic enters the hub VCN from external sources through the untrust subnet to the Palo Alto Networks VM-Series Firewall, and then through the trust subnet to the local peering gateway (LPG):
- Internet gateway: Traffic from the internet and external web clients is routed to the Palo Alto Networks VM-Series Firewall in availability domain 1 through the untrust subnet. The untrust subnet has a public IP address, which allows users to connect from outside. A default route allows destination CIDR 0.0.0.0/0 (all addresses).
- Dynamic routing gateway: Traffic from the customer data center (172.16.0.0/12) is routed to the Palo Alto Networks VM-Series Firewall in availability domain 1 through the untrust subnet. The DRG destination CIDR is 10.0.0.0/24 or 10.0.1.0/24 (the spoke VCNs: application and database).
- Palo Alto Networks: Traffic is routed through the firewall VM and the trust subnet to the LPG. The default destination CIDR for the trust subnet is 10.0.0.0/24 and/or 10.0.1.0/24 (the spoke VCNs: application and database).
- Local peering gateway: Traffic from the trust subnet to the spoke VCN is routed over the LPG.
- Application or web: If traffic is destined for this spoke VCN, it is routed through the LPG connection.
- Database: If traffic is destined for this spoke VCN, it is routed through the LPG connection.
- Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer distributes traffic between the web and application VMs in each of the availability domains. Traffic from the hub VCN to the load balancer is routed over the local peering gateway. The spoke subnet destination CIDR is 0.0.0.0/0 (all addresses), so all traffic leaving the spoke returns to the hub.
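The following is an added example, not part of the Oracle documentation or any Palo Alto Networks or OCI tooling. It models the inbound path described above as a set of route tables with the CIDRs from the diagram (192.168.0.0/16 hub, 10.0.0.0/24 and 10.0.1.0/24 spokes, 172.16.0.0/12 on-premises) and resolves each hop by longest-prefix match, the way a VCN route table does. The next-hop names (`fw-ad1-vnic1-untrust`, `lpg-hub-to-app`, and so on) are constructed labels rather than OCI OCIDs, and attaching the ingress tables to the internet gateway and DRG attachment is this example's assumption; the text names only the destination CIDRs. The `firewall_bypasses` audit is the check a reviewer of this design wants: every entry point must send spoke-bound traffic to the firewall's untrust vNIC, so no route lets traffic reach a spoke uninspected.

```python
import ipaddress
from dataclasses import dataclass, field

# Addressing taken from the diagram description above.
HUB_VCN = "192.168.0.0/16"
APP_SPOKE = "10.0.0.0/24"
DB_SPOKE = "10.0.1.0/24"
ON_PREM = "172.16.0.0/12"

# Constructed next-hop labels (not OCI OCIDs): the VM-Series interfaces in AD1 and the two LPGs.
FW_UNTRUST = "fw-ad1-vnic1-untrust"
FW_TRUST = "fw-ad1-vnic2-trust"
LPG_APP = "lpg-hub-to-app"
LPG_DB = "lpg-hub-to-db"


@dataclass
class RouteRule:
    destination: str  # CIDR block
    target: str       # next hop (gateway or firewall vNIC)


@dataclass
class RouteTable:
    name: str
    rules: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match over the rules, as a VCN route table does."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for rule in self.rules:
            net = ipaddress.ip_network(rule.destination)
            if addr in net and net.prefixlen > best_len:
                best, best_len = rule, net.prefixlen
        return best


# Assumed route tables: ingress routing on the IGW and DRG attachment sends both spoke CIDRs
# to the firewall's untrust vNIC; the trust subnet sends each spoke to its LPG; the spoke
# subnet's 0.0.0.0/0 rule (from the text) forces all return traffic back through the LPG.
IGW_INGRESS = RouteTable("igw-ingress", [RouteRule(APP_SPOKE, FW_UNTRUST), RouteRule(DB_SPOKE, FW_UNTRUST)])
DRG_INGRESS = RouteTable("drg-ingress", [RouteRule(APP_SPOKE, FW_UNTRUST), RouteRule(DB_SPOKE, FW_UNTRUST)])
TRUST_RT = RouteTable("trust-subnet", [RouteRule(APP_SPOKE, LPG_APP), RouteRule(DB_SPOKE, LPG_DB)])
SPOKE_RT = RouteTable("spoke-subnet", [RouteRule("0.0.0.0/0", LPG_APP)])

ENTRY_POINTS = {"internet": IGW_INGRESS, "on-prem": DRG_INGRESS}


def entry_for(src):
    """On-premises sources arrive through the DRG; everything else enters via the internet gateway."""
    return "on-prem" if ipaddress.ip_address(src) in ipaddress.ip_network(ON_PREM) else "internet"


def trace_inbound(src, dst):
    """Return the hops a packet takes from the hub edge to the spoke LPG.
    Raises ValueError where a table has no matching route (the VCN would drop the packet)."""
    entry = entry_for(src)
    path = [entry]
    hop = ENTRY_POINTS[entry].lookup(dst)
    if hop is None:
        raise ValueError(f"{ENTRY_POINTS[entry].name}: no route to {dst}")
    path.append(hop.target)
    if hop.target != FW_UNTRUST:
        return path  # the entry table sent traffic somewhere other than the firewall
    path.append(FW_TRUST)  # VM-Series forwards untrust -> trust after policy inspection
    hop = TRUST_RT.lookup(dst)
    if hop is None:
        raise ValueError(f"{TRUST_RT.name}: no route to {dst}")
    path.append(hop.target)
    return path


def firewall_bypasses():
    """Audit: (entry, spoke CIDR, next hop) triples where spoke-bound traffic does not go to the firewall."""
    findings = []
    for name, table in ENTRY_POINTS.items():
        for cidr in (APP_SPOKE, DB_SPOKE):
            probe = str(ipaddress.ip_network(cidr)[1])  # first usable host in the spoke
            rule = table.lookup(probe)
            if rule is None or rule.target != FW_UNTRUST:
                findings.append((name, cidr, None if rule is None else rule.target))
    return findings


if __name__ == "__main__":
    print(trace_inbound("203.0.113.7", "10.0.0.10"))   # internet client -> web/app spoke
    print(trace_inbound("172.16.5.5", "10.0.1.20"))    # data center -> database spoke
    print("firewall bypasses:", firewall_bypasses())
```

Running the script prints the two hop lists and an empty bypass list. Swapping a rule in `IGW_INGRESS` so that a spoke CIDR points straight at an LPG makes `firewall_bypasses` report it, which is the misconfiguration to look for when reviewing the real route tables.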