This image shows the north-south outbound traffic flow from the web or application (spoke) VCN through the hub VCN in a region that uses Palo Alto Networks VM-Series Firewall.
The Oracle Cloud Infrastructure region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by local peering gateways (LPGs).
- Spoke (web or application) VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic between the web or application VMs in each of the availability domains. Outbound traffic from the load balancer to the hub VCN is routed over a local peering gateway. The spoke subnet destination CIDR is 0.0.0.0/0 (all addresses).
- Hub VCN (192.168.0.0/16): The hub VCN contains a high-availability pair of Palo Alto Networks virtual machines (VMs), with one VM in each of the availability domains. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet and an HA subnet.
  - The management subnet uses the management interface (primary vNIC) to allow end users to connect to the firewall's user interface from outside or through a proxy VM.
  - The untrust subnet uses virtual network interface card 1 (vNIC1) for external traffic to or from the Palo Alto Networks VM-Series firewall.
  - The trust subnet uses vNIC2 for internal traffic to or from the Palo Alto Networks VM-Series firewall.
  - The high-availability subnet uses the vNIC3 interface to keep the two VM-Series firewalls synchronized as an HA pair.
Outbound traffic from the spoke (web or application) VCN enters the hub VCN's trust subnet, passes through the Palo Alto Networks VM-Series firewall, and then leaves through the untrust subnet to external targets.
- Local peering gateway: Traffic from the spoke VCN to the hub VCN trust subnet is routed over the LPG. The trust subnet destination CIDR is 0.0.0.0/0 (all addresses).
- Palo Alto Networks: Traffic arriving from the LPG in the trust subnet is routed through the Palo Alto Networks VM in availability domain 1, and from there through the hub VCN gateways to external targets.
- Internet gateway: Traffic to internet and external web clients is routed through an internet gateway. The untrust subnet destination CIDR for the internet gateway is 0.0.0.0/0 (all addresses).
- Dynamic routing gateway: Traffic to the customer data center is routed through a dynamic routing gateway (DRG). The untrust subnet destination CIDR for the dynamic routing gateway is 172.16.0.0/12.
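The route-table hops described above, walked for sample destinations, as an added example that is not part of the original page or of Oracle's or Palo Alto Networks' own tooling. The CIDRs come from the page; the next-hop labels, the hop-to-subnet mapping and the sample destination addresses are constructed assumptions used only to show how longest-prefix matching selects the internet gateway versus the DRG in the untrust subnet.

```python
import ipaddress

# Route tables per subnet as (destination CIDR, next hop). CIDRs are the ones
# stated on the page; the next-hop labels are constructed for this example.
ROUTE_TABLES = {
    "spoke-subnet": [("0.0.0.0/0", "lpg")],                 # spoke -> hub over the LPG
    "hub-trust": [("0.0.0.0/0", "paloalto-ad1")],           # trust subnet -> firewall vNIC2
    "hub-untrust": [("0.0.0.0/0", "internet-gateway"),      # untrust subnet -> internet
                    ("172.16.0.0/12", "drg")],              # untrust subnet -> data center
}

# Which route table evaluates the packet after each hop (assumption modelling the
# page's flow); None marks an exit from the region (internet gateway or DRG).
NEXT_TABLE = {
    "lpg": "hub-trust",
    "paloalto-ad1": "hub-untrust",
    "internet-gateway": None,
    "drg": None,
}


def lookup(table_name, dst):
    """Longest-prefix match in one route table; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace_outbound(dst, start="spoke-subnet"):
    """Walk the north-south path from the spoke subnet to the exit gateway."""
    path, table = [], start
    while table is not None:
        hop = lookup(table, dst)
        if hop is None:           # no matching rule: the VCN drops the packet
            path.append("dropped:no-route")
            break
        path.append(hop)
        table = NEXT_TABLE[hop]
    return path


def egress_is_inspected(dst):
    """Defender's check: every outbound path must cross the firewall VM."""
    return "paloalto-ad1" in trace_outbound(dst)
```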