This image shows an Oracle Cloud Infrastructure region that includes two availability domains. The region includes three virtual cloud networks (VCNs) in a hub-and-spoke topology connected by local peering gateways (LPGs). The VCNs are arranged here as functional layers.
- Hub VCN: The hub VCN contains a high-availability pair of Palo Alto Networks VM-Series firewall virtual machines (VMs), one VM in each availability domain. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and a high-availability subnet.
  - The management subnet uses the management interface (primary interface, vNIC0) to allow users to connect to the firewall's management user interface.
  - The untrust subnet uses virtual network interface card 1 (vNIC1) for external traffic to or from the Palo Alto Networks VM-Series Firewall.
  - The trust subnet uses vNIC2 for internal traffic to or from the Palo Alto Networks VM-Series Firewall.
  - The high-availability subnet uses vNIC3 for the link that lets the two VM-Series firewalls operate as a high-availability pair.
  The hub VCN includes the following communication gateways:
  - Internet gateway: Connects internet and external web clients to the Palo Alto Networks VM-Series Firewall in availability domain 1 through the untrust subnet.
  - Dynamic routing gateway: Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect to the Palo Alto Networks VM-Series Firewall in availability domain 1 through the untrust subnet.
  - Service gateway: Connects the hub VCN to Oracle Cloud Infrastructure Object Storage and other Oracle services for the region.
  - Local peering gateway: Connects the Palo Alto Networks VM-Series Firewall in availability domain 1 to the web or application tier VCN and the database tier VCN through the trust subnet.
- Web or application spoke VCN: The VCN contains at least one subnet. A load balancer manages traffic between web or application VMs in each of the availability domains. The application tier VCN is connected to the hub VCN over a local peering gateway.
- Database spoke VCN: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN over a local peering gateway.
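The routing that actually forces spoke traffic through the firewall's trust interface is not shown in the diagram. The following Terraform fragment, added here as an illustration and not part of the reference architecture, shows the two route tables involved for the application spoke: the spoke sends all traffic to its LPG, and the hub-side LPG carries a route table that steers arriving traffic to the firewall's trust vNIC (vNIC2). Resource names, `var.compartment_ocid`, and `var.fw_trust_private_ip_ocid` (the OCID of the private IP on the AD1 firewall's trust vNIC) are assumptions.

```hcl
# Spoke side: default route from the application VCN to its LPG, i.e. into the hub.
# Because there is no other rule, east-west and outbound traffic cannot bypass the hub.
resource "oci_core_route_table" "app_spoke_rt" {
  compartment_id = var.compartment_ocid          # assumed variable
  vcn_id         = oci_core_vcn.app_spoke.id      # assumed resource name
  display_name   = "app-spoke-to-hub"

  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_local_peering_gateway.app_spoke_lpg.id
  }
}

# Hub side: route table attached to the LPG, so traffic entering the hub from the
# spoke is handed to the firewall's trust vNIC rather than routed directly by the VCN.
resource "oci_core_route_table" "hub_lpg_ingress_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "hub-lpg-to-firewall-trust"

  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.fw_trust_private_ip_ocid   # private IP OCID of vNIC2 (trust), AD1 firewall
  }
}

# The hub's LPG toward the application spoke, with the ingress route table above.
resource "oci_core_local_peering_gateway" "hub_to_app_lpg" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "hub-to-app-spoke"
  route_table_id = oci_core_route_table.hub_lpg_ingress_rt.id
  peer_id        = oci_core_local_peering_gateway.app_spoke_lpg.id
}
```

For the firewall to accept packets whose destination is not its own address, the trust and untrust vNICs must be created with `skip_source_dest_check = true`; without it the VCN drops the forwarded traffic and the spoke appears unreachable.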