This image shows the east-west traffic flow from the web or application to the database in a regional hub and spoke topology that uses a Fortinet FortiGate firewall. It includes three virtual cloud networks (VCNs):
  • Hub VCN (192.168.0.0/16): The hub VCN houses the Fortinet FortiGate Firewall VMs. The trust subnet uses port 3 for internal traffic to or from the Fortinet FortiGate Firewall VM. The hub VCN communicates with spoke VCNs through a dynamic routing gateway (DRG).
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN over a dynamic routing gateway attachment.
  • Database tier spoke VCN (10.0.1.0/24): The VCN contains a single subnet that contains the primary database system. The database tier VCN is connected to the hub VCN over a dynamic routing gateway attachment.
East-west traffic flows from the web or application to the database in the following steps:
  1. Traffic that moves from the web or application tier to the database tier (10.0.1.10) is routed through the web or application subnet route table (destination 0.0.0.0/0).
  2. Traffic moves from the web or application subnet route table to the DRG for the database tier spoke VCN.
  3. Traffic moves from the DRG to the Fortinet FortiGate firewall in the trust subnet over port 3 through the hub VCN ingress route table.
  4. Traffic from the Fortinet FortiGate firewall is routed through the trust subnet route table (destination 10.0.0.0/24, 10.0.1.0/24).
  5. Traffic moves from the trust subnet route table to the DRG (destination 10.0.0.0/16).
  6. Traffic moves from the DRG to the database tier spoke VCN.
  7. Traffic moves from the database spoke route table to the database system.
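The following is an added example, not part of this page or of any Oracle or Fortinet tooling: a small Python model of the route tables in the seven steps above, walked hop by hop with longest-prefix matching, plus a defender check that a spoke-to-spoke path actually crosses the FortiGate trust port. The table names, the "deliver" marker, and the split of the DRG into a spoke-attachment table and a hub-attachment table are assumptions made for the model; a second, deliberately misconfigured copy shows how a direct spoke-to-spoke DRG route would bypass inspection and be caught.

```python
import ipaddress

# Constructed model of the route tables in the flow above (names are assumed,
# not OCI resource names). Each value is the next table consulted, or "deliver"
# when the destination subnet is reached. Lookup is longest-prefix match.
INSPECTED = {
    "web-subnet-rt":   {"10.0.0.0/24": "deliver", "0.0.0.0/0": "drg-spoke-rt"},
    "db-subnet-rt":    {"10.0.1.0/24": "deliver", "0.0.0.0/0": "drg-spoke-rt"},
    # assumed DRG route table on the spoke attachments: everything goes to the hub VCN
    "drg-spoke-rt":    {"0.0.0.0/0": "hub-ingress-rt"},
    # hub VCN ingress route table hands traffic to the FortiGate trust port (port 3)
    "hub-ingress-rt":  {"0.0.0.0/0": "fortigate-port3"},
    # after inspection the FortiGate forwards using the trust subnet route table
    "fortigate-port3": {"10.0.0.0/24": "drg-hub-rt", "10.0.1.0/24": "drg-hub-rt"},
    # assumed DRG route table on the hub attachment: return traffic to the owning spoke
    "drg-hub-rt":      {"10.0.0.0/24": "web-subnet-rt", "10.0.1.0/24": "db-subnet-rt"},
}

# Constructed misconfiguration: a spoke-side DRG route that short-cuts to the other spoke.
BYPASS = {name: dict(routes) for name, routes in INSPECTED.items()}
BYPASS["drg-spoke-rt"]["10.0.1.0/24"] = "db-subnet-rt"


def lookup(table, dst):
    """Longest-prefix match of dst against one route table; None if no route matches."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen, default=None)
    return None if best is None else table[str(best)]


def trace(tables, start, dst, max_hops=10):
    """Walk the route tables from `start` toward dst; returns the ordered list of hops."""
    path, cur = [start], start
    for _ in range(max_hops):
        nxt = lookup(tables[cur], dst)
        if nxt is None:
            return path + ["drop"]          # no matching route: traffic is dropped
        path.append(nxt)
        if nxt == "deliver":
            return path
        cur = nxt
    return path + ["loop"]                  # hop budget exhausted: routing loop


def passes_firewall(tables, start, dst):
    """Defender check: does traffic from `start` to dst traverse the FortiGate trust port?"""
    return "fortigate-port3" in trace(tables, start, dst)


if __name__ == "__main__":
    print(trace(INSPECTED, "web-subnet-rt", "10.0.1.10"))   # path via fortigate-port3
    print(trace(BYPASS, "web-subnet-rt", "10.0.1.10"))      # path skipping the firewall
```

The same check run on the database-side table with a web-tier destination confirms that the return path is inspected as well, which is what keeps the FortiGate session table symmetric.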