This image shows the north-south inbound traffic flow between the hub VCN and the web or application (spoke) VCN in a region that uses a Fortinet FortiGate firewall. The OCI region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web/application tier) connected by a dynamic routing gateway (DRG).
  • Hub VCN (192.168.0.0/16): The hub VCN contains a high-availability pair of Fortinet FortiGate firewalls, with one VM in each of the availability domains. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and a high availability subnet.
    • The management subnet uses the primary interface (port 1) to allow end users to connect to the user interface.
    • The untrust subnet uses the second virtual interface (port 2) for external traffic to or from the Fortinet FortiGate firewall.
    • The trust subnet uses the third interface (port 3) for internal traffic to or from the Fortinet FortiGate firewall.
    • The high availability subnet uses the fourth interface (port 4) for the FortiGate high availability health check.
  • Inbound traffic enters the hub VCN from external sources through the untrust subnet to the primary Fortinet FortiGate firewall, and then through the trust subnet to the DRG.
    • Internet gateway: Traffic from the internet and external web clients routes to the Fortinet FortiGate VMs in availability domain 1 through the untrust subnet. The untrust subnet has a public address that allows users to connect from outside. The default route allows destination CIDR 0.0.0.0/0 (all addresses).
    • Dynamic routing gateway: Traffic from the customer data center (172.16.0.0/12) routes to the Fortinet FortiGate VM in availability domain 1 through the untrust subnet. The DRG destination CIDR is 10.0.0.0/24 or 10.0.1.0/24 (the spoke VCNs: application or database).
    • Fortinet FortiGate: Traffic is routed through the firewall VM and the trust subnet to the DRG. The default destination CIDR for the trust subnet is 10.0.0.0/24 or 10.0.1.0/24 (the spoke VCNs: application or database).
    • Dynamic routing gateway: Traffic from the trust subnet to the spoke VCN is routed over the DRG.
      • Application and web: If traffic is destined to this spoke VCN, it routes through the DRG attachment.
      • Database: If traffic is destined to this spoke VCN, it routes through the DRG attachment.
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic between the web and application VMs in each of the availability domains. Traffic from the hub VCN to the load balancer is routed over the DRG. The spoke subnet destination CIDR is 0.0.0.0/0 (all addresses).
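As an added illustration (not part of Oracle's reference architecture or its own code), the route tables described above modelled in Python and traced with longest-prefix matching, so that the inbound paths from the internet and from the data center can be audited for passing the FortiGate hop before reaching a spoke; hop names, the per-attachment DRG tables, and the probe addresses are assumptions.

```python
import ipaddress
# Constructed route tables modelling the description; hop names are assumptions.
# Each value is a list of (destination CIDR, next hop) rules.
ROUTE_TABLES = {
    # Hub VCN trust subnet (FortiGate port 3): spoke CIDRs go to the DRG.
    "trust-subnet": [("10.0.0.0/24", "drg:hub"), ("10.0.1.0/24", "drg:hub")],
    # DRG tables keyed by ingress attachment: traffic from the data centre
    # (172.16.0.0/12) is steered into the hub VCN so it hits the firewall first;
    # traffic arriving from the hub attachment is delivered to the spoke VCNs.
    "drg:onprem": [("10.0.0.0/24", "hub-vcn"), ("10.0.1.0/24", "hub-vcn")],
    "drg:hub": [("10.0.0.0/24", "spoke-web-vcn"), ("10.0.1.0/24", "spoke-db-vcn")],
}
# Hops that forward without a route lookup: the internet gateway delivers to the
# FortiGate's public untrust address (port 2), the hub VCN attachment hands
# on-prem traffic to the same interface, and the firewall egresses via port 3.
FORWARDERS = {"internet-gateway": "fortigate", "hub-vcn": "fortigate",
              "fortigate": "trust-subnet"}

def lookup(table, dst):
    """Longest-prefix match of dst in one route table; None when no rule matches."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, nxt in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nxt)
    return best[1] if best else None

def trace(entry, dst, max_hops=10):
    """Follow next hops from an entry point until a terminal hop (spoke VCN or drop)."""
    path, hop = [entry], entry
    for _ in range(max_hops):
        if hop in ROUTE_TABLES:
            hop = lookup(hop, dst)
        elif hop in FORWARDERS:
            hop = FORWARDERS[hop]
        else:
            return path                      # terminal hop reached
        path.append(hop or "DROP(no route)")
        if hop is None:
            return path
    raise RuntimeError("routing loop")

def traverses_firewall(path):
    return "fortigate" in path               # the property every inbound path must satisfy

if __name__ == "__main__":
    # Constructed probes: an internet web client and an on-prem host.
    for entry, dst in [("internet-gateway", "10.0.0.10"), ("drg:onprem", "10.0.1.20")]:
        p = trace(entry, dst)
        print(" -> ".join(p), "| via firewall:", traverses_firewall(p))
```

A rule added to `drg:onprem` that points straight at a spoke attachment would make `traverses_firewall` return False for that probe, which is the misconfiguration this check is meant to catch.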