This image shows the north-south outbound traffic flow from the web or application (spoke) VCN through the hub VCN in a region that uses a Fortinet FortiGate firewall.

The OCI region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by a dynamic routing gateway (DRG).
  • Spoke (web or application) VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic between web or application VMs in each of the availability domains. Outbound traffic from the load balancer to the hub VCN is routed over a DRG. The spoke subnet destination CIDR is 0.0.0.0/0 (all addresses).
  • Hub VCN (192.168.0.0/16): The hub VCN contains a high availability pair of two Fortinet FortiGate VMs, with one VM in each of the availability domains. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and a high availability subnet.
    • The management subnet uses the primary interface (port 1) to allow end users to connect to the user interface.
    • The untrust subnet uses a virtual second interface (port 2) for external traffic to or from the Fortinet FortiGate firewall.
    • The trust subnet uses the third interface (port 3) for internal traffic to or from the Fortinet FortiGate firewall.
    • The high availability subnet uses the fourth interface (port 4) for a FortiGate high availability health check.
Outbound traffic from the spoke (web or application) VCN enters the hub VCN through the trust subnet, passes through the Fortinet FortiGate firewall, and then exits through the untrust subnet to external targets.
  • Dynamic routing gateway: Traffic from the spoke VCN to the hub VCN trust subnet is routed over the DRG. The trust subnet destination CIDR is 0.0.0.0/0 (all addresses).
  • Fortinet FortiGate: Traffic arriving from the DRG enters the trust subnet, is inspected by the Fortinet FortiGate VM in availability domain 1, and is then forwarded through the hub VCN gateways to external targets.
  • Internet gateway: Traffic to the internet and external web clients is routed through an internet gateway. The untrust subnet destination CIDR for the internet gateway is 0.0.0.0/0 (all addresses).
  • Dynamic routing gateway: Traffic to the customer data center is routed through a DRG. The untrust subnet destination CIDR for the dynamic routing gateway is 172.16.0.0/12.
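As an added example (not part of the OCI documentation or the Fortinet configuration), the following Python model encodes the spoke subnet and untrust subnet route tables described above, resolves next hops the way a route table does (longest-prefix match), and checks that traffic for the 172.16.0.0/12 customer data center cannot fall through to the 0.0.0.0/0 internet gateway route. The route target names and the deliberately misconfigured table are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed model of the route tables from the diagram.
# Each entry is (destination CIDR, route target); targets are assumed names.
ROUTE_TABLES = {
    "spoke-subnet": [("0.0.0.0/0", "DRG")],
    "untrust-subnet": [("0.0.0.0/0", "IGW"), ("172.16.0.0/12", "DRG")],
    # Constructed misconfiguration: the on-premises route is missing, so
    # data-center traffic would be sent out the internet gateway.
    "untrust-missing-onprem": [("0.0.0.0/0", "IGW")],
}


def lookup(table_name: str, dst_ip: str) -> Optional[str]:
    """Return the route target for dst_ip using longest-prefix match."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def onprem_route_is_safe(table_name: str, onprem_cidr: str = "172.16.0.0/12") -> bool:
    """True if every address in onprem_cidr resolves to the DRG.

    CIDRs are either nested or disjoint, so each address in the on-prem range
    is decided either by a route inside that range (which must be a DRG route)
    or by the most specific route that covers the whole range.
    """
    onprem = ipaddress.ip_network(onprem_cidr)
    covering = []
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen > onprem.prefixlen and net.subnet_of(onprem):
            if target != "DRG":
                return False  # part of the on-prem range is sent elsewhere
        elif onprem.subnet_of(net):
            covering.append((net.prefixlen, target))
    return bool(covering) and max(covering)[1] == "DRG"


if __name__ == "__main__":
    for table in ROUTE_TABLES:
        print(table, "172.20.1.5 ->", lookup(table, "172.20.1.5"),
              "| on-prem safe:", onprem_route_is_safe(table))
```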