This image shows an OCI region that includes two availability domains. The region includes three virtual cloud networks (VCNs) in a hub-and-spoke topology connected by a dynamic routing gateway (DRG). The VCNs are arranged here as functional layers.
  • Hub VCN: The hub VCN contains a cluster of two Fortinet FortiGate Firewall virtual machines (VMs), with one VM in each availability domain; the cluster runs in high availability mode. The hub VCN also includes FortiManager to manage the FortiGate firewalls. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and a high availability subnet.
    • The management subnet uses the primary interface (port 1) to allow end users to connect to the firewall's user interface.
    • The untrust subnet uses a second virtual interface (port 2) for external traffic to or from the Fortinet FortiGate firewall.
    • The trust subnet uses a third interface (port 3) for internal traffic to or from the Fortinet FortiGate firewall.
    • The high availability subnet uses the fourth interface (port 4) for the FortiGate high availability health check.
    The hub VCN includes the following communication gateways:
    • Internet gateway: Connects the internet and external web clients to the Fortinet FortiGate firewalls in the availability domains through the untrust subnet.
    • Dynamic routing gateway: Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect to the primary Fortinet FortiGate firewall in its availability domain through the untrust subnet. The DRG also carries communication between VCNs: each VCN has an attachment to the DRG.
    • Service gateway: Connects the hub VCN to OCI Object Storage and other Oracle services for the region.
  • Web or application spoke VCN: The VCN contains at least one subnet. A load balancer manages traffic between the web or application VMs in each availability domain. The application tier VCN is connected to the hub VCN through the DRG.
  • Database spoke VCN: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN through the DRG.
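As an added check that is not part of the diagram or Oracle's documentation, the following Python models the route tables this hub-and-spoke topology implies (hypothetical CIDRs, table names and FortiGate trust-interface IP, all constructed here) and traces whether each spoke-to-spoke or spoke-to-internet flow actually crosses the firewall; a DRG rule that delivers spoke traffic directly to another spoke shows up as an uninspected flow.

```python
import ipaddress
# Constructed model of the routing the diagram implies (hypothetical CIDRs and IPs, not
# OCI API objects). A value names the next table, the FortiGate trust IP, or a "deliver:" target.
FIREWALL_TRUST_IP = "10.0.3.10"   # assumed private IP of the active FortiGate, port 3
VCN_CIDRS = {"hub": "10.0.0.0/16", "web": "10.1.0.0/16", "db": "10.2.0.0/16"}
TABLES = {
    # spoke subnet route tables: all traffic leaves through the DRG
    "web_subnet": {"0.0.0.0/0": "drg_spoke_rt"},
    "db_subnet": {"0.0.0.0/0": "drg_spoke_rt"},
    # DRG route table bound to the spoke attachments: send everything to the hub
    "drg_spoke_rt": {"0.0.0.0/0": "hub_ingress_rt"},
    # hub VCN ingress route table on the DRG attachment: steer into the firewall
    "hub_ingress_rt": {"0.0.0.0/0": FIREWALL_TRUST_IP},
    # hub trust subnet: the firewall hands spoke-bound traffic back to the DRG
    "hub_trust_subnet": {"10.1.0.0/16": "drg_hub_rt", "10.2.0.0/16": "drg_hub_rt"},
    # hub untrust subnet: internet-bound traffic goes to the internet gateway
    "hub_untrust_subnet": {"0.0.0.0/0": "deliver:internet"},
    # DRG route table bound to the hub attachment: deliver into the owning spoke
    "drg_hub_rt": {"10.1.0.0/16": "deliver:web", "10.2.0.0/16": "deliver:db"},
}

def lookup(table, dst):
    """Longest-prefix match, as OCI route tables do; None when no rule matches."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, hop in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(src_table, dst, max_hops=8):
    """Ordered hops from src_table toward dst, ending in deliver:, blackhole or loop."""
    path, table = [src_table], src_table
    for _ in range(max_hops):
        hop = lookup(table, dst)
        if hop is None or hop.startswith("deliver:"):
            return path + [hop or "blackhole"]
        if hop == FIREWALL_TRUST_IP:   # packet enters the FortiGate on its trust interface
            path.append("fortigate")
            internal = any(ipaddress.ip_address(dst) in ipaddress.ip_network(c)
                           for c in VCN_CIDRS.values())
            # firewall policy (approximated) egresses via trust for VCN-bound, else untrust
            hop = "hub_trust_subnet" if internal else "hub_untrust_subnet"
        path.append(hop)
        table = hop
    return path + ["loop"]

def uninspected(flows):
    """Return the (src_table, dst) flows whose path never crosses the firewall."""
    return [(s, d) for s, d in flows if "fortigate" not in trace(s, d)]
```

Running `uninspected` over every spoke-to-spoke and spoke-to-internet pair after each route-table change is a cheap regression check that no path bypasses the hub firewall.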