This image shows the east-west traffic flow from OCI Object Storage and other Oracle Services Network to the web application in a regional hub and spoke topology that uses a Cisco Threat Defense firewall. It includes two virtual cloud networks (VCNs):
  • Hub VCN (192.168.0.0/16): The hub VCN houses the Cisco Threat Defense firewalls and the internal network load balancer. The inside subnet uses Gig0/0 for internal traffic to or from the Threat Defense, and this interface is a backend of the internal network load balancer. The hub VCN communicates with the spoke VCNs through a dynamic routing gateway (DRG) and with OCI Object Storage through a service gateway.
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN over the DRG.
East-west traffic flow from OCI Object Storage to the web or application:
  1. Traffic that moves from Object Storage to the web or application VM (10.0.0.10) is routed through the service gateway route table (destination 0.0.0.0/0) in the hub VCN.
  2. Traffic moves from the service gateway to the Cisco Threat Defense firewalls in the inside subnet over Gig0/0 through the internal network load balancer. The load balancer sends each flow to one of the Threat Defense firewalls in its backend set.
  3. Traffic from the Cisco Threat Defense firewall is routed through the inside subnet route table (destination 10.0.0.0/24).
  4. Traffic moves from the inside subnet route table to the DRG.
  5. Traffic moves through the DRG to the web or application tier spoke VCN.
  6. Traffic moves from the DRG web VCN attachment to the load balancer for the web or application tier.
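The hop sequence above depends on each route table having a matching rule for the spoke prefix; a missing rule at any point drops the flow silently. The following added example (not part of the original figure or of Oracle's or Cisco's code) models the route tables the steps describe as longest-prefix-match lookups and traces a packet from Object Storage to 10.0.0.10. The route table names, the backend selection function and the second spoke prefix 10.0.1.0/24 are assumptions chosen to show what a gap in the inside subnet route table looks like.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class RouteTable:
    """Minimal OCI-style route table: destination CIDR -> next-hop entity."""
    name: str
    rules: dict

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None if nothing matches."""
        best = None
        for cidr, hop in self.rules.items():
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best


# Constructed route tables reflecting the figure; the table names are assumptions.
SERVICE_GATEWAY_RT = RouteTable("hub-sgw-rt", {"0.0.0.0/0": "internal-nlb"})
INSIDE_SUBNET_RT = RouteTable("hub-inside-rt", {"10.0.0.0/24": "drg"})
DRG_RT = RouteTable("drg-rt", {"10.0.0.0/24": "spoke-web-vcn-attachment",
                               "192.168.0.0/16": "hub-vcn-attachment"})
SPOKE_WEB_RT = RouteTable("spoke-web-rt", {"10.0.0.0/24": "local"})

# Route table consulted when a packet arrives at each forwarding point.
TABLE_AT = {
    "service-gateway": SERVICE_GATEWAY_RT,
    "ftd-gig0/0": INSIDE_SUBNET_RT,
    "drg": DRG_RT,
    "spoke-web-vcn-attachment": SPOKE_WEB_RT,
}

NLB_BACKENDS = ["ftd-1", "ftd-2"]


def pick_backend(flow_key):
    """Deterministic stand-in for the NLB's flow hashing (an assumption, not OCI's algorithm)."""
    digest = hashlib.sha256(flow_key.encode()).digest()
    return NLB_BACKENDS[int.from_bytes(digest[:4], "big") % len(NLB_BACKENDS)]


def trace(dst_ip, flow_key, max_hops=10):
    """Return the list of hops a packet from Object Storage takes toward dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    hops = ["object-storage"]
    point = "service-gateway"
    for _ in range(max_hops):
        hops.append(point)
        table = TABLE_AT.get(point)
        if table is None:          # forwarding point with no modelled table: stop here
            break
        match = table.lookup(dst)
        if match is None:          # no rule for this prefix: the VCN drops the packet
            hops.append(f"DROP: no route for {dst} in {table.name}")
            return hops
        net, nxt = match
        hops.append(f"{table.name}: {net} -> {nxt}")
        if nxt == "internal-nlb":
            # NLB picks one Threat Defense backend; its policy is assumed to permit the flow.
            hops.append(f"internal-nlb -> {pick_backend(flow_key)}")
            point = "ftd-gig0/0"
        elif nxt == "local":
            hops.extend(["application-load-balancer", f"vm {dst}"])
            return hops
        else:
            point = nxt
    return hops


if __name__ == "__main__":
    for ip in ("10.0.0.10", "10.0.1.10"):
        print(f"--- {ip}")
        for hop in trace(ip, f"objectstorage->{ip}:443"):
            print(" ", hop)
```

Running the script prints the six-step path for 10.0.0.10 ending at the application load balancer and the VM, and a DROP at hub-inside-rt for 10.0.1.10, because the inside subnet route table only carries 10.0.0.0/24. Adding a second spoke therefore means adding its prefix to the inside subnet route table and the DRG route table, not only attaching it to the DRG.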