This image shows the east-west traffic flow from the web or application tier to OCI Object Storage and other services in the Oracle Services Network, in a regional hub and spoke topology that uses a Cisco Threat Defense firewall. It includes two virtual cloud networks (VCNs):
  • Hub VCN (192.168.0.0/16): The hub VCN houses the Cisco Threat Defense firewall and an internal network load balancer. The trust (inside) subnet uses interface Gig0/0 for internal traffic to and from the Cisco Threat Defense firewall; this interface is part of the backend set of the internal network load balancer. The hub VCN communicates with the spoke VCNs through a dynamic routing gateway (DRG) and with OCI Object Storage through a service gateway.
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN through the DRG.
East-west traffic flow from the web or application to OCI Object Storage:
  1. Traffic that moves from the web or application tier to Object Storage is routed according to the web or application subnet route table, where it matches the default rule (destination 0.0.0.0/0).
  2. The web or application subnet route table sends the Object Storage traffic to the DRG.
  3. From the DRG, the hub VCN ingress route table (attached to the DRG attachment) directs the traffic to the internal network load balancer, which forwards it to a Cisco Threat Defense firewall in the inside subnet over Gig0/0. The load balancer selects one of the Threat Defense firewalls in its backend set.
  4. Traffic leaving the Cisco Threat Defense firewall is routed through the inside subnet route table, using the rule whose destination is the Oracle Services Network.
  5. Traffic moves from the inside subnet route table to the service gateway.
  6. Traffic moves from the service gateway to Oracle Services Network, such as OCI Object Storage.
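As an added example (not part of the original figure or Oracle's documentation), the route lookups in steps 1 to 6 can be modelled to check that Object Storage traffic actually traverses the firewall before reaching the service gateway. The route table contents follow the figure, the target labels are hypothetical stand-ins for OCIDs, and the destination address is a constructed test address flagged as belonging to the Oracle Services Network.

```python
import ipaddress

# Constructed model of the route tables in the figure; targets are hypothetical
# labels, not real OCIDs. Each rule: (destination, destination_type, target).
SPOKE_SUBNET_RT = [("0.0.0.0/0", "CIDR_BLOCK", "drg")]
HUB_INGRESS_RT = [("0.0.0.0/0", "CIDR_BLOCK", "nlb-inside")]  # route table on the DRG attachment
INSIDE_SUBNET_RT = [
    ("all-services-in-oracle-services-network", "SERVICE_CIDR_BLOCK", "service-gateway"),
    ("10.0.0.0/24", "CIDR_BLOCK", "drg"),  # return path to the spoke
]
# Table consulted after each hop (simplified: the NLB hands the packet to the
# firewall, and the firewall's inside subnet table routes its egress).
NEXT_TABLE = {"drg": HUB_INGRESS_RT, "nlb-inside": INSIDE_SUBNET_RT}
INSPECTION_HOPS = {"nlb-inside"}


def lookup(table, dst_ip, to_osn):
    """Pick the most specific matching rule (longest prefix wins, as in OCI).
    A SERVICE_CIDR_BLOCK rule matches only Oracle Services Network traffic and
    is assumed to be more specific than any CIDR_BLOCK rule that also matches."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for dest, dest_type, target in table:
        if dest_type == "SERVICE_CIDR_BLOCK":
            if not to_osn:
                continue
            plen = 33  # assumption: narrower than any CIDR rule written here
        else:
            net = ipaddress.ip_network(dest)
            if addr not in net:
                continue
            plen = net.prefixlen
        if plen > best_len:
            best, best_len = target, plen
    return best


def trace(start_table, dst_ip, to_osn=False, max_hops=8):
    """Follow a packet from the originating subnet's route table, hop by hop."""
    path, table = [], start_table
    while table is not None and len(path) < max_hops:
        target = lookup(table, dst_ip, to_osn)
        if target is None:
            break  # no matching rule: the packet is dropped
        path.append(target)
        table = NEXT_TABLE.get(target)  # None for the service gateway (terminal)
    return path


def passes_inspection(path):
    """True when the traced path includes the firewall load balancer hop."""
    return any(hop in INSPECTION_HOPS for hop in path)
```

Adding a service gateway rule directly to the spoke subnet's route table would make `trace` return a path without the inspection hop, which is the misconfiguration this check is meant to catch.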