This image shows the north-south inbound traffic flow between the hub VCN and the web or application (spoke) VCN in a region that uses Cisco Threat Defense firewalls. The OCI region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by a dynamic routing gateway (DRG).

  • Hub VCN (192.168.0.0/16):

    The hub VCN contains a cluster of two Cisco Threat Defense firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. The hub VCN also includes a Management Center (FMC) VM that manages the Cisco Threat Defense firewalls. The hub VCN includes five subnets: a management subnet, a diagnostic subnet, an inside (trust) subnet, an outside (untrust) subnet, and an NLB subnet.
    • The management subnet uses the primary interface (mgmt), through which administrators connect to the firewall's user interface and the FMC manages the firewall.
    • The diagnostic subnet uses the secondary interface (diag) for diagnostic purposes on the Cisco Threat Defense firewall.
    • The inside subnet uses the third interface (gig0/0) for internal traffic to or from the Cisco Threat Defense firewall.
    • The outside subnet uses the fourth interface (gig0/1) for external traffic to or from the Cisco Threat Defense firewall.
    • The NLB subnet is where you create a private or public flexible network load balancer, which accepts inbound connections from on-premises networks and from the internet.
  • Inbound traffic enters the hub VCN from external sources through the external network load balancer and is forwarded to the Cisco Threat Defense firewalls:
    • Internet gateway: Traffic from the internet and external web clients reaches the public network load balancer and is then forwarded to one of the Cisco Threat Defense firewalls through the outside subnet. The public load balancer in the NLB subnet has a public IP address, which is what external clients connect to. The firewall's default route (destination CIDR 0.0.0.0/0, all addresses) uses the first host IP address in the outside subnet CIDR as its next hop; OCI reserves that address as the subnet's default gateway.
    • Dynamic routing gateway (DRG): Traffic from the customer data center (172.16.0.0/12) is routed to the private network load balancer and then to one of the Cisco Threat Defense firewalls through the outside subnet. The DRG routes the spoke VCN CIDRs, 10.0.0.0/24 and 10.0.1.0/24, to their spoke VCNs. The DRG also carries traffic between VCNs; each VCN has an attachment to the DRG.
    • Cisco Threat Defense: Traffic is routed through the firewall VM and the inside subnet to the DRG. Source address translation happens on the Cisco Threat Defense firewall, using the inside interface IP address, so that the spoke's reply returns to the same firewall rather than following the spoke's own routing to the original client. The firewall's routes for the spoke VCNs (10.0.0.0/24 and 10.0.1.0/24, the application and database spokes) use the first host IP address in the inside subnet CIDR as the next hop, which is the inside subnet's default gateway.
    • Dynamic routing gateway: Traffic from the inside subnet to the spoke VCN is routed over the DRG.
      • Application or web: If traffic is destined to this spoke VCN, it's routed through the DRG's application/web VCN attachment.
      • Database: If traffic is destined to this spoke VCN, it's routed through the DRG's database VCN attachment.
  • Web or application tier spoke VCN (10.0.0.0/24):

    The VCN contains a single subnet. An application load balancer distributes traffic across the web and application VMs in each availability domain. Traffic from the hub VCN to the application load balancer is routed over the DRG. The spoke subnet's route table sends the default route 0.0.0.0/0 (all addresses) to the DRG, so every packet leaving the spoke, including replies to inbound connections, goes back through the hub and its firewalls rather than to any gateway of its own.
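The following is an added example, not code from the original page, from Oracle or from Cisco. It models the route tables of the hub (firewall routing table, inside and outside subnets, DRG route tables) and of the spoke subnet as described in the two sections above, traces the inbound path and the SNAT-dependent return path with longest-prefix-match lookups, and includes a check that flags spoke route rules which would bypass the hub firewalls. The CIDRs come from the page (hub 192.168.0.0/16, spokes 10.0.0.0/24 and 10.0.1.0/24, on-premises 172.16.0.0/12); the hub subnet ranges, the firewall inside IP, the route-table names and the DRG attachment names are assumptions made for illustration.

```python
"""Route-table model for the Cisco Threat Defense hub-and-spoke design (added example)."""
from ipaddress import ip_address, ip_network

HUB_VCN = ip_network("192.168.0.0/16")
OUTSIDE_SUBNET = ip_network("192.168.2.0/24")   # assumed range for the outside (untrust) subnet
INSIDE_SUBNET = ip_network("192.168.3.0/24")    # assumed range for the inside (trust) subnet
ON_PREM = ip_network("172.16.0.0/12")
# Spoke VCN CIDRs keyed by the (assumed) name of their DRG attachment.
SPOKES = {"drg:app-attachment": ip_network("10.0.0.0/24"),
          "drg:db-attachment": ip_network("10.0.1.0/24")}
FTD_INSIDE_IP = ip_address("192.168.3.10")      # assumed address of the firewall's gig0/0


def subnet_gateway(subnet):
    """OCI reserves the first host address of every subnet for its default gateway."""
    return subnet[1]


# Route tables as {destination CIDR: next hop}. Both OCI route tables and the
# firewall's routing table select the longest matching prefix.
ROUTE_TABLES = {
    # Firewall routing table: spokes via the inside gateway, everything else via outside.
    "ftd": {"10.0.0.0/24": f"gw:{subnet_gateway(INSIDE_SUBNET)}",
            "10.0.1.0/24": f"gw:{subnet_gateway(INSIDE_SUBNET)}",
            "0.0.0.0/0": f"gw:{subnet_gateway(OUTSIDE_SUBNET)}"},
    # Hub inside subnet: spoke CIDRs to the DRG.
    "hub-inside-subnet": {"10.0.0.0/24": "drg", "10.0.1.0/24": "drg"},
    # Hub outside subnet: internet via the internet gateway, on-premises via the DRG.
    "hub-outside-subnet": {"0.0.0.0/0": "igw", "172.16.0.0/12": "drg"},
    # DRG route table used for traffic arriving from the hub VCN attachment.
    "drg-hub-attachment": {"10.0.0.0/24": "drg:app-attachment",
                           "10.0.1.0/24": "drg:db-attachment",
                           "172.16.0.0/12": "drg:onprem-attachment"},
    # DRG route table used for traffic arriving from any spoke attachment.
    "drg-spoke-attachment": {"0.0.0.0/0": "drg:hub-attachment"},
    # Spoke subnet: default route to the DRG, as the page describes.
    "spoke-subnet": {"0.0.0.0/0": "drg"},
}


def lookup(table_name, dst):
    """Longest-prefix-match lookup; returns the next hop, or None when nothing matches."""
    dst = ip_address(dst)
    best = None
    for cidr, hop in ROUTE_TABLES[table_name].items():
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def inbound_path(dst):
    """Hops an inbound flow takes from the external NLB, through the firewall, to a spoke."""
    hops = ["external-nlb", "ftd"]
    if lookup("ftd", dst) != f"gw:{subnet_gateway(INSIDE_SUBNET)}":
        raise ValueError(f"{dst} is not routed out the inside interface")
    hops.append(lookup("hub-inside-subnet", dst))        # "drg"
    attachment = lookup("drg-hub-attachment", dst)       # which spoke attachment
    hops.append(attachment)
    hops.append(f"spoke:{SPOKES[attachment]}")
    return hops


def snat(client_src):
    """Source NAT on the firewall: the client's address is replaced by the inside interface IP,
    so the spoke sees a hub address and its reply is delivered back to this firewall."""
    return FTD_INSIDE_IP


def return_path(reply_dst):
    """Hops the spoke's reply takes; reply_dst is the source address the spoke saw."""
    hops = [lookup("spoke-subnet", reply_dst),            # "drg"
            lookup("drg-spoke-attachment", reply_dst)]    # "drg:hub-attachment"
    # Inside the hub VCN the reply is delivered locally only if it targets a hub address.
    hops.append("ftd" if ip_address(reply_dst) in INSIDE_SUBNET else "no-ftd-return")
    return hops


def audit_spoke_route_table(rules, allowed_target="drg"):
    """Flag spoke route rules that bypass the hub firewalls.

    rules: {destination CIDR: target} as read from an OCI route table. A compliant
    spoke has a default route to the DRG and no rule pointing at any other target
    (internet gateway, NAT gateway, local peering gateway, ...).
    """
    findings = []
    if rules.get("0.0.0.0/0") != allowed_target:
        findings.append("missing default route 0.0.0.0/0 -> drg")
    for cidr, target in rules.items():
        if target != allowed_target:
            findings.append(f"{cidr} -> {target} bypasses the hub firewall")
    return findings


if __name__ == "__main__":
    print("inbound :", " -> ".join(inbound_path("10.0.0.20")))
    print("with SNAT:", " -> ".join(return_path(str(snat("203.0.113.7")))))
    print("no SNAT  :", " -> ".join(return_path("203.0.113.7")))
    print("audit    :", audit_spoke_route_table({"0.0.0.0/0": "igw"}))   # constructed bad table
```

Running the block shows the inbound hops for a web-tier address, the reply coming back to the firewall only when the source was translated, and the audit flagging a constructed spoke route table whose default route points at an internet gateway instead of the DRG.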