This image shows the north-south outbound traffic flow from the web or application (spoke) VCN through the hub VCN in a region that uses a Cisco Threat Defense firewall.

The OCI region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by dynamic routing gateway attachments.
  • Spoke (web or application) VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic between the web or application VMs in each of the availability domains. Outbound traffic from the application load balancer to the hub VCN is routed over the dynamic routing gateway (DRG). The spoke subnet route rule for destination CIDR 0.0.0.0/0 (all addresses) points to the DRG.
  • Hub VCN (192.168.0.0/16): The hub VCN contains a cluster of two Cisco Threat Defense firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. The hub VCN also includes a Management Center (FMC) VM that manages the Cisco Threat Defense firewalls. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and an nlb subnet.
    • The management subnet uses the primary interface (mgmt) to allow end users to connect to the management user interface.
    • The diagnostic subnet uses the secondary interface (diag) for Cisco Threat Defense firewall diagnostics.
    • The inside subnet uses the third interface (gig0/0) for internal traffic to or from the Cisco Threat Defense firewall.
    • The outside subnet uses the fourth interface (gig0/1) for external traffic to or from the Cisco Threat Defense firewall.
    • The nlb subnet allows end users to create a private or public flexible network load balancer, which accepts on-premises connections and inbound connections from the internet.
Outbound traffic from the spoke (web or application) VCN enters the hub VCN at the internal network load balancer, which sends the traffic to the Cisco Threat Defense firewall inside interfaces; the firewall then forwards it out through the outside subnet to external targets.
  • Cisco Threat Defense: Traffic from the DRG is routed through the internal network load balancer to the Cisco Threat Defense firewall inside interfaces via the inside subnet, and then through the hub VCN gateways to external targets.
  • Internet gateway: Traffic to the internet and external web clients is routed through an internet gateway. The outside subnet route rule for destination CIDR 0.0.0.0/0 (all addresses) points to the internet gateway.
  • Dynamic routing gateway: Traffic to the customer data center is routed through a dynamic routing gateway. The outside subnet route rule for destination CIDR 172.16.0.0/12 points to the dynamic routing gateway. The DRG is also used for communication between VCNs; each VCN has an attachment to the dynamic routing gateway.
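The two route tables above decide the egress path with longest-prefix matching: the spoke subnet sends everything to the DRG, and the hub outside subnet splits traffic between the internet gateway (0.0.0.0/0) and the DRG (172.16.0.0/12). The following Python model is an added example, not code from the original page or from Oracle or Cisco; it uses only the CIDRs and route rules described here, and the hop labels, the `trace_egress` and `is_inspected` helper names, and the sample destination addresses (TEST-NET and a constructed on-premises address) are assumptions made for illustration. It lets a defender confirm that every path leaving the spoke crosses the firewall sandwich, and shows how the /12 rule captures 172.31.255.255 but not 172.32.0.1.

```python
"""Trace the north-south egress path of the hub-and-spoke design.

CIDRs and route rules come from the diagram description; hop names and the
sample destinations are constructed for this example.
"""
import ipaddress

SPOKE_VCN = ipaddress.ip_network("10.0.0.0/24")   # web/application VCN
HUB_VCN = ipaddress.ip_network("192.168.0.0/16")   # firewall hub VCN

# Route rules as (destination CIDR, next hop); longest prefix wins.
SPOKE_SUBNET_ROUTES = [("0.0.0.0/0", "DRG")]
HUB_OUTSIDE_SUBNET_ROUTES = [("0.0.0.0/0", "IGW"), ("172.16.0.0/12", "DRG")]

# Constructed hop labels for the firewall sandwich (assumed names).
FIREWALL_HOPS = ["hub-internal-NLB", "FTD-inside(gig0/0)", "FTD-outside(gig0/1)"]


def lookup(routes, dst):
    """Longest-prefix match over a route table; None means no route (dropped)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace_egress(dst):
    """Return the hop list for a packet leaving a spoke VM for dst."""
    addr = ipaddress.ip_address(dst)
    path = ["spoke-subnet"]
    if addr in SPOKE_VCN:
        # Intra-VCN traffic is delivered locally without consulting the route table.
        return path + ["local"]
    first_hop = lookup(SPOKE_SUBNET_ROUTES, dst)
    if first_hop is None:
        return path + ["dropped"]
    # 0.0.0.0/0 via DRG lands in the hub and traverses the NLB/firewall sandwich.
    path += [first_hop] + FIREWALL_HOPS
    exit_hop = lookup(HUB_OUTSIDE_SUBNET_ROUTES, dst)
    return path + [exit_hop if exit_hop is not None else "dropped"]


def is_inspected(dst):
    """True when traffic to dst stays inside the spoke VCN or crosses the firewall."""
    path = trace_egress(dst)
    return path[-1] == "local" or "FTD-inside(gig0/0)" in path


if __name__ == "__main__":
    for sample in ("10.0.0.5", "172.16.5.5", "172.31.255.255", "172.32.0.1", "203.0.113.10"):
        print(sample, "->", " > ".join(trace_egress(sample)), "| inspected:", is_inspected(sample))
```

Running the block prints one line per sample destination; the on-premises addresses end at the DRG, the TEST-NET address ends at the IGW, and the 172.32.0.1 case shows where the /12 rule stops applying. A practical use is to feed the real route tables exported from the tenancy into the same structure and assert `is_inspected` over the destinations the application is allowed to reach.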