This image shows an Oracle Cloud Infrastructure region that includes two availability domains. The region includes three virtual cloud networks (VCNs) in a hub-and-spoke topology connected by a dynamic routing gateway (DRG). The VCNs are arranged here as functional layers.
  • Hub VCN: The hub VCN contains a cluster of two Cisco Threat Defense firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. The hub VCN also includes a Management Center (FMC) VM to manage the Cisco Threat Defense firewalls.
    The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and an nlb subnet.
      • The management subnet uses the primary interface (mgmt) to allow end users to connect to the user interface.
      • The diagnostic subnet uses the secondary interface (diag) for diagnostics of the Cisco Threat Defense firewall.
      • The inside subnet uses the third interface (gig0/0) for internal traffic to or from the Cisco Threat Defense firewall.
      • The outbound subnet uses the fourth interface (gig0/1) for external traffic to or from the Cisco Threat Defense firewall.
      • The nlb subnet allows end users to create a private or public flexible network load balancer, which accepts inbound connections from on-premises networks and from the internet.
      The hub VCN includes the following communication gateways:
      • Internet gateway: Connects internet and external web clients to the Cisco Threat Defense firewall in availability domain 1 through the outside subnet.
      • Dynamic routing gateway: Connects the customer data center and customer premises equipment, over IPSec VPN or FastConnect, to the Cisco Threat Defense firewall in availability domain 1 through the outside subnet. The DRG is also used for communication between VCNs; each VCN has an attachment to the dynamic routing gateway.
      • Service gateway: Connects the hub VCN to OCI Object Storage and other Oracle services for the region.
      The hub VCN includes the following flexible network load balancers:
      • External network load balancer
        • The private load balancer fronts the outside interfaces of the Cisco Threat Defense firewalls. On-premises traffic reaches this load balancer through the DRG.
        • The public load balancer also fronts the outside interfaces of the Cisco Threat Defense firewalls. Internet traffic reaches this load balancer through the internet gateway.
      • The internal network load balancer fronts the inside interfaces of the Cisco Threat Defense firewalls. Traffic to and from the spoke VCNs reaches this load balancer through the dynamic routing gateway (DRG).
  • Web or application spoke VCN: The VCN contains at least one subnet. A load balancer distributes traffic across the web or application VMs in each availability domain. The application tier VCN is connected to the hub VCN over the dynamic routing gateway.
  • Database spoke VCN: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN over the dynamic routing gateway.
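The security-relevant property of this topology is that the spoke VCNs have no path to each other, to on-premises, or to the internet except through the DRG, and that everything the DRG hands to the hub VCN is steered to the internal network load balancer in front of the firewall inside interfaces. The Terraform (OCI provider) fragment below is an added example of how that routing intent is expressed; it is not code from the original page, from Oracle, or from Cisco. The compartment OCID, the OCID of the internal NLB's private IP, the CIDR blocks and the display names are constructed placeholders, and the NLB, subnets and firewall instances themselves are assumed to exist already.

```hcl
# Added example (not from the original page): hub-and-spoke transit routing
# that forces all spoke traffic through the firewall cluster via the internal NLB.
# Every OCID, CIDR and name below is a constructed placeholder.

variable "compartment_id"             { type = string } # assumed: target compartment OCID
variable "internal_nlb_private_ip_id" { type = string } # assumed: OCID of the internal NLB's private IP

locals {
  hub_cidr = "10.0.0.0/16" # constructed
  app_cidr = "10.1.0.0/16" # constructed
  db_cidr  = "10.2.0.0/16" # constructed
}

resource "oci_core_drg" "hub" {
  compartment_id = var.compartment_id
  display_name   = "hub-drg"
}

resource "oci_core_vcn" "hub" {
  compartment_id = var.compartment_id
  cidr_blocks    = [local.hub_cidr]
  display_name   = "hub-vcn"
}

resource "oci_core_vcn" "app" {
  compartment_id = var.compartment_id
  cidr_blocks    = [local.app_cidr]
  display_name   = "app-spoke-vcn"
}

resource "oci_core_vcn" "db" {
  compartment_id = var.compartment_id
  cidr_blocks    = [local.db_cidr]
  display_name   = "db-spoke-vcn"
}

# Ingress route table bound to the hub VCN's DRG attachment: traffic arriving
# from the DRG is delivered to the internal NLB (firewall inside interfaces)
# rather than straight to a hub subnet, so nothing bypasses inspection.
resource "oci_core_route_table" "hub_ingress" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "hub-drg-ingress"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.internal_nlb_private_ip_id
  }
}

resource "oci_core_drg_attachment" "hub" {
  drg_id       = oci_core_drg.hub.id
  display_name = "hub-attachment"
  network_details {
    type           = "VCN"
    id             = oci_core_vcn.hub.id
    route_table_id = oci_core_route_table.hub_ingress.id
  }
}

# DRG route table used by both spoke attachments: the only next hop is the hub
# attachment, so app-to-db, spoke-to-on-premises and spoke-to-internet traffic
# all cross the firewalls. Spoke-to-spoke shortcuts are simply not routable.
resource "oci_core_drg_route_table" "spokes" {
  drg_id       = oci_core_drg.hub.id
  display_name = "spoke-route-table"
}

resource "oci_core_drg_route_table_route_rule" "spokes_default" {
  drg_route_table_id         = oci_core_drg_route_table.spokes.id
  destination                = "0.0.0.0/0"
  destination_type           = "CIDR_BLOCK"
  next_hop_drg_attachment_id = oci_core_drg_attachment.hub.id
}

resource "oci_core_drg_attachment" "spoke" {
  for_each           = { app = oci_core_vcn.app.id, db = oci_core_vcn.db.id }
  drg_id             = oci_core_drg.hub.id
  drg_route_table_id = oci_core_drg_route_table.spokes.id
  display_name       = "${each.key}-attachment"
  network_details {
    type = "VCN"
    id   = each.value
  }
}

# Spoke VCN route table: everything leaving a spoke subnet goes to the DRG.
# Attach this table to the spoke subnets so no subnet keeps a direct gateway.
resource "oci_core_route_table" "spoke_egress" {
  for_each       = { app = oci_core_vcn.app.id, db = oci_core_vcn.db.id }
  compartment_id = var.compartment_id
  vcn_id         = each.value
  display_name   = "${each.key}-to-drg"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_drg.hub.id
  }
}
```

Two points worth checking after applying something like this: the hub attachment keeps the DRG's default VCN route table (or its own), and that table must still learn the spoke CIDRs so return traffic from the firewalls' outside side reaches the spokes, which the DRG's default import distribution provides; and the spoke subnets must not be given any other route table with an internet or service gateway rule, since a stray default route at subnet level would let a spoke VM sidestep the firewall path entirely.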