This image shows an Oracle Cloud Infrastructure region that includes two
availability domains. The region includes three virtual cloud networks (VCNs) in a
hub-and-spoke topology connected by a dynamic routing gateway (DRG). The VCNs are
arranged here as functional layers.
- Hub VCN: The hub VCN contains a cluster of two Cisco Threat Defense firewall
virtual machines (VMs), one in each availability domain, sandwiched between an
internal and an external flexible network load balancer. The hub VCN also includes
a Management Center (FMC) VM that manages the Cisco Threat Defense firewalls.
The hub VCN includes four subnets:
- A management subnet, a trust subnet, an untrust subnet, and an nlb subnet.
- The management subnet uses the primary interface (mgmt) to allow end users to connect to the firewall's user interface.
- The diagnostic subnet uses the secondary interface (diag) for diagnostics on the Cisco Threat Defense firewall.
- The inside subnet uses the third interface (gig0/0) for internal traffic to or from the Cisco Threat Defense firewall.
- The outbound subnet uses the fourth virtual interface (gig0/1) for external traffic to or from the Cisco Threat Defense firewall.
- The nlb subnet allows end users to create a private or public flexible network load balancer, which accepts inbound connections from on-premises and from the internet.
- Internet gateway: Connects the internet and external web clients to the Cisco Threat Defense firewall in availability domain 1 through the outside subnet.
- Dynamic routing gateway: Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect to the Cisco Threat Defense firewall in availability domain 1 through the outside subnet. The DRG is also used for communication between VCNs; each VCN has an attachment to the DRG.
- Service gateway: Connects the hub VCN to OCI Object Storage and other Oracle services in the region.
- External network load balancer
- The private load balancer fronts the outside interfaces of the Cisco Threat Defense firewalls. On-premises traffic reaches this load balancer through the DRG.
- The public load balancer also fronts the outside interfaces of the Cisco Threat Defense firewalls. Internet traffic reaches this load balancer through the internet gateway.
- The internal network load balancer fronts the inside interfaces of the Cisco Threat Defense firewalls. Traffic to and from the spoke VCNs reaches this load balancer through the DRG.
- Web or application spoke VCN: The VCN contains at least one subnet. A load balancer manages traffic between web or application VMs in each of the availability domains. The application tier VCN is connected to the hub VCN over the DRG.
- Database spoke VCN: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN over the DRG.
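The topology above only inspects spoke traffic if every spoke route table sends egress to the DRG (and on to the hub firewalls) rather than straight to a gateway in the spoke. The following check, added here and not part of the original architecture description, audits route tables in the JSON shape returned by `oci network route-table list`; the sample data and all OCIDs are constructed placeholders, and it also flags NAT gateways, which the description does not mention.

```python
"""Audit spoke-VCN route tables: egress must go via the hub DRG, never around it.

Added example; not part of the original architecture page. Input mirrors the
JSON shape of `oci network route-table list`. Sample data is constructed and
every OCID below is a placeholder.
"""
import json

# Placeholder OCID of the hub DRG that all spoke egress must traverse.
HUB_DRG_ID = "ocid1.drg.oc1..hub-drg-placeholder"

# Constructed sample: the app spoke is correct; the db spoke has a default
# route that points at an internet gateway, skipping the hub firewalls.
SAMPLE_ROUTE_TABLES = json.dumps({"data": [
    {"display-name": "app-spoke-rt",
     "vcn-id": "ocid1.vcn.oc1..app-spoke-placeholder",
     "route-rules": [
         {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
          "network-entity-id": HUB_DRG_ID}]},
    {"display-name": "db-spoke-rt",
     "vcn-id": "ocid1.vcn.oc1..db-spoke-placeholder",
     "route-rules": [
         {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
          "network-entity-id": "ocid1.internetgateway.oc1..rogue-igw-placeholder"},
         {"destination": "10.0.0.0/16", "destination-type": "CIDR_BLOCK",
          "network-entity-id": HUB_DRG_ID}]},
]})


def entity_type(ocid):
    """Return the resource-type segment of an OCID, e.g. 'drg' or 'internetgateway'."""
    parts = ocid.split(".")
    return parts[1] if len(parts) > 1 else ""


def audit_spoke_route_tables(route_table_json, hub_drg_id):
    """Return findings as strings; an empty list means every spoke egresses via the hub DRG."""
    findings = []
    for rt in json.loads(route_table_json)["data"]:
        name = rt["display-name"]
        rules = rt["route-rules"]
        if not any(r["destination"] == "0.0.0.0/0" for r in rules):
            findings.append(f"{name}: no default route, egress is not forced through the hub")
        for rule in rules:
            target = rule["network-entity-id"]
            kind = entity_type(target)
            if kind in ("internetgateway", "natgateway"):
                findings.append(f"{name}: {rule['destination']} -> {kind} bypasses the hub firewall")
            elif rule["destination"] == "0.0.0.0/0" and target != hub_drg_id:
                findings.append(f"{name}: default route points at {kind}, not the hub DRG")
    return findings


if __name__ == "__main__":
    for finding in audit_spoke_route_tables(SAMPLE_ROUTE_TABLES, HUB_DRG_ID):
        print(finding)
```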