This image shows an OCI region that includes two availability domains. The region includes three virtual cloud networks (VCNs) in a hub-and-spoke topology connected by a dynamic routing gateway (DRG). The VCNs are arranged as functional layers.
  • Hub VCN: The hub VCN contains a cluster of two VM-Series firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. The hub VCN can also include a management VM (Panorama) to manage the VM-Series firewalls. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and a network load balancer (NLB) subnet.
    • The management subnet uses the primary interface (vNIC0) to allow end users to connect to the firewall's management user interface.
    • The untrust subnet uses the second interface (vNIC1) for external traffic to or from the VM-Series firewall.
    • The trust subnet uses the third interface (vNIC2) for internal traffic to or from the VM-Series firewall.
    • The NLB subnet allows the end user to create a private or public flexible network load balancer, which accepts inbound connections from on-premises networks and from the internet.
    The hub VCN includes the following communication gateways:
    • Internet gateway: Connects the internet and external web clients to the VM-Series firewall in availability domain 1 through the untrust subnet.
    • Dynamic routing gateway (DRG): Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect to the VM-Series firewall in availability domain 1 through the untrust subnet. The DRG also carries traffic between VCNs; each VCN has an attachment to the DRG.
    • Service gateway: Connects the hub VCN to OCI Object Storage and other Oracle services for the region.
    The hub VCN includes the following flexible network load balancers:
    • External network load balancer
      • The private load balancer's backend set contains the untrust interfaces of the VM-Series firewalls. On-premises traffic reaches this load balancer through the DRG.
      • The public load balancer's backend set also contains the untrust interfaces of the VM-Series firewalls. Internet traffic reaches this load balancer through the internet gateway.
    • The internal network load balancer's backend set contains the trust interfaces of the VM-Series firewalls. Traffic to and from the spoke VCNs reaches this load balancer through the DRG.
  • Web or application spoke VCN: The VCN contains at least one subnet. A load balancer distributes traffic between web or application VMs in each availability domain. The application tier VCN is connected to the hub VCN through the DRG.
  • Database spoke VCN: The VCN contains a single subnet. A primary database system resides in availability domain 1 and a standby database system resides in availability domain 2. The database tier VCN is connected to the hub VCN through the DRG.
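The transit path this topology depends on (spoke to DRG to hub VCN, then into the internal NLB that fronts the firewalls' trust interfaces) is undone by a single stray route, so it is worth checking mechanically. The following Python is an added example, not code from the architecture page or from Oracle; it models the two route tables involved and flags any path on which spoke traffic would bypass the firewalls. All attachment names, CIDRs and the NLB address are constructed assumptions.

```python
import ipaddress

# Constructed sample topology: attachment names, CIDRs and the NLB address are assumptions.
SPOKES = {"app-vcn": "10.1.0.0/16", "db-vcn": "10.2.0.0/16"}
HUB_ATTACHMENT = "hub-vcn"
INTERNAL_NLB_IP = "10.0.3.10"   # private IP of the internal NLB in the hub's NLB subnet


def covers(route_cidr, target_cidr):
    """True when route_cidr equals or is a supernet of target_cidr."""
    route, target = ipaddress.ip_network(route_cidr), ipaddress.ip_network(target_cidr)
    return route == target or route.supernet_of(target)


def best_match(routes, target_cidr):
    """Longest-prefix match; routes are tuples whose first element is the destination CIDR.
    Returns the remaining elements of the winning route, or None if nothing matches."""
    matches = [r for r in routes if covers(r[0], target_cidr)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1:]


def audit_transit_routing(spoke_drg_routes, hub_ingress_routes):
    """Return a list of findings for any route that lets spoke traffic bypass the firewalls.

    spoke_drg_routes: {spoke_attachment: [(dest_cidr, next_hop_attachment), ...]}
        the DRG route table assigned to each spoke VCN attachment.
    hub_ingress_routes: [(dest_cidr, next_hop_type, next_hop_target), ...]
        the VCN route table assigned to the hub VCN's DRG attachment (transit routing).
    """
    findings = []
    # 1. Every spoke must hand traffic for every other spoke to the hub attachment.
    for spoke in SPOKES:
        routes = spoke_drg_routes.get(spoke, [])
        for other, other_cidr in SPOKES.items():
            if other == spoke:
                continue
            hop = best_match(routes, other_cidr)
            if hop is None:
                findings.append(f"{spoke}: no DRG route toward {other} ({other_cidr})")
            elif hop[0] != HUB_ATTACHMENT:
                findings.append(f"{spoke}: traffic to {other} ({other_cidr}) goes to "
                                f"{hop[0]}, bypassing the hub firewalls")
    # 2. Inside the hub, traffic arriving from the DRG for a spoke must be steered to the
    #    internal NLB's private IP, which fronts the firewalls' trust interfaces.
    for spoke, cidr in SPOKES.items():
        if best_match(hub_ingress_routes, cidr) != ("private_ip", INTERNAL_NLB_IP):
            findings.append(f"hub: DRG-attachment route for {spoke} ({cidr}) does not "
                            f"target internal NLB {INTERNAL_NLB_IP}")
    return findings
```

An empty list means every inter-spoke path traverses the internal NLB; anything else names the route table and prefix to fix.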