This image shows the east-west traffic flow from OCI Object Storage and other Oracle Services Network to the web application in a regional hub and spoke topology that uses a VM Series firewall. It includes two virtual cloud networks (VCNs):
  • Hub VCN (192.168.0.0/16): The hub VCN houses the VM Series firewalls and internal network load balancer. The trust subnet uses vNIC2 for internal traffic to or from the VM Series firewall. This interface is part of the backend of the internal network load balancer. The hub VCN communicates with spoke VCNs through a dynamic routing gateway (DRG). The hub VCN communicates with OCI Object Storage through a service gateway.
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN over the DRG.
East-west traffic flows from OCI Object Storage to the web or application tier in the following steps:
  1. Traffic that moves from Object Storage to the web or application VM (10.0.0.10) is routed through the service gateway route table (destination 0.0.0.0/0) in the hub VCN.
  2. Traffic moves from the service gateway to the VM Series firewalls in the trust subnet over vNIC2 through the internal network load balancer. The load balancer distributes the flow to one of the VM Series firewalls in its backend set.
  3. Traffic from the VM Series firewall is routed through the trust subnet route table (destination 10.0.0.0/24). The firewall performs source NAT on the incoming packet, using the trust interface's private IP address as the translated source, so that the spoke VCN (web) sees the traffic as coming from the firewall's trust interface.
  4. Traffic moves from the trust subnet route table to the DRG.
  5. Traffic moves from the DRG to the web or application tier spoke VCN.
  6. Traffic moves from the DRG web VCN attachment to the load balancer for the web or application tier.
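As an added example (not part of the original architecture description), the six steps above modelled as hop-by-hop route lookups, so the effect of each route table and of the firewall's source NAT can be checked. The hub and spoke CIDRs and the web VM address come from the page; the NLB frontend address, the firewalls' vNIC2 addresses and the Object Storage source address are constructed for the example.

```python
import ipaddress
import zlib

# Addresses taken from the page: hub VCN, spoke VCN and the web VM.
HUB_VCN = "192.168.0.0/16"
SPOKE_VCN = "10.0.0.0/24"
WEB_VM = "10.0.0.10"
# Constructed for this example (not on the page): the internal NLB frontend,
# the firewalls' vNIC2 (trust) addresses and an Object Storage source address.
NLB_IP = "192.168.1.20"
FW_TRUST_IPS = ("192.168.1.11", "192.168.1.12")
OBJECT_STORAGE_IP = "134.70.0.10"

# Route tables as (destination CIDR, next hop) rules, following the page's flow.
ROUTE_TABLES = {
    "hub-service-gateway-rt": [("0.0.0.0/0", "nlb")],   # step 1
    "hub-trust-subnet-rt": [(SPOKE_VCN, "drg")],         # steps 3-4
}

def lookup(table_name, dst):
    """Longest-prefix match over one route table; None if no rule matches."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(cidr), hop)
               for cidr, hop in ROUTE_TABLES[table_name]
               if dst_ip in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def pick_firewall(src, dst):
    """Deterministic stand-in for the NLB's flow hash across its backend firewalls."""
    return FW_TRUST_IPS[zlib.crc32(f"{src}->{dst}".encode()) % len(FW_TRUST_IPS)]

def trace_east_west(src, dst):
    """Walk the six steps; return the hop list and the packet as the spoke sees it."""
    hops = []
    if lookup("hub-service-gateway-rt", dst) != "nlb":
        raise ValueError("service gateway route table must steer to the NLB")
    hops.append(("service-gateway", NLB_IP))
    fw = pick_firewall(src, dst)
    hops.append(("nlb->firewall", fw))                    # step 2
    src = fw                                              # step 3: source NAT to the trust vNIC
    if lookup("hub-trust-subnet-rt", dst) != "drg":
        raise ValueError("trust subnet route table has no route to the spoke")
    hops.append(("trust-rt->drg", SPOKE_VCN))             # steps 4-5
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(SPOKE_VCN):
        raise ValueError("DRG has no attachment for this destination")
    hops.append(("drg->spoke-lb", dst))                   # step 6
    return hops, (src, dst)

if __name__ == "__main__":
    for hop in trace_east_west(OBJECT_STORAGE_IP, WEB_VM)[0]:
        print(hop)
```

The returned packet tuple shows the source the spoke actually sees is a firewall trust address, not Object Storage, which is what keeps the return path symmetric through the same firewall.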