This image shows the east-west traffic flow from the web or application to the database in a regional hub and spoke topology that uses a VM Series firewall. It includes three virtual cloud networks (VCNs):
  • Hub VCN (192.168.0.0/16): The hub VCN houses the VM Series firewalls. The trust subnet uses vNIC2 for internal traffic to or from the VM Series firewall. The hub VCN communicates with spoke VCNs through a dynamic routing gateway (DRG).
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN over the DRG.
  • Database tier spoke VCN (10.0.1.0/24): The VCN contains a single subnet that contains the primary database system. The database tier VCN is connected to the hub VCN over the DRG.
East-west traffic flow from the web or application to the database:
  1. Traffic that moves from the web or application tier to the database tier (10.0.1.10) is routed through the web or application subnet route table (destination 0.0.0.0/0).
  2. Traffic moves from the web or application subnet route table to the DRG for the database tier spoke VCN.
  3. The DRG forwards the traffic according to the hub VCN ingress route table to the internal network load balancer, which distributes it to the VM Series firewall VMs. The network load balancer has more than one backend, each pointing to the trust interface (vNIC2) of a VM Series firewall.
  4. Traffic from the VM Series firewall is routed through the trust subnet route table (destination: 10.0.1.0/24). The firewall performs source NAT on the incoming packet, using the trust interface private IP address as the translated source, so that the database spoke VCN sees the traffic as coming from the firewall's trust interface.
  5. Traffic moves from the trust subnet route table to the DRG for the database spoke VCN.
  6. Traffic moves from the DRG for the database system through the database spoke VCN attachment.
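The six hops above, and the reason the source NAT in step 4 matters, as an added model that is not part of the original page or of Oracle's or Palo Alto's code. It walks a web-to-database packet through the route tables the text names with longest-prefix matching and then traces the database's reply: with source NAT the reply returns directly to the trust vNIC of the firewall that holds the session; without it the reply re-enters through the ingress route table and is hashed by the network load balancer again, which may pick the other firewall. The firewall trust IPs, the database subnet route table and the NLB hash are assumed values, not taken from the page.

```python
import ipaddress
import zlib

# Constructed model of the figure's addresses. Firewall trust IPs are assumed vNIC2
# addresses in the hub VCN; web and database VM addresses follow the text.
WEB_VM, DB_VM = "10.0.0.10", "10.0.1.10"
FW_TRUST = {"fw-a": "192.168.2.11", "fw-b": "192.168.2.12"}   # assumed
HUB_CIDR = "192.168.0.0/16"

# Route tables named in the flow description (destination CIDR -> next hop).
WEB_SUBNET_RT = [("0.0.0.0/0", "DRG")]
DB_SUBNET_RT = [("0.0.0.0/0", "DRG")]                          # assumed
HUB_INGRESS_RT = [("10.0.0.0/24", "NLB"), ("10.0.1.0/24", "NLB")]
TRUST_SUBNET_RT = [("10.0.1.0/24", "DRG"), ("10.0.0.0/24", "DRG")]

def lookup(route_table, dst):
    """Longest-prefix match, the way a VCN route table selects its rule."""
    best = None
    for cidr, hop in route_table:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def nlb_pick(src, dst):
    """Stand-in for the NLB flow hash: a different (src, dst) may land on a different firewall."""
    names = sorted(FW_TRUST)
    return names[zlib.crc32(f"{src}->{dst}".encode()) % len(names)]

def forward(snat=True):
    """Web -> DB through the hub; returns the hops taken and the packet the DB sees."""
    hops = [lookup(WEB_SUBNET_RT, DB_VM)]                  # steps 1-2: 0.0.0.0/0 -> DRG
    hops.append(lookup(HUB_INGRESS_RT, DB_VM))             # step 3: ingress table -> NLB
    fw = nlb_pick(WEB_VM, DB_VM)                           # step 3: NLB picks a trust vNIC
    hops.append(fw)
    src = FW_TRUST[fw] if snat else WEB_VM                 # step 4: source NAT to trust IP
    hops.append(lookup(TRUST_SUBNET_RT, DB_VM))            # steps 5-6: trust table -> DRG -> DB
    return {"firewall": fw, "hops": hops, "packet": (src, DB_VM)}

def reply(fwd):
    """DB's reply to the source it saw; shows which firewall the return traffic reaches."""
    src, dst = DB_VM, fwd["packet"][0]
    hops = [lookup(DB_SUBNET_RT, dst)]
    if ipaddress.ip_address(dst) in ipaddress.ip_network(HUB_CIDR):
        fw = next(n for n, ip in FW_TRUST.items() if ip == dst)   # delivered to that vNIC
        hops.append(fw)
    else:
        hops.append(lookup(HUB_INGRESS_RT, dst))                  # hashed by the NLB again
        fw = nlb_pick(src, dst)
        hops.append(fw)
    return {"firewall": fw, "hops": hops, "symmetric": fw == fwd["firewall"]}
```

Whether the no-SNAT reply happens to land on the same firewall depends on the hash; the point is that it is re-balanced rather than returned to the firewall that holds the session.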