This image shows the north-south inbound traffic flow between the hub VCN and the web or application (spoke) VCN in a region that uses VM Series firewalls. The OCI region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by a dynamic routing gateway (DRG).
  • Hub VCN (192.168.0.0/16): The hub VCN contains a cluster of two VM Series Firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer. The hub VCN can also include a management VM (Panorama) to manage the VM Series firewalls. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and an NLB subnet.
    • The management subnet uses the primary interface (vNIC0) to allow end users to connect to the firewall user interface.
    • The untrust subnet uses the second interface (vNIC1) for external traffic to or from the VM Series firewall.
    • The trust subnet uses the third interface (vNIC2) for internal traffic to or from the VM Series firewall.
    • The NLB subnet allows end users to create a private or public flexible network load balancer, which accepts inbound connections from on-premises networks and from the internet.
  • Inbound traffic enters the hub VCN from external sources through the external network load balancer's IP address and reaches the VM Series firewalls:
    • Internet gateway: Traffic from the internet and external web clients is routed to the external public network load balancer and then to one of the VM Series firewalls through its untrust interface. The public network load balancer has a public IP address, which allows clients to connect from outside OCI. The default route has a destination CIDR of 0.0.0.0/0 (all addresses) and targets the first host IP address in the untrust subnet CIDR.
    • Dynamic routing gateway (DRG): Traffic from the customer data center (172.16.0.0/12) is routed to the external private network load balancer and then to one of the VM Series firewalls through its untrust interface. The DRG route destination CIDRs are 10.0.0.0/24 or 10.0.1.0/24, that is, the spoke VCNs. The DRG also carries communication between VCNs; each VCN has an attachment to the DRG.
    • VM Series Firewall: Traffic is routed through the firewall VM and the trust subnet to the DRG. Source address translation happens on the VM Series firewall, using the trust interface IP address. The trust subnet route table's destination CIDRs are the spoke VCN CIDRs (10.0.0.0/24 or 10.0.1.0/24, the application and database spoke VCNs); the route target is the first host IP address in the trust subnet CIDR.
    • DRG: Traffic from the trust subnet to the spoke VCN is routed over the DRG.
      • Application or web: If traffic is destined for this spoke VCN, it is routed through the DRG attachment for the application or web VCN.
      • Database: If traffic is destined for this spoke VCN, it is routed through the DRG attachment for the database VCN.
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer distributes traffic between the web and application VMs in each availability domain. Traffic from the hub VCN to the application load balancer is routed over the DRG. The spoke subnet's route table sends its default route (destination CIDR 0.0.0.0/0, all addresses) through the DRG.
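The following Python model is an added illustration of the route tables and the inbound hop sequence described above; it is not OCI or Palo Alto code, and it does not configure anything. The hub, on-premises and spoke CIDRs come from the description, while the untrust and trust subnet CIDRs inside the hub VCN, the firewall's trust interface address, and the route-table and attachment names are assumptions made for the example. It performs longest-prefix-match lookups over the described route tables, traces an inbound connection from the internet or from the data center through the load balancer, firewall (with SNAT to the trust interface), and DRG to the right spoke attachment, and includes a defender check that the spoke's only route points back to the DRG, so no spoke traffic can bypass the firewall.

```python
import ipaddress
from typing import Optional

# CIDRs from the architecture description.
HUB_VCN = ipaddress.ip_network("192.168.0.0/16")
ON_PREM = ipaddress.ip_network("172.16.0.0/12")
SPOKE_ATTACHMENTS = {  # DRG attachment name (assumed) -> spoke VCN CIDR (from the page)
    "app-web-vcn": ipaddress.ip_network("10.0.0.0/24"),
    "database-vcn": ipaddress.ip_network("10.0.1.0/24"),
}
# Assumed hub subnets and firewall trust-interface (vNIC2) address used for SNAT.
UNTRUST_SUBNET = ipaddress.ip_network("192.168.1.0/24")
TRUST_SUBNET = ipaddress.ip_network("192.168.2.0/24")
TRUST_IF_IP = ipaddress.ip_address("192.168.2.10")


def first_host(net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """OCI reserves the first host address of a subnet for the subnet's default gateway."""
    return net.network_address + 1


# Route tables as (destination CIDR, target) pairs, mirroring the description:
# untrust default route, trust routes to the spokes, DRG routes to attachments,
# and the spoke subnet's default route back to the DRG.
ROUTE_TABLES = {
    "hub-untrust": [("0.0.0.0/0", f"gateway:{first_host(UNTRUST_SUBNET)}")],
    "hub-trust": [(str(cidr), f"gateway:{first_host(TRUST_SUBNET)}")
                  for cidr in SPOKE_ATTACHMENTS.values()],
    "drg": [(str(cidr), f"attachment:{name}") for name, cidr in SPOKE_ATTACHMENTS.items()],
    "spoke-subnet": [("0.0.0.0/0", "drg")],
}


def lookup(table: str, dst: str) -> Optional[str]:
    """Longest-prefix-match route lookup; returns the target or None if no route matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def trace_inbound(src: str, dst: str) -> dict:
    """Walk the inbound path: entry point -> external NLB -> firewall -> DRG -> spoke."""
    hops = []
    # On-premises sources arrive via the DRG and the private NLB; everyone else
    # arrives via the internet gateway and the public NLB.
    if ipaddress.ip_address(src) in ON_PREM:
        hops += ["drg", "external-private-nlb"]
    else:
        hops += ["internet-gateway", "external-public-nlb"]
    hops.append("vm-series:untrust(vNIC1)")
    # Security policy is enforced on the firewall; the description states only
    # that the source is translated to the trust interface address.
    translated_src = str(TRUST_IF_IP)
    trust_route = lookup("hub-trust", dst)
    if trust_route is None:
        return {"hops": hops, "delivered": False, "reason": "no trust-subnet route"}
    hops += ["vm-series:trust(vNIC2)", trust_route, "drg"]
    attachment = lookup("drg", dst)
    if attachment is None:
        return {"hops": hops, "delivered": False, "reason": "no DRG route"}
    hops += [attachment, "application-load-balancer"]
    return {"hops": hops, "delivered": True, "source_after_snat": translated_src}


def spoke_egress_is_inspected() -> bool:
    """Defender check: every spoke route must target the DRG (and so the firewall),
    never an internet or NAT gateway that would bypass inspection."""
    return all(target == "drg" for _, target in ROUTE_TABLES["spoke-subnet"])


if __name__ == "__main__":
    # Constructed sample sources: one internet client, one data-center host.
    print(trace_inbound("203.0.113.7", "10.0.1.25"))
    print(trace_inbound("172.20.4.9", "10.0.0.8"))
    print("spoke egress inspected:", spoke_egress_is_inspected())
```

The `spoke_egress_is_inspected` check is the part worth keeping when reviewing a real deployment: the inbound path is only as good as the return path, and a spoke route table that gains a direct internet or NAT gateway route would let return traffic, and any spoke-initiated traffic, skip the firewall.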