This image shows the north-south outbound traffic flow from the web or application (spoke) VCN through the hub VCN in a region that uses a VM Series firewall.

The OCI region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web or application tier) connected by dynamic routing gateway (DRG) attachments.
  • Spoke (web or application) VCN (10.0.0.0/24): The VCN contains a single subnet. An application load balancer distributes traffic between the web or application VMs in each of the availability domains. Outbound traffic from the application load balancer to the hub VCN is routed over the dynamic routing gateway (DRG). The spoke subnet route table sends the destination CIDR 0.0.0.0/0 (all addresses) through the DRG.
  • Hub VCN (192.168.0.0/16): The hub VCN contains a cluster of two VM Series firewall virtual machines (VMs), one in each availability domain, sandwiched between an internal and an external flexible network load balancer (NLB). The hub VCN can also include a management VM (Panorama) to manage the VM Series firewalls. The hub VCN includes four subnets: a management subnet, a trust subnet, an untrust subnet, and an NLB subnet.
    • The management subnet uses the primary interface (vNIC0) to allow end users to connect to the firewall user interface.
    • The untrust subnet uses the second interface (vNIC1) for external traffic to or from the VM Series firewall.
    • The trust subnet uses the third interface (vNIC2) for internal traffic to or from the VM Series firewall.
    • The NLB subnet allows end users to create a private or public flexible network load balancer, which accepts connections from on-premises and inbound connections from the internet.
Outbound traffic from the spoke (web or application) VCN enters the hub VCN through the internal network load balancer, which sends the traffic to the VM Series firewall trust interfaces, and then out through the untrust subnet to external targets.
  • VM Series firewall: Traffic from the DRG is routed through the internal network load balancer to the VM Series firewall trust interfaces in the trust subnet, and then through the hub VCN gateways to external targets. Source NAT happens here, using the untrust interface private IP of each firewall, to support outbound traffic.
  • Internet gateway: Traffic to the internet and external web clients is routed through an internet gateway. The untrust subnet route table sends the destination CIDR 0.0.0.0/0 (all addresses) to the internet gateway.
  • Dynamic routing gateway: Traffic to the customer data center is routed through a DRG. The untrust subnet route table sends the destination CIDR 172.16.0.0/12 to the DRG; because this prefix is more specific than 0.0.0.0/0, it takes precedence over the internet gateway rule. The DRG is also used to support communication between VCNs. Each VCN has an attachment to the DRG.
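As an added illustration (example code written for this page, not OCI's API or the architecture's own configuration), the following Python models the spoke and untrust route tables described above, resolves each hop by longest-prefix match, and traces one outbound flow including the source NAT on the firewall's untrust interface. The firewall untrust IP 192.168.2.10 and the gateway labels are constructed values.

```python
import ipaddress
from typing import List, Optional, Tuple

# One route rule: (destination CIDR, next-hop network entity). The hop names
# are labels for the gateways in the description, not OCI resource OCIDs.
Route = Tuple[str, str]

# Spoke (web/application) subnet route table: 0.0.0.0/0 via the DRG.
SPOKE_RT: List[Route] = [("0.0.0.0/0", "DRG")]

# Hub untrust subnet route table: on-premises range via the DRG,
# everything else via the internet gateway.
UNTRUST_RT: List[Route] = [("172.16.0.0/12", "DRG"), ("0.0.0.0/0", "IGW")]

# Constructed sample value: private IP of the untrust interface (vNIC1)
# on the firewall that handles this flow; used as the SNAT source.
FW_UNTRUST_IP = "192.168.2.10"


def next_hop(route_table: List[Route], dst: str) -> Optional[str]:
    """Resolve dst against a route table using longest-prefix match."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, hop in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def egress_gateway(dst: str) -> Optional[str]:
    """Gateway the untrust subnet uses to leave the hub VCN for dst."""
    return next_hop(UNTRUST_RT, dst)


def outbound_path(src: str, dst: str) -> Tuple[str, List[str]]:
    """Trace the outbound hops; return (source address seen by target, hops)."""
    hops = [f"spoke-subnet -> {next_hop(SPOKE_RT, dst)}",
            "hub-internal-nlb -> firewall trust interface (vNIC2)",
            f"firewall SNAT {src} -> {FW_UNTRUST_IP} on untrust interface (vNIC1)",
            f"untrust-subnet -> {egress_gateway(dst)}"]
    return FW_UNTRUST_IP, hops


if __name__ == "__main__":
    for dst in ("8.8.8.8", "172.20.1.1"):
        seen_src, hops = outbound_path("10.0.0.5", dst)
        print(dst, "sees source", seen_src)
        for hop in hops:
            print("  ", hop)
```

Destinations inside 172.16.0.0/12 leave via the DRG and all others via the internet gateway, which is the precedence a route-table audit should confirm.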