This image shows the north-south inbound traffic flow between the hub VCN and the web/application (spoke) VCN in a region that uses Check Point CloudGuard Network Security. The Oracle Cloud Infrastructure region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web/application tier) connected by local peering gateways (LPGs).
- Hub VCN (10.0.0.0/24): The hub VCN contains a high-availability pair of Check Point Security Gateway virtual machines (VMs), one in each availability domain. The hub VCN has two subnets, a frontend subnet and a backend subnet. The frontend subnet hosts virtual network interface card 1 (vNIC1) of each gateway and carries external traffic to and from the Check Point Security Gateway; the backend subnet hosts vNIC2 and carries internal traffic to and from the gateway.
Inbound traffic enters the hub VCN from external sources through the frontend subnet to the Check Point Security Gateway, and then leaves through the backend subnet to the local peering gateway (LPG):
- Internet gateway: Traffic from the internet and external web clients routes to the Check Point Security Gateway VM in availability domain 1 through the frontend subnet. The route rule for the frontend subnet has destination CIDR 0.0.0.0/0 (all addresses).
- Dynamic routing gateway (DRG): Traffic from the customer data center (172.16.0.0/12) routes to the Check Point Security Gateway VM in availability domain 1 through the frontend subnet, so on-premises traffic passes the gateway before it reaches the spoke. The DRG route rule has destination CIDR 192.168.0.0/24 (the spoke VCN).
- Check Point Security Gateway: Traffic passes through the gateway VM, where the Check Point security policy is applied, and out through the backend subnet to the LPG. The route rule for the backend subnet has destination CIDR 192.168.0.0/24 (the spoke VCN).
- Local peering gateway: Traffic from the backend subnet to the spoke VCN is routed over the LPG.
- Web/application tier spoke VCN (192.168.0.0/24): The VCN contains a single subnet. A load balancer distributes traffic to the web/application VMs in each availability domain. Traffic from the hub VCN reaches the load balancer over the LPG. The route rule for the spoke subnet has destination CIDR 0.0.0.0/0 (all addresses), so traffic leaving the spoke returns over the LPG to the hub rather than exiting the spoke directly.
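The routing described above is easiest to reason about as a set of longest-prefix-match tables, one per routing entity, with a trace that follows a destination address from its entry point until it is delivered. The example below is added here and is not from the page, from Oracle, or from Check Point; it uses the page's CIDRs (10.0.0.0/24 hub, 192.168.0.0/24 spoke, 172.16.0.0/12 on-premises) but the node names, the ingress rule on the internet gateway, the rule on the hub-side LPG and the gateway's return route to the DRG are assumptions made to complete the path. It also shows the failure the spoke's 0.0.0.0/0 rule prevents: if the spoke's default route pointed at a (hypothetical) spoke-side internet gateway, replies would leave without passing the security gateway and the flow would become asymmetric.

```python
"""Longest-prefix-match model of the hub-and-spoke routing described above.

Constructed example, not OCI's API or the page's own configuration: node
names, the ingress rules on the internet gateway and hub-side LPG, and the
gateway's route back to the DRG are assumptions; the CIDRs are the page's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    destination: str  # CIDR the rule matches
    target: str       # routing entity a matching packet is handed to


class RouteTable:
    """OCI picks the most specific matching destination, not the first rule."""

    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name = name
        self.rules = [(ipaddress.ip_network(r.destination), r.target) for r in rules]

    def lookup(self, dst: str) -> Optional[str]:
        dst_ip = ipaddress.ip_address(dst)
        matches = [(net, tgt) for net, tgt in self.rules if dst_ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


SPOKE = "192.168.0.0/24"
ONPREM = "172.16.0.0/12"

# A rule that targets an LPG crosses the peering link; the packet then enters
# the peer VCN and is routed by the table attached to the peer LPG.
PEER = {"hub-lpg": "spoke-lpg", "spoke-lpg": "hub-lpg"}
TERMINALS = {"spoke-subnet", "internet", "on-prem"}

TABLES: Dict[str, RouteTable] = {
    # Ingress rule on the internet gateway (assumed): spoke-bound traffic is
    # handed to the gateway VM's frontend vNIC instead of going straight in.
    "igw": RouteTable("igw-rt", [Rule(SPOKE, "firewall"), Rule("0.0.0.0/0", "internet")]),
    # DRG route rule from the page: 192.168.0.0/24 -> security gateway.
    "drg": RouteTable("drg-rt", [Rule(SPOKE, "firewall"), Rule(ONPREM, "on-prem")]),
    # The gateway forwards out of whichever vNIC's subnet table matches:
    # backend subnet 192.168.0.0/24 -> LPG; frontend subnet 0.0.0.0/0 -> IGW,
    # plus an assumed on-premises route back to the DRG.
    "firewall": RouteTable("gateway-egress", [Rule(SPOKE, "hub-lpg"),
                                              Rule(ONPREM, "drg"),
                                              Rule("0.0.0.0/0", "igw")]),
    # Table attached to the hub-side LPG (assumed): everything the spoke sends
    # back to the hub is steered through the gateway.
    "hub-lpg": RouteTable("hub-lpg-rt", [Rule("0.0.0.0/0", "firewall")]),
    # Spoke side of the peering: destinations inside the spoke VCN are local.
    "spoke-lpg": RouteTable("spoke-lpg-rt", [Rule(SPOKE, "spoke-subnet")]),
    # Spoke subnet rule from the page: 0.0.0.0/0 -> LPG, so replies go via the hub.
    "spoke-subnet": RouteTable("spoke-rt", [Rule("0.0.0.0/0", "spoke-lpg")]),
}


def trace(start: str, dst: str, tables: Dict[str, RouteTable],
          max_hops: int = 16) -> List[str]:
    """Follow a packet for `dst` from `start` until it reaches a terminal."""
    path, cur = [start], start
    for _ in range(max_hops):
        target = tables[cur].lookup(dst)
        if target is None:
            raise LookupError(f"{tables[cur].name}: no route to {dst}")
        if target in PEER:            # crossing the LPG: record both ends
            path.append(target)
            target = PEER[target]
        path.append(target)
        if target in TERMINALS:
            return path
        cur = target
    raise RuntimeError(f"routing loop after {max_hops} hops: {path}")


# Constructed flows: the two inbound paths from the page plus their return paths.
FLOWS: List[Tuple[str, str]] = [
    ("igw", "192.168.0.20"),
    ("drg", "192.168.0.20"),
    ("spoke-subnet", "203.0.113.5"),
    ("spoke-subnet", "172.16.5.9"),
]


def bypasses(tables: Dict[str, RouteTable]) -> List[Tuple[str, str]]:
    """Flows that reach their destination without passing the security gateway."""
    return [(s, d) for s, d in FLOWS if "firewall" not in trace(s, d, tables)]


def misconfigured_tables() -> Dict[str, RouteTable]:
    """Same design, except the spoke's default route points at a hypothetical
    spoke-side internet gateway: replies leave uninspected and asymmetrically."""
    bad = dict(TABLES)
    bad["spoke-subnet"] = RouteTable("spoke-rt-bad", [Rule("0.0.0.0/0", "spoke-igw")])
    bad["spoke-igw"] = RouteTable("spoke-igw-rt", [Rule("0.0.0.0/0", "internet")])
    return bad


if __name__ == "__main__":
    for start, dst in FLOWS:
        print(f"{start} -> {dst}: {' > '.join(trace(start, dst, TABLES))}")
    print("uninspected flows (page's design):", bypasses(TABLES))
    print("uninspected flows (spoke default -> IGW):", bypasses(misconfigured_tables()))
```

With the page's design every flow, inbound and return, lists `firewall` in its path; with the spoke's default route moved to a spoke-side internet gateway, both return flows skip it, which is the check worth running against real route tables before the design is trusted.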