This image shows the north-south outbound traffic flow from the web/application (spoke) VCN through the hub VCN in a region that uses Check Point CloudGuard Network Security. The Oracle Cloud Infrastructure region includes two availability domains. The region contains a hub VCN and a single spoke VCN (web/application tier) connected by local peering gateways (LPG).
- Spoke (web/application) VCN (192.168.0.0/24): The VCN contains a single subnet. A load balancer manages traffic between web/application VMs in each of the availability domains. Outbound traffic from the load balancer to the hub VCN is routed over a local peering gateway. The spoke subnet route rule for the LPG uses the destination CIDR 0.0.0.0/0 (all addresses).
- Hub VCN (10.0.0.0/24): The hub VCN contains a high-availability network across two Check Point Security Gateway virtual machines (VMs), with one VM in each of the availability domains. The hub VCN includes two subnets: a frontend subnet and a backend subnet. The frontend subnet uses virtual network card 1 (vNIC1) for external traffic to or from the Check Point Security Gateway. The backend subnet uses vNIC2 for internal traffic to or from the Check Point Security Gateway. Outbound traffic from the spoke (web/application) VCN enters the hub VCN backend subnet, passes through the Check Point Security Gateway, and then leaves through the frontend subnet to external targets.
- Local peering gateway: Traffic from the spoke VCN to the hub VCN backend subnet is routed over the LPG. The backend subnet route rule uses the destination CIDR 0.0.0.0/0 (all addresses).
- Check Point Security Gateway: Traffic arriving over the LPG is routed through the Check Point Security Gateway VM in availability domain 1 and out through the frontend subnet, where the hub VCN gateways forward it to external targets.
- Internet gateway: Traffic to the internet and external web clients is routed through an internet gateway. The frontend subnet route rule for the internet gateway uses the destination CIDR 0.0.0.0/0 (all addresses).
- Dynamic routing gateway: Traffic to the customer data center is routed through a dynamic routing gateway. The frontend subnet route rule for the dynamic routing gateway uses the destination CIDR 172.16.0.0/12.
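The following Python model is an added example and is not code from Oracle or Check Point; it simulates the three route tables described above (spoke subnet, hub backend subnet, hub frontend subnet) with the CIDRs from this page, so you can check which egress gateway a given destination reaches. The next-hop labels (`lpg-to-hub`, `checkpoint-vnic2`, and so on) and the rule that a packet consults the next subnet's route table after each hop are assumptions of the model, not OCI identifiers; security lists, NAT on the gateway, and the implicit intra-VCN route are deliberately left out. The point it makes is that the frontend subnet's two rules are resolved by longest-prefix match: anything inside 172.16.0.0/12 goes to the dynamic routing gateway, everything else falls through to 0.0.0.0/0 and the internet gateway.

```python
import ipaddress

# Constructed model of the route tables in this architecture.
# CIDRs are the ones stated on the page; next-hop names are labels only.
ROUTE_TABLES = {
    "spoke-subnet": [
        ("0.0.0.0/0", "lpg-to-hub"),
    ],
    "hub-backend": [
        ("0.0.0.0/0", "checkpoint-vnic2"),
    ],
    "hub-frontend": [
        ("0.0.0.0/0", "internet-gateway"),
        ("172.16.0.0/12", "dynamic-routing-gateway"),
    ],
}

# After each hop, which route table the packet consults next (assumption):
# the LPG delivers into the backend subnet; the Check Point gateway forwards
# out its vNIC1 into the frontend subnet. Egress gateways have no next table.
NEXT_TABLE = {
    "lpg-to-hub": "hub-backend",
    "checkpoint-vnic2": "hub-frontend",
}


def lookup(table_name, dst):
    """Longest-prefix match over one route table; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, hop in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(dst, start="spoke-subnet"):
    """Follow the hops from the spoke subnet until an egress gateway is reached.

    Returns the ordered list of next hops, ending with the egress gateway or
    'no-route' if some table has no matching rule.
    """
    path = []
    table = start
    while table is not None:
        hop = lookup(table, dst)
        if hop is None:
            path.append("no-route")
            break
        path.append(hop)
        table = NEXT_TABLE.get(hop)
    return path


def egress(dst):
    """Return only the final egress gateway for a destination."""
    return trace(dst)[-1]


if __name__ == "__main__":
    # Constructed sample destinations: a public address and a data-center address.
    for target in ("203.0.113.10", "172.20.1.5", "172.32.0.1"):
        print(f"{target:>14} -> {' -> '.join(trace(target))}")
```

Running the block prints the hop sequence for each sample destination; `172.32.0.1` is shown because it lies just outside 172.16.0.0/12 (which covers 172.16.0.0 through 172.31.255.255) and therefore exits via the internet gateway rather than the DRG, a boundary worth confirming when you review the frontend subnet's route rules.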