Routing Traffic to a Network Firewall
Scenarios showing how to route network traffic to a firewall.
This topic shows several scenarios for routing traffic to a network firewall. See the following resources for more information about network routing:
Note
Before you begin:
- An Oracle Cloud Infrastructure VCN and subnets. For more information, see VCNs and Subnets.
- Required IAM Service Policy permissions that allow you to work with network resources like VCNs, subnets, and route tables.
- A network firewall with an attached policy in the VCN.
Important
- For better performance, Oracle recommends that you don't add stateful rules to the security list attached to the firewall subnet, or include the firewall in a network security group (NSG) that contains stateful rules.
- Security list or network security group (NSG) rules associated with the firewall subnet and VNICs are evaluated before the firewall. Be sure that any security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
- If the policy you use with the firewall doesn't have any rules specified, the firewall denies all traffic.
To route on-premises traffic through a network firewall
Here's an example of how to set up routing from an on-premises network to your Oracle Cloud Infrastructure VCN using a Dynamic Routing Gateway (DRG). Each step contains a link to specific instructions:
To route internet traffic through a network firewall
In this example, routing is configured from the internet to the firewall. Traffic is routed from the internet gateway (IGW), through the firewall, and then from the firewall subnet to a public subnet.
To route intra-VCN traffic through a network firewall
In this example, traffic is routed from Subnet A to the firewall. From the firewall, traffic is routed to Subnet B using the VCN's implicit 10.0.0.0 to "local" route (not shown).
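The intra-VCN scenario above, as an added example that is not Oracle's own code or tooling: a Python model of the route tables involved, with rules in the JSON shape the OCI CLI `--route-rules` parameter accepts, a longest-prefix lookup showing why Subnet A's more specific rule overrides the implicit VCN-local route, and a check that the return path also crosses the firewall. The CIDRs, the placeholder OCID, and the `next_hop`, `path` and `inspected_both_ways` helpers are assumptions made for this example.

```python
import ipaddress

# Constructed addressing for the intra-VCN scenario; the OCID is a placeholder, not a real identifier.
VCN_CIDR = "10.0.0.0/16"
SUBNET_A = "10.0.1.0/24"
SUBNET_B = "10.0.2.0/24"
FW_PRIVATE_IP_OCID = "ocid1.privateip.oc1..<firewall-private-ip-placeholder>"

def route_rule(destination, network_entity_id, description):
    """One route rule in the JSON shape the OCI CLI --route-rules parameter accepts."""
    return {"destination": destination, "destinationType": "CIDR_BLOCK",
            "networkEntityId": network_entity_id, "description": description}

# Subnet A's route table: a rule more specific than the VCN CIDR wins longest-prefix match,
# so Subnet B traffic goes to the firewall's private IP instead of the implicit local route.
SUBNET_A_RULES = [route_rule(SUBNET_B, FW_PRIVATE_IP_OCID, "Subnet B via firewall")]
# Subnet B's mirror rule keeps the return path on the firewall as well (see check below).
SUBNET_B_RULES = [route_rule(SUBNET_A, FW_PRIVATE_IP_OCID, "Subnet A via firewall")]
# The firewall subnet needs no explicit rule: the implicit VCN CIDR -> local route reaches Subnet B.
FIREWALL_SUBNET_RULES = []

def next_hop(dst_ip, rules, vcn_cidr=VCN_CIDR):
    """Longest-prefix match over explicit rules plus the implicit VCN-local route."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(r["destination"]).prefixlen, r["networkEntityId"])
                  for r in rules if dst in ipaddress.ip_network(r["destination"])]
    if dst in ipaddress.ip_network(vcn_cidr):
        candidates.append((ipaddress.ip_network(vcn_cidr).prefixlen, "local"))
    return max(candidates)[1] if candidates else None

def path(dst_ip, source_rules):
    """Hops a packet takes from a subnet with the given route table to dst_ip."""
    hops = []
    hop = next_hop(dst_ip, source_rules)
    if hop == FW_PRIVATE_IP_OCID:
        hops.append("firewall")
        hop = next_hop(dst_ip, FIREWALL_SUBNET_RULES)  # the firewall's subnet forwards it on
    hops.append(hop)
    return hops

def inspected_both_ways(a_ip, a_rules, b_ip, b_rules):
    """True only if A->B and B->A both traverse the firewall (no asymmetric bypass)."""
    return "firewall" in path(b_ip, a_rules) and "firewall" in path(a_ip, b_rules)

if __name__ == "__main__":
    print(path("10.0.2.5", SUBNET_A_RULES))  # ['firewall', 'local']
    print(inspected_both_ways("10.0.1.5", SUBNET_A_RULES, "10.0.2.5", SUBNET_B_RULES))  # True
    print(inspected_both_ways("10.0.1.5", SUBNET_A_RULES, "10.0.2.5", []))  # False
```

Leaving Subnet B's route table without the mirror rule makes the B-to-A reply bypass the firewall, which a stateful policy will not see.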