This post is a checklist of the items you'll need when you have a Firewall (or Hub) VCN that you route traffic to, with a third-party firewall appliance (such as Palo Alto) inspecting that traffic. You have to understand the different route tables involved and which routes you have to set in each of them.
What this post will NOT do is show how the firewall's own routing is done. That's just because it's outside of my expertise!
We'll be using the Dynamic Routing Gateway (DRG) heavily in this one, so as a reminder, I've written some posts on the DRG earlier as well:
DRG Attachment Basics here.
DRG Attachments and Dynamic Route Import Distributions here.
DRG attachment and Remote Peering Connections here.
It's important to understand which route tables have an impact and where. I have made a very basic diagram below to explain this, so it'll be easier to understand why a given route is needed.
In short, there are three route tables we're interested in. The first is the subnet route table, which handles traffic leaving the subnet (and therefore the VCN). The second is the DRG route table associated with the VCN attachment, which handles traffic arriving at the DRG from that VCN and tells the DRG where the traffic should go next. The third is the VCN route table associated with the DRG attachment on the VCN side (not a subnet route table!), which handles traffic arriving into the VCN from the DRG. Each of these is consulted in turn, and a missing rule in any one of them means the packet never reaches the firewall.
It all might seem really overwhelming at first, but once you've done it a few times it's easy to reason through what needs to be where.
In this example I want all traffic coming from and going to the VCNs to go through the firewall. Similarly, any traffic leaving to the public internet (or coming in from it) should go through the firewall. Therefore there will be no NAT or Internet Gateways on any VCN other than the Firewall (Hub) VCN.
I'll need the setup shown in the diagram below.
Let's drill down into this by looking at what happens when traffic leaves VCN C.
One thing I use to validate that everything looks good is to go to the DRG attachment's route table and click Get All Route Rules. That shows every route the attachment knows, both static and dynamic. For the VCN C (spoke) attachment's route table, remember you want a static route towards the Firewall (Hub) VCN attachment. That can cover either all traffic or only public internet traffic, depending on your use case. Also check that no more specific route (for example another spoke's CIDR learned through an import distribution) points directly at that spoke's attachment, because longest-prefix matching means such a route wins over the static one and the traffic bypasses the firewall.
This turned out to be a lengthy post, and a large part of it is also available in the OCI documentation, which has good examples as well. What this post aims to explain is why a given route table is needed and where each route has to be so that everything works.
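To make the hop-by-hop logic concrete, here is a small model of the lookups a packet from a VCN C subnet goes through on its way to the firewall and onwards. This is an added example written for this post, not OCI code or anything from the OCI SDK; the CIDRs, the firewall's private IP, the attachment names and the table contents are all hypothetical and constructed for the illustration. It walks the same three tables described above (subnet route table, DRG route table on the spoke attachment, VCN route table on the hub attachment) plus the two the firewall's second leg needs, and reports whether a destination is delivered through the firewall, dropped, or reached while bypassing inspection.

```python
import ipaddress

# Constructed topology for this example; CIDRs, IPs and attachment names are hypothetical.
HUB_CIDR = "10.0.0.0/16"
SPOKE_B_CIDR = "10.1.0.0/16"
SPOKE_C_CIDR = "10.2.0.0/16"
FIREWALL_IP = "10.0.1.10"             # private IP of the firewall's NIC in the hub VCN
ATT_HUB, ATT_B, ATT_C = "att-hub", "att-spoke-b", "att-spoke-c"


def lookup(table, dst):
    """Longest-prefix match over [(cidr, target), ...]; returns None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def working_tables():
    """Route tables for 'everything leaving spoke C goes through the firewall'."""
    return {
        # 1. subnet route table in VCN C: everything non-local goes to the DRG
        "c_subnet": [("0.0.0.0/0", "DRG")],
        # 2. DRG route table on VCN C's attachment: static route towards the hub attachment
        "c_attachment": [("0.0.0.0/0", ATT_HUB)],
        # 3. VCN route table on the hub attachment (ingress): hand everything to the firewall
        "hub_vcn_ingress": [("0.0.0.0/0", FIREWALL_IP)],
        # 4. subnet route table of the firewall subnet in the hub VCN (second leg)
        "fw_subnet": [(SPOKE_B_CIDR, "DRG"), (SPOKE_C_CIDR, "DRG"), ("0.0.0.0/0", "NAT")],
        # 5. DRG route table on the hub attachment: spoke CIDRs learned via import distribution
        "hub_attachment": [(SPOKE_B_CIDR, ATT_B), (SPOKE_C_CIDR, ATT_C)],
    }


def trace_from_spoke_c(dst, t):
    """Walk the tables a packet from a VCN C subnet consults, in order.

    Returns (path, verdict). verdict is 'delivered' (via the firewall),
    'bypassed' (reached a destination without firewall inspection) or 'dropped'.
    """
    ip = ipaddress.ip_address(dst)
    path = []
    if ip in ipaddress.ip_network(SPOKE_C_CIDR):
        return ["local"], "bypassed"                      # intra-VCN traffic never hits the DRG
    if lookup(t["c_subnet"], dst) != "DRG":               # 1. leave the subnet / VCN
        return path, "dropped"
    path.append("DRG")
    nh = lookup(t["c_attachment"], dst)                   # 2. DRG table of VCN C's attachment
    if nh is None:
        return path, "dropped"
    path.append(nh)
    if nh != ATT_HUB:
        return path, "bypassed"                           # a more specific route skipped the hub
    if lookup(t["hub_vcn_ingress"], dst) != FIREWALL_IP:  # 3. VCN (ingress) table on hub attachment
        # Without an ingress rule only hub-local destinations are reachable, and uninspected.
        return path, ("bypassed" if ip in ipaddress.ip_network(HUB_CIDR) else "dropped")
    path.append("firewall")
    if ip in ipaddress.ip_network(HUB_CIDR):
        return path + ["hub-local"], "delivered"
    nh = lookup(t["fw_subnet"], dst)                      # 4. firewall subnet table
    if nh in ("NAT", "IGW"):
        return path + [nh], "delivered"
    if nh != "DRG":
        return path, "dropped"
    path.append("DRG")
    nh = lookup(t["hub_attachment"], dst)                 # 5. DRG table of the hub attachment
    if nh is None:
        return path, "dropped"
    return path + [nh], "delivered"


if __name__ == "__main__":
    tables = working_tables()
    for dst in ("10.1.5.5", "8.8.8.8", "10.0.5.5"):
        print(dst, trace_from_spoke_c(dst, tables))
    broken = working_tables()
    broken["hub_vcn_ingress"] = []                         # forgot the hub VCN ingress rule
    print("no ingress rule:", trace_from_spoke_c("10.1.5.5", broken))
    leaky = working_tables()
    leaky["c_attachment"].append((SPOKE_B_CIDR, ATT_B))   # spoke B CIDR imported into spoke C's table
    print("imported spoke route:", trace_from_spoke_c("10.1.5.5", leaky))
```

The two broken variants at the end are the ones worth remembering: dropping the hub VCN ingress rule makes spoke-to-spoke traffic silently disappear at the hub attachment, while importing another spoke's CIDR into the spoke attachment's table lets that more specific route beat the static default and send traffic spoke-to-spoke with no inspection.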
Hope this helps!