23 ‐ OCI Hub‐and‐Spoke: Public Hub VCN Private Spoke VCN (with DRG, NGW, SGW, Bastion) - SanjeevOCI/Study GitHub Wiki
Design a secure, scalable architecture where:
- The Hub VCN has internet connectivity for management and outbound services.
- The Spoke VCN has no internet but can access Object Storage privately and perform OS updates via the Hub.
- Use Dynamic Routing Gateway (DRG) for transitive routing.
- Include OCI Bastion in the Hub to manage the private Spoke instance.
- Reflect OCI best practices and highlight interview-relevant insights.
[On-Prem / Admin Network] | (VPN/FC optional) | [DRG] in Hub VCN (Transit) / \
-
Subnets:
- Public Subnet (e.g., 10.0.1.0/24) for Bastion and NAT tools.
- Private Subnet (e.g., 10.0.2.0/24) for internal services.
-
Gateways:
- Internet Gateway (IGW) for outbound internet.
- NAT Gateway (NAT GW) for egress from Spokes.
- Service Gateway (SGW-HUB) optionally, for Hub workloads.
- Dynamic Routing Gateway (DRG).
-
Routing:
- Public Subnet RT:
0.0.0.0/0 → IGW - Private Subnet RT:
0.0.0.0/0 → NAT GW-
all-oci-services-in-oracle-services-network → SGW-HUB(optional)
- Public Subnet RT:
- Place OCI Bastion in the Hub Public Subnet.
- Use it to SSH/RDP into the Spoke Private VM—no public IP required on the Spoke VM.
- Private Subnet only (e.g., 10.1.1.0/24).
- Service Gateway (SGW-SPOKE) for Object Storage and OSMS access.
- Attach to Hub’s DRG.
- Create DRG attachments for both Hub and Spoke VCNs.
- Configure DRG Route Tables and Route Distributions:
- Spoke DRG RT: send Spoke 0.0.0.0/0 via Hub attachment.
- Hub DRG RT: advertise Spoke CIDR (10.1.0.0/16) and optionally default route to Hub.
-
Spoke Private Subnet:
all-oci-services-in-oracle-services-network → SGW-SPOKE-
0.0.0.0/0 → DRG(for NAT through Hub)
-
Hub Private Subnet:
- If using SGW-HUB:
all-oci-services-in-oracle-services-network → SGW-HUB - Ensure return paths for Spoke CIDR route to Spoke VM.
- If using SGW-HUB:
-
Spoke:
- Egress: allow TCP 443 to SGW-SPOKE (Service Tag) and NAT (0.0.0.0/0)
- Ingress: allow from Bastion subnet (TCP 22/3389) as needed
-
Hub:
- Public Subnet: allow SSH from admin sources
- Private Subnet: allow inbound from Spoke for NAT path (TCP 443)
- Bastion subnet: only necessary ports inbound from trusted sources
- No public IP.
- Access it via Bastion in Hub (session over DRG).
- Validate Object Storage access (
oci os ns get). - Validate OS updates (NAT via Hub).
# On Spoke VM (via Bastion tunnel):
oci os ns get --region <region> # should succeed via SGW
curl https://ifconfig.me # should show Hub NAT IP
sudo yum check-update # update via NAT
ping 8.8.8.8 # should fail (no public internet inbound)
---
**Why This Design Shows Hands-On Knowledge (Interview Nuggets)**
* Gateways are VCN-level in OCI—SGW and NAT GW must be created first, then referenced in route tables.
* DRG is the proper hub—supports transit, multi-VN routing, and future on-prem/VPN attachments.
* SGWs are not transitive—each VCN needs its own if it needs private OCI service access.
* Bastion in public subnet (instead of VM jump-boxes) keeps your architecture secure and maintenance-free.
* Route Table and Security List discipline—only required paths open, egress limited to TCP/443, zero inbound from internet.
* DRG Transit Control with DRG route tables/distributions demonstrates deep transit knowledge.
* Future-ready: easy to add spokes, scale NAT, attach on-prem, or split PEs into separate subnets.
**Optional Enhancements (Best Practices)**
* Use Azure-like naming conventions (HUB-VCN, SPOKE-VCN, DRG-HQ, SGW-HUB, etc.) for consistency.
* Use NSGs instead of raw Security Lists for VM-level granularity.
* Implement VCN Flow Logs and OCI Monitoring for auditing and visibility.
* Add optional OCI Network Firewall in Hub for deep inspection.
* If needed: Deploy dedicated PEs in Spoke (e.g., for Database), ensuring route tables include them appropriately.
**Summary Checklist**
* Hub VCN: IGW, NAT GW, optional SGW, DRG, Bastion.
* Spoke VCN: Private subnet, SGW-SPOKE, DRG attachment.
* DRG with appropriate route tables/transits.
* Route Tables: Spoke → SGW + DRG; Hub → NAT GW + SGW-Basic.
* Security: restricted egress, Bastion in Hub, NSG discipline.
* Verification: Object Storage, NAT egress, no public access.
Bookmark interview talking points: DRG transit, gateway roles, secure access with Bastion, scalable hub-and-spoke pattern.
This gives you a polished, complete, and interview-ready blueprint merging both earlier scenarios into a full Hub-and-Spoke with Bastion, DRG, NAT & Service Gateways—and is fully aligned to OCI best practices.
---
### Why NAT Gateway Instead of Internet Gateway for Spoke Outbound?
1. **Spoke VCN is Private by Design**
- No direct inbound internet connectivity should exist.
- Routing Spoke traffic via Hub → Internet Gateway would expose an inbound path (unless heavily firewalled).
2. **Outbound-Only Security with NAT Gateway**
- NAT Gateway allows only outbound connections initiated by the Spoke VM.
- It drops all unsolicited inbound connections automatically.
3. **OCI Best Practice**
- **Public subnets** → Internet Gateway (controlled inbound/outbound).
- **Private subnets** → NAT Gateway (outbound-only).
- This ensures workloads remain isolated from unsolicited internet traffic.
4. **Consistency with Security Posture**
- Original "Private VCN with No Internet" design used NAT Gateway for controlled outbound.
- Extending the same to Hub-and-Spoke maintains a consistent security posture.
---
### 📌 Interview-Ready Answer:
> "While we could route Spoke traffic through the Hub’s Internet Gateway, this would technically allow inbound access paths from the internet. Using a NAT Gateway ensures outbound-only traffic from private workloads while maintaining OCI’s recommended security model, aligning with the principle of least exposure."
---