# 24 ‐ Single Public VCN (Hub) Single Private VCN (Spoke) – OCI & Azure (SanjeevOCI/Study GitHub Wiki)

## Scenario 3 – Single Public VCN (Hub) + Single Private VCN (Spoke) – OCI & Azure

### Objective

Connect a Private VCN/VNet (no internet) to a Public VCN/VNet (with internet) so that the private workloads can reach the internet only through the Hub, while the Spoke itself keeps its "no-internet" posture (no internet gateway of its own).

## OCI Lab Steps

### Create Hub VCN (Public)

- CIDR: 10.0.0.0/16
- Subnets:
  - Hub-Public (10.0.1.0/24) → IGW
  - Hub-Private (10.0.2.0/24) → NAT Gateway
- Gateways:
  - Internet Gateway
  - NAT Gateway
  - DRG

### Create Spoke VCN (Private)

- CIDR: 10.1.0.0/16
- Subnet:
  - Spoke-Private (10.1.1.0/24)
- Gateways:
  - Service Gateway (SGW) for private access to OCI PaaS services
  - DRG Attachment to the Hub DRG

### Routing

- Spoke Route Table:
  - all-oci-services → SGW-SPOKE
  - 0.0.0.0/0 → DRG
- Hub Route Table (Private Subnet):
  - 0.0.0.0/0 → NAT GW
  - Return route to the Spoke CIDR (10.1.0.0/16) → DRG
- Hub Route Table (Public Subnet):
  - 0.0.0.0/0 → IGW

### Security

- Spoke egress: TCP 443 only
- Admin access: via Bastion in Hub-Public

## Azure Lab Steps

### Create Hub VNet

- Address Space: 10.0.0.0/16
- Subnets:
  - Hub-Public → NSG allowing inbound RDP/SSH, outbound to internet
  - Hub-Private → Route to NAT Gateway
- Resources:
  - NAT Gateway
  - VPN Gateway (optional)
  - Public IP for Bastion

### Create Spoke VNet

- Address Space: 10.1.0.0/16
- Subnets:
  - Spoke-Private → NSG outbound TCP 443
- Peering to Hub (Allow forwarded traffic)

### Routing

- Spoke UDR: 0.0.0.0/0 → Hub-Private subnet NAT Gateway
- Hub-Public: Internet-bound via default route

### Security

- Restrict inbound to Bastion only
- Outbound TCP 443 for updates