24_1 ‐ Single Public VCN (Hub) Single Private VCN (Spoke) – OCI & Azure - SanjeevOCI/Study GitHub Wiki

Scenario 3 – Single Public VCN (Hub) + Single Private VCN (Spoke) – OCI & Azure

Objective

Connect a Private VCN/VNet (no internet gateway, no public IPs) to a Public VCN/VNet (with internet) so that private workloads reach the internet only through the Hub's NAT path, while the Spoke itself keeps a “no-internet” posture.


OCI Lab Steps

1. Create Hub VCN (Public)

  • CIDR: 10.0.0.0/16
  • Subnets:
    • Hub-Public (10.0.1.0/24) → Internet Gateway (IGW)
    • Hub-Private (10.0.2.0/24) → NAT Gateway
  • Gateways:
    • Internet Gateway
    • NAT Gateway
    • DRG (Dynamic Routing Gateway)

2. Create Spoke VCN (Private)

  • CIDR: 10.1.0.0/16
  • Subnet:
    • Spoke-Private (10.1.1.0/24)
  • Gateways:
    • Service Gateway (SGW) for private access to OCI services (no internet path needed)
    • DRG Attachment to Hub DRG

3. Routing

  • Spoke Route Table:
    • All OCI Services → SGW-SPOKE
    • 0.0.0.0/0 → DRG
  • Hub Route Table (Private Subnet):
    • 0.0.0.0/0 → NAT Gateway
    • Return route: 10.1.0.0/16 (Spoke CIDR) → DRG
  • Hub Route Table (Public Subnet):
    • 0.0.0.0/0 → IGW

4. Security

  • Spoke egress: TCP 443 only
  • Admin access: via Bastion in Hub-Public
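
The Spoke side of steps 2 to 4 above, written as Terraform for the OCI provider. This is an added example, not part of the wiki; it assumes a configured OCI provider and that the Hub VCN, its NAT Gateway and the DRG from step 1 already exist, with their OCIDs passed in as `var.compartment_id`, `var.hub_vcn_id`, `var.hub_nat_gateway_id` and `var.drg_id` (names chosen here, not from the page).

```hcl
# Assumed to exist already (from step 1): the Hub VCN, its NAT Gateway and the DRG.
resource "oci_core_vcn" "spoke" {
  compartment_id = var.compartment_id
  cidr_blocks    = ["10.1.0.0/16"]
  display_name   = "Spoke-VCN"
}
# The Spoke's only path out is the DRG attachment: no Internet Gateway, no NAT Gateway.
resource "oci_core_drg_attachment" "spoke" {
  drg_id = var.drg_id
  network_details {
    type = "VCN"
    id   = oci_core_vcn.spoke.id
  }
}
resource "oci_core_route_table" "spoke" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.spoke.id
  route_rules { # 0.0.0.0/0 -> DRG; the Hub decides what, if anything, leaves
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.drg_id
  }
}
resource "oci_core_security_list" "spoke" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.spoke.id
  egress_security_rules { # TCP 443 only; no ingress rules at all
    protocol    = "6"
    destination = "0.0.0.0/0"
    tcp_options {
      min = 443
      max = 443
    }
  }
}
resource "oci_core_subnet" "spoke_private" {
  compartment_id             = var.compartment_id
  vcn_id                     = oci_core_vcn.spoke.id
  cidr_block                 = "10.1.1.0/24"
  display_name               = "Spoke-Private"
  prohibit_public_ip_on_vnic = true # no instance in the Spoke can get a public IP
  route_table_id             = oci_core_route_table.spoke.id
  security_list_ids          = [oci_core_security_list.spoke.id]
}
```

For the Spoke's 0.0.0.0/0 traffic to actually exit, the Hub's "0.0.0.0/0 → NAT Gateway" route table from step 3 has to be associated with the Hub VCN's DRG attachment (transit routing through the DRG), not only with the Hub-Private subnet.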

Azure Lab Steps

1. Create Hub VNet

  • Address Space: 10.0.0.0/16
  • Subnets:
    • Hub-Public → NSG allowing inbound RDP/SSH (to the Bastion only), outbound to internet
    • Hub-Private → Route to NAT Gateway
  • Resources:
    • NAT Gateway
    • VPN Gateway (optional)
    • Public IP for Bastion

2. Create Spoke VNet

  • Address Space: 10.1.0.0/16
  • Subnets:
    • Spoke-Private → NSG outbound TCP 443
  • Peering to Hub: Allow forwarded traffic

3. Routing

  • Spoke UDR: 0.0.0.0/0 → Hub-Private subnet NAT Gateway
  • Hub-Public: Internet-bound via default route

4. Security

  • Restrict inbound to Bastion only
  • Outbound TCP 443 for updates