25 ‐ Single Public Hub Single Private Spoke (3‐Tier Architecture) – OCI & Azure - SanjeevOCI/Study GitHub Wiki

Scenario 4 – Single Public Hub + Single Private Spoke (3-Tier Architecture) – OCI & Azure

Same as Scenario 3, but the Spoke has:

- Web Subnet (optional public)
- App Subnet (private)
- DB Subnet (private, no internet, only App access)

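Extra Steps:

- Create NSGs (Network Security Groups) to restrict traffic:
  - Web → App → DB
  - No direct Web → DB
- Route the DB subnet only to the Service Gateway (SGW); no NAT Gateway route.
- In Azure, use NSGs plus user-defined routes (UDRs) to enforce the tier-to-tier rules.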
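
The tier rules above can be checked against an exported rule set. The following is an added example, not part of the original wiki: it audits a simplified, constructed model of NSG ingress rules and the DB route table. The field names, ports and sample data are assumptions, not an OCI or Azure schema.

```python
# Added example: simplified, constructed model of NSG ingress rules and a
# route table; the field names are assumptions, not an OCI or Azure API schema.
ALLOWED_FLOWS = {("web", "app"), ("app", "db")}   # Web -> App -> DB only
PRIVATE_TIERS = {"app", "db"}                      # web is "optional public"

def audit(nsg_rules, db_routes):
    """Return a sorted list of findings that violate the tier policy."""
    findings = []
    for r in nsg_rules:
        src, dst, port = r["source"], r["nsg"], r["port"]
        if "/" in src:                      # CIDR source instead of an NSG
            if dst in PRIVATE_TIERS:
                findings.append(f"{dst}: ingress from CIDR {src} on port {port}")
        elif (src, dst) not in ALLOWED_FLOWS:
            findings.append(f"{dst}: ingress from tier '{src}' on port {port} not permitted")
    for route in db_routes:
        if route["target"] != "SGW":        # DB subnet: Service Gateway only
            findings.append(f"db route {route['destination']} -> {route['target']} (only SGW allowed)")
    # A missing hop breaks the application, so report that as well.
    present = {(r["source"], r["nsg"]) for r in nsg_rules}
    for flow in sorted(ALLOWED_FLOWS - present):
        findings.append(f"missing rule for {flow[0]} -> {flow[1]}")
    return sorted(findings)

# Constructed sample data: a compliant layout ...
GOOD_RULES = [
    {"nsg": "web", "source": "0.0.0.0/0", "port": 443},
    {"nsg": "app", "source": "web", "port": 8080},
    {"nsg": "db",  "source": "app", "port": 1521},
]
GOOD_DB_ROUTES = [{"destination": "all-services", "target": "SGW"}]

# ... and a drifted one: Web reaches DB directly and DB has a NAT default route.
BAD_RULES = GOOD_RULES + [{"nsg": "db", "source": "web", "port": 1521}]
BAD_DB_ROUTES = GOOD_DB_ROUTES + [{"destination": "0.0.0.0/0", "target": "NAT"}]

if __name__ == "__main__":
    for name, rules, routes in [("good", GOOD_RULES, GOOD_DB_ROUTES),
                                ("bad", BAD_RULES, BAD_DB_ROUTES)]:
        print(name, audit(rules, routes) or "compliant")
```

Rules that name another tier's NSG as the source, rather than a subnet CIDR, keep the check independent of address changes; the auditor treats any CIDR source on a private tier as a finding for that reason.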