25_1 ‐ Single Public VCN (Hub) Single Private VCN (Spoke) with 3‐Tier Architecture – OCI & Azure - SanjeevOCI/Study GitHub Wiki

Scenario 4 – Single Public VCN (Hub) + Single Private VCN (Spoke) with 3-Tier Architecture – OCI & Azure

Objective

Implement a 3-tier architecture (Web, App, DB) where:

  • Web Tier is in the Public Hub (internet-facing)
  • App Tier is in the Hub Private subnet
  • DB Tier is in the Spoke Private subnet (no internet access)
  • Private tiers reach the internet only outbound, through the Hub NAT Gateway, so the no-direct-internet policy still holds.

OCI Lab Steps

1. Create Hub VCN (Public)

  • CIDR: 10.0.0.0/16
  • Subnets:
    • Hub-Web (10.0.1.0/24) → Internet Gateway (IGW)
    • Hub-App (10.0.2.0/24) → NAT Gateway
  • Gateways:
    • Internet Gateway
    • NAT Gateway
    • DRG

2. Create Spoke VCN (Private)

  • CIDR: 10.1.0.0/16
  • Subnet:
    • Spoke-DB (10.1.1.0/24)
  • Gateways:
    • Service Gateway (SGW) for PaaS
    • DRG Attachment to Hub DRG

3. Routing

  • Spoke Route Table:
    • All OCI Services → SGW-SPOKE
    • 0.0.0.0/0 → DRG
  • Hub-App Route Table:
    • 0.0.0.0/0 → NAT Gateway
    • Spoke CIDR → DRG
  • Hub-Web Route Table:
    • 0.0.0.0/0 → IGW

4. Security

  • Web Tier: Allow inbound HTTP/HTTPS from internet
  • App Tier: Allow inbound only from Web Tier
  • DB Tier: Allow inbound only from App Tier
  • Outbound: TCP 443 for patching/updates

Azure Lab Steps

1. Create Hub VNet

  • Address Space: 10.0.0.0/16
  • Subnets:
    • Hub-Web → NSG allowing inbound HTTP/HTTPS
    • Hub-App → Route to NAT Gateway
  • Resources:
    • NAT Gateway
    • Public IP for Web VMs

2. Create Spoke VNet

  • Address Space: 10.1.0.0/16
  • Subnets:
    • Spoke-DB → NSG inbound from Hub-App only
  • Peering: Allow forwarded traffic

3. Routing

  • Spoke UDR: 0.0.0.0/0 → Hub-App subnet NAT Gateway
  • Hub-Web: Internet-bound via default route

4. Security

  • Web NSG: Inbound HTTP/HTTPS
  • App NSG: Inbound from Web subnet only
  • DB NSG: Inbound from App subnet only
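The tiering rules in the OCI and Azure security sections above are easy to get wrong by one over-broad CIDR, so here is a checker that validates a rule set against them. This is an added example, not the wiki's own code; the rule sets are constructed, and the App port 8080 and DB port 1521 are assumed, since the lab does not fix them.

```python
import ipaddress
from dataclasses import dataclass

# Subnet CIDRs from the lab steps (same ranges in the OCI and Azure variants).
WEB, APP, DB = (ipaddress.ip_network(c) for c in ("10.0.1.0/24", "10.0.2.0/24", "10.1.1.0/24"))
ANY = ipaddress.ip_network("0.0.0.0/0")

# Per tier: the only permitted ingress source prefix and, where restricted, the ports.
POLICY = {
    "Hub-Web": (ANY, {80, 443}),  # internet-facing, HTTP/HTTPS only
    "Hub-App": (WEB, None),       # reachable only from the Web subnet
    "Spoke-DB": (APP, None),      # reachable only from the App subnet, never the internet
}

@dataclass(frozen=True)
class IngressRule:
    """One TCP ingress allow rule (an OCI security list entry or an Azure NSG rule)."""
    source: str  # CIDR admitted by the rule
    port_min: int
    port_max: int

def check_tier(tier, rules):
    """List the policy violations among the ingress rules attached to `tier`."""
    allowed_src, allowed_ports = POLICY[tier]
    problems = []
    for rule in rules:
        src = ipaddress.ip_network(rule.source)
        if not src.subnet_of(allowed_src):
            problems.append(f"{tier}: source {src} is wider than permitted {allowed_src}")
        ports = set(range(rule.port_min, rule.port_max + 1))
        if allowed_ports is not None and not ports <= allowed_ports:
            problems.append(f"{tier}: ports {rule.port_min}-{rule.port_max} not in {sorted(allowed_ports)}")
    return problems

def check_all(rules_by_tier):
    """Check every tier; an empty list means the lab's tiering policy holds."""
    return [p for tier, rules in rules_by_tier.items() for p in check_tier(tier, rules)]

# Constructed sample rule sets (not from the wiki): one compliant, one with common mistakes.
GOOD = {
    "Hub-Web": [IngressRule("0.0.0.0/0", 80, 80), IngressRule("0.0.0.0/0", 443, 443)],
    "Hub-App": [IngressRule("10.0.1.0/24", 8080, 8080)],
    "Spoke-DB": [IngressRule("10.0.2.0/24", 1521, 1521)],
}
BAD = {
    "Hub-Web": [IngressRule("0.0.0.0/0", 22, 22)],        # SSH exposed to the internet
    "Hub-App": [IngressRule("10.0.0.0/16", 8080, 8080)],  # whole Hub VCN, not just Web
    "Spoke-DB": [IngressRule("0.0.0.0/0", 1521, 1521)],   # DB reachable from anywhere
}
```

`check_all(GOOD)` returns an empty list, while `check_all(BAD)` returns one violation per tier; a source narrower than the upstream subnet (for example a /25 inside Hub-Web) still passes.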