26 - Single Public VCN (Hub) is Protected + Single Private VCN (Spoke) with 3-Tier Architecture – OCI & Azure - SanjeevOCI/Study GitHub Wiki

Scenario 5 – Single Public VCN (Hub) is Protected + Single Private VCN (Spoke) with 3-Tier Architecture – OCI & Azure

Objective

Same as Scenario 4, but the public Hub gets perimeter protection: internet traffic must pass a Firewall, NSG rules and/or a WAF before it is allowed into the Web tier.


OCI Lab Steps

1. Create Hub VCN (Public, Protected)

  • CIDR: 10.0.0.0/16
  • Subnets:
    • Hub-Web (10.0.1.0/24) → Internet Gateway via Firewall
    • Hub-App (10.0.2.0/24) → NAT Gateway
  • Gateways:
    • Internet Gateway
    • NAT Gateway
    • DRG
  • Security Appliance:
    • OCI Network Firewall or 3rd-party NVA in DMZ subnet

2. Create Spoke VCN (Private)

  • CIDR: 10.1.0.0/16
  • Subnet:
    • Spoke-DB (10.1.1.0/24)
  • Gateways:
    • Service Gateway (SGW) for PaaS
    • DRG Attachment to Hub DRG

3. Routing

  • Spoke Route Table:
    • All OCI Services → SGW-SPOKE
    • 0.0.0.0/0 → DRG
  • Hub-App Route Table:
    • 0.0.0.0/0 → NAT Gateway
    • Spoke CIDR → DRG
  • Hub-Web Route Table:
    • 0.0.0.0/0 → Firewall → IGW

4. Security

  • Web Tier: Inbound only via Firewall/WAF
  • App Tier: Inbound only from Web Tier
  • DB Tier: Inbound only from App Tier
  • Outbound: TCP 443 for updates

Azure Lab Steps

1. Create Hub VNet (Protected)

  • Address Space: 10.0.0.0/16
  • Subnets:
    • Hub-Web → Internet via Azure Firewall/WAF
    • Hub-App → Route to NAT Gateway
  • Resources:
    • NAT Gateway
    • Azure Firewall/WAF in DMZ subnet
    • Public IP for Firewall

2. Create Spoke VNet

  • Address Space: 10.1.0.0/16
  • Subnets:
    • Spoke-DB → NSG inbound from Hub-App only
  • Peering: Allow forwarded traffic

3. Routing

  • Spoke UDR: 0.0.0.0/0 → Hub-App subnet NAT Gateway
  • Hub-Web UDR: 0.0.0.0/0 → Azure Firewall

4. Security

  • Web NSG: Inbound only via Firewall/WAF public IP
  • App NSG: Inbound from Web subnet only
  • DB NSG: Inbound from App subnet only
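A policy check for the step 4 tier-isolation rules in both labs, added here as an example and not part of the wiki: it models the Hub-Web, Hub-App and Spoke-DB subnets from the OCI steps and flags any security-list or NSG rule that lets a tier accept inbound traffic from anything other than the tier (or appliance) in front of it, or send internet-bound traffic other than TCP 443. The firewall address 10.0.250.10 and the sample rule set are constructed, and the example assumes the firewall/WAF presents its own address as the source when forwarding into Hub-Web.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional
# Tier subnets from the lab: Hub-Web and Hub-App in the Hub VCN, Spoke-DB in the Spoke VCN.
TIERS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.1.1.0/24"),
}
# Constructed address of the firewall/WAF interface that forwards traffic into Hub-Web.
FIREWALL = ip_network("10.0.250.10/32")
# Step 4: each tier accepts inbound only from the appliance or tier directly in front of it.
ALLOWED_INBOUND = {"web": [FIREWALL], "app": [TIERS["web"]], "db": [TIERS["app"]]}
UPDATE_PORT = 443  # step 4: internet-bound outbound is TCP 443 for updates only

@dataclass(frozen=True)
class Rule:
    tier: str            # tier whose security list / NSG carries the rule
    direction: str       # "ingress" or "egress"
    cidr: str            # source CIDR for ingress, destination CIDR for egress
    protocol: str        # "tcp", "udp", "icmp" or "all"
    port: Optional[int]  # destination port; None means all ports

def rule_violations(rules):
    """Return (rule, reason) pairs for rules that break the 3-tier policy."""
    findings = []
    for r in rules:
        net = ip_network(r.cidr)
        if r.direction == "ingress":
            allowed = ALLOWED_INBOUND[r.tier]
            if not any(net.subnet_of(a) for a in allowed):
                findings.append((r, f"{r.tier} accepts inbound from {net}; allowed: {[str(a) for a in allowed]}"))
        else:
            # Egress to another tier is constrained by that tier's ingress rules; any other
            # destination (e.g. 0.0.0.0/0) must be TCP 443 only.
            internal = any(net.subnet_of(t) for t in TIERS.values())
            if not internal and not (r.protocol == "tcp" and r.port == UPDATE_PORT):
                findings.append((r, f"{r.tier} egress to {net} is {r.protocol}/{r.port}; only tcp/443 allowed"))
    return findings

# Constructed sample: the intended rules plus two common mistakes.
SAMPLE_RULES = [
    Rule("web", "ingress", "10.0.250.10/32", "tcp", 443),  # from firewall/WAF: ok
    Rule("app", "ingress", "10.0.1.0/24", "tcp", 8080),    # from Web tier: ok
    Rule("db", "ingress", "10.0.2.0/24", "tcp", 1521),     # from App tier: ok
    Rule("db", "ingress", "0.0.0.0/0", "tcp", 1521),       # mistake: DB open to the internet
    Rule("app", "egress", "10.1.1.0/24", "tcp", 1521),     # to DB tier: ok
    Rule("app", "egress", "0.0.0.0/0", "tcp", 443),        # updates: ok
    Rule("web", "egress", "0.0.0.0/0", "all", None),       # mistake: unrestricted egress
]
```

Calling `rule_violations(SAMPLE_RULES)` reports the two mistaken rules; the same check covers the Azure NSGs in step 4 once the tier subnets are filled in from the VNet address spaces.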