Deployments Supported on OCI

Use the VM-Series firewall on OCI to secure your cloud environment in the following scenarios:
  • North-South Traffic—You can use the VM-Series firewall to secure traffic entering your cloud network from an untrusted source or exiting your cloud network to reach an untrusted source. For either type of traffic, you must configure route table rules in your VCN and NAT policy rules on the firewall.
    In this example, outbound traffic is exiting the trust subnet in your VCN. You must configure a source address translation policy that translates to a public IP address, and a route table rule that redirects that traffic to the firewall. The route rule points outgoing traffic to the firewall’s interface in the trust subnet of the VCN. When the firewall receives this traffic, it performs the source address translation on the traffic and applies any other security policy you have configured.
    [Figure: secure-north-south-traffic.png]
  • Inter-VCN Traffic (East-West)—The VM-Series firewall allows you to secure traffic moving within your cloud environment between Virtual Cloud Networks (VCN). Each subnet must belong to a different VCN because, by default, no route rules are used to enable traffic within a VCN. In this scenario, you configure an interface on the firewall connected to a subnet in each VCN.
    In the example below, a user in the Trust Subnet wants to access data in the DB Subnet. Configure a route on OCI whose destination is the DB Subnet CIDR and whose next hop points to the VM-Series firewall interface in the Trust Subnet.
    [Figure: secure-east-west-traffic.png]
OCI uses a series of route tables to send traffic out of your VCN and one route table is added to each subnet. A subnet is a division of your VCN. If you do not specify a route table, the subnet uses the VCN’s default route table.
Each route table rule specifies a destination CIDR block and a next hop (target) for any traffic that matches the CIDR. OCI only uses a subnet’s route table if the destination IP address is outside the VCN’s specified CIDR block; route rules are not required to enable traffic within the VCN. If traffic matches overlapping rules, OCI uses the most specific rule in the route table to route the traffic.
If there is no route rule that matches the traffic that is attempting to leave the VCN, the traffic is dropped.
Each subnet requires a route table, and once you have added a route table to a subnet, you cannot change it. However, you can add, remove, or edit rules in a route table after it has been created.
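
The route selection rules above can be checked against a planned route table before you rely on it to steer traffic through the firewall. The following Python sketch is an added example, not part of the original documentation; the CIDRs and target labels (fw-trust-vnic, internet-gateway) are constructed, and it models only the behavior described on this page.

```python
import ipaddress

# Constructed sample values (not from the page): one VCN and the route table
# attached to its trust subnet. Target names are hypothetical labels.
VCN_CIDR = "10.0.0.0/16"
FIREWALL = "fw-trust-vnic"
TRUST_ROUTE_TABLE = [
    ("0.0.0.0/0", FIREWALL),               # outbound (north-south) via firewall
    ("10.1.0.0/24", FIREWALL),             # DB subnet in another VCN (east-west)
    ("192.0.2.0/24", "internet-gateway"),  # more specific rule that skips the firewall
]


def next_hop(dest_ip, vcn_cidr, route_rules):
    """Return the target chosen for dest_ip under the rules described above.

    "local" means the destination is inside the VCN, so the route table is
    not consulted. None means no rule matched and the traffic is dropped.
    """
    dest = ipaddress.ip_address(dest_ip)
    if dest in ipaddress.ip_network(vcn_cidr):
        return "local"
    matches = [
        (ipaddress.ip_network(cidr), target)
        for cidr, target in route_rules
        if dest in ipaddress.ip_network(cidr)
    ]
    if not matches:
        return None
    # Overlapping rules: the most specific (longest prefix) rule wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def bypass_rules(route_rules, firewall_target):
    """List rules whose next hop is not the firewall (uninspected paths)."""
    return [(c, t) for c, t in route_rules if t != firewall_target]


if __name__ == "__main__":
    for ip in ("10.0.5.9", "10.1.0.20", "192.0.2.10", "203.0.113.7"):
        print(ip, "->", next_hop(ip, VCN_CIDR, TRUST_ROUTE_TABLE))
    print("bypass:", bypass_rules(TRUST_ROUTE_TABLE, FIREWALL))
```

Any rule returned by bypass_rules is a destination range that leaves the subnet without passing through the firewall, even when a default route to the firewall exists, because the more specific rule takes precedence.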
