Use the VM-Series firewall on OCI to
secure your cloud environment in the following scenarios:
North-South Traffic—You can use the VM-Series firewall
to secure traffic entering your cloud network from an untrusted
source or exiting your cloud network to reach an untrusted source.
For either type of traffic, you must configure route table rules
in your VCN and NAT policy rules on the firewall.
For example, outbound traffic is exiting the trust subnet in your VCN.
You must configure a source address translation policy that translates
the traffic to a public IP address, and a route table rule that
redirects that traffic to the firewall. The route rule points outgoing
traffic to the firewall’s interface in the trust subnet of the VCN.
When the firewall receives this traffic, it performs the source address
translation and applies any other security policy you have configured.
Inter-VCN Traffic (East-West)—The VM-Series firewall allows
you to secure traffic moving within your cloud environment between
Virtual Cloud Networks (VCNs). Each subnet must belong to a different
VCN because, by default, route rules are not used for traffic
within a VCN. In this scenario, you configure an interface on the
firewall connected to a subnet in each VCN.
In the example
below, a user in the Trust Subnet wants to access data in the DB Subnet.
Configure a route rule in OCI for the DB Subnet CIDR whose next hop
points to the firewall’s interface in the Trust Subnet.
OCI uses a series of route tables to send traffic out of your
VCN and one route table is added to each subnet. A subnet is a division
of your VCN. If you do not specify a route table, the subnet uses
the VCN’s default route table.
Each route table rule specifies a destination CIDR block and
a next hop (target) for any traffic that matches the CIDR. OCI only
uses a subnet’s route table if the destination IP address is outside
the VCN’s specified CIDR block; route rules are not required to
enable traffic within the VCN. If traffic matches overlapping rules,
OCI uses the most specific rule in the route table to route the traffic.
If there is no route rule that matches the traffic that
is attempting to leave the VCN, the traffic is dropped.
Each subnet requires a route table and once you have added a
route table to a subnet, you cannot change it. However, you can
add, remove, or edit rules in a route table after it has been created.
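The route-table evaluation described above (rules consulted only for destinations outside the VCN CIDR, most specific matching rule wins, no match means drop) and the north-south flow in which a default route steers egress to the firewall for source NAT can be modelled in a few lines. The following is an added example, not code from Palo Alto Networks or Oracle; the VCN CIDRs, subnet addresses, next-hop names and the public IP are constructed for illustration, and the lookup follows the behaviour stated on this page rather than any OCI API.

```python
"""Model of OCI subnet route-table evaluation and the VM-Series egress path.

Added example; not Oracle's or Palo Alto Networks' code. All CIDRs,
addresses and next-hop names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RouteRule:
    destination: str  # CIDR block the rule matches
    next_hop: str     # target, e.g. the firewall's trust-subnet interface


@dataclass(frozen=True)
class RouteTable:
    vcn_cidr: str          # the VCN this subnet belongs to
    rules: List[RouteRule]


INTRA_VCN = "intra-vcn"


def lookup(table: RouteTable, dst_ip: str) -> Optional[str]:
    """Return where OCI sends a packet for dst_ip leaving this subnet.

    INTRA_VCN -> destination is inside the VCN CIDR; rules are not consulted.
    None      -> no rule matches; OCI drops the traffic.
    otherwise -> next hop of the most specific (longest-prefix) matching rule.
    """
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(table.vcn_cidr):
        return INTRA_VCN
    best: Optional[Tuple[int, str]] = None  # (prefix length, next hop)
    for rule in table.rules:
        net = ipaddress.ip_network(rule.destination)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, rule.next_hop)
    return best[1] if best else None


def egress_after_firewall(table: RouteTable, src_ip: str, dst_ip: str,
                          firewall_hop: str, public_ip: str) -> Optional[Tuple[str, str]]:
    """North-south egress: the route rule must deliver the packet to the
    firewall, which then applies source NAT to the public IP. Returns the
    (source, destination) pair as it leaves the firewall, or None if the
    packet never reaches the firewall (dropped, intra-VCN, or another hop)."""
    if lookup(table, dst_ip) != firewall_hop:
        return None
    return (public_ip, dst_ip)


# Constructed sample: the Trust Subnet's route table in VCN 10.0.0.0/16.
FW_TRUST = "fw-trust-interface"      # firewall interface in the Trust Subnet
TRUST_RT = RouteTable(
    vcn_cidr="10.0.0.0/16",
    rules=[
        RouteRule("0.0.0.0/0", FW_TRUST),         # north-south: everything else via firewall
        RouteRule("10.1.0.0/16", FW_TRUST),       # east-west: DB VCN via firewall
        RouteRule("10.1.5.0/24", "drg-onprem"),   # more specific rule overrides the /16
    ],
)
# Same VCN but no default route: internet-bound traffic has no matching rule.
NO_DEFAULT_RT = RouteTable("10.0.0.0/16", [RouteRule("10.1.0.0/16", FW_TRUST)])

if __name__ == "__main__":
    for dst in ("10.0.2.15", "10.1.7.9", "10.1.5.9", "203.0.113.10"):
        print(dst, "->", lookup(TRUST_RT, dst))
    print("no default:", lookup(NO_DEFAULT_RT, "203.0.113.10"))
    print("after SNAT:", egress_after_firewall(TRUST_RT, "10.0.2.15",
                                               "203.0.113.10", FW_TRUST, "198.51.100.7"))
```

The 10.1.5.0/24 rule shows the overlap case: a DB-subnet host in that range is sent to the DRG rather than the firewall, so a more specific rule added later can silently bypass inspection; checking a subnet's route table for such entries is a worthwhile review step whenever a firewall is meant to be the chokepoint.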