Set Up a Hub-and-Spoke Network Topology by Using Local Peering Gateways
This reference architecture shows an Oracle Cloud Infrastructure region with a hub VCN connected to two spoke VCNs. Each spoke VCN is peered with the hub VCN by using a pair of local peering gateways (LPGs), one in the hub VCN and one in the spoke VCN.
The architecture shows a few sample subnets and VMs. Security lists control network traffic to and from each subnet. Every subnet has a route table that contains rules to direct traffic bound for targets outside the VCN.
The hub VCN has an internet gateway for network traffic to and from the public internet. It also has a dynamic routing gateway (DRG) to enable private connectivity with your on-premises network, which you can implement by using Oracle Cloud Infrastructure FastConnect, Site-to-Site VPN, or both.
You can use either a bastion host or the OCI Bastion service to provide secure access to your resources. This architecture uses a bastion host.
The following diagram illustrates the reference architecture.
hub-and-spoke-oci.zip
The architecture has the following components:
- On-premises network
  This network is the local network used by your organization. It is one of the spokes of the topology.
- Region
  An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Virtual cloud network (VCN)
  A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private. This architecture has a hub VCN and one or more spoke VCNs.
- Security list
  For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.
- Route table
  Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.
- Dynamic routing gateway (DRG)
  The DRG is a virtual router that provides a path for private network traffic between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.
- Bastion host
  The bastion host is a compute instance that serves as a secure, controlled entry point to the topology from outside the cloud. The bastion host is typically provisioned in a demilitarized zone (DMZ). It enables you to protect sensitive resources by placing them in private networks that can't be accessed directly from outside the cloud. The topology has a single, known entry point that you can monitor and audit regularly, so you can avoid exposing the more sensitive components of the topology without compromising access to them.
- Bastion service
  Oracle Cloud Infrastructure Bastion provides restricted and time-limited secure access to resources that don't have public endpoints and that require strict resource access controls, such as bare metal and virtual machines, Oracle MySQL Database Service, Autonomous Transaction Processing (ATP), Oracle Container Engine for Kubernetes (OKE), and any other resource that allows Secure Shell Protocol (SSH) access. With the Oracle Cloud Infrastructure Bastion service, you can enable access to private hosts without deploying and maintaining a jump host. In addition, you gain an improved security posture with identity-based permissions and a centralized, audited, and time-bound SSH session. Oracle Cloud Infrastructure Bastion removes the need for a public IP for bastion access, eliminating the hassle and potential attack surface of providing remote access.
- Local peering gateway (LPG)
  An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.
- Site-to-Site VPN
  Site-to-Site VPN provides IPSec VPN connectivity between your on-premises network and VCNs in Oracle Cloud Infrastructure. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.
- FastConnect
  Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.
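The CIDR and route-table rules above can be checked before anything is provisioned. The following Python script is an added example, not part of the Oracle reference architecture or its Terraform code; the VCN names, CIDR blocks, and gateway labels (lpg-to-..., drg, internet-gateway) are constructed placeholders. It flags overlapping VCN CIDR blocks, which would prevent peering, builds the hub and spoke route tables as described (spoke to hub via the LPG; hub to each spoke via its LPG, to on-premises via the DRG, and a default route via the internet gateway for public subnets), and resolves a destination by longest-prefix match the way a VCN route table does.

```python
from ipaddress import ip_address, ip_network

# Constructed sample address plan; placeholders, not values from the page.
VCNS = {"hub": "10.0.0.0/16", "spoke-a": "10.1.0.0/16", "spoke-b": "10.2.0.0/16"}
ON_PREM = "192.168.0.0/16"

def overlapping_pairs(cidrs):
    """Pairs of networks whose CIDR blocks overlap; peered VCNs must have none."""
    nets = {name: ip_network(cidr) for name, cidr in cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def hub_route_table(vcns, on_prem, public=True):
    """Hub subnet rules: each spoke via its LPG, on-premises via the DRG,
    and, for a public subnet only, a default route via the internet gateway."""
    rules = {cidr: f"lpg-to-{name}" for name, cidr in vcns.items() if name != "hub"}
    rules[on_prem] = "drg"
    if public:
        rules["0.0.0.0/0"] = "internet-gateway"
    return rules

def spoke_route_table(hub_cidr):
    """A spoke subnet needs only a rule for the hub VCN via its own LPG."""
    return {hub_cidr: "lpg-to-hub"}

def next_hop(route_table, own_cidr, dst_ip):
    """Resolve a destination the way the VCN does: addresses inside the VCN
    stay local, otherwise the most specific matching rule wins; no rule, no route."""
    ip = ip_address(dst_ip)
    if ip in ip_network(own_cidr):
        return "local"
    best = None
    for cidr, target in route_table.items():
        net = ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "no-route"

if __name__ == "__main__":
    assert not overlapping_pairs(VCNS), "CIDR plan overlaps; fix before peering"
    hub = hub_route_table(VCNS, ON_PREM)
    for dst in ("10.2.5.4", "192.168.1.1", "8.8.8.8", "10.0.9.9"):
        print(f"hub -> {dst}: {next_hop(hub, VCNS['hub'], dst)}")
    spoke = spoke_route_table(VCNS["hub"])
    print("spoke-a -> 8.8.8.8:", next_hop(spoke, VCNS["spoke-a"], "8.8.8.8"))
```

Note that a spoke's private subnet has no route to the internet or to another spoke unless you add one explicitly; the "no-route" result makes that visible before a security list is ever consulted.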