
OCI Open LZ - Hub A

A Hub with Two OCI Network Firewalls

 

Table of Contents

1. Overview
2. Components
3. Specifications and Considerations
4. Routing
5. Deploy

 

1. Overview

Hub A is equipped with two OCI Network Firewalls. OCI Network Firewall is a managed next-generation firewall with intrusion detection and prevention. The first firewall (DMZ-FW) is dedicated to inbound traffic; the second (Internal-FW) controls and inspects outbound and East-West traffic.

2. Components

  • VCN (Virtual Cloud Network)
  • Two regional public subnets (depicted in green)
    1. public-subnet for the DMZ/external OCI Network Firewall (note: even though DMZ-FW sits in a public subnet, it has no public interface; it has a single private interface with a private IP address)
    2. public-subnet for Public Load Balancers
  • Four regional private subnets (depicted in dark-orange)
    1. private-subnet for Internal OCI Network Firewall
    2. private-subnet for management workloads
    3. private-subnet for logs
    4. private-subnet for DNS (for OCI DNS resolver endpoints)
  • Internet Gateway
  • NAT Gateway
  • Service Gateway
  • DMZ-FW - first OCI Network Firewall: responsible for Inbound network traffic control and inspection.
  • Internal-FW - second OCI Network Firewall: responsible for Outbound and East-West network traffic control and inspection.
  • Public Load Balancer (LBaaS)

 

3. Specifications and Considerations

  • Segmentation of network traffic and increased throughput: inbound and outbound/East-West traffic are inspected by separate firewalls, so neither path competes with the other for firewall capacity.
  • Visibility into the inbound traffic source on DMZ-FW: the original client source address is still visible at the firewall, which enables detailed control over traffic entering the Hub VCN.
  • SSL Decryption Policy configured on DMZ-FW, so SSL/TLS traffic is decrypted and inspected before it is forwarded to the Public Load Balancer.
  • Higher cost compared to the Hub B model: twice the price of a single OCI Network Firewall.

 

4. Routing

The following diagram presents the Hub & Spoke architecture with the corresponding route tables and route rules.

 

Legend:

 

For a comprehensive understanding of how network packets flow within Hub A and the Spoke VCNs, refer to the Network packet flow animation - Hub A.

 

Note

The CIDR ranges shown in the architecture diagram are for illustrative purposes only and should be adjusted to align with each specific use case.

 

5. Deploy

Follow the deployment sheet below to deploy Hub A in your tenancy from IaC declarations. There are two variants: Hub A Deployment (Light Version - No Cost) and Hub A Deployment (Complete Version - With Cost).

TARGET RESOURCES

  • Light Version - No Cost: creates the resources described in Section 2 without the Firewalls and with one always-free Load Balancer.
  • Complete Version - With Cost: creates all the resources described in Section 2. Note that some resources, such as the Network Firewalls and Load Balancers, incur costs.

INPUT CONFIGURATIONS (each version ships its own pair of configuration files)

  • IAM Configuration as input to the OCI Landing Zone IAM module.
  • Network Configuration as input to the OCI Landing Zone Network module.

DEPLOY WITH ORM - STEP #1 (identical for both versions)

Start the ORM stack creation for the chosen version and follow these steps:
  a. Accept the terms and wait for the configuration to load.
  b. Set the working directory to "rms-facade".
  c. Set the stack name you prefer.
  d. Set the Terraform version to 1.5.x. Click Next.
  e. Accept the default files. Click Next. Optionally, replace them with your own JSON/YAML config files.
  f. Un-check Run Apply. Click Create.

POST DEPLOYMENT - STEP #2

Light Version: optionally, deploy a "dummy VM" in place of each firewall and complete the routing with the following steps:
  a. Deploy a dummy FW VM for the DMZ and Internal FWs following these steps: How to create a dummy FW VM.
  b. Identify the Private IP OCID of your firewall VMs following these steps: How to identify the Private IP OCID of a VM VNIC.
  c. Update the POST network JSON configuration oci_open_lz_hub_a_network_light_post.auto.tfvars.json and replace "DMZ FW PRIVATE IP OCID" with the Private IP OCID of the DMZ Firewall identified in the previous step. You can use the find & replace of the IDE of your choice.
  d. In the same file, replace "INT FW PRIVATE IP OCID" with the Private IP OCID of the Internal Firewall identified in the previous step.
  e. Edit the ORM stack and replace the original Network JSON configuration file with the new one, oci_open_lz_hub_a_network_light_post.auto.tfvars.json.
  f. Run Plan & Apply.

NOTE: To upgrade your Light Version to the Complete one, remove the dummy FW VMs, deploy the firewalls by using the Network Configuration of the Complete Version, and update the routing as described in Step #2 for the Complete Version.

Complete Version: this step updates the routing after the DMZ and Internal Firewalls have been provisioned:
  a. Identify the Private IP OCID of your firewalls following these steps: How to identify the Private IP OCID of an OCI Network Firewall.
  b. Update the POST network JSON configuration oci_open_lz_hub_a_network_post.auto.tfvars.json and replace "DMZ FW PRIVATE IP OCID" with the Private IP OCID of the DMZ Firewall identified in the previous step. You can use the find & replace of the IDE of your choice.
  c. In the same file, replace "INT FW PRIVATE IP OCID" with the Private IP OCID of the Internal Firewall identified in the previous step.
  d. Edit the ORM stack and replace the original Network JSON configuration file with the new one, oci_open_lz_hub_a_network_post.auto.tfvars.json.
  e. Run Plan & Apply.
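The placeholder replacement in Step #2 (both the Light and the Complete Version) is a plain find & replace, and the most common mistake is pasting the wrong kind of OCID: a route rule must target the firewall's private IP (ocid1.privateip...), not the Network Firewall resource, the dummy VM instance or its VNIC. The script below is an added example, not part of the OCI Open LZ project: it performs steps 2c/2d on a file, rejects anything that is not a private IP OCID, confirms the file is still valid JSON, and then reports which route tables send which destinations to DMZ-FW and to Internal-FW, so the split described in Section 1 (inbound via DMZ-FW, outbound and East-West via Internal-FW) can be checked against the file rather than the diagram. Only the two placeholder strings come from the deployment sheet; the JSON layout (route_tables, route_rules, network_entity_id), the route table names, the CIDRs and the OCID values are constructed for the example and are assumptions about the real oci_open_lz_hub_a_network_post.auto.tfvars.json.

```python
"""Fill in the firewall private IP OCIDs of a Hub A POST network configuration
and sanity-check the result before replacing the file in the ORM stack.

Added, illustrative script; not part of the OCI Open LZ project. The JSON
layout (route_tables -> route_rules -> network_entity_id), route table names,
CIDRs and OCID values are constructed assumptions; adapt the key names if
your tfvars file differs.
"""
import json
import re
from typing import Dict, List, Tuple

# The two placeholder strings used by the deployment sheet.
DMZ_PLACEHOLDER = "DMZ FW PRIVATE IP OCID"
INT_PLACEHOLDER = "INT FW PRIVATE IP OCID"

# A route rule must target the firewall's *private IP* (ocid1.privateip...),
# not the firewall resource, the dummy VM instance or its VNIC.
# Assumed OCID layout: ocid1.<type>.<realm>.<region>[.<future use>].<unique id>
PRIVATE_IP_OCID = re.compile(
    r"^ocid1\.privateip\.oc\d+\.[a-z0-9-]*(\.[a-z0-9-]*)?\.[a-z0-9]+$"
)

# Constructed example values (not real OCIDs).
DMZ_FW_IP_OCID = "ocid1.privateip.oc1.eu-frankfurt-1.abtheljrexampledmzfw0001"
INT_FW_IP_OCID = "ocid1.privateip.oc1.eu-frankfurt-1.abtheljrexampleintfw0002"

# Constructed stand-in for the POST network configuration before Step #2.
SAMPLE_POST_CONFIG = json.dumps({
    "route_tables": {
        # ingress route table on the Internet Gateway: inbound to the LB subnet via DMZ-FW
        "hub-igw-ingress-rt": {"route_rules": {
            "lb-subnet-via-dmz-fw": {"destination": "10.0.1.0/24",
                                     "destination_type": "CIDR_BLOCK",
                                     "network_entity_id": DMZ_PLACEHOLDER}}},
        # ingress route table on the DRG attachment: spoke traffic via Internal-FW
        "hub-drg-ingress-rt": {"route_rules": {
            "all-via-internal-fw": {"destination": "0.0.0.0/0",
                                    "destination_type": "CIDR_BLOCK",
                                    "network_entity_id": INT_PLACEHOLDER}}},
        # management subnet: reach the spokes through Internal-FW (East-West)
        "hub-mgmt-rt": {"route_rules": {
            "spokes-via-internal-fw": {"destination": "10.1.0.0/16",
                                       "destination_type": "CIDR_BLOCK",
                                       "network_entity_id": INT_PLACEHOLDER}}},
    }
}, indent=2)


def remaining_placeholders(config_text: str) -> List[str]:
    """Placeholders still present in the file; must be empty before Plan & Apply."""
    return [p for p in (DMZ_PLACEHOLDER, INT_PLACEHOLDER) if p in config_text]


def patch_firewall_ocids(config_text: str, dmz_ip_ocid: str, int_ip_ocid: str) -> str:
    """Steps 2c/2d of the deployment sheet as a checked find & replace."""
    for label, value in ((DMZ_PLACEHOLDER, dmz_ip_ocid), (INT_PLACEHOLDER, int_ip_ocid)):
        if not PRIVATE_IP_OCID.match(value):
            raise ValueError(f"{label}: {value!r} is not a private IP OCID")
    patched = config_text.replace(DMZ_PLACEHOLDER, dmz_ip_ocid)
    patched = patched.replace(INT_PLACEHOLDER, int_ip_ocid)
    json.loads(patched)  # the file must still be valid JSON for ORM / Terraform
    return patched


def firewall_route_targets(config_text: str, dmz_ip_ocid: str,
                           int_ip_ocid: str) -> Dict[str, List[Tuple[str, str]]]:
    """Report which (route table, destination) pairs send traffic to each firewall."""
    targets: Dict[str, List[Tuple[str, str]]] = {"DMZ-FW": [], "Internal-FW": []}
    names = {dmz_ip_ocid: "DMZ-FW", int_ip_ocid: "Internal-FW"}
    config = json.loads(config_text)
    for rt_name, rt in config.get("route_tables", {}).items():
        for rule in rt.get("route_rules", {}).values():
            fw = names.get(rule.get("network_entity_id"))
            if fw:
                targets[fw].append((rt_name, rule["destination"]))
    return targets


if __name__ == "__main__":
    patched = patch_firewall_ocids(SAMPLE_POST_CONFIG, DMZ_FW_IP_OCID, INT_FW_IP_OCID)
    assert not remaining_placeholders(patched)
    for fw, rules in firewall_route_targets(patched, DMZ_FW_IP_OCID, INT_FW_IP_OCID).items():
        print(fw, rules)
```

Run it against your own file by reading the tfvars JSON into `patch_firewall_ocids` with the OCIDs from step 2a/2b and writing the result back before editing the ORM stack; a remaining placeholder or a non-privateip OCID should stop the Plan & Apply, since Terraform would otherwise try to create route rules with an invalid network entity.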

 

License

Copyright (c) 2025 Oracle and/or its affiliates.

Licensed under the Universal Permissive License (UPL), Version 1.0.

See LICENSE for more details.