Scenario C: Public and Private Subnets with a VPN (2024)

This topic explains how to set up Scenario C, which is a simple example of a multi-tier setup. It consists of a virtual cloud network (VCN) with a regional public subnet to hold public servers (such as web servers), and a regional private subnet to hold private servers (such as database servers). Servers are in separate availability domains for redundancy.

The VCN has a dynamic routing gateway (DRG) and Site-to-Site VPN for connectivity to your on-premises network. Instances in the public subnet have direct access to the internet by way of an internet gateway. Instances in the private subnet can initiate internet connections by way of a NAT gateway (for example, to get software updates), but cannot receive inbound connections from the internet through that gateway.

Each subnet uses the default security list, which has default rules that are designed to make it easy to get started with Oracle Cloud Infrastructure. The rules enable typical required access (for example, inbound SSH connections and any type of outbound connections). Remember that security list rules only allow traffic. Any traffic not explicitly covered by a security list rule is denied.

Tip

Security lists are one way to control traffic in and out of the VCN's resources. You can also use network security groups, which let you apply a set of security rules to a set of resources that all have the same security posture.

This scenario can use a legacy or upgraded DRG.

Each subnet also has its own custom security list and custom route table with rules specific to the needs of the subnet's instances. In this scenario, the VCN's default route table (which is always empty to start with) is not used.

See the following figure.

Figure: Scenario C: Public and Private Subnets with a VPN

Callout 1: Regional private subnet route table

    Destination CIDR    Route target
    0.0.0.0/0           NAT Gateway
    10.0.0.0/16         DRG

Callout 2: Regional public subnet route table

    Destination CIDR    Route target
    0.0.0.0/0           Internet Gateway

Tip

The scenario uses Site-to-Site VPN for connectivity. However, you could instead use Oracle Cloud Infrastructure FastConnect.
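As an added example (not part of the Oracle documentation), the following Python models the two route tables from the callouts above and checks the invariants that keep the private tier isolated: the default route must go to the NAT gateway rather than an internet gateway, the 10.0.0.0/16 prefix must go to the DRG, and public IPs must be prohibited on the private subnet. The route target names, the sample addresses and the prohibit_public_ip flag are assumptions, not OCI API identifiers.

```python
"""Constructed check for the Scenario C route tables described above."""
import ipaddress

# Route tables copied from callouts 1 and 2 (constructed from the page).
PRIVATE_RT = [("0.0.0.0/0", "NAT Gateway"), ("10.0.0.0/16", "DRG")]
PUBLIC_RT = [("0.0.0.0/0", "Internet Gateway")]


def longest_match(route_table, address):
    """Return the route target chosen for `address`.

    OCI picks the most specific rule (longest prefix) whose destination
    CIDR contains the address, so 10.0.5.4 hits 10.0.0.0/16 -> DRG even
    though 0.0.0.0/0 also matches. Returns None if nothing matches.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def audit_private_subnet(route_table, prohibit_public_ip=True):
    """Return a list of findings that would break the private tier's isolation.

    An empty list means the table matches the scenario's intent.
    `prohibit_public_ip` stands in for the subnet setting that prevents
    public IP assignment (an assumed flag name).
    """
    findings = []
    for cidr, target in route_table:
        if target == "Internet Gateway":
            findings.append(f"route {cidr} -> Internet Gateway exposes the subnet")
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for
    # any internet destination; egress must leave via the NAT gateway.
    if longest_match(route_table, "203.0.113.10") != "NAT Gateway":
        findings.append("default route must target the NAT gateway (egress only)")
    if longest_match(route_table, "10.0.5.4") != "DRG":
        findings.append("10.0.0.0/16 must route to the DRG for the on-premises path")
    if not prohibit_public_ip:
        findings.append("public IPs must be prohibited on private-subnet VNICs")
    return findings
```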
