Routing Network Traffic to a Firewall
Scenarios showing how to route network traffic to a firewall.
This topic shows scenarios for routing traffic to a network firewall. For more information about network routing, see VCN Route Tables and Intra-VCN Routing.
For better performance, consider not adding stateful rules to the security list attached to the firewall subnet, or include the firewall in a network security group (NSG) that contains stateful rules.
Security list or network security group (NSG) rules associated with the firewall subnet and VNICs are evaluated before the firewall. Be sure that any security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
If the policy you use with the firewall doesn't have any rules specified, the firewall denies all traffic.
An example of how to set up routing from an on-premises network to your VCN using a Dynamic Routing Gateway (DRG).
-
Update the DMZ subnet to route traffic to on-premise or another VCN in the same
or different regions through the DRG.
Callout 1: Dynamic routing gateway (DRG) route table Destination CIDR Route target 0.0.0.0/0 Network Firewall (10.0.2.2) Callout 2: DMZ subnet route table Destination CIDR Route target 0.0.0.0/0 DRG Callout 3: DMZ subnet route table Destination CIDR Route target 0.0.0.0/0 Network Firewall (10.0.2.2)
In this example, routing is configured from the internet to the firewall. Traffic is routed from the IGW, through the firewall, and then from the firewall subnet to a public subnet.
-
Update the DMZ subnet to route traffic to the internet through the IGW.
Callout 1: Internet gateway (IGW) route table Destination CIDR Route target VCN (10.0.0.0/16) Network Firewall (10.0.2.2) Callout 2: DMZ subnet route table Destination CIDR Route target 0.0.0.0/0 IGW Callout 3: Public subnet route table Destination CIDR Route target 0.0.0.0/0 Network Firewall (10.0.2.2)
In this example, traffic is routed from Subnet A, to the firewall. From the firewall, traffic is routed to Subnet B using the implicit 10.0.0.0 to "local" (not shown).
-
Add a route rule to Subnet B that specifies the destination with the VCN (10.0.3.0/24) through the firewall.
Callout 1: Regional private subnet A route table Destination CIDR Route target Subnet B (10.0.1.0/24) Network Firewall (10.0.2.2) Callout 2: Regional private subnet B route table Destination CIDR Route target Subnet A (10.0.3.0/24) Network Firewall (10.0.2.2)