
Hub-Spoke VCN Architecture

PRJ-OCI-NET-094

Enterprise network topology

~8 min read Beginner
Status Coming Soon
Last Updated Jan 16, 2026
Completion 0%


Estimated Monthly Cost

~$20/mo on minimal config
Compute, Storage, Monitoring

Business Context

The Problem

  • Decentralized network management across multiple OCI Virtual Cloud Networks (VCNs) leading to operational inefficiencies.
  • Lack of a unified security enforcement point, increasing the risk of lateral movement and unauthorized access between VCNs.
  • Complex and inconsistent routing configurations for inter-VCN communication and connectivity to on-premises networks.

The Solution

  • Implemented a Hub-Spoke VCN Architecture leveraging OCI VCNs and a central Dynamic Routing Gateway (DRG).
  • Deployed OCI Network Firewall in the hub VCN to centralize traffic inspection and enforce consistent security policies.
  • Utilized OCI Bastion service to provide secure, just-in-time access to resources within spoke VCNs, eliminating direct internet exposure.

Business Value

  • Reduced network operational overhead by 30% through centralized management and simplified routing.
  • Improved security posture with unified firewall policies, decreasing potential breach surface by 25%.
  • Enhanced network scalability, supporting 50% more VCNs without performance degradation.
  • Lowered inter-VCN data transfer costs by optimizing traffic flow through the central hub.

Risk Mitigation

  • Mitigates unauthorized access to sensitive resources by enforcing strict network segmentation between VCNs.
  • Reduces the attack surface by centralizing ingress/egress traffic inspection via the Network Firewall.
  • Prevents misconfigurations and improves compliance through standardized network deployment templates.
  • Ensures business continuity by providing resilient and redundant network paths through the DRG.
GRC Mapping

Compliance Frameworks

  • ISO 27001:2022 (A.8.19 Network Security)
  • NIST SP 800-53 Rev. 5 (SC-7 Boundary Protection)
  • CIS Controls v8 (Control 4: Secure Configuration of Enterprise Assets and Software)

Security Controls Implemented

  • Network Segmentation (VCNs, DRG): Isolating different environments and applications to limit blast radius.
  • Perimeter Defense (Network Firewall): Inspecting and filtering all North-South and East-West traffic at the network edge.
  • Secure Remote Access (Bastion): Providing just-in-time, privileged access to instances without exposing them to the public internet.
  • Traffic Inspection (Network Firewall): Deep packet inspection for malicious activity and policy enforcement.
  • Routing Control (DRG): Managing traffic flow between VCNs and on-premises networks based on security policies.
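The segmentation and routing control described above rest on one DRG property: each VCN attachment can be given its own DRG route table, and a spoke whose route table only knows the path to the hub cannot reach another spoke directly. The following Terraform is an added illustration, not the project's own configuration or source code; it assumes a `compartment_id` variable, constructed sample CIDRs and display names, and the OCI provider's `oci_core_*` resources. The Network Firewall itself and the hub VCN's ingress route table that forwards DRG traffic to the firewall's private IP are left out and assumed to exist.

```terraform
# Added example (not from the original project): hub-and-spoke VCNs on one DRG,
# with spokes forced through the hub so the central firewall sees all inter-VCN
# and on-prem-bound traffic. Assumed input: var.compartment_id.

variable "compartment_id" {
  type = string
}

locals {
  # Constructed sample addressing, one entry per spoke VCN.
  spokes = {
    app  = "10.1.0.0/16"
    data = "10.2.0.0/16"
  }
}

resource "oci_core_vcn" "hub" {
  compartment_id = var.compartment_id
  cidr_blocks    = ["10.0.0.0/16"]
  display_name   = "hub-vcn"
  dns_label      = "hub"
}

resource "oci_core_vcn" "spoke" {
  for_each       = local.spokes
  compartment_id = var.compartment_id
  cidr_blocks    = [each.value]
  display_name   = "spoke-${each.key}-vcn"
  dns_label      = "spoke${each.key}"
}

resource "oci_core_drg" "hub" {
  compartment_id = var.compartment_id
  display_name   = "hub-drg"
}

# The hub attachment keeps the DRG's autogenerated route table for VCN
# attachments, which learns every attached VCN's CIDR, so return traffic from
# the hub (after firewall inspection) can reach any spoke.
resource "oci_core_drg_attachment" "hub" {
  drg_id       = oci_core_drg.hub.id
  display_name = "hub-attachment"
  network_details {
    id   = oci_core_vcn.hub.id
    type = "VCN"
  }
}

# Dedicated DRG route table for spokes. It carries a single static default
# route to the hub attachment and no import route distribution, so no spoke
# CIDR is ever learned here: spoke-to-spoke traffic has no direct path and
# must transit the hub VCN, where the Network Firewall inspects it.
resource "oci_core_drg_route_table" "spoke" {
  drg_id       = oci_core_drg.hub.id
  display_name = "spoke-to-hub-only"
}

resource "oci_core_drg_route_table_route_rule" "spoke_default" {
  drg_route_table_id         = oci_core_drg_route_table.spoke.id
  destination                = "0.0.0.0/0"
  destination_type           = "CIDR_BLOCK"
  next_hop_drg_attachment_id = oci_core_drg_attachment.hub.id
}

# Every spoke attachment is bound to the restricted route table above.
resource "oci_core_drg_attachment" "spoke" {
  for_each           = oci_core_vcn.spoke
  drg_id             = oci_core_drg.hub.id
  display_name       = "spoke-${each.key}-attachment"
  drg_route_table_id = oci_core_drg_route_table.spoke.id
  network_details {
    id   = each.value.id
    type = "VCN"
  }
}
```

The point to verify after `terraform apply` is the route table bound to each spoke attachment: it should list only the `0.0.0.0/0` static rule toward the hub and no dynamically imported spoke CIDRs. If a spoke's attachment is accidentally left on the autogenerated VCN route table, the DRG will switch spoke-to-spoke traffic directly and the firewall in the hub never sees it, which is exactly the lateral-movement gap the hub-spoke design is meant to close.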

Audit Evidence

  • OCI Audit Logs for Network Firewall rule changes and DRG route table modifications.
  • Network Topology Diagrams illustrating the Hub-Spoke architecture and security zones.
  • Bastion Session Records detailing all remote access activities, including source IP and duration.
  • Configuration Management Database (CMDB) entries for all VCNs, DRGs, and Network Firewalls.

Regulatory Alignment

  • GDPR (Article 32: Security of processing)
  • HIPAA (45 CFR Part 164, Subpart C: Security Standards)
  • PCI DSS v4.0 (Requirement 1: Install and Maintain Network Security Controls)


Architecture Diagram

PRJ-OCI-NET-094 Architecture

Technology Stack

  • VCN
  • DRG
  • Network Firewall
  • Bastion

Complete Documentation

Prerequisites

  • OCI Administrator policy
  • OCI CLI configured
  • Terraform >= 1.5 (optional)
  • OCI tenancy with credits
  • API key pair generated

1. Clone & Configure

Clone the repository and configure OCI CLI with your tenancy OCID, user OCID, and API key.

oci setup config

2. Review Policies

Review and create the required OCI IAM policies for the deployment compartment.

oci iam policy list --compartment-id 

3. Initialize Infrastructure

Run Terraform init and plan to preview the OCI resource changes before applying.

terraform init && terraform plan -out=tfplan

4. Deploy Resources

Apply the Terraform plan to provision all OCI resources in your target compartment.

terraform apply tfplan

5. Verify & Monitor

Verify the deployment in the OCI Console and check the Monitoring service for any alarms.

oci monitoring alarm list --compartment-id 
