Where should I deploy the Network Firewall in my network architecture?

Deploy the Network Firewall in a dedicated firewall subnet within a hub VCN in a hub-and-spoke architecture. Configure DRG route tables to direct inter-VCN and internet-bound traffic through the firewall subnet. The firewall inspects traffic inline, so it must be in the data path. For north-south (internet) traffic, place it between the internet gateway and your application subnets. For east-west (VCN-to-VCN) traffic, place it in the hub VCN with DRG route tables directing spoke traffic through it.

Does OCI Network Firewall support TLS inspection?

Yes. OCI Network Firewall can decrypt TLS/SSL traffic for inspection using a decryption profile with your certificate authority (CA) certificate. Inbound decryption uses your server's certificate to inspect traffic destined for your applications. Outbound (forward proxy) decryption generates dynamic certificates signed by your CA to inspect traffic initiated by your workloads. TLS inspection is essential for detecting threats in encrypted traffic but requires careful certificate management.

OCI Network Firewall Policy Builder

NetworkingOCI

Build OCI Network Firewall policy rules with IP lists, URL filtering, and TLS inspection.

Network Firewall Policy

Display Name

Security Rule 1

Rule Name

Action

source Address

destination Address

service

Display name is required
Rule 1: Name is required

Generated Firewall Policy JSON

Output will appear here...

About This Tool

OCI Network Firewall is a managed next-generation firewall service that provides deep packet inspection, intrusion detection and prevention (IDS/IPS), URL filtering, and TLS inspection for traffic flowing through your VCNs. Firewall policies define security rules, application lists, URL lists, and decryption profiles. This builder helps you configure Network Firewall policies with hierarchical rule sets, service lists, application groups, and inspection profiles for comprehensive network security.

When to Use This Tool

•Building a Network Firewall policy for a hub VCN that inspects all east-west traffic between spoke VCNs in a hub-and-spoke topology
•Configuring intrusion detection and prevention (IDS/IPS) rules using Snort-compatible signatures to detect known exploit patterns
•Creating URL filtering rules that block access to malicious domains and restrict outbound traffic to approved SaaS services
•Setting up TLS inspection profiles that decrypt and inspect HTTPS traffic to detect threats hidden in encrypted communications

Frequently Asked Questions

Where should I deploy the Network Firewall in my network architecture?: Deploy the Network Firewall in a dedicated firewall subnet within a hub VCN in a hub-and-spoke architecture. Configure DRG route tables to direct inter-VCN and internet-bound traffic through the firewall subnet. The firewall inspects traffic inline, so it must be in the data path. For north-south (internet) traffic, place it between the internet gateway and your application subnets. For east-west (VCN-to-VCN) traffic, place it in the hub VCN with DRG route tables directing spoke traffic through it.
Does OCI Network Firewall support TLS inspection?: Yes. OCI Network Firewall can decrypt TLS/SSL traffic for inspection using a decryption profile with your certificate authority (CA) certificate. Inbound decryption uses your server's certificate to inspect traffic destined for your applications. Outbound (forward proxy) decryption generates dynamic certificates signed by your CA to inspect traffic initiated by your workloads. TLS inspection is essential for detecting threats in encrypted traffic but requires careful certificate management.

Related Learning Guides

OCI Security Best Practices24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.