Network architecture diagram (labels recovered from the figure):

Ingress path: Internet -> Cloudflare (WAF + DDoS) -> OCI Load Balancer (Public) -> Shard VCN(s) - Public LB
  NSG on the public LB: Allow only Cloudflare published egress IPs

Shard VCNs:
- CD VCN, 10.227.32.0/20: Deltek-CD OKE (K8s API, nodes)
- Integration, 10.226.64.0/18: Shard OKE (API, nodes, LB, file sharing)
- Pre-Prod, 10.226.128.0/18: Shard OKE (API, nodes, LB, file sharing)
- Prod, 10.225.128.0/18: Shard OKE (API, nodes, LB, file sharing)

Egress path: All shard egress -> Palo Alto Firewalls (in VCN or NGFW cluster), managed by Panorama (automated allow/remove) -> Internet

Special: Kubernetes API access from CD cluster to CD cluster's API
- Phase 1: OCI NSG (restricted source CIDRs / security team controlled)
- Phase 2: Host-based proxy VM inside the CD VCN w/ host firewall -> forwards requests to OKE API endpoint


by dheraj
