This image shows an Oracle Cloud Infrastructure Tenancy with compartments, Management Groups, and the following resources in the Tenancy (Root Compartment): Budget, Policies, IAM Events, Cloud Guard, Budget Events, Notifications, and Topic. Budget Events, Notifications, and Topic appear in a box with a dotted line. The following are in Management Groups: Cost Admins, Storage Admins, Cred Admins, Auditors, IAM Admins, Network Admins, Security Admins, App Admins, Database Admins, and Exadata Admins.

An Enclosing Compartment is located inside the Tenancy (Root Compartment) and contains Policies and the Security Zone. The following compartments reside within the Enclosing Compartment: Network, Security, App, Database, and Exadata. The template provisions Alarms, Events, Notifications, Topic, and Subscriber resources inside the Network, Security, App, Database, and Exadata compartments.

The Network compartment has two Virtual Cloud Networks (VCNs): A VCN and an Exadata VCN. By default, the template deploys a standard three-tier VCN with one regional public subnet and two regional private subnets. The VCN has a Web Subnet, App Subnet, and Database Subnet. The Exadata VCN has two regional private subnets: a Client Subnet and a Backup Subnet. It also has Alarms, Events, Notifications, Topic, and Subscriber resources.

The type of VCN drives which gateways are attached to them. The standard three-tier VCNs can have all VCN gateways, while Exadata VCNs are attached to Dynamic Routing Gateway (DRG) and Service Gateway:
- An internet gateway for connectivity to the public internet.
- A NAT gateway for one-way connectivity from resources in the private subnets to the public internet.
- A DRG for private connectivity to the on-premises network in the Customer Data Center.
- Service gateway for connectivity to the Oracle services network (OSN).
Network access to the resources in each of the subnets is controlled by separate network security groups. The VCN has a Bastion Network Security Group, a Load Balancer (LBR) Network Security Group, and an Apps Network Security Group. The Exadata VCN has a Client Network Security Group, and a Backup Network Security Group.
The public subnet's route table contains rules to direct traffic destined for the public internet through the internet gateway and traffic bound for the on-premises network through the DRG.
The route tables of the private subnets contain a rule to direct traffic destined for the OSN through the service gateway. The route table of the App subnet has an additional rule to direct traffic bound for the public internet through the NAT gateway.
The route tables of Client and Backup subnets in the Exadata VCN do not provide any ingress or egress connectivity to the internet.

The Security compartment is provisioned with Vault and Keys, Vulnerability Scanning, Logging, Service Connector Hub, Bastion, Object Storage Buckets, Alarms, Events, Notifications, Subscriber, and Topic resources.

The App Compartment is provisioned with Object Storage buckets, Alarms, Events, Notifications, Subscriber, and Topic resources. The App Compartment can contain other application-related resources that you might need in addition to those provisioned by the template. For example, the template does not provision the following resources: Functions, Container Engine for Kubernetes clusters, Compute instances, Block Storage, Streaming, and File Storage.

The Database Compartment is for any database resources that you want to provision. It is provisioned with Object Storage buckets, Alarms, Events, Notifications, Subscriber, and Topic resources. The template does not provision the databases, including Oracle Autonomous Transaction Processing (ATP), Oracle Autonomous Data Warehouse, VM Database, and Exadata Cloud Service.

Exadata Compartment is for Exadata resources, including the infrastructure, VM clusters and database systems. It is provisioned with Object Storage buckets, Alarms, Events, Notifications, Subscriber, and Topic resources. The template does not provision the Exadata System. Alternatively, these resources can be deployed in the Database compartment and managed by Database administrators.

The arrows at the top indicate overall admin permissions granted to management groups over resources across the compartments, as follows:

Cost Admins send data to Budget and Budget Events in the Root Compartment.
IAM Admins send data to the Budget Events, Notifications, Topic, and Policies in the Root Compartment and Policies in the Enclosing Compartment. IAM Admins also send data to Network Admins.
Network Admins send data to the Network Compartment.
Security Admins send data to IAM Events and Cloud Guard in the Root Compartment and the Security Zone in the Network Compartment. Security Admins send data to the Security Compartment.
App Admins send data to the App Compartment.
Database Admins send data to the Database Compartment.
Exadata Admins send data to the Exadata Compartment.
Network Admins send data to the Network Compartment.