This architecture diagram shows a single Oracle Cloud Infrastructure (OCI) regional architecture and multiple paths through the architecture. First we'll describe the physical architecture followed by a description of the multiple paths.

Micro-batch data is ingested into Oracle Cloud Infrastructure Data Integration from on-premises sources such as databases, enterprise applications, and software-as-a-service (SaaS) applications by using APIs. File data is ingested into the data lake (Oracle Cloud Infrastructure Object Storage). Federated data from third-party clouds, such as AWS, Azure, and Google Cloud uses a network address translation (NAT) gateway and is stored in Oracle Autonomous Data Warehouse. Customer premises equipment (CPE) access the OCI region by using a dynmaic routing gateway (DRG).

The following services and features are provided for the region by the Oracle Services Network:

• Compartments
• Oracle Cloud Infrastructure Data Catalog
• Oracle Cloud Infrastructure Data Science Model Deployment
• Oracle Cloud Infrastructure Identity and Access Management
• Oracle Cloud Infrastructure Object Storage data lake with bronze, silver, and gold data collections
• Oracle Cloud Infrastructure Vault
• Policies

The region includes 2 virtual cloud networks (VCNs): a hub VCN and a workload VCN. It also includes a dynamic routing gateway (DRG), which provides private connectivity between on-premises networks and VCNs by using site-to-site VPN. A DRG can also route traffic between VCNs for remote peering. The DRG is connected to VCN-0 (Hub VCN) and VCN-1 (Workload VCN).

The Hub VCN includes the following gateways:

• Internet gateway: Provides communications between public subnets and internet hosts.
• Service gateway: Allows the VCN to communicate with services such as object storage over the Oracle network fabric without traversing the internet.

The Hub VCN has a public subnet with a security list and route table that includes an Oracle Cloud Infrastructure Web Application Firewall instance to handle incoming requests from the internet, and public and standby load balancers to distribute traffic to Oracle Analytics Cloud in the workload VCN.

The workload VCN provides the following gateways:

• Network address translation (NAT) gateway: Enables private resources in a VCN to access hosts on the internet without exposing those resources to incoming internet connections. In this architecture, data from third-party clouds uses a network address translation (NAT) gateway and is stored in Oracle Autonomous Data Warehouse.
• Service gateway: Allows the VCN to communicate with services such as object storage over the Oracle network fabric without traversing the internet.

The workload VCN has three private subnets, each with its own security list and route table:

• Application private subnet: Includes an Oracle Cloud Infrastructure Bastion instance to handle incoming requests from customer premises equipment (CPE) that come through the DRG, Oracle Analytics Cloud and Oracle Cloud Infrastructure API Gateway.
• Mid-tier private subnet: Includes Oracle Cloud Infrastructure Data Integration, Oracle Cloud Infrastructure Data Flow, and Oracle Cloud Infrastructure Data Science.
• Data private subnet: Includes Oracle Autonomous Data Warehouse.