The image shows three regions: an on-premises region, an Oracle Cloud Infrastructure (OCI) region, and an Internet region.

The on-premises region contains customer premises equipment (CPE), BRM client applications, and may include other applications hosted in the customer’s data center for integration. Site-to-site connectivity to OCI is provided by a VPN or FastConnect service via the Dynamic Routing Gateway (DRG).

The Internet region contains BRM web clients and external applications requiring integration.

Within the OCI region, there is a virtual cloud network (VCN) that contains public and private subnets for the bastion service and load balancers, and two private subnets for the OKE BRM application cluster and the database tier. The subnets use route tables and security lists.

The public subnet contains a bastion service that sends data to the CPE through the dynamic routing gateway (DRG) and then over a secure site-to-site VPN.

One of the public subnets contains a public load balancer that receives requests from BRM web users via an Internet gateway and an Oracle Cloud Infrastructure Web Application Firewall (WAF), both located in the OCI region. The load balancer then connects to the BRM Oracle Container Engine for Kubernetes (OKE) cluster subnet.

The OKE cluster contains the BRM application pods deployed on worker nodes across the fault domains.

The data tier private subnet contains an Oracle Real Application Clusters (RAC) deployment containing two RAC nodes. The OCI region also includes a service gateway that provides access to object storage, as well as policies, identity and access management (IAM), auditing, and logging.