The image shows an OCI region with a VCN that spans three availability domains labeled Availability Domain 1, Availability Domain 2, and Availability Domain 3, representing high-availability zones. The VCN hosts a public load balancer, an Oracle Kubernetes Engine (OKE) cluster, and an Oracle Autonomous AI Database. The region hosts Oracle Services Network with an OCI Container Registry

The VCN includes five subnets as follows:

1. Service Load Balancer public subnet Used for customer traffic and includes a Public Load Balancer located in Availability Domain 2, responsible for receiving and distributing incoming traffic to application components.
2. OKE API/Service public subnet : Contains an OCI Kubernetes Engine (OKE) Cluster that spans all three availability domains.
3. Node private subnets: OKE worker nodes run workloads and pull container images from Oracle Cloud Infrastructure Container Registry (OCIR) by using the Oracle Services Network.
4. Pod Private Subnet: Pods run Dify services and call the Oracle Autonomous AI Database for persistence.
5. Database private subnet: Hosts the Oracle Autonomous AI Database as the application data store.

Connectivity and traffic flow are shown by directional arrows:

• Users reach the application through the Public Load Balancer.
• The Load Balancer routes requests to Kubernetes services running in pods on the worker nodes.
• Administrators access the cluster through the Kubernetes API endpoint.
• Worker nodes and pods pull container images from OCI Container Registry via the service gateway.
• Private subnets use NAT gateways for outbound updates and package retrieval without exposing private IP addresses.
• Application pods connect privately to the Autonomous Database for reads and writes.

Security and Connectivity:

• Only the public load bBalancer and OKE control plane are exposed publicly; nodes, pods, and the database remain in private subnets.
• Private service connectivity and restricted egress reduce exposure to the public internet.
• Use of multiple availability domains supports high availability and resilience.