The image shows how a wall garden is implemented. It shows five different entities that try to access EU Sovereign Cloud, an EU Sovereign Cloud realm, and three connection source/destinations.

The five entities trying to access EU Sovereign Cloud are:

Untrusted/unverified users
Trusted/versified users
Trusted/verified services
Public EU-only consumers
Non-EU actors

Requests to access service endpoints inside EU Sovereign Cloud from these entities is filtered through a firewall. Access requests from the untrusted/unverified user sand the non-EU actors are denied. The remained are allowed access to the service endpoint.

Inside EU Sovereign Cloud, beyond the service endpoints is a DMZ/WAF/Firewall and a Provided Services Infrastructure.

The three connection source/destinations connect to EU Sovereign Cloud as follows:

On-premises environment belonging to the EU Sovereign Cloud tenancy owner access EU Sovereign Cloud over a EU Sovereign Cloud FastConnect.
Two EU Sovereign Cloud to satellite sites connect over EU Sovereign Cloud CPE/VPN.