The image shows how a walled garden is implemented. It shows five different entities that try to access EU Sovereign Cloud, an EU Sovereign Cloud realm, and three connection sources/destinations.
Requests from these entities to access service endpoints inside EU Sovereign Cloud are filtered through a firewall. Access requests from the untrusted/unverified users and the non-EU actors are denied. The remaining entities are allowed access to the service endpoint.
Inside EU Sovereign Cloud, beyond the service endpoints, are a DMZ/WAF/Firewall and a Provided Services Infrastructure.