This image shows an Oracle Cloud Infrastructure region that includes two availability domains. The region includes three Secured virtual cloud networks (VCNs) deployed in a distributed model. Each Secured VCN acts as its own environment and includes the following components.

Secured VCN-A: The secured VCNs include at minimum two subnets: a firewall subnet and a secured subnet.
  • The firewall subnet is used to deploy OCI Network Firewall. You must add the required firewall policy when you create the Network Firewall.
  • The secured subnet is used to deploy cloud workloads. Outgoing traffic from workload subnets is routed to the Network Firewall IP address for inspection and protection.
The secured VCNs include the following communication gateways:
  • Internet gateway: Allows workloads to connect to and from the internet. You can route this traffic to the Network Firewall in the firewall subnet for inspection and protection.
  • Service gateway: Allows workloads to connect to Oracle Cloud Infrastructure Object Storage and other Oracle services in the region. You can route this traffic to the Network Firewall in the firewall subnet for inspection and protection.
Additional gateways can be deployed:
  • NAT gateway: Enables private resources in a VCN to access hosts on the internet without exposing those resources to incoming internet connections. You can route this traffic to the Network Firewall in the firewall subnet for inspection and protection.
  • Dynamic routing gateway: Connects the customer data center and customer premises equipment over IPSec VPN or FastConnect. You can route this traffic to the Network Firewall in the firewall subnet for inspection and protection.

Ensure that symmetric routes are used within the Secured VCNs so that ingress and egress traffic follow the same path through the Network Firewall. As with Secured VCN-A, deploy the required resources in Secured VCN-B and Secured VCN-C.
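The symmetric-routing requirement above can be checked before deployment by tracing both directions through the route tables. The following is an added example, not code from the original page or from Oracle: it models Secured VCN-A's route tables (the secured subnet's default route to the firewall, the firewall subnet's default route to the internet gateway, and the ingress route table attached to the internet gateway) with constructed CIDRs and names, performs longest-prefix lookups including the VCN's implicit local route, and flags a VCN whose ingress path bypasses the firewall.

```python
from ipaddress import ip_address, ip_network

# Constructed model of Secured VCN-A (plain dicts, not OCI API objects). Route
# targets: "fw" = the Network Firewall's private IP in the firewall subnet,
# "igw" = the internet gateway, "local" = the VCN's implicit local route.
# All names and CIDRs are assumptions for this example.
SECURED_VCN_A = {
    "cidr": "10.0.0.0/16",
    "route_tables": {
        "secured_subnet_rt": {"0.0.0.0/0": "fw"},    # workload egress -> firewall
        "firewall_subnet_rt": {"0.0.0.0/0": "igw"},  # firewall egress -> internet
        "igw_ingress_rt": {"10.0.2.0/24": "fw"},     # internet ingress -> firewall
    },
    "igw_route_table": "igw_ingress_rt",  # ingress route table attached to the IGW
}

def lookup(vcn, rt_name, dst):
    """Longest-prefix match over a route table plus the VCN's implicit local route."""
    rules = {vcn["cidr"]: "local", **vcn["route_tables"][rt_name]}
    best = None
    for cidr, target in rules.items():
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "drop"  # no route at all: traffic is dropped

def trace(vcn, start_rt, dst, max_hops=4):
    """Follow a packet hop by hop; a hop to "fw" re-enters via the firewall subnet's table."""
    hops, rt = [], start_rt
    for _ in range(max_hops):
        target = lookup(vcn, rt, dst) if rt else "local"  # no IGW table: direct delivery
        hops.append(target)
        if target != "fw":
            return hops
        rt = "firewall_subnet_rt"
    return hops + ["loop"]  # firewall subnet routes back to the firewall: misconfigured

def check_symmetric(vcn, workload_ip="10.0.2.5", internet_ip="203.0.113.7"):
    """Both directions must traverse the firewall; returns (ok, egress_hops, ingress_hops)."""
    egress = trace(vcn, "secured_subnet_rt", internet_ip)
    ingress = trace(vcn, vcn["igw_route_table"], workload_ip)
    return ("fw" in egress and "fw" in ingress), egress, ingress

if __name__ == "__main__":
    print(check_symmetric(SECURED_VCN_A))
    # Misconfiguration: IGW without an ingress route table, so inbound traffic bypasses the firewall
    print(check_symmetric({**SECURED_VCN_A, "igw_route_table": None}))
```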