This image shows the north-south inbound traffic flows from an on-premises VM to a VM in a Secure Private subnet via Network Firewall. It includes one Secure VCN but similarly you can have multiple secured VCNs.

Secured VCN-A (10.10.0.0/16) includes the following components:

• Firewall Subnet (10.10.1.0/24) which includes a Network Firewall and associated IP address to it. Ensure that Firewall Subnet is in a private subnet since we are protecting private subnet workloads.
• Secured Private Subnet (10.10.0.0/24) which includes application workloads. We have a VM available in this subnet with 10.10.0.10 private IP address.
• Dynamic Routing Gateway to support on-premises connectivity to Secured VCN via FastConnect and/or VPN. DRG has an attachment to Secured VCN and associated VCN Ingress Route Table attached to that attachment.
• Route tables are associated to Firewall Subnet, Secured Private Subnet and internet gateway ensuring that the traffic is routed via Network Firewall.

North-south traffic flow from the on-premises VM to Virtual Machine in Secured Private Subnet:

1. Traffic that moves from the on-premises destination (172.16.10.10) to workload VM (10.10.0.10) is routed through Dynamic Routing Gateway (destination 10.10.0.0/24).
2. Traffic from DRG Secured VCN attachment and through VCN Ingress Route Table goes to IP Address of Network Firewall based on the destination (10.10.0.10).
3. Firewall inspects and protects the traffic as per firewall policy. Once inspected and protected, traffic exits from Firewall IP address through Firewall Subnet Route Table (destination 10.10.0.0/24).
4. Firewall Subnet route table sends the required destination.
5. Return traffic comes from Secured Private VM to Network Firewall and will follow the same path since we have symmetric routing in place on each route table.