This image shows the north-south inbound traffic flow from the internet to a public VM in a Secured Public Subnet, inspected by the Network Firewall. It shows a single Secured VCN; the same pattern applies when you have multiple secured VCNs.

The Secured VCN (10.10.0.0/16) contains the following components:
  • Firewall Subnet (10.10.1.0/24), which hosts the Network Firewall and the firewall IP address that the route rules target. The Firewall Subnet must be a public subnet here because we are protecting public subnet workloads. The same firewall can also inspect east-west and other north-south traffic, but if you protect public workloads and want to use the internet gateway ingress routing capability, the firewall must be deployed in a public subnet.
  • Secured Public Subnet (10.10.0.0/24), which contains the application workloads. A VM in this subnet has the private IP 10.10.0.10 and a public IP associated with it.
  • Internet Gateway, providing connectivity to and from the internet.
  • Route tables associated with the Firewall Subnet, the Secured Public Subnet, and the Internet Gateway, ensuring that traffic in both directions is routed via the Network Firewall.
North-south traffic flows from the internet to the virtual machine as follows:
  1. Traffic from the internet to the workload VM's public IP enters through the Internet Gateway, where the public IP maps to the VM's private IP (10.10.0.10). The Internet Gateway route table is then applied, and its rule for destination 10.10.0.0/24 matches.
  2. That Internet Gateway route table rule sends the traffic to the IP address of the Network Firewall, based on the workload VM destination (10.10.0.10).
  3. The firewall inspects the traffic and applies its firewall policy. Traffic that is allowed exits from the firewall IP address, and the Firewall Subnet route table (destination 10.10.0.0/24) is applied.
  4. The Firewall Subnet route table delivers the traffic to the workload VM.
  5. Return traffic from the workload VM follows the same path in reverse: the Secured Public Subnet route table sends internet-bound traffic to the firewall IP address rather than directly to the Internet Gateway, and the Firewall Subnet route table then forwards it to the Internet Gateway. This symmetric routing on each route table is required. If the workload subnet routed 0.0.0.0/0 straight to the Internet Gateway, replies would bypass the stateful firewall and the flow would be asymmetric.
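The following is an added example, not code from the original page or from the cloud provider, that models the three route tables above and traces both directions of the flow, then checks that the return path does not bypass the firewall. The firewall's forwarding IP (10.10.1.10) and the internet client address (203.0.113.7, a TEST-NET-3 address) are assumptions chosen for the example; the other addresses are the ones on this page. The inbound trace starts at the Internet Gateway route table with the VM's private IP, reflecting the public-to-private mapping described in step 1.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology using the addresses on this page. The firewall forwarding
# IP (10.10.1.10) and the internet client (203.0.113.7) are assumptions.
VCN_CIDR = ipaddress.ip_network("10.10.0.0/16")
VM_IP = ipaddress.ip_address("10.10.0.10")
FIREWALL_IP = ipaddress.ip_address("10.10.1.10")
INTERNET_CLIENT = ipaddress.ip_address("203.0.113.7")


@dataclass(frozen=True)
class Rule:
    destination: ipaddress.IPv4Network
    target: str  # "FIREWALL" (firewall private IP), "IGW" (Internet Gateway) or "LOCAL"


class RouteTable:
    def __init__(self, name, rules):
        self.name = name
        self.rules = rules

    def lookup(self, dst):
        """Longest-prefix match; VCN-internal traffic with no explicit rule is delivered locally."""
        matches = [r for r in self.rules if dst in r.destination]
        if matches:
            return max(matches, key=lambda r: r.destination.prefixlen).target
        return "LOCAL" if dst in VCN_CIDR else None


def rule(cidr, target):
    return Rule(ipaddress.ip_network(cidr), target)


def build_tables(workload_default_target):
    """Return (igw_rt, firewall_rt, workload_rt).

    workload_default_target is where the Secured Public Subnet sends 0.0.0.0/0:
    "FIREWALL" keeps the return path symmetric, "IGW" bypasses inspection.
    """
    igw_rt = RouteTable("internet-gateway-rt", [rule("10.10.0.0/24", "FIREWALL")])
    firewall_rt = RouteTable("firewall-subnet-rt", [
        rule("10.10.0.0/24", "LOCAL"),  # inspected inbound traffic delivered to the workload subnet
        rule("0.0.0.0/0", "IGW"),       # inspected return traffic sent out to the internet
    ])
    workload_rt = RouteTable("secured-public-subnet-rt", [rule("0.0.0.0/0", workload_default_target)])
    return igw_rt, firewall_rt, workload_rt


def trace(start_rt, dst, next_table):
    """Follow a packet toward dst starting at start_rt and return the ordered list of targets hit.

    next_table maps a target to the route table consulted after that hop; a target
    with no entry means the packet is delivered or leaves the VCN.
    """
    hops, rt = [], start_rt
    for _ in range(5):  # bounded so a misconfigured table cannot loop forever
        target = rt.lookup(dst)
        if target is None:
            hops.append("BLACKHOLE")  # no matching rule: the packet is dropped
            return hops
        hops.append(target)
        rt = next_table.get(target)
        if rt is None:
            return hops
    hops.append("LOOP")
    return hops


def evaluate(workload_default_target):
    """Trace inbound and return paths and report whether both traverse the firewall."""
    igw_rt, firewall_rt, workload_rt = build_tables(workload_default_target)
    # Inbound: the Internet Gateway maps the VM's public IP to 10.10.0.10 and then
    # applies its route table, so the trace starts there with the private address.
    inbound = trace(igw_rt, VM_IP, {"FIREWALL": firewall_rt})
    # Return: the workload subnet's route table decides whether the reply is inspected.
    ret = trace(workload_rt, INTERNET_CLIENT, {"FIREWALL": firewall_rt})
    symmetric = "FIREWALL" in inbound and "FIREWALL" in ret
    return {"inbound": inbound, "return": ret, "symmetric": symmetric}


if __name__ == "__main__":
    for target in ("FIREWALL", "IGW"):
        print(f"workload 0.0.0.0/0 -> {target}: {evaluate(target)}")
```

Running the block prints the correct configuration as `inbound: FIREWALL, LOCAL` and `return: FIREWALL, IGW`, and flags the variant whose workload subnet routes 0.0.0.0/0 directly to the Internet Gateway as asymmetric, since its return path never reaches the firewall.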