This image shows the north-south outbound traffic flow from a public VM in a Secured Public Subnet to Internet via Network Firewall through NAT gateway. It includes one Secure VCN but similarly you can have multiple secured VCNs.

Secured VCN (10.10.0.0/16) includes the following components:

• Firewall Subnet (10.10.1.0/24) which includes a Network Firewall and Firewall IP address to it. Ensure that the Firewall Subnet is in a public subnet since we are protecting public subnet workloads. You can still use the same Firewall to protect east-west, north-south traffic, but if you are protecting public workloads and want to use internet gateway ingress routing capability, you must deploy the Firewall in a public subnet.
• Secured Private Subnet (10.10.0.0/24) which includes application workloads. We have a VM available in this subnet with 10.10.0.10 private IP.
• NAT Gateway to support egress internet connection.
• Route tables are associated to firewall subnet, secured private subnet and NAT gateway ensuring that the traffic is routed via Network Firewall.

North-south traffic flow from the virtual machine to internet using NAT Gateway is as follows:

1. Traffic that moves from the workload VM (10.10.0.10) to internet destination (8.8.8.8) is routed through Secured Subnet Route Table (destination 0.0.0.0/0).
2. Traffic from Secured Subnet Route Table goes to IP address of Network Firewall based on the internet destination.
3. Firewall inspects and protects the traffic as per firewall policy. Once inspected and protected, traffic exits from Firewall IP Address through Firewall Subnet Route Table (destination 0.0.0.0/0).
4. Firewall Subnet route table sends the traffic to NAT Gateway and internet destination.
5. Return traffic comes from internet to NAT gateway and will follow the same path since we have symmetric routing in place on each route table.