This image shows the north-south outbound traffic flow from a VM in a Secured Private Subnet to an on-premises VM via the Network Firewall. It shows a single Secured VCN, but the same pattern applies when you have multiple secured VCNs.

Secured VCN-A (10.10.0.0/16) includes the following components:
  • Firewall Subnet (10.10.1.0/24), which contains the Network Firewall and the private IP address assigned to it. Keep the Firewall Subnet private, since it is protecting private subnet workloads.
  • Secured Private Subnet (10.10.0.0/24), which contains the application workloads. In this example a VM in this subnet has the private IP address 10.10.0.10.
  • Dynamic Routing Gateway (DRG), which provides on-premises connectivity to the Secured VCN via FastConnect and/or Site-to-Site VPN. The DRG has an attachment to the Secured VCN, and a VCN ingress route table is associated with that attachment.
  • Route tables associated with the Firewall Subnet, the Secured Private Subnet and the DRG attachment (the VCN ingress route table), ensuring that traffic in both directions is routed via the Network Firewall.
North-south traffic flow from the virtual machine in the Secured Private Subnet to the on-premises VM:
  1. Traffic from the workload VM (10.10.0.10) to the on-premises destination (172.16.10.10) is evaluated against the Secured Subnet Route Table, which has a rule for destination 172.16.10.0/24.
  2. That rule sends the traffic to the private IP address of the Network Firewall, which is the route target for the on-premises destination.
  3. The firewall inspects and protects the traffic according to the Firewall Policy. After inspection, the traffic leaves the firewall's IP address and is evaluated against the Firewall Subnet Route Table (destination 172.16.10.0/24).
  4. The Firewall Subnet Route Table sends the traffic to the DRG, which forwards it to the on-premises destination.
  5. Return traffic from on-premises arrives at the DRG; the VCN ingress route table on the DRG attachment sends it to the firewall's IP address, so it follows the same path in reverse. Routing must be symmetric across all three route tables so the firewall sees both directions of every connection; if the ingress rule is missing, return traffic is delivered straight to the workload VM and bypasses inspection.
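The following is an added example, not configuration from the page or from Oracle: a small route-table simulator that encodes the three route tables described above, traces the forward and return path between the workload VM and the on-premises VM, and checks that both directions cross the Network Firewall. The VCN, subnet and on-premises prefixes and the VM addresses are the page's; the firewall forwarding IP 10.10.1.10, the table names and the target-type labels are assumptions made for the example. A second table set with the DRG ingress rule left out shows how the checker catches asymmetric routing.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Prefixes from the page; FIREWALL_IP is an assumed address inside the Firewall Subnet.
VCN_CIDR = ipaddress.ip_network("10.10.0.0/16")
SECURED_SUBNET = ipaddress.ip_network("10.10.0.0/24")
ONPREM_CIDR = ipaddress.ip_network("172.16.10.0/24")
FIREWALL_IP = "10.10.1.10"  # hypothetical private IP of the Network Firewall

# A route rule is (destination CIDR, target type, target). Target types are
# illustrative labels: "PRIVATE_IP" (the firewall's IP) or "DRG".
Rule = Tuple[str, str, str]

# Constructed route tables wired the way the page describes them.
SYMMETRIC_TABLES: Dict[str, List[Rule]] = {
    "secured_subnet_rt":  [("172.16.10.0/24", "PRIVATE_IP", FIREWALL_IP)],
    "firewall_subnet_rt": [("172.16.10.0/24", "DRG", "drg")],
    # VCN ingress route table on the DRG attachment: steer returning traffic to the firewall
    "drg_ingress_rt":     [("10.10.0.0/24", "PRIVATE_IP", FIREWALL_IP)],
}

# Same tables with the DRG ingress rule forgotten (a common misconfiguration).
ASYMMETRIC_TABLES: Dict[str, List[Rule]] = {**SYMMETRIC_TABLES, "drg_ingress_rt": []}


def lookup(table: List[Rule], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match over one route table; None means no rule matched."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str, str]] = None
    for cidr, ttype, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ttype, target)
    return None if best is None else (best[1], best[2])


def trace(tables: Dict[str, List[Rule]], src: str, dst: str) -> List[str]:
    """Return the hops a packet from src to dst traverses, ending in 'dst ...' or 'dropped'."""
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    hops = [f"src {src}"]
    if src_addr in SECURED_SUBNET:
        table = "secured_subnet_rt"          # workload VM: its subnet route table
    elif src_addr in ONPREM_CIDR:
        hops.append("drg")                   # on-prem: enters via the DRG attachment
        table = "drg_ingress_rt"
    else:
        raise ValueError(f"unknown source {src}")
    for _ in range(6):                       # loop guard against circular rules
        hit = lookup(tables[table], dst)
        if hit is None:
            # No rule: addresses inside the VCN are delivered locally, others are undeliverable.
            hops.append(f"dst {dst}" if dst_addr in VCN_CIDR else "dropped")
            return hops
        ttype, target = hit
        if ttype == "PRIVATE_IP":
            hops.append(f"firewall {target}")
            table = "firewall_subnet_rt"     # after inspection, the firewall subnet table applies
        elif ttype == "DRG":
            hops.append("drg")
            hops.append(f"dst {dst}" if dst_addr in ONPREM_CIDR else "dropped")
            return hops
    hops.append("loop")
    return hops


def is_symmetric(tables: Dict[str, List[Rule]], a: str, b: str) -> bool:
    """True when a->b and b->a both reach their destination, both cross the firewall,
    and the return path is the exact reverse of the forward path."""
    fwd = trace(tables, a, b)
    rev = trace(tables, b, a)
    if not (fwd[-1].startswith("dst") and rev[-1].startswith("dst")):
        return False
    transit_fwd, transit_rev = fwd[1:-1], rev[1:-1]
    crosses_fw = (any(h.startswith("firewall") for h in transit_fwd)
                  and any(h.startswith("firewall") for h in transit_rev))
    return crosses_fw and transit_fwd == list(reversed(transit_rev))


if __name__ == "__main__":
    for name, tables in (("symmetric", SYMMETRIC_TABLES), ("asymmetric", ASYMMETRIC_TABLES)):
        print(name, "forward:", " -> ".join(trace(tables, "10.10.0.10", "172.16.10.10")))
        print(name, "return: ", " -> ".join(trace(tables, "172.16.10.10", "10.10.0.10")))
        print(name, "symmetric through firewall:", is_symmetric(tables, "10.10.0.10", "172.16.10.10"))
```

Running the script prints the forward path VM -> firewall -> DRG -> on-prem and the return path on-prem -> DRG -> firewall -> VM for the correct tables; with the ingress rule removed the return path goes DRG -> VM directly and the symmetry check fails, which is exactly the case where a stateful firewall never sees the reply half of the connection.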