This image shows the Subnet-A to OCI Services traffic flow from a VM in a Secured Private Subnet to OSN services via the Network Firewall. It includes one secured VCN, but the same design applies when you have multiple secured VCNs.

Secured VCN-A (10.10.0.0/16) includes the following components:
  • Firewall Subnet (10.10.1.0/24), which contains the Network Firewall and the IP address associated with it.
  • Secured Private Subnet (10.10.0.0/24), which hosts the application workloads. A VM in this subnet has the private IP address 10.10.0.10.
  • Service Gateway to support OSN services, with a route table attached to the gateway. The service gateway provides access from a VCN to other services, such as OCI Object Storage. Traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.
  • Route tables associated with the Firewall Subnet, the Secured Private Subnet and the service gateway, ensuring that the traffic is routed via the Network Firewall.
North-south traffic flow from the virtual machine in the Secured Private Subnet to the on-premises VM:
  1. Traffic from the workload VM (10.10.0.10) to an OSN address is matched by the Secured Subnet Route Table (destination: OSN CIDRs).
  2. The Secured Subnet Route Table forwards the traffic to the IP address of the Network Firewall, based on the OSN destination.
  3. The firewall inspects and protects the traffic according to the firewall policy. Once inspected and protected, the traffic leaves from the firewall IP address and is matched by the Firewall Subnet Route Table (destination: OSN services).
  4. The Firewall Subnet Route Table sends the traffic to the Service Gateway, which delivers it to the Object Storage service.
  5. Return traffic from Object Storage arrives at the Service Gateway and follows the same path in reverse, because symmetric routing is configured on each route table.
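The three route tables the steps above describe, written as Terraform for the OCI provider. This is an added example, not code from the original page or from Oracle; it assumes the VCN (oci_core_vcn.vcn_a), the Firewall Subnet (oci_core_subnet.firewall), the Network Firewall (oci_network_firewall_network_firewall.fw) and var.compartment_ocid are declared elsewhere, and that each subnet is attached to its table through the subnet's route_table_id.

```hcl
# OSN service CIDR used as the SERVICE_CIDR_BLOCK destination in both tables.
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}
# Private-IP OCID of the firewall's forwarding address (the route target).
data "oci_core_private_ips" "fw" {
  ip_address = oci_network_firewall_network_firewall.fw.ipv4address
  subnet_id  = oci_core_subnet.firewall.id
}
# Steps 1-2: Secured Private Subnet sends OSN-bound traffic to the firewall.
resource "oci_core_route_table" "secured_private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn_a.id
  route_rules {
    destination       = data.oci_core_services.osn.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = data.oci_core_private_ips.fw.private_ips[0].id
  }
}
# Steps 3-4: Firewall Subnet forwards inspected traffic to the Service Gateway.
resource "oci_core_route_table" "firewall" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn_a.id
  route_rules {
    destination       = data.oci_core_services.osn.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}
# Step 5: gateway route table returns workload-subnet traffic via the firewall.
resource "oci_core_route_table" "service_gateway" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn_a.id
  route_rules {
    destination       = "10.10.0.0/24"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = data.oci_core_private_ips.fw.private_ips[0].id
  }
}
resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn_a.id
  route_table_id = oci_core_route_table.service_gateway.id
  services {
    service_id = data.oci_core_services.osn.services[0].id
  }
}
```

Without the route table on the service gateway, return traffic from Object Storage would be delivered straight to 10.10.0.10 and bypass inspection, so the third table is what makes the path symmetric.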