This image shows the east-west traffic flows from a VM in Subnet-A to a VM in Subnet-B via the Network Firewall. It includes one Secured VCN, but you can similarly have multiple secured VCNs.

Secured VCN-A (10.10.0.0/16) includes the following components:
  • Firewall Subnet (10.10.1.0/24), which contains the Network Firewall and the IP address assigned to it. Ensure that the Firewall Subnet is a private subnet, since we are protecting private subnet workloads.
  • Secured Private Subnet-A (10.10.0.0/24), which contains application workloads. A VM with private IP address 10.10.0.10 is available in this subnet.
  • Secured Private Subnet-B (10.10.2.0/24), which contains application workloads. A VM with private IP address 10.10.2.10 is available in this subnet.
  • Route tables are associated with the Firewall Subnet and the secured private subnets, ensuring that traffic is routed via the Network Firewall.
East-west traffic flow from the Secured Subnet-A VM to the Secured Subnet-B VM:
  1. Traffic from the Secured Subnet-A VM (10.10.0.10) to the Secured Subnet-B VM (10.10.2.10) is routed through the Secured Subnet-A Route Table (destination 10.10.2.0/24).
  2. The Secured Subnet-A Route Table forwards the traffic to the IP address of the Network Firewall, based on the destination (10.10.2.10).
  3. The firewall inspects and protects the traffic according to the firewall policy. Once inspected and protected, the traffic exits from the Firewall IP address through the Firewall Subnet Route Table (destination 10.10.2.0/24).
  4. The Firewall Subnet Route Table delivers the traffic to its destination, the Secured Subnet-B VM/workloads.
  5. Return traffic from the Secured Subnet-B VM goes to the Network Firewall and follows the same path in reverse, since symmetric routing is in place on each route table.
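The following is an added example (not OCI's code or documentation) that models the three route tables above as longest-prefix-match tables and traces both directions of the flow, so you can verify that the return path is symmetric and that no route table lets traffic bypass the firewall. The firewall's private IP (10.10.1.10) is an assumed value, since the page does not state it; "local" stands for the VCN's default intra-VCN delivery.

```python
"""Toy model of the east-west routing described above (constructed example, not OCI's own code)."""
from ipaddress import ip_address, ip_network

FIREWALL_IP = "10.10.1.10"  # assumed private IP of the Network Firewall (not given on the page)

# Subnet CIDRs from the page, keyed by the name of the route table each subnet uses.
SUBNETS = {
    "Secured Private Subnet-A": ip_network("10.10.0.0/24"),
    "Firewall Subnet": ip_network("10.10.1.0/24"),
    "Secured Private Subnet-B": ip_network("10.10.2.0/24"),
}

# Route tables: (destination CIDR, next hop). A private IP as next hop forwards to the firewall;
# "local" means deliver directly within the VCN. Both secured subnets point at the firewall.
ROUTE_TABLES = {
    "Secured Private Subnet-A": [("10.10.2.0/24", FIREWALL_IP)],
    "Secured Private Subnet-B": [("10.10.0.0/24", FIREWALL_IP)],
    "Firewall Subnet": [("10.10.0.0/24", "local"), ("10.10.2.0/24", "local")],
}
# Misconfiguration for contrast: Subnet-B has no rule to the firewall, so return traffic bypasses it.
BYPASS_TABLES = {**ROUTE_TABLES, "Secured Private Subnet-B": []}


def subnet_of(ip):
    """Name of the subnet (and thus route table) that contains ip."""
    addr = ip_address(ip)
    name = next((n for n, net in SUBNETS.items() if addr in net), None)
    if name is None:
        raise ValueError(f"{ip} is not in any modelled subnet")
    return name


def lookup(tables, table_name, dst):
    """Longest-prefix match in one route table; no match falls back to VCN-local delivery."""
    addr, best = ip_address(dst), None
    for cidr, hop in tables.get(table_name, []):
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "local"


def trace(tables, src, dst):
    """Ordered hops a packet takes from src to dst, following each subnet's route table."""
    path, cur = [src], src
    for _ in range(8):  # guard against routing loops (e.g. a rule pointing back at itself)
        hop = lookup(tables, subnet_of(cur), dst)
        cur = dst if hop == "local" else hop
        path.append(cur)
        if cur == dst:
            return path
    raise RuntimeError("routing loop detected")


def inspected(tables, a, b):
    """True if the firewall sits on the path from a to b (step 3 of the flow)."""
    return FIREWALL_IP in trace(tables, a, b)[1:-1]


def is_symmetric(tables, a, b):
    """True if the return path is the forward path reversed (step 5 of the flow)."""
    return trace(tables, a, b) == list(reversed(trace(tables, b, a)))
```

Running `trace(ROUTE_TABLES, "10.10.0.10", "10.10.2.10")` yields the VM, the firewall IP, then the Subnet-B VM; with `BYPASS_TABLES` the return path skips the firewall and `is_symmetric` reports False, which is the condition the route tables in this design are meant to rule out.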