The image depicts the flow of outbound traffic from OCI VMs to the Oracle Services Network (OSN). All VMs in OCI will use Palo Alto’s SNAT and OCI gervice gateway to access OSN. Palo Alto’s SNAT is needed to make the return path symmetric. On the Oracle Services Network, if you need to whitelist the VCN, it will be the Hub VCN ranges.

The image shows an OCI Region that includes two VCNs and an Oracle Services Network containing OCI Object Storage.

The first VCN contains these public subnets:

hub-tok-publiclb-01-sn containing app2-ext-nlb01 and app1-ext-nlb01
hub-tok-shared-01-sn
hub-tok-inbound-01-sn
hub-tok-untrust-01-sn
hub-tok-trust-01-sn containing Trust NLB
hub-tok-mgmt-01-sn containing Active/Active firewall cluster

The first VCN connects to the internet via NAT gateway and internet gateway, Oracle Services Network via service gateway and on-premises setup with VCN Attachement RT via DRG using FastConnect and Site-to-Site VPN.

The second VCN contains these subnets:

spoke1-prd-tok-web-sn containing web01
spoke1-prd-tok-app-sn
spoke1-prd-tok-db-sn

The second VPN connects to the on-premises setup via DRG using FastConnect and Site-to-Site VPN.

The detailed flow on each hop is described in the text following the image.