The image depicts the flow of outbound internet traffic from OCI. All the VMs in OCI will use Palo Alto's SNAT and OCI NAT gateway to access the internet. Palo Alto’s SNAT is needed to make the return path symmetric. The outbound public IP address will be the IP address of the NAT gateway.

The image shows an OCI Region that includes two VCNs and an Oracle Services Network containing OCI Object Storage.

The first VCN contains these public subnets:

hub-tok-publiclb-01-sn containing app2-ext-nlb01 and app1-ext-nlb01
hub-tok-shared-01-sn
hub-tok-inbound-01-sn
hub-tok-untrust-01-sn
hub-tok-trust-01-sn containing Trust NLB
hub-tok-mgmt-01-sn containing Active/Active firewall cluster

The first VCN connects to the internet via NAT gateway and internet gateway, Oracle Services Network via service gateway and on-premises setup with VCN Attachement RT via DRG using FastConnect and Site-to-Site VPN.

The second VCN contains these subnets:

spoke1-prd-tok-web-sn containing web01
spoke1-prd-tok-app-sn
spoke1-prd-tok-db-sn

The second VPN connects to the on-premises setup via DRG using FastConnect and Site-to-Site VPN.

The detailed flow on each hop is described in the text following the image.