The image shows an on-premises or third-party cloud zone with two groups (application servers and management agent, and management agent and database servers). Both groups send data over HTTPS, via Oracle Enterprise Manager using a management gateway, to a customer proxy with security lists (note that service IP addresses must be allowed).

The customer proxy then connects bi-directionally to an OCI region over the internet using IPSec tunnels 1 and 2 and a VPN head. These two paths connect to OCI Object Storage in the OCI region, which sends data via EM bridge to an Oracle services network. That network contains an Observability and Management group with OCI Ops Insights and a data store, which is accessed by customer-managed keys.