This image shows a network architecture in which the public-facing and private resources are isolated in separate subnets, 10.0.1.0/24 and 10.0.2.0/24 within the VCN 10.0.0.0/16.

• Traffic between 10.0.1.0/24 and the internet flows through an internet gateway. A routing rule directs traffic destined for the public internet through the internet gateway. A stateful security rule allows ingress traffic from any host to port 80. Another stateful security rule allows TCP/1521 egress traffic to 10.0.2.0/24.
• The resources in 10.0.2.0/24 have no direct connectivity to the public internet. A routing rule directs outbound traffic to the NAT gateway, service gateway, or dynamic routing gateway (DRG). A stateful security rule allows TCP/1521 ingress traffic from 10.0.1.0/24.