The image shows a secure architecture within an Oracle Cloud Infrastructure (OCI) tenancy, organized by compartments and network segregation to enable secure operations.
The Tenancy (Root Compartment) includes administrative and governance components: a tag namespace, auditing capability, Clean Room Admins, Vault Admins, a dynamic group, and a root-level IAM policy. Additional elements include policies for Clean Room Admins, Vault Admins, and dynamic groups, along with a scripts bucket for the Clean Room Architecture (CRA). Below the tenancy, a Parent compartment holds the two secure environments, Safe Room and Vault.
The Safe Room environment contains a virtual cloud network (VCN) and a subnet with the address range 192.168.1.0/24, which is marked as not currently used.
The Vault environment has its own VCN and a subnet with the address range 10.01.0.0/24. Within this environment there are several resources: an orchestration server, one or more worker nodes, and file storage with one mount target per availability domain when file storage protection is enabled.
Also included in the Vault environment are several services and security features: Cloud Guard Security Zone, an OCI Queue, a Bastion service for secure access, a logging group, a service gateway, an immutable object storage bucket, OCI notifications, and Cloud Guard detector recipes.
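The segregation shown in the diagram only holds if the IAM policies attached to the Tenancy, Parent, Safe Room and Vault compartments actually pin each principal to its own compartment. The following policy linter is an added example and is not code from the original architecture or from Oracle; it parses statements in the standard OCI policy grammar (`Allow <subject> to <verb> <resource-type> in <scope>`) and flags grants that break the layout described above. The group, dynamic-group and compartment-path names (`VaultAdmins`, `CleanRoomAdmins`, `CRAWorkers`, `Parent:Vault`, `Parent:SafeRoom`), the list of acceptable tenancy-wide grants, and the sample policy statements are all constructed assumptions for this example.

```python
"""Lint OCI IAM policy statements against an assumed compartment layout.

Added example, not part of the original architecture. Principal and
compartment names below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Subset of the OCI policy statement grammar:
#   Allow <group|dynamic-group|service|any-user> [<name>] to <verb> <resource-type>
#         in <tenancy|compartment [<path>]> [where <condition>]
STATEMENT = re.compile(
    r"^Allow\s+(?P<kind>group|dynamic-group|service|any-user)"
    r"(?:\s+(?P<subject>[\w.\-]+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)"
    r"\s+in\s+(?P<scope_kind>tenancy|compartment)"
    r"(?:\s+(?P<scope>[\w:\-]+))?"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# Assumed segregation model: each principal is pinned to one compartment path
# (child compartments, written with a colon, are inside that path).
PRINCIPAL_SCOPE = {
    ("group", "VaultAdmins"): "Parent:Vault",
    ("group", "CleanRoomAdmins"): "Parent:SafeRoom",
    ("dynamic-group", "CRAWorkers"): "Parent:Vault",
}

# Tenancy-wide grants accepted in the root-level policy (assumption for the
# example): read-only visibility plus use of the shared tag namespace.
TENANCY_OK = {
    ("read", "audit-events"),
    ("use", "tag-namespaces"),
    ("inspect", "compartments"),
}


@dataclass
class Finding:
    statement: str
    reason: str


def lint(statements):
    """Return one Finding per statement that violates the assumed layout."""
    findings = []
    for raw in statements:
        s = raw.strip()
        m = STATEMENT.match(s)
        if not m:
            findings.append(Finding(s, "does not parse as an OCI policy statement"))
            continue
        kind = m["kind"].lower()
        subject = m["subject"]
        verb = m["verb"].lower()
        resource = m["resource"].lower()
        scope_kind = m["scope_kind"].lower()
        scope = m["scope"] or ""

        # Rule 1: no blanket administrative grants anywhere.
        if verb == "manage" and resource == "all-resources":
            findings.append(Finding(s, "blanket 'manage all-resources' grant"))
            continue

        # Rule 2: tenancy-wide statements are limited to the read/use allowlist.
        if scope_kind == "tenancy":
            if (verb, resource) not in TENANCY_OK:
                findings.append(Finding(
                    s, f"tenancy-wide '{verb} {resource}' should be scoped to a compartment"))
            continue

        # Rule 3: every compartment-scoped grant stays inside the principal's
        # pinned compartment path.
        expected = PRINCIPAL_SCOPE.get((kind, subject))
        if expected is None:
            findings.append(Finding(s, f"unknown principal {kind} {subject}"))
        elif scope != expected and not scope.startswith(expected + ":"):
            findings.append(Finding(s, f"{subject} is pinned to {expected}, not {scope}"))

        # Rule 4 (assumed): workload identities consume resources, they do not
        # administer them, so dynamic groups get read/use only.
        if kind == "dynamic-group" and verb == "manage":
            findings.append(Finding(s, "workload identity granted 'manage'; expect read/use"))
    return findings


# Constructed sample policy: five statements that fit the layout and three that
# drift from it.
SAMPLE_POLICY = [
    "Allow group VaultAdmins to manage secret-family in compartment Parent:Vault",
    "Allow group VaultAdmins to manage virtual-network-family in compartment Parent:Vault",
    "Allow group CleanRoomAdmins to manage virtual-network-family in compartment Parent:SafeRoom",
    "Allow dynamic-group CRAWorkers to read objects in compartment Parent:Vault",
    "Allow group VaultAdmins to read audit-events in tenancy",
    "Allow group CleanRoomAdmins to manage all-resources in tenancy",
    "Allow group VaultAdmins to use bastion in compartment Parent:SafeRoom",
    "Allow dynamic-group CRAWorkers to manage buckets in compartment Parent:Vault",
]

if __name__ == "__main__":
    for f in lint(SAMPLE_POLICY):
        print(f"DRIFT: {f.reason}\n    {f.statement}")
```

Running the module prints three drift findings for the sample set: the blanket tenancy grant, the Vault admins reaching into the Safe Room compartment, and the worker dynamic group holding a `manage` verb. The regular expression deliberately ignores `where` conditions, so a statement narrowed by a condition is still judged on its scope and verb; that is the conservative choice for a linter, since conditions are easy to get wrong.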