This image shows an Oracle Cloud Infrastructure (OCI) region with 1 availability domain, 1 virtual cloud network (VCN), and 4 subnets.

The VCN provides the following gateways:

• Internet gateway: Provides communications between public subnets and remote users over the internet. In this case, all incoming traffic comes through a web application firewall (WAF).
• Dynamic routing gateway (DRG): Provides private connectivity from on-premises admins, applications, and databases to VCNs by using Site-to-Site VPN .
• Service gateway: VCNs communicate with services such as object storage over the Oracle network fabric without traversing the internet.
• API Gateway: Enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose to the public internet if required. In this case, it provides API access to the Oracle Retail Merchandising SaaS Cloud.

The VCN provides the following subnets, each with their own security list and route table.

• Bastion public subnet: A bastion host and a load balancer handle incoming public traffic.
• App private subnet: Contains integrations, Oracle Rest Data Services (ORDS), custom services, and custom reports, extension apps, and cross-reference apps.
• Database private subnet: Provides Oracle Autonomous Data Warehouse which includes the DAS replica for read access to custom services in the App subnet and other schema which provide read/write access to ORDS.
• GoldeGate private subnet: Provides Oracle Cloud Infrastructure GoldenGate which interfaces between the database subnet and GoldenGate Marketplace in the Oracle Retail SaaS Cloud.

The Oracle Retail SaaS Cloud includes an Autonomous Database instance that includes the RMS database and the original DAS. RMS apps in the SaaS cloud interface with the app private subnet by using the API gateway.