The image shows an Oracle Cloud Infrastructure (OCI) region with a public subnet and a private subnet. OCI API Gateway is in the public subnet, while the custom web application hosted on a virtual machine (VM) is in the private subnet.

Users access the web application over the internet by sending requests to OCI API Gateway. OCI API Gateway sends a request to the identity provider (Oracle Cloud Infrastructure Identity and Access Management) to authenticate the user. If the user is successfully authenticated, OCI API Gateway then communicates with the custom web app to return the requested resource.

Users on the internet may also authenticate with a third-party identity provider such as Okta or Microsoft Active Directory. The third-party identity provider exchanges codes and tokens with OCI API Gateway to authenticate the user before the requested resource is returned.

On-premises, Amazon Web Services, and Microsoft Azure implementations follow a similar data flow. On-premises implementations use OCI FastConnect, Amazon Web Services implementations use Megaport, and Microsoft Azure implementations use Interconnect to communicate with the OCI region before returning the requested resource to OCI API Gateway.