From fc40c4af38d9c387bbeac8eac5e064ca759f97b9 Mon Sep 17 00:00:00 2001 
From: alcampag Date: Mon, 27 Oct 2025 16:27:04 +0100 Subject: [PATCH] oke-rm-1.1.8 --- .../oke/oke-rm/README.md | 4 +- .../oke/oke-rm/infra/infra.zip | Bin 22875 -> 25769 bytes .../oke/oke-rm/infra/local.tf | 21 + .../oke/oke-rm/infra/main.tf | 37 +- .../infra/modules/network/bastion-sl.tf | 51 -- .../oke-rm/infra/modules/network/cp-nsg.tf | 348 +++++-------- .../oke/oke-rm/infra/modules/network/dhcp.tf | 76 +++ .../oke/oke-rm/infra/modules/network/drg.tf | 2 +- .../oke-rm/infra/modules/network/fss-nsg.tf | 108 ++-- .../oke-rm/infra/modules/network/gateways.tf | 23 + .../infra/modules/network/lb-nsg-frontend.tf | 71 +++ .../oke-rm/infra/modules/network/lb-nsg.tf | 133 +++-- .../oke/oke-rm/infra/modules/network/local.tf | 12 +- .../oke-rm/infra/modules/network/output.tf | 8 +- .../oke-rm/infra/modules/network/pod-nsg.tf | 280 ++++------ .../oke-rm/infra/modules/network/routing.tf | 163 +++++- .../infra/modules/network/security-list.tf | 393 ++++++++++++++ .../oke-rm/infra/modules/network/subnet.tf | 53 +- .../oke-rm/infra/modules/network/variable.tf | 21 +- .../oke/oke-rm/infra/modules/network/vcn.tf | 47 -- .../infra/modules/network/worker-nsg.tf | 479 +++++++----------- .../oke/oke-rm/infra/provider.tf | 2 +- .../oke/oke-rm/infra/schema.yaml | 160 ++---- .../oke/oke-rm/infra/variable.tf | 76 +-- .../oke/oke-rm/oke/oke.tf | 2 +- .../oke/oke-rm/oke/oke.zip | Bin 14298 -> 14304 bytes .../oke/oke-rm/oke/provider.tf | 2 +- .../oke/oke-rm/oke/schema.yaml | 2 +- 28 files changed, 1400 insertions(+), 1174 deletions(-) delete mode 100644 app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf create mode 100644 app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf create mode 100644 app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf create mode 100644 app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg-frontend.tf create mode 100644 
app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/security-list.tf
diff --git a/app-dev/devops-and-containers/oke/oke-rm/README.md b/app-dev/devops-and-containers/oke/oke-rm/README.md
index a67e8ec3f..57e397dc4 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/README.md
+++ b/app-dev/devops-and-containers/oke/oke-rm/README.md
@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co * By default, everything is private, but there is the possibility to create public subnets * Be careful when modifying the default values, as inputs are not validated -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.7/infra.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.8/infra.zip) ## Step 2: Create the OKE control plane This stack is used to create the OKE control plane ONLY. -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.7/oke.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.8/oke.zip) Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI, you must add these policies: 
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip index 263a7e621e3907573be28b53118eba6aa129275a..6bf90d212e2cc6cbc6510cb67e845c9ed4ac9718 100644 GIT binary patch literal 25769 zcmc(HbyU^c6EEE*Atln?B_N2jbR*p@-5^MJiF7L|-QC?GBHdk*()rH$y`R5(@T< z_s6?@*ICQE)?G9EvuF0q?AbFTD**|G2?huF0yWju!9f1tz=*)it@L%x8SIT5oDspm zp-#ZTzySX<7?_eGG8inl)SZbz=>Pr2L`qrtFd_Nx-(Wp#EI`-ub+q7smr|${WK7Q1 z%7*ugkdiA$d(ib#>So`L>c(@8j|;8a{YJ;U-&@Xf(Fuyle~?Bj>SNr=I+rH78Cu?Q zR=WHipCS>Gn|z@Q$`{Yi2(0nwXo6DxV1*UarYJT@T7!ytCgiX7T1lOAP8QQh+cjwQ zNEk;YADWv*e0znZd4`WLsGRL=2wf$5O(i0O4W_wj?Y>OmCR%$j{LSkeOiN?e>8%@{!Np`)_p;vaUBiO%N}V$MRUw?s;ugEt@!k z^P-qD#n-fELb`LTC!%mH_8^BpT?|bW$9#3LS<>tDAVKEQVlMRi*8^-C3O0yZHLd*^ z&I=88hOc)5Xy3lDvisyxqT$p1Vc=jrQ4^zm#_(z+;6=05ro~_g;S0*qjn`)xH=C%k z60mUEI@W};fE{0j1Ot=(rIauLQqtCz;un-rP+?@y{yPHG4ZAbZ*TK>^*3r{Bkdl0P zfci2}))OKE2a*yEAKZo*&F4G>HxMG6n3!LdLbMx+XkA31Ef5V`YG`;&f{v<3Y>bww zk5OV!Vn9OLP{%;8MAh2ETW%?l2(V08xHw#-pqBt0$pHNRShk7sedU4$EZaiY)bba) zOk)jly7H{WIo7@avhxBiHu%s`-Vm4Tr&)2itEBt8Q0_HXp};nOp>l+LV2Me|cyWh==&Xy6cU{6XT2iek=hx!;I zX#89NS;IGy*sxU=#kkR7B>_W&CZtXfYsl2loK5dd*i}Yc)7NyS(U{1G4ik?Obtbsm z1aecaSi4DJ3cf*aMvbEk!;NHY4;lO1XP?lbSApAE$>(Z>S&lFL&>y}YVnM{OAmXiQj$1l z??u7jiGBMz#LQhyvCYvl$>a&G>ow}66LYx;-A-D6*p#ReOFQCTrVaGQV*TsY_*Y4K zkdMOWS3s&5JtA$#?i7lqTAHb`gHXt&IAwQgv%r&cr$q zusE34Y1k}v5HTmX467q$mABAGx_8Q0 zG$HsL^582l6%_}L0KW7tt3m-Y4qvYB)#`H|+b2&rnPI3xY0pn(ty*!cZf{_LT1%Gc z52p(O2G#`sJFP{(f7t$p0{{O$Ye4%Qs>JdqLvCSZ;9zcO$M`ctZrasv^8NS6iT#nv zkJ$e&!QavQH?XgJ-M2GnKs)na?3RZ1PFA*NKivaQfFt|<`(qD&q=pA7|LGC#L7Z1=hm` zd%|htEyI_zVJ}&cSbfwgu`0NyDQTgqg?u^7QXKQguFon{5N+VdFayA%!q>ebR?m+P z*ODipOY-Meou?hDhYK$j^=52`+uEEen+I_e& z{H34#Id8uNz%$C;g_3#8rUB5o{F}U6)Sp|deDVi zpR(u277af%DVVniqt4S=;!LCW4MV2Y$)MI8;VX5S@#1Ql6Kb8mi%V81uT8f#jZY8G z6}^vaTBxz_q3TIIKN2w^$6!w2)F3OQjKD`zq&7M-oci#=7i67?(AVp{6m-5q$MT_A zv2wY|awl=*Lw+4csdC5UV0Js&^CT{B+&T`UNuR4PH%oIEqRr|*TZ2&X$>yWgh%k$8-=5zs3$xtkhW}PB~EjaIsTC^fiUaak#N08_9;1} 
z5#lMi3a9`OK;79z`U%`-T$kCy7i6fwo&XNqWO8Mn(>cc5s zTXKBOl|tLcROHs^4Y_60aNVzyV&TUsba2ndqh}uuY3(a?QeILbqYE=|XyGfs2+W8n zMB$Y4&2U!NcwA9sLveRwS%J9tx=f?)0#OH=I$VusApbOb7PU>-7@fDGh=E~<-AeK> zg{g&C=BNoX;qr_)vm;8FwDLK*AAbQcf7`=hE}Porj8)HDd(E`3J!Kh!Q*bfvUKIQa z)eV_>U3x9SsrKZP+n)9FL=5m9jk#30z z?qQAlC2ag4=6;@Hj%YCjo_diQeqXz>O=jc(h0okOt}W-$B=!$6s#OdI=9S2T;E6Ht zCCm%%V>UFw@E+^2>8x=?Y)&L~UDg45HDkV5ctuDW1P2am%Ubm}Pb0xMV)seWi#VO? zHN$LO(=i!H*v#D5a4<7o&Ur7$KaFekgrq)*4>_Brrl_Bzf0=MGMiV_^eACoVya(2x ze0S>~9IwzpS<*K;M^k}ds4O&wFwz?q5EEQ9b*Y4HpZ~d5O89JkwTNMaeMV!)&=PW_ zku-ls$o{isw#{L8uBl0(;#$wM5fRHu?<#4_T9FJQFWsbFc9HBNG>$@93ucqB(bH*D zKWi+@BI_H_~H_;+IlVL#wss~bnP8taR$Q-hOe-7PjlAzvK5|(veyDt zNVys`s$Y#@KY}HyKcczh_Tia$Jwl8qVnwFbO0NuK;Zow3BNp2Pc28}Nzw)}rxrTPj zMmk>8+7K-p`*F)Id@>E$dHM014R7_T6fAxr^FB5(#ugT+^@jxq0~3S- z)tn!9o9y?R^S3ts-_V-rcUY>x===L0_D{6NK-XUP7drC>z02r(oFzQKi~zxm3H8Zc zhWYw)8@`Ilw23Y?y1*my^SKroM=XPVOLX5tBWEVNZ=Hhjfed6B{S{m=MqbWJ6K+}i zV6zzy)rwm-wF^ppDk$cRiZSdeL%u4N&MjU)Z_(}Ob(1Z!H*leJ?W?p3Lv^3lE)7zO z)x7`*N+^Wg`>_K6zz4wZk0|&@WF)_r(BA<0Z^$Ry=zcW(vs0~a{hLVmMguewma>}R zMDyRj#qxEVdW@bkR}}yqEWC~9_fD9Aa|_0m#31n${hgRsW+aU8oom3C0CM%xHN|Lr zei(0}vL4(a9vAjU;_~ErVpK;^y76#g%pWiLd$NW-Z6DG% zQ00Z!7qdQgBgA9yIoKl}eAQd@y(Y@p*_b!HA7mqlcw`vb&k(cInVdU#R1~hBO&-BK zhw&k<^MlV7(xA%`Q1jF+%7S|^J52plFzztfUlBiGoY|P{lce?W3$jd+;)Mp6jb^-_ zIXnGL;7)?h-n>Jf6UYVf^^z1k)+X;>CG<$>sA!d)8A6re)&7mC^UGp=}(Mba${Z zb-WW3hdNW~{pvhPg#Ju*i%;-6Ixk+LKR%I3UYIO|1_EA7%QwxLk0XON+JByix$%*e zZfUe$*yG^U76W{;fjmib-^z6J(*oVWnl;!Y*HWbO;B0M@3X~=C6@Es z-I?e3^8Dw9y9Y#HJNI!slCYbyB2JemTc1XVqO?VLnOZwPjx#cV@4pr(|E!!@pxl7L zB$7h>a)(&mr=0i_hssQ$)6Tj$kFB95kw|#$S&qYs0H;jB3Xxt=5JT^h$&so5^IKK| z&Bu{^3Ma;CqUc`m>Y~aqsnq^MM-h}V+BeUIzp)_F>zX+7Gf$Y}1ZI}#X@tXE;x~$T z5H~ZM&aM@)La1h2zNf0cIJtKnC znFZP;`^uUZ^NYzHsni3c^EE0j`6h8I?G>b-3R;tXd|0Wln}q6fR$*U9M@gTXQb4X< zr1%mmi9E%;u)&@&l7Nnqn>NBiF+nDOCG8td98E%%lWR&rm>KN`qmqEC%lUE>{VGhk z7KZjfZpi5RDOy-Fxy6=!)i_o}_Gx{tSN92l?s7|n05)gJnC6ZgOg}j(yfaO@FFmd% zCh_Fw7VKQNFuWm2Jpyxp_Z8*bb%o0~>MJ<>2g`n$tNMRT=L(Rvi9;t~o^-%-}H 
zs>!8nzj-<$o_F?2fca$p*}PF*fM|e&hKNJ4AAg0hkjI%1h~aUR#3zHqsjUU*Z8-r*S}$U0eOgf0o6}kqlv!t zFI?lbC?H=A2&eP_zs|_gSM5w_{!Y(3(_rCt)!;PiFvY1c%MetXzxvpY^4Ni05nJus6mRx=EQxEl$%$T`r&5tg|-qqVgDchw3->P<&nJP?O5mo+U=^_mGxRrO6JJ87P>1oRbi7E*ErmtcBG_dE7q=gUuM4C?_0U z&2#{Fb^zuySZaE%9nz&#=B%kPw@g345>oLZf#D@q{AHeNJrmt%41MObl0(YVeA*-% zy3zGq#2s;ou#+$;w0`?an$?xMuA!{4!a@Gngey4OJLB4tx>ES%zHvsNGS$GNs}lj@ ztUx$WW%^MFf91vhS|0y~Dv>Iy+*2iBM(%qe?)&w^77!zvTK+1brT_fuf5G|gOHH#G zCd@a(#WnHIT&K*^Lh0#A?F%Bp8ly=tFP=Pbpd;m`nj8>F& zWn({7%0@vm2GOb@z>>zsQYh~;aNrX7*x4=>CpZ1|u>%y*7n=3y0wxwo7;9v+q8qru zkk7*fw-GOkg$ zG=W2!Pp)oOhs=sBGas^iGM6shcvbp|#WAEY zfna(Fo(G9ve&gvf@vKbtqC6QUbh*%{nh#RKBZE2TDbNj%>JJYWErOIPBzhlt-Zq2x zZSO;$pvBKm4mT5a&+}e~lGuOEIqwGNbVxz7g&NdLAgw{JJH3UB{rKSB`m=D~{Q&F$ zLTz^k7zENCM!HXk5Zy3(LW4bIkqSELY_5x3p)#gQR+py}Jd!rBFW06KN>Pi$-X!5Q zS{f~E^TEe_)-XKtCi=MRu!lzX9xnLMgcWZ~aGZYmu|`sGs`=#Dd}}`U%9BZZe4LbZ zJ)=g4EbrD7SSQ}Lly}tHSG6Y zQM{W*@Pr%n0qd(i$c316tu?W$G_fh=?5@<)aZ~Q%NEi)1e2C|LaD%&#pp7>*BU!W3 zHom}}Z=-~tIipm^4qqW}QQ-ZU%q$<}HNo-g+}DNY3*rSbVxN6fEXE`-c7_!4J#(aY z|8qK5xodQ-0WS?&c%Y~AN4+NheT@D0RQ%sKpk$Kw4=Dam4yduNy`ht?i`_5meI@PH z|LlF`J7zP0z4vpv3(oidB)~kR2A8F<`8jJ!;DPc56-k+abeSO4?f$cFN9*NMp{Tt^ z!Lud|1tesA2&~XC3Z^a5SvA2+SPX*0Og{SP1*8_=JP~QEi%bi6e3N%}GFv$3ABv^6 zEW`Hev&+G;k?PzcIvFhr2vRG$gFBSotCMeYa;Cy+_30)fE`9p)mYib1s=WJA%4p;3 z2ig5i=dWQ5B~Hj>9F4=fJ~B7yqIU$bw$TVjvf_inF}^(HCfZ>L3Poc%CZJl9{(P}>7aU3a+5Z` z7x3KO`c-?ZX7g-M(i-*nH&DXR0zPG{_k}v zCPq%Coe0fy;fglUb%b!KJ$n>qu*zIv1tabFWiJk!XG+)kLe|{Z4}O(R=3@IRdn>Q~ zBB?~=Q8oqmhcavU7M_bu@nGtl%3CnU)O%BvL+Ud1zoNoTOPYdIYo^Z*D)&b4A5;d1 z?Gj+*U}Y@w#AzWf6eovMqN@|hjpn(q;g?{`y8h_>HSbt6xlD2?TB2@D%XX-u_KOJf zJ8cJLLjiqh`Ni(!v95ih=$Yg1cFaxmViKaKc!&c=mT1Q9%#w6evd1<35s$mJEwK_mhK)b-jy37+Y%5X@<)RrAIa@h7cDR1{xo>wk)$OF#RF*sg`EiZS z*9XoN+hNpf1|{2Ya}4{9R{V;0oC+=rQ!Y85QPtW^Bkp);w4sBTeVdfeTo+oQPc9KfKfaET*-#GWbnuN=NnXkC--I z(`uRt(|`X0>xFf>W;Ao*bZ6$PZK^!k2Sg?uyL|}Zh!0!C%|8|-UM@H#qeg&{Yu)&^%@988Z5#&Z^3}at(iNq9LR$Eu`+bOoM7+e%rrl8=+dvxe*xkDbgw55*Z7k;yWm=6 
zn1xUUF*83t!!#4~8Sl)a(S40OoY114n$ad)hhmS&{*gtacC*it}w<`>( zGa!sA^%H6KtmIImc+Plgkq~irkVU);!Dne|!Ay-L{T8a3qSUvT-4L?9pJ4|NrN#5r zB4aO+mcevINg8A;1;AGckU$edtY}A=@TrRx%J|yjer;Fy>YP1qz7|AB8q_A#e~Ojs znSIi2W`;y(EXnu5=JByjhb&D7IOSmGlN+ilMqQME%1k;%tD*|!OnLR-5ZORVF*5!5a@lVX5p;fgG>zEuLx$VfUj?3k_6WuMk&Evupyy-c;ZPgC7pLXsRSdW1-9_yK@(^C|s5Q3n zDP|c{-)2T{Dcj;0hEFG4t~_m0q!4P^>!cxRKXFj0Y@l+ak_(S7JEv%AyYMUBJzj;t zoQs!TsMm>;HzON|3)F-2W_SGqC;D&3om^ z)&HFJo42h9ZA@rF`xn9FgtEspfw23J8~w>u*(#*^9P=@^nv*gg(mb@9>Sg-opZgY4 z9fF{c;|U9HHwW^iZu|9XYB2m66je0@y#^mro``(Dqfm{c{oz%|rhU9eQZ2E(^U;dZ zN^Sl`Vpi#$*=3ScS(wr#0gzw6WMW$B;bQW;4od|wjW_H052|@3Bd*)w)4tUxiRB81 zdNUeF<*6k5B#sCSxBgLD@kWSr+p*PnuvOy$@_*zj81|+d5RJLqi^hK3mcNL`{(6W0 z4cU?z-Vexu`Jo>(E9QDYCq!>#Yh`I~Xld|^piEKik9^&(;xie*{cY|WZ9z#3Uk(%` zBBVA16ok+e{Y2wK#O|sgY;nKK1)Jn-!it;+RDo$hEXg-+8?I+ZXbtqT5E6xo8fs9M zo+1ymYhhJCq%#wy(`(?N6}LFN#ecpES>fMutZ@2{iNazJN*=|(X1g5Yl!7ULl+Fs~ zIEjrs&s{pcN`A9I4dv?1TFOIxOCc1SX1a!A*Q@gMUNSMq$&+v2NJ%k$ydupfRLLA? zrzA>DUwlJDMBcetVH66dWkphbGiI($EGj=weE$1)Fl?_Lre`oaw;?rj-#yq7rN8rxRu7Q;A{JZ<2)y1o{GP zgW~wY+mLkYdQ}+a1#4HN320bRDa9_Ji7P)~o6yAddt}E7^Tv^vr^iBXF62VTb_!J0 zDrP@#lTnhNk~#}nctk)@rOWBQ!&zvWGxN!|&BSAgYw0*LdAmk<;!u6YREh=JZ9~1$ zoF!FC{sIc9=&dlr>lFYcPrp|W`J;}|19aqn#m7G?3!oVJAF0c~q4d%}DE-euFC#m< z--KS70A>IF*1sDk5i-Ms*1dm=>2vn^F?wW{m)5Cl)m|B988K>Ks_(lP#V@hGWL9{6 z?q}lRDRH}%z4{Y#(-A(8GjIp5kBrHJmP@xTqu2$*b=6n0O# z%;T6jvvg05gL&?>BpWyutR83TH=>~ZlXx*Rc%#O z>*`p4M@5%Q)sq=?B!P2eC_lq?#as;W6!b5Uoc@AkIN$jmjfXe#;|qs|D@qN<4C(}|`1;Ae->qP3By zQAN8?OeY#;-VbLPnHNo;ensY|eKm|w+5hmyH+vv)-=->ov)s*)k6pd`Hp9Juub@vg zPd*EeEw(3TJA7N&(WG@kepinjLHl*N&oe*G3#;G;`akaJVley-AYs&n0~&t(sN{bUe*8Us z|2IzSk4aLTpSh^tbgTeV|KDpYViZR#SBTKu&Xi@JE0!v%HpX#pW#$mdE5Yf179{or zqYRtAz1p1)XO4gAB-2{X3i%a9&YyLy*Ht+1SW#W-bag_74+1;7_v1o)E*R~ zx7w(}b9*&kd?%lU1q{Eg-BsMm*@sz(j}i#J@#AS`eyq&la@Jmjd@P2&65fX8B1TQq zp^hfaDy*a&ZLuRqdvZ2yK~N!?d*P!-Iotv{VyQUQaB#@Kw{EmCXl{*CUr_h#tB~MX zMe)`{?W$%k$oI9`WinPUI4&gq5`AI#&(*C4ZPcDs@!dW9Oi3T_yfhSvc!{u$SZ|4B 
zJX@^EDwX6>d^$DVo|@=)H*M8vHL)|sn@dj78eSH)WfQt4w*=SsEzHl*b}_agCkyQn z_am~8ma=+Hh(f&@B#@J=rb8lI50+c3vgGFxHcS&~h8t9-J(n8$(?{sA`x8^zYR6v1 z%{LA?VJ14ff{d5!Q*B~gTIeKt#6G^sPJ*vlnkE36$ zn@dt)&6DuK7P7WlXS7t_2HllJzL!6SO&5Ic)x14sw^Zg-;iE#(ZJ)5Bz>D^GNi@dnTDB2k`rn<=1Y+yVE|42x>mj9Kl0HZS-!_V!yF#fXluhB=o_?Qv z=61-N=4T|rp2$)mAFZFq)}BpGUQSz~ryXl52K8{w`dpJp$R*2$8uJkCYpcHls}7*dQt29!DVf5fLdi8Wl5kgif#<-}Nyk z(HZSWh;(Tr!5J!ipLLI(_&VOIkoac^+;88rJT&@}sJ(a^+3GovAX_tkL1+KClNslw zgu_BYr~T{=Uo{fAZa*A!8mFJ{UZogo6YcZSYxf>Eu(|kEvN%Im&g6>!?Ao=@wjKDUx|DlKehL;SMaSVs?S=J#SQq zZtx--c2tviaQ8>fB4^Zz(( z_cR&83xLUzK>sG;i8qI@kiW~Lsba7^>$x15-T*L z_C6mjO6937gb&|c4>KyUv(ijN^Jh}M&HYUGBy>G-#)Yn?^nnmtNLb+F{$nsDQ;`a( zgbHSvMYN*8$D&5XF-@T}Q8kyr;?;SV+)!y$4}A1+HZUw%_}5FxsA-37OON1FH(}4L zM|eZm{EWIhhoD*c3?Ll4Y5+}DkA|ZqYZ}1Tv6o=9=(IECzS>Q6M-0dgvi8Sx1decB zMcEA=2ti9m2I(BcOyauT-a>}grfmmr)h5})HyxB_MKTVH=u-+ON=OHB(;fxbB^s3; z1t=dT8w5!(yvC1#bWFYQ;^=HC^cbut3#J+Q(o3i;b*^NXE6$#=)Nk>0y!geWnt07}BE6Q`^b4LF$w&uI9bLZ8$uu%@0t&m1soLyd^)xD?gJzXeuHV z$T1^Qr4VOdOq{`uJFq+M9F&2_KKBlDt`>j0o`VNInGQ*}nB{S1cJ9jOlD-0;YI`C1 zawbQi-$JH9Wk#eC%QdGtr!T9pSeU&%%SKAV8MSzc0O`!SaF60?eW|1bi5~M5!L&L* z^~^=R~18bgbkX_Z>|EX<041e+&85q;e!WYnMlwn zkg5@kM%LUA#Dlq3yVkatTogr>EUD7#g<^M;Bk_@5Tg$##wLLtnGG2KW5%vsfLA**> zLZ(t2zih5hKy^gY6yJ=5QRP{A`lm<{Ebv!_r%Rb{u_X{K$&1XuCmtj6;&gPLKE)mv zqC4eS6FaPNREw2@V>K)|BZu%Cy2d(1 zZPF0=lhbB3?4~Vuc@Fd08c{|?b27N|of5Qyj{P4c=Gk5)eQx(5(*C?QOe30jrEh#7P^ulrRm^@Sc z9Kk56Wx=r`x|L)B-%`>UFC~S$D|1Rd`AI%Aug|(ch}ZAFU7lpb;rOXh1QSC=3j2!r z34KTqXD7i^O(*##3L{QoqhlNzalrfFHCjtCI#|?7JPoUet|(?3vSd!)z)Nh{-LLQ% zmg5C;U~!>G;?ox0?V{buyy*Pho86j?Ec(+grBwRS4;=LlD;-b|Q5cN$7KjGIbZsGE%YKT|pF z1{{0WP9iW}&vS~XCH}So;pS3RhD_tFYtg<7P3>D@XEPxYJq0rS!Rl6nR~@X6CRh_L zs?&F)dIxSX`yhN`dr306s9KAH=#9dM!gL4RTyX=;(ksp!DCH7;VbQXrS6xHpow{bi zy07z~nANdz~<{!g~vaw^%}Ff<9Y`*5X3oli;`JUO8~)r+PHFtsxOy(lqtV z41c;ia!@Qr8qrM+M;gP7z;1B8Jb{+Qel`O?z~c^!7T@hO?4t7!OhbIIIjx3)fg}9@ zN{z*yd8>G5lo-LJD$&#Xl*_*uGqRN4rXj})Ci|ohv1so&bx*oy#aY>mZ9{6#GC 
zx6aYOVFacP?iU*%0&Ln}Trqeaoc?dXg~i(ulr|zjk;z4{KdMeJ-uv}poVGmDR)^Tu zkfjAf{Vwv$&lR<2sZ|&(N%)75S`eOxxCHu6Qa!CBVDvo_^~#i$QR*%R;zhKn2`oXe@h-vmBrySF=z?uC!%KPbrRv(BBT4U$j4^Dh$_Fe5e{Y z9J3Z$=JDo03$nK)&!@)F1+&}DGZwJ`r#gLN%n3d#4J&LG~5B|gXLoHqaDn@NZ;+K*chV-iID!L(#C z4Y8liIUJy0`A5PK*eFIu?ns^NyP`0%t|Gm7rwOY5X+NU^FXK?MvXX!!0 z*h3x@8X8~6*s*WWgY7L&UKKQr;26o05NMuJ=I!)=Ndm4qLKRF*kv}tC;N6vEA=(8z z7^a@oA>H7|uQCoe?Lm?+&80ky1h!`wh8TyqDY?&1jtw`K1BRSZls{6sypvsBj6NKV ziXy^-(wEA?(1RY_t5 zL+7caC-UHt%Z-5@Z7}glAx@&Y910XxpjfJrL$8Pc(~IrOJcqpwzR2rydx4sWujA(+TF_1=-U_GamPpbBHs+21~` zi$S$^SBcNkQ^ihbhI%h}vm~IjTR$^+mGq&R@=W{2)hsR)>kNePpFiJSQIe1!GtvZ%>1~snPtJy=cv{1s-;(O zFKVBE&Wv4Z5-HGnk%Lp)4y~unpn4fL(iRPG4c=32pqV+740xMg^?hlAg!(PL2Y1Y+ ze>L`Cuk}4{2We9Qp`aAGpN?i`)t4dvL&fk~48M;Vy20Wh>N<)J)3g?eRhvYyHE*dD zO1$KCTwgp-^ymRclNKq#iy|nB(o1s)wf^AfGir?0hmO{=VG^PHatWAojl z%i+zOHsjK8KKJ=a`gzByc&54oG2YVO(oIK+WneEMGZF!b1} zXZ2>ygz3bsX24EP2Bka?{Q9aW>}&Jfki(OJ53}xK?T78#3}hFqIO>%f^|8=?Wqc!{ z`fOaHX8T5>6tXqGt*51yDlC<#sug}Oq?nn<`4%5?b}iz63LOzQsxfaTu1-QGtNT)C zbM{st8?-4e0X?d>qlz@h1I;{%aEV#P3my9*|Rh%RpcHlU~a`l zS`j$ZpUkig-{z3JsSoTnDiu$AkEz|^*s9DelG#n(z{2-j|>}C zQ(HE{v6@Mec6o*)ufaPfytWXlE8OafmI>TFJ(GmPCMV9_;(V}}4zh@E;A7Kpz zh7w$zfpjK4dLeS4fEo=+cw{=PmYHHWI(|f1^&Ca*o)j$M>*n)!En(5quVrj4z}4u` z>sX(&GbMx9U-C13&DM;oL_%Ya;+tA~UirXWy0NZwe9T*wYNAtZC?!U{=zUu2*kA-W zYszWq8!LK#s9BB+D`+IX6qJgFwk2J~mtg2|qd6QmcX1=-qPd1Tc;Dh+WE&Py+=PMx z`U)LJbZs~f_1^Pa93iP;Qt~fvu!*;$tVlFln5xcG6{W2Uet58HjUrt~*C4zxO zrmDmfm;ES~sj}2wtZovI&Kc3R=9r)bUyA!7hD0w6wM(Ler`$vU(v>y$_;59^j<3KD zu?l%u;^IJ1EPtcNkiezU4qigylkjMM;_xtp$1`I^9z4N|<=*t*Za#KV==)0>@$f<5 zRw)t30!$_d&}$L^OspG{v4JBui{HLg1{S^?Wte?<_?URn@xl9d{qs^?dAHlCX!RP$NM}#QrQjnQkIi@{+tdIP3{hUR>Gw~X%&i?oiY$vAw6&W`#^;kIAJPyS z3o_(svZ`VgJ%e1IS*Xf$n#`fDnpHaWN}f|@f~_rz|18cn+`5z^dU-(8m*i^kjX#xC z>s*ll4pyt?6xZY_(r2en5*k{lhmv`xaQvNvMNoHNq*o@S?@)+29*87!+RTSx98bph;oG@*UbJmNe1gOh(J1pF&i_P%kt|}XDEOd92k_vLk)<`5P;bdkVjY@JR8eJA 
ziF8WnR($71qGpn8fx(`zsTgQ3n{!AElkZJ5)_;q|_wG-vFG|c~?@mdD5EiVT&C{}@5jGWv+^#e2v7un>m41*Vrq4}Fy`2X|JfJ0zH{xP2sbS5Ai7~qxvzkiutz<>O5_#ZSFIB;5{ti*k4priUQ z?orDI2Lrt_{u9E$Nq?Zz)L`!s)&z*;S7Xxvs|3#d16?JM80ad|?-9d*zPHN1Nf)?N zKMpqo-OFA6UI5+i)l7f7a{^Wg9F_*UN+7jgt#a2374RGla{c}<;lH8_T;-4B$Iw8~ z@A7v7=zd@2_twXsQ3Z}516?hUD(GtQK&g6Rz=EvyJNaLaI0Nj)kMx0~U_gh&5P;Cn z^cn%s|4#P%s((KX2EYP1gbWnIe^`LbnWVbM;u+vE?SC8oBd@=jJ@XT8zzHRwvrBOA zaf3(wGoW7&DFKiNPKN;n10)YB53+mYozQ*@<{xna4)OpU@qvAh)AI*^2J)*}9sn4? zfhC|YfW$#zklZ7Vi~d^}|9}s$DIT<4{=PI80DOKF`LFxp0Wg45JwRaq$%DeUFO5j- z-@^DuoB+o}9kf;ZzBJST#{EYi2EXXZ2EYLJ$b-TF5(kBGUm6R56z^|N$Uoo%tgZp= zXazMUnO<3d9@ig1{HApkfCE^f1&RYm9~1}qJ*|2}@LL@Jj1{oA613|Q{~jxm$A59_CP%ISp7-SOu7Rx{61#A!mZ5@1gkC!FUpTYd1M-YGm*lY=k14tVb z2k|}H1;oF_@%PyP8@xbUzwXP!hU6y@e$y-nzyWL)1jPYl0E*+jJc`MFkK>>50=9sF zHiz6lCobfF2J@RP5C9fn#}_CTAbn6Q_s@wM;Cc5q=l!3t0(LtTg7iV$S1nSSKSTLN z!vg>Yuq6Z(29P!=jQgtfl=inU{yrOE9Xn`+`+e(p2VnD~)%qKy>;O2x&IeF9Kt7;w z=xEcPt~DFeQ*XvYASKSKLWy)OU~u)ZA>5|BP9r2C3C#r#`H|BMyT z_Jh`R;@sQ4be2Cu`Q1I`uRIIsJ?ax|zXkG77y;`ZK`SEf+p$#kKg0Ol3mrftz&cJ) zkpLNhisZf>(|Ph+B>#{Xurv*{XzhOVMZ@uDFu$%&13&>5LV`j8k_UxyKl%#h`Yn`y z#0gmA0$Tk-bWi;9Pk#dBuPW65cz~5^pm=~>K=IJtx>z8=UoW;;>fU01m+Jiq zZD0-zG&^>Gv8K|1(XPLbZGg#G(8U4?{(7;iviBDIw`fBHQX61kEP(F>aGy(+1OC_l E0p(rbZ2$lO literal 22875 zcmc({WmFZ~^FMqDr9%mklI||)4w3Gb?rtQM2I=lnx;vz#JEa?>QzWG2Ip_YK`@ILR zdcAM{_pr`7Z&)+)*?VTs?1?Qa0R@c?fCc{LDllpQz&@}50)U0JzODtGgOQ^P0ssQ~ z6aoMM{xbleq=*E7(Xj0^Ii1)uIRSo^`WfLn2v9{=78R}&cwu0B9=2h!DH9eWcImaG z1_q(FEqYkix^VUXYg1I)n6c& zDg0=E=s_3%8NrJ@+i-09EnU_)zMSSA7+DDzSPq(RW~M+XUIM?eKNTMhD89C~lz@jG4%F&P_ZDHd%GBm8mAmZUvbt{YjUPm)X0f6_+H;&f!P-Cd^71<>j4vz z@eAgo(4wc|l{&7P(EPilhCC^veVuPk-&x>9Xj3ftiuZiln?`O@9)!qnT#EZ-9+T`S zB-MZf0PsbeSrVBJ<>{QQpK7E{LpslsAB8 z=05qc1gE5ka&vWg9ETv5`ejPf2P^&Iq&HtA5ZWU65~5*HA-)blbWJs+Eo9zE_BR1m zcgw?d00Ji43j`tuJdL5~y{ zbrfmdI@%MCxK8n8%Oo_-yu!{VdP|2ILV5GsxUyGO57qVW@`R;$b-IjeWE7lnxOvG;juq$|wuh^m z0#^NXLHp4)$T5<4szFcasxI!AacX^0+vZl**~{3XquE;Al;W+?czN~&q?@xkdVyk) 
z0KivRaFhC8Hy_?Lsozl3|JN1;G%Y}g64M=v0-a-))&`CihW7M7I>$`A`c3}){&k#u zPvv{;|3~mw^!^L%HU?66u%m)uw=#5awzf0>;TnLBlRv+It-<%yu)+8L&n2bP{{IR8 zXf6Jv`Tu$?K>o~1RpQQC;Qe4NKnr4MM{8wo{FC!m2XE(pPHtag-})09*6onCuB|qk zX*cA_x|KYuBd)X1{w(}#a*k<*_i9`qs#w?Tjm#J z#Cez?k0&E7t-K6c2xV|Jluz!j@8jFj&UpaX8}kK@hp3y-hu14f6cEP}1-W)GYBD)A z*g6AeI_}M&JULq4=`Z8MX1(w*=R}C#j(t%5aZzKX&n1SzJFxO&_STpK?x;44M$g8J zIv16jxeuiQk8H+2FCf9x-nP)U?=~c#bm3<5zu<&SPekO>`!Wp3guq1b@({M9*MwhO zdA}M#Zu9CT+^2g`A)Y2gymh$-_vySDa~kQx@QCO#-Fb1XANjZmwxZ$7z$RX{be}xX z(BYPO#R2`non=MuIfI@gvddNM+x|z%GbNPwjQ&#nuV1<)LHN@me(*!Xu;#STr4ptVdMs7kUBPRn` zT1~L6LtCfIAEZb1uF6JtvrsrGG4ed*ok0!5-QA8UbMNQP*ls2!&f9;ZXS=-gE6vZ!W=oAB~+i{NP7c{cbWFE6>CmmN+ny{ zxa6Ey{-H+nkHxGHO<`~A8V|Id8I7{2uYAxB-MGJn?E1QxC(?zCFI=@IyoWf){>!+H z0aNpry!w@UL~(WO@&OvD9jTpPI2`+R`hw^@O{i4o40UVtMG9i|Ulvr}*ABawdM2BN z*PZhOat}tI7c0;r*b1;{azf7V;Neq$mrfa|(J^@8FR5W`ideI74Hk-{fbGF7;CL!SPvJVQL|~g9votX+DaD$&THKiDJN?)Mi4H zB`J$h#Xi2kF^+t$F`bk81ye-q%n*XWLqwEM)NhN7<@$-mt#8*UT$%t?Dy@ifXDGUHRJAl|?~9=Sqnk%&8!81K z;p5UCM-}JN_PO5}q)Y0A*IqyGi6p;rV2BKT`n4z%{jG?xA12;u6}yWl4|gWKo%_f% za{)b@>Kii2pnqP#GKQg zef$Zx5LwJz;qAFmdzcEv7bsBF!a7?=5_%5+n3o5STE0K`DSqU&{&a?P+Q01r{tF)l zkYH5@#Wa6@9{<3HSvxw|I6C~qf4x-;H~#aImKr^121SVOcgEXEIwLXZCrjabP?2ba z5yTz_{l=v;oih7mfy*b_Kr$9_#&wuuNhu7=Clo@ti9ynl`kWBJGbPuC$pT+uniQce zI5~p5__ZP2A2r3Ijp>O7u}~*X%9=n$A>s=NKRw9Q6lsbyWBdBI1wM}$MH~3xoY}r;vOg9Z6=qvIV13H2dn{ zJ*D!6upG~!!(6n)xiKXaUY{p@KAbp`ATvT)Ph5ajEy?RU>#Ufd zKDvp{5%n+^4ZZys?o2aaUSD7XF|F;Hn^D%}lCp#$tIZdc3uGw!^^lbogMm)klhu`* zmUB3j5Hq@auIFCm0qMhCKK=b{<8B57TuZEz4&ISmPOc?U>hjxJ{=q7OLZ^9{EU-Bt zr%mSZtH;YbyC&{o^e{KOUk-P0cyYo@=x1#^5jPT;axlqWCYfxsB=Kt$yBjI{y;QWF zDnUTJ9I{=bcbNFVzp_I}JG$i#7(po3Ve(ASF)3KXz1Kuc_!dP!E-|c%=cQAtrv4uR}VBy}SxC=~aSX_E&qZ$e*q5Cp25$o%k!%^9@ zqzZnWl4?1^{87->%9SK*9-**yhZY$6GbvKzdQ=#kXVwYc-@G8jCzb`7t6?@f<{zb~ z8(DP)uD3zTJ?JzMyT<#zbgXM^_Zl7#964o8wm%JT&24z^`Ji^^n3e>bGK&8i>@f5@xJQU2AT-$l!7sNX|M&4x^s z?m%}X=*Xl(BuGBSI?9J1p_frO|8PB9Zx(ldoHV|^=t$4*xy0A@JZ%3x-)x9BdFGF} 
zd>U$$6g~CNRp5illyC6e8_^=jI#mjDy2Z7!y~kckRqIXP#)OpD3*WN9u}}%n9HZB4VDV55WUOBe6QANOrBJ9V)IxE`HH(!(uD`BB!d zuc;C*vZzp*tvyuN%esIh3F?7B3a-zUV--Pm`Y3O(M-`^{*p++ak!-YYkm5tmK%GTO zfp1$MR|Qc!$qIc>Y&4t>)^)B8r=Ki~y+FXFG;Y4q6J*)$FiHd*Sn<|L0#SZ>(7)@hXgsq^O&f42A5>F`U{$*zx&+XVJ4`wxoW zNTh#VoO;qy{Xqi9Hv2u~2<+2lTjwG*&VciIR+6*SSw(|9Zisw#*O+ytwz&T81I~To zd3LKXUlvl^Dlg(A67j4+2v((l0Gp}NhO!oV(+(fs75J%7l##rqLobG-`4EkhSFxKG z+V-CI)DuXja9u8WzHmvOQAKz1YtPE^%PT6Ajq7+VC3A(i-8$G3S{_o-mOtjIu=VYa z6PV6ec2Nl$09fY&KY_nLyZ*sP{?;+}U!1|;r?)}Lj6ZW2e@26LKo4(f^|M?6c*1*M zS;~BlAGK*$MKb=Ox{2btIxMN9_XAp_I?{O5xKlGT`nYPnYI!Q}TQ}oV4Dm3j*^X_} z$xiJ3p#it!H088b$xTrr23m~xS%Tpa^yfs{u)($O3|eZ4obf%!cNMW3x;pGIS}D=n z&f#V?ES25QBa|O8*%r<&QFf>YO_#QxaLcP<2S<_Xg`ULRBrpZB`BfI^IBUcQSHD=_ zZg{4;67Dwa{-Aqaq=Elxle6vuAStrPlRdAIXFX01S-kI2H%Vh-u=9wov zjW6!g(2jO;vq$bGe@0bql9!6_yFapG>pR99;#!XLB5qiVJYVh}E0mbnVGfGjJe3y` z>|QT&ndoL!Z_vvS9v+l;0RgiyJXY$wY?A_|$qX;&dmCw=`Nhy`R5y$h6HglEp&BVi zev6T=qaB;&e^gm$W7kT)auM?S!inReugg5$j3}R|eRF)KfJq@%13Q-O{mcNNkM=Bp z)Z0~$$iH9Q#o8j)Q;P^obA(J;?IWYgL*wU=yOHhKP83hX2;&DG7;INpBh@0HH3>vm zQj8)ZaZ9WVXyp|wKdPkaJZX)|Aw7jq$ID|(7ZTMVJ-Pgf@L<#BLydl(*4&{1Yh%;g zY%QTHMV+cLOX_frUr;5JVlj% zn?LXO0f$8QIA`CN!gC1UBs@^1pZ9}dL;Jp;$K2!%`SHPZ*wjTw-s*QF9?TzDo0I;}svN?Ee}y}p zic-OIz$(Y43gSVvV^dYGASH_%+|6`FRTE9H?AjY6;*!REsIOsCM zzFgcg-54~%bsgjIlf@Ddd>o)xSm)WMQTh06$r#XArCdKk1S7!O=wIwWsz3d>_Cc=B zNlC8;ty^nF=jc`|hkJRbpWVjD3IMTw}11STT)>K!JG+U_i zjIL$|Zj#hOsb{tcxC@5lw*1JR=#^}LoZahE)ab3?;C$lZUzJN0>x><%^pf6Lo|uW( z>)zAIZl7Hi*9c7^RpR#v{=rV>b!1k6N(F9ypQ}g<_V{zr!*&z{c!M6{M4uYtHO(h2gv1R zoN)0dFjKmaU&R&OP2Ttmo(d(>(D(CLFiB?5Bq3Imjr^>IM@v2e|pJ@+kOTua% z;v;h>74IhH&0Z?BbLyVIUA8KiJ7Qq0-V=eI8o=jS^wvS-ap!Svj+hH_}m9KjPLb{@Yja%&#Lub z7{z;^yR|-?9~p(NovE&#h2c-GYT6FH|I0^*#E!}|}q!K8=yrC}Bllz3vb@Hpnf`{D+_dZ+&U zh5LC1=}>-KsWZPdfDAnrk@G5XHbDM}h)q~NLPJIXyaudWwnv`MHQhzH3&ig`dq@-XaDw1-jd z8FBAP3}SX*8|S#t3R;Q3Q#f|#IEKm zQu3zY!h^=u)l}KpF|6t7C*E-nW@R(pMfuTTb#2I@2I8=Da`~wB@FOr(Qk)ZZLi-9l 
zuixaBeH4NxzCiwEqX)vMfrds(lXW%ilo}=jq3M>kAi0GLKQ<%C?uN`_gw0MQ7tNl>Cbp3ER&xV6wC9J4Po(rmJ4iOV`OVIIYO$^5LF=e@G#=*TH!$CMdu-kN# zFm)dwMu~B7YqTHCOIoy_*(ovD@Sb!Y-|u*rRz){+YG9obECDa|p7i6YP)ZYYf(u{h z`&Gf70tMxTqaxX3Rt}IE`!g9c8JF(~xr}5JX_qZ-CrPfLc~7I-RUJ1k*-LXO3B2I3iytcttBR^PKSq-E92-Ww zzg#}pGq+Bq&v09)b{-e14ccd#vfZc#U|RPL(6{}S+Wmfc{vo9M=au>|_E`5fT$+)+ z{V!Y^`4cdgmY`uy#E9O#w5fobGmPO#y%&rUY#vNw@};dphR`64Z7;z$T2f2xa^Y#B zoH=c=RTBdg-XS45IY<2UxqZaQP6)JMk)MGe8k3*Z+wG^76iiW8y+&EgXhPi8ag(6fg<`8B+kc4KaQ@EDDg+BovGF6z_+ulOP-v)p^p(=(Tl-j)dE zZBYi5WaJw8PC^<|sxMPPoOwpMBd_g?777V1WYO5P@{Hw+Ub4x#2V#kyE7dKsdz0=!>Bm4Z~ z1J^eWtZzD*R>n+wp|8suR&?y1SmUDfkWWXXDO7}UNwyPLwaWRwr8T)H9{scn<|Z!3 z6(aicS=kPuB&)!!6SSxsdL83422!4YPgXcbaE@Eo@X58DA11^*ect%_gw!Rin4#$m z-Ja`&it0DTnVH|9`=uLi#GsZ*?HBRy0jTOpJ@p!*uX?ACc$x9f$?&8<40pjF%j=BN z6tl6*$y;JMf0Muw#3P;ZH!`f!g$ZIZ6KYwNwR9O2O{`jxFs*(oZ{PmL-_Ph~V>dW= z32W%+Yiy*iSr|h15Nv$*N>0^t*?h_s;Y@+b#RBcaedozb`Y2?# zfAkf0k=NES0y7D!7~t0Ry<+~uDf)Xl`d?TW$9L^qSUOy{ezSH4 z)W$1nHeO$>AX9o;bU|Jbii)Tpil_*KhPT@voY!k{<-KnzX_>{hp@#>Q=MZYe zofMNW!sbL7(qcMT$7Lx4pcs`|dIVZa6cQX)UIh#?3|}^jU{yzV;=LN}>X=!6mikDY z6bUoBqY6^YG=b<{(546?az-M7?;QG>>b#}l+oJXpwe8ucYC z>z9pN$0p%C7^k;8wafASXCmp-Ond&@1}a*9o@0dmupfJe?|s{TucUat)+9C8yY|H4 zVaT-lkuIht)4~v<0ZJC#iPRAStXFvUI2qZ20{U?%l^cGNy-0WkOcx{B^A7THw?5ty z%?rL~k1QPES~%+oxIAlX7h-S)7Yh8AA|}!D)cf>ci=Xx$LL9Oum(QB#kj`$Du7rz~ znTIq(SCuF)YovJ?|B>~=-&@G_0D6H@V4C?aPw@Q~6aV^#^EG6cHGdP#f3X)`-{l{F)cmKXYwuucZAEMUvkv!8ury?B z%$yl8;qU+X6y3)TZ)(u6HAWO}yox1)-}%S>24|G0Om-Lp1RNIT z!i!rOX0nqKaz9zlY(G2Sw#*&zV`;4Y_r4WzY1NehUtZtyw6i3CqftfU07YFFUscwF z5_ZthZ;;ol!loRWj)9e%rM70%^K{l(^uRZk)_-sMoP~u~iYHjs0n)sI@B}~a>6XCk zeV5=QZ!GvPLo=dtNIF#TFb;ID zCJrGl%MZI<&L;$EOT%VzFXL=ohj7}1P9qCt$fq<^^o1%&zqR#IAOXzeWT5--LV zoL7fXngTrL)MBSF{^T>xF9!jy&}*){JY-!YN>X*)(%TM2xx{Fm%_1Ezm%`#P^u>@B zNiW+C(I6AMpwHKd+cL*kJsbC$NWHDRcH`dUPWqT|A@tJJ(2}7XR~fZt$UaFzFu#Tp zV^STh?emTb$ESn_Gc=CMnq496h& zAM9oMrPVYJ``FK9w(X>)34HY0G}RUu$s4t`soH;8r|}B%NYKbM(~=plbVY9XrTVk( zP(D_5?!B+mSr9N>$CGMHqdylH|h9 
zY&0gjeaHh7C19pCQc!7#5}`ifnWrsq6L>AQ-Hu*eUpvm}Wsi|9)9SdUeL|yJmSN5p z5p3yKYLNC~h1`S#C)CDx%kR`q9d`@$I;2py$G|ZF1}}3>llO9JKC8B1aHz1@#Sp4W z+UVUYzeeG;^bZv;SC2of;+B8<N>)b1*HaP9tHBmSYR`&-KKUubs!cNef9 zwboeZ{o?-h8T|gGx&&;kL47r>ZCh7r`E0J(?~l%!>A1Km!#(l5Bhm+sB!s=&ZCkg^ z(R(bmuNlI#Iv=y13w*pdSyc@Aeoc1`(`14kn@*_XyD z!f;CRy)EPi4S=8wQthjtKIX(WxPdxL`m_?ds8h*2o$5Mif-!I7eZ8bfg>A{MP025m zAI+vM=^GXi8mbS}i}AKXX*prohDRV&D9_=ZOHj}Z;uOp0ckw%yna$MO(gw8JlJ>E; zw=tXGwQto0a>ru&#jCfr2Ya4L2Q&o-`wpbdFmCM7m(5CG?I+;tS5FBVhdVV6XFc+# zErJwvctM3P%f$DTG1q5tJ-l*7#c6c+1=3YK-^}*m-VS%Z`V>HA%>Zub-E_#BM_gu1bsZgpXCIP;&N}v0|_Sm(ApUyQk(L>LuwXMYLzxJazNX zX9CL3a0I&9+Y}Xb*I(xd=tHHKns=33GY-E_2*D3} zBBk;ot+bKyl6X;4u?P5d6|^;s@z6x3zZ{RT_z zou}Pja=H#?y!H>idP4ehXR?psnY({ve`DL@%qRcah$M7vx_857A;6E=w&w|D)H{j^ z5v>Z|#8>!{GsA18YeCON$%xtI``Yp>@{KQ7wwK5fRVJV&aqL zQxlm}nH{N)pY=4tK*vtYUdP2Dd{un1F%mt)GdEHy`HXabb-lYEr3vP0b7qOx{dzOt z!|U^IwbCM{AnX*zSChLuvT`Fzy;j22bA7K$#rSj8cU``g5)DTNwR{K=#H7Y;%FH%! z?Qus)e{hP@Y>;wf@u8@K$ohVzS>?S2wvefBzB=aooBb>~+!EppJM>yPB{Z!jgK;R2 zt^Jp4CA?nS)$1+-G9LD0By2RCblKCzlWLV$V6+4qHZ4`i>eXoVEx?adqd9dvnnKPT z>9G+uVy?yLgnDLgY@((dPNUstM$UxEFfl!%Bk6nIDEB0jZ@v5^mq@j`$1*nHXqHer zf%!n(t}9xP1P$e$30~k)fQM~s3OQ54ZV(bIXa8Hdh2F{FWoLAM<^utnu4wgAf&)Su z!QvZTZB2&FH;5bcdQjfJlji52BM&qtIEwc(a6BjdBPrYSms!y$dLzys>#2TGS0sH; zOKEIy;#*Zk!Z4ub&mR3A>K&LZ;@P@7gDShB zGRofR9vK{r9VsG>eK|7HGIFc+Yf9S;b7tIZN2y9T$v2j$jIhc*1{G4Loc+7=g{`V( z%&a+I^ul)0o=x3Aeg$MqpAC{DVYR+m!0=x8fNVe&%K5UkhfwaeUY0%juxa7QLN<-!VAVs_mUbZk@oooe}l7F15-cTkIm&KD&)zB9<=_^jA|_= zh@3;M{>?sZfUh?9;QRfG=EZG@9wDtZgkGY(t_piwn^*5*^YI=#*HgmBdfepN0ciKC zXRaa3%y9GdY`UF$JerIy{Me4X;SO!`czbgCoJq$fCkNmxXH4*vm6VtYoNSxME-S=j z?vbE0BlETU^-#5522Nt}8EbUebF5FI4?%_sETq2*=9;!2prP859Mzi^=$K148B2d< zj`Y>yOQ!P`Ho%6-YcyfsCPmTNEHn~1PV3k~$&UyL@$g|6J8mw+_B-sbQe$Bm(VMbV zQ5{segnlLrhDk;rrMG2AZl}(2l~U1#izQ-}`3}`}X#;RF)6QPsV3!`ATB3c`=t0C< zD&!ei8r6dHJLXwM+|ja;9l|Hn<>wh>7F~8rCXw`pReY7IylLPfv2oj+6oM(e#_Ffe z^6ffQ0cKrVZ@A$FF5P$9?9p>3j6*rP{0%>LBRuBn|jfX?_v>b*wP`m&SchAcXR 
zt@!X=T|5n#;nX93>y-0h_fndYPA%)`7msWN$M+Q(Y#|CiRld zN~`8R$(DPX-UJ|e9Bfs>oFywYQMH_~h*B_Ba_E+4vNKAsp;zFg{rFRYcRInALkos_ zKRU|$Ijgs2JyOc2s+V$3SwxY{^Msa&9HVQ{z0tj6BkZ=O(G-*3X6#Qd#fqgFK^Lc~u$r+>C?m|mi z^xU@N)YTla==iC1;dRqBuR-e2^PD#Q5BFosIZnB`GKb2cMSW^QOLeJlV>}_^N?`#$ zsE{=3^R?_+TAChXoF6iri8654WkPb!D{f{6N06ktA@l31c8iH)ktU|!0mDz7m`&@xit|!NG$tJli0gCOSNS=wKmji z`uu5qwVt%HuIhxfdx}wO2$(b~Rl;^}&9RFxttB_lJO&@o9v3Ga>%+VAIbbhv9Z@0Q5csg^2uujl5}(|>bq%zbh2p|iZG0@TCYv9^(#%@C$ZT|SJ6 z2ODl`l}L$Gu^GFfpM}q1o?`OGVRp!2#0%k9b%oi%dmiEP?-&t_b-^W4RBf1lA*l#~ z+UY<%zOPg8K+@`d@Mvu-y?uA~-h^ZUEv~Q)xtWU+Oe7S!sC^VVBF;h$M15EmjT_X%y|R$t%oFF{Z@46f-v3wXYpFfnZKGPG!|F*c$GEJ8*jaj+<$nMIJ;c?{XYs}0UgTs3Pk`f8V%EIei^awGr!YbIJTn~1&UiTAdK8Wy7TzBpTY zx$iU3$8GlSd)iZ4C=DP+(GtDXdgiGRu)ksansahSiWl!Nl#Rb)65DI#yh3uT*eE8~UXOvD!~7DCIMDf@|BGIZWJ#;hw2jnOqwPewJ%J`+%A z>uZiCTnTQ?=5YDX6MykfG>scif=LAy#*-qxR`8;gWK zEu&G`eOlQJS0tE~fn9!bKrUG@Yk)|x^tFs{E_%d)y{5p#So^}_3pUQzv8e@oCl)U9 zsY)EhG7niy1L3CAr`DtHw6kg+<&+l3fEbw%r>5ztBF6%P%469rPqC2(1&TGY$BA~P zteYi$d7Hy_jI^J;C*dP9ZOB7jGcXQ!z}PaP?QmvLnt>G%)RGi2yFMGq&*VR8)$N0O zCh>5=f1;>xny{8@@A05Q_cERLO6qQZX}0$z6Ac-431@B%bDob3#>u&wLT)5(NZLfb zG@v@m?Uc@P0^8-=c4tR#W?g@b``w7}=;-@|LfE`%&#%vq|UWfJUWi4s_CoH)naBY5jj}i^&Kvz zzNt;k{xE9jtvmXhULhobfSX>{H931$yJ)YtQvKbjos~wkIW6U6UA(pCny`oNE7q7>( ze#}dLUt$()c9n)xhB|$lxRj_7E(J-9dk`j7nh~$D`A2Gyk8}?EH859j4-woVzt`*U zEb=#1{QspzLO`NJ{q=|u`1?Sx04(6e`u{#zUZCHfRuAt1AV3oyvJ!Wxfj`@Wc8A&r zAT_WH`M)6ydRYbh%@vqCgq?tSfS*0C0+bT;1`xQEAY$NBKD&e)Zfzw4XJ~Vuj7Hy z&+-}p(*Kj}pHlyNP94Ys^i&Br1P}{w2o!f%^Z-r%ZxH_E^-ojrKi~!$r3N3eetd^p z4Dhw6?*aXMni@zRG`9{821Fhl49Okx$H>0~^RGC8CXT^pkssaR)PVALAU_*A2EqVM zR)fO;5eJ7sbcc8>>MvpZ3qGKsJ@9e9ySt(B;O`)QKDP&i0UAFBhXEoF4&&}_JOXB( zf1z6ciW8_w5PVb$+zzw6mVlhTSF2ylL;;cf(+N*{XG44+{}Rc+V+9&v0UvI`yu(Tg z`|nVGGQ|Rf0UD43-w+UO@C_lnLpv4smoR>x4QLbrd`JQ34jVnZA3*p;JPgDE8fO8= z0b&4-gX|82geSko@$Yzn`i#LlkngIN9>L$i{G!zuhy^s80FDJj9~{eF)e0o}C6<53 z3S=eVO}2McOOEvKP=3-)`x_Q=SG8=&ehK6E*?{^L!8;l6?glIQ-y!^>Wf2Gi)K&|= 
z8zA~W-;E*4U&8oztU&E-;Eirrca%7u>hDl~6*_|Y7r}vmsDlF`zC+!W=9fVJ4I@x9 z7J9^k17ZOV=We`(%J@q-|C$@9e*?U;XzK*>X&?|#I|n!r5c!`2S$O(OApeRJs9p{3<5_BnV2ofeQ;F_;X?5p4}1lw`ku3 V-q?UozyklgfkAvbkOBbk{{d6q*zf=V
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf
index 10e83d69a..aa2b8390b 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf
@@ -1,4 +1,25 @@
 locals {
 # VCN_NATIVE_CNI internally it is mapped as npn
 cni = var.cni_type == "vcn_native" ? "npn" : var.cni_type
+ vcn_cidr_blocks = [var.vcn_cidr_block]
+ subnets = {
+ cidr = {
+ pod = cidrsubnet(var.vcn_cidr_block, 1, 0) # e.g., "10.1.0.0/17"
+ worker = cidrsubnet(var.vcn_cidr_block, 3, 4) # e.g., "10.1.128.0/19"
+ lb_external = cidrsubnet(var.vcn_cidr_block, 8, 160) # e.g., "10.1.160.0/24"
+ lb_internal = cidrsubnet(var.vcn_cidr_block, 8, 161) # e.g., "10.1.161.0/24"
+ fss = cidrsubnet(var.vcn_cidr_block, 8, 162) # e.g., "10.1.162.0/24"
+ bastion = cidrsubnet(var.vcn_cidr_block, 13, 5216) # e.g., "10.1.163.0/29"
+ cp = cidrsubnet(var.vcn_cidr_block, 13, 5217) # e.g., "10.1.163.8/29"
+ }
+ dns = {
+ pod = "pod"
+ worker = "worker"
+ lb_external = "lbext"
+ lb_internal = "lbint"
+ fss = "fss"
+ bastion = "bastion"
+ cp = "cp"
+ }
+ }
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf
index e0be02ada..0df41e12f 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf
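Review bot: The new `subnets.cidr` map hard-codes newbits/netnum pairs that only fit a /16 `var.vcn_cidr_block`: the example comments (`10.1.163.0/29`, `10.1.163.8/29`) hold at /16, with a longer VCN prefix the 13-newbit `bastion` and `cp` entries shrink to /30 or smaller or make `cidrsubnet` fail at plan time, and with a shorter prefix the offsets still evaluate but land nowhere near what the comments say. The README hunk on this page states that inputs are not validated, so the assumption should at least be written above the map, `# Offsets assume a /16 VCN CIDR; other prefix lengths shift or break these subnets`, and ideally enforced with a `validation` block on `vcn_cidr_block` in variable.tf (outside this hunk), e.g. `condition = tonumber(split("/", var.vcn_cidr_block)[1]) <= 16`. Either way a reader of local.tf alone currently has no way to tell why these particular netnum values were chosen.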
@@ -8,41 +8,44 @@ module "network" {
 create_vcn = var.create_vcn
 vcn_id = var.vcn_id
 vcn_name = var.vcn_name
- vcn_cidr_blocks = var.vcn_cidr_blocks
+ vcn_cidr_blocks = local.vcn_cidr_blocks
 vcn_dns_label = var.vcn_dns_label
 # CP SUBNET
 create_cp_subnet = var.create_cp_subnet
- cp_subnet_cidr = var.cp_subnet_cidr
- cp_subnet_dns_label = var.cp_subnet_dns_label
+ cp_subnet_cidr = local.subnets.cidr.cp
+ cp_subnet_dns_label = local.subnets.dns.cp
 cp_subnet_name = var.cp_subnet_name
 cp_subnet_private = var.cp_subnet_private
 cp_allowed_source_cidr = var.cp_allowed_source_cidr
- # SERVICE SUBNET
- create_service_subnet = var.create_service_subnet
- service_subnet_cidr = var.service_subnet_cidr
- service_subnet_dns_label = var.service_subnet_dns_label
- service_subnet_name = var.service_subnet_name
- service_subnet_private = var.service_subnet_private
+ # LB SUBNETS
+ create_external_lb_subnet = var.create_external_lb_subnet
+ external_lb_cidr = local.subnets.cidr.lb_external
+ external_lb_subnet_dns_label = local.subnets.dns.lb_external
+ external_lb_subnet_name = var.external_lb_subnet_name
+ create_internal_lb_subnet = var.create_internal_lb_subnet
+ internal_lb_cidr = local.subnets.cidr.lb_internal
+ internal_lb_subnet_dns_label = local.subnets.dns.lb_internal
+ internal_lb_subnet_name = var.internal_lb_subnet_name
 # WORKER SUBNET
 create_worker_subnet = var.create_worker_subnet
- worker_subnet_cidr = var.worker_subnet_cidr
- worker_subnet_dns_label = var.worker_subnet_dns_label
+ worker_subnet_cidr = local.subnets.cidr.worker
+ worker_subnet_dns_label = local.subnets.dns.worker
 worker_subnet_name = var.worker_subnet_name
 # POD SUBNET
 create_pod_subnet = var.create_pod_subnet
- pod_subnet_cidr = var.pod_subnet_cidr
- pod_subnet_dns_label = var.pod_subnet_dns_label
+ pod_subnet_cidr = local.subnets.cidr.pod
+ pod_subnet_dns_label = local.subnets.dns.pod
 pod_subnet_name = var.pod_subnet_name
 # BASTION SUBNET
 create_bastion_subnet = var.create_bastion_subnet
- bastion_subnet_cidr = var.bastion_subnet_cidr
- bastion_subnet_dns_label = var.bastion_subnet_dns_label
+ bastion_subnet_cidr = local.subnets.cidr.bastion
+ bastion_subnet_dns_label = local.subnets.dns.bastion
 bastion_subnet_name = var.bastion_subnet_name
 bastion_subnet_private = var.bastion_subnet_private
 # FSS SUBNET
 create_fss = var.create_fss
- fss_subnet_cidr = var.fss_subnet_cidr
- fss_subnet_dns_label = var.fss_subnet_dns_label
+ fss_subnet_cidr = local.subnets.cidr.fss
+ fss_subnet_dns_label = local.subnets.dns.fss
 fss_subnet_name = var.fss_subnet_name
 # GATEWAYS
 create_gateways = var.create_gateways
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf
deleted file mode 100644
index 9bfdee565..000000000
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf
+++ /dev/null
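Review bot: The new `# LB SUBNETS` block passes no public/private switch for either load-balancer subnet, while the removed `service_subnet_private` line shows the previous single service subnet had one; whether `external_lb` ends up public is now decided inside the network module and cannot be seen from this call. A short comment at the top of that block, `# LB subnets take no private/public flag here; their visibility is fixed inside modules/network (presumably subnet.tf)`, would stop readers looking for the old toggle — adjust it to whatever the module actually does. The enclosing `module "network"` block begins before and ends after this hunk.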
@@ -1,51 +0,0 @@ -resource "oci_core_security_list" "bastion_security_list" { - compartment_id = var.network_compartment_id - vcn_id = local.vcn_id - display_name = "bastion-sec-list" - - # Ingress rules and their corresponding egress - ingress_security_rules { - protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow SSH connections to the subnet. Can be deleted if only using OCI Bastion subnet" - tcp_options { - max = 22 - min = 22 - } - } - - egress_security_rules { - destination = "0.0.0.0/0" - destination_type = "CIDR_BLOCK" - protocol = local.tcp_protocol - stateless = true - description = "Allow SSH responses from the subnet" - tcp_options { - source_port_range { - max = 22 - min = 22 - } - } - } - - # Egress rules and their corresponding ingress - egress_security_rules { - destination = var.vcn_cidr_blocks[0] - destination_type = "CIDR_BLOCK" - protocol = "all" - stateless = true - description = "Enable the bastion hosts to reach the entire VCN" - } - - ingress_security_rules { - protocol = "all" - source_type = "CIDR_BLOCK" - source = var.vcn_cidr_blocks[0] - stateless = true - description = "Allow responses from the VCN to the bastion hosts" - } - - count = var.create_bastion_subnet ? 1 : 0 -} diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf index 942cf722e..31f0a9a84 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf 
@@ -1,17 +1,18 @@ resource "oci_core_network_security_group" "cp_nsg" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "cp-nsg" + display_name = "cp" } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1" { +# Worker nodes to control plane - Kubelet communication (port 12250) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_12250_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress to OKE control plane from worker nodes" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress to OKE control plane from worker nodes on port 12250" tcp_options { destination_port_range { max = 12250 @@ -20,14 +21,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_12250_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress to worker nodes from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress to worker nodes from control plane on port 12250" tcp_options { source_port_range { max = 12250 
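Review bot: The rule resources are renamed (e.g. `oke_cp_nsg_ingress_1` → `oke_cp_nsg_worker_kubelet_12250_ingress`) without `moved` blocks, so the next apply destroys every old rule and creates the new one, leaving the control-plane NSG without these rules for the duration of the apply; the same applies to every renamed rule in the later cp-nsg.tf hunks and in fss-nsg.tf. One `moved` block per renamed address keeps the existing state and makes the rename a no-op on the cloud side. Because almost every line in these hunks changes only because of the rename, the real behavioural changes in this file (the 10250 `source_port_range` fix, the stateful external egress, the dropped ICMP rules) are easy to miss and deserve a comment or a line in the commit description. Example for the first renamed rule:
```hcl
moved {
  from = oci_core_network_security_group_security_rule.oke_cp_nsg_ingress_1
  to   = oci_core_network_security_group_security_rule.oke_cp_nsg_worker_kubelet_12250_ingress
}
# … one moved block per renamed rule in cp-nsg.tf and fss-nsg.tf …
```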
@@ -36,14 +37,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1_s } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2" { +# Control plane inter-communication (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_cp_internal_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress for Kubernetes control plane inter-communication" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress for Kubernetes control plane inter-communication on port 6443" tcp_options { source_port_range { max = 6443 @@ -52,14 +54,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2_stateless" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_cp_internal_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress for Kubernetes control plane inter-communication" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress for Kubernetes control plane inter-communication on port 6443" tcp_options { destination_port_range { max = 6443 
@@ -68,14 +70,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2_s } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3" { +# Bastion subnet to control plane - API server (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_bastion_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = var.bastion_subnet_cidr - stateless = true - description = "Allow TCP ingress to kube-apiserver from the bastion subnet" + source_type = "CIDR_BLOCK" + source = var.bastion_subnet_cidr + stateless = true + description = "Allow TCP ingress to kube-apiserver from the bastion subnet on port 6443" tcp_options { destination_port_range { max = 6443 @@ -85,14 +88,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3" count = var.create_bastion_subnet ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_bastion_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.bastion_subnet_cidr - stateless = true - description = "Allow TCP egress to bastion subnet from control plane" + destination_type = "CIDR_BLOCK" + destination = var.bastion_subnet_cidr + stateless = true + description = "Allow TCP egress to bastion subnet from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -102,14 +105,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3_s count = var.create_bastion_subnet ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4" { +# Pods to control plane - Kubelet communication (port 12250) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_kubelet_12250_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP ingress to OKE control plane from pods" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP ingress to OKE control plane from pods on port 12250" tcp_options { destination_port_range { max = 12250 @@ -119,14 +123,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4" count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_kubelet_12250_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP egress to pods from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP egress to pods from control plane on port 12250" tcp_options { source_port_range { max = 12250 
@@ -136,14 +140,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4_s count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5" { +# Pods to control plane - API server (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP ingress to kube-apiserver from pods" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP ingress to kube-apiserver from pods on port 6443" tcp_options { destination_port_range { max = 6443 @@ -153,14 +158,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5" count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP egress to pods from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP egress to pods from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -170,14 +175,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5_s count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6" { +# Worker nodes to control plane - API server (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress to kube-apiserver from worker nodes" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress to kube-apiserver from worker nodes on port 6443" tcp_options { destination_port_range { max = 6443 @@ -186,14 +192,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress to worker nodes from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress to worker nodes from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -202,28 +208,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6_s } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.icmp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ICMP ingress for path discovery from worker nodes" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8" { +# External sources to control plane - API server (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_external_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = var.cp_allowed_source_cidr - stateless = true - description = "Allow ingress traffic from specified sources" + source_type = "CIDR_BLOCK" + source = var.cp_allowed_source_cidr + stateless = true + description = "Allow TCP ingress traffic from specified sources to kube-apiserver on port 6443" tcp_options { destination_port_range { max = 6443 
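Review bot: Removing `oke_cp_nsg_ingress_7` drops the only ICMP type 3 code 4 rule from the worker NSG into the control plane, and the `@@ -280,158 +274,58 @@` hunk further down removes the matching `oke_cp_nsg_egress_6` pair, so Path MTU Discovery messages no longer pass between workers and the control plane through this NSG. The OKE networking requirements list ICMP 3,4 between worker nodes and the control plane, so unless these rules were moved into the new security-list.tf this can black-hole oversized packets instead of triggering fragmentation. If the removal is intentional, a comment at the top of the file such as `# ICMP 3/4 (PMTUD) between workers and control plane is handled in security-list.tf` would record that. The `oke_cp_nsg_external_apiserver_ingress` resource continues past the end of the hunk.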
@@ -232,14 +225,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_external_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.cp_allowed_source_cidr - stateless = true - description = "Allow TCP egress to specified sources from control plane" + destination_type = "CIDR_BLOCK" + destination = var.cp_allowed_source_cidr + stateless = true + description = "Allow TCP egress to specified sources from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -248,30 +241,31 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8_s } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1_stateless_ingress" { +# Control plane to worker nodes - Kubelet (port 10250) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_10250_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress to OKE control plane from worker nodes for Kubelet responses" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress to control plane from worker nodes for Kubelet responses on port 10250" tcp_options { - destination_port_range { + source_port_range { max = 10250 min = 10250 } } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_10250_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress from OKE control plane to Kubelet on worker nodes" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress from control plane to Kubelet on worker nodes on port 10250" tcp_options { destination_port_range { max = 10250 
@@ -280,158 +274,58 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" { } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP ingress from pods to control plane for responses" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP egress from OKE control plane to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3_stateless_ingress" { +# Control plane to pods - general communication +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "SERVICE_CIDR_BLOCK" - source = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP ingress from OCI services to control plane for responses" -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP egress from OKE 
control plane to OCI services" -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress from worker nodes to control plane for responses" - tcp_options { - destination_port_range { - max = 12250 - min = 12250 - } - } + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP ingress from pods to control plane for responses" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress from OKE control plane to worker nodes" - tcp_options { - destination_port_range { - max = 12250 - min = 12250 - } - } + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP egress from control plane to pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5_stateless_ingress" { +# Control plane to OCI services +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_services_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to control plane for responses" - tcp_options { - destination_port_range { - max = 6443 - min = 6443 - } - } -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress for Kubernetes control plane inter-communication" - tcp_options { - destination_port_range { - max = 6443 - min = 6443 - } - } + source_type = "SERVICE_CIDR_BLOCK" + source = local.service_cidr_block + stateless = true + description = "Allow TCP ingress from OCI services to control plane for responses" } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.icmp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ICMP ingress from worker nodes to control plane for responses" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_services_egress" { direction = "EGRESS" 
network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.icmp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ICMP egress for path discovery to worker nodes" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_7_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = var.cp_egress_cidr - stateless = true - description = "Allow TCP ingress from external sources to control plane for responses" - count = local.create_cp_external_traffic_rule ? 1 : 0 + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + stateless = true + description = "Allow TCP egress from control plane to OCI services" } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_7" { +# External traffic communication +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_external_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.cp_egress_cidr - stateless = true - description = "Allow external traffic communication" - count = local.create_cp_external_traffic_rule ? 1 : 0 + destination_type = "CIDR_BLOCK" + destination = var.cp_egress_cidr + stateless = false + description = "Allow external traffic communication" + count = local.create_cp_external_traffic_rule ? 1 : 0 } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf new file mode 100644 index 000000000..b545c9209 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf 
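Review bot: `oke_cp_nsg_external_egress` becomes the only stateful rule (`stateless = false`) in an otherwise stateless NSG, and the stateless any-port ingress from `var.cp_egress_cidr` it previously paired with is removed; that is a tightening, but nothing in the file says so, and a later reader may "restore symmetry" by re-adding the open ingress rule. OCI applies a matching stateless rule in preference to a stateful one, so for destinations that `var.cp_egress_cidr` also covers (the worker NSG, the service CIDR) the existing stateless ingress reply rules are still what admits return traffic and must not be dropped. A comment on the rule would capture both points, e.g. `# Stateful on purpose: replies from var.cp_egress_cidr are admitted by connection tracking instead of an open stateless ingress rule; do not pair this with a stateless ingress`.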
@@ -0,0 +1,76 @@ +resource "oci_core_dhcp_options" "external_lb_dhcp" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.external_lb_subnet_name + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + count = local.create_external_lb_subnet ? 1 : 0 +} + +resource "oci_core_dhcp_options" "internal_lb_dhcp" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.internal_lb_subnet_name + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + count = local.create_internal_lb_subnet ? 1 : 0 +} + +resource "oci_core_dhcp_options" "oke_cp_dhcp" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.cp_subnet_name + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + count = local.create_cp_subnet ? 1 : 0 +} + +resource "oci_core_dhcp_options" "worker_dhcp" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.worker_subnet_name + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + count = local.create_worker_subnet ? 1 : 0 +} + +resource "oci_core_dhcp_options" "pods_dhcp" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.pod_subnet_name + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + count = local.create_pod_subnet ? 1 : 0 +} + +resource "oci_core_dhcp_options" "bastion_dhcp" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.bastion_subnet_name + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + count = local.create_bastion_subnet ? 
1 : 0 +} + +resource "oci_core_dhcp_options" "fss_dhcp" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.fss_subnet_name + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + count = local.create_fss_subnet ? 1 : 0 +} diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf index ef7dd1596..f991d33d4 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf @@ -7,7 +7,7 @@ resource "oci_core_drg" "vcn_drg" { resource "oci_core_drg_attachment" "oke_drg_attachment" { drg_id = local.drg_id - display_name = "${var.vcn_name}-attachment" + display_name = var.vcn_name network_details { id = local.vcn_id diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf index 44e7584d9..5c1101f22 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf 
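Review bot: The seven `oci_core_dhcp_options` resources in dhcp.tf differ only in `display_name` and the `count` condition, so a single resource with `for_each` over a map of subnet key → {name, create} would remove the duplication and keep the resolver settings in one place; the cost is that the addresses referenced from subnet.tf change from `oci_core_dhcp_options.<x>[0].id` to `oci_core_dhcp_options.subnet_dhcp["<x>"].id`, which is cheap to do while the file is new and has no state to migrate. A short file-header comment explaining why a per-subnet options set is created when every one of them uses the `VcnLocalPlusInternet` resolver would also help the next maintainer. Sketch of the consolidated form:
```hcl
locals {
  dhcp_subnets = {
    external_lb = { name = var.external_lb_subnet_name, create = local.create_external_lb_subnet }
    internal_lb = { name = var.internal_lb_subnet_name, create = local.create_internal_lb_subnet }
    cp          = { name = var.cp_subnet_name,          create = local.create_cp_subnet }
    worker      = { name = var.worker_subnet_name,      create = local.create_worker_subnet }
    pod         = { name = var.pod_subnet_name,         create = local.create_pod_subnet }
    bastion     = { name = var.bastion_subnet_name,     create = local.create_bastion_subnet }
    fss         = { name = var.fss_subnet_name,         create = local.create_fss_subnet }
  }
}

resource "oci_core_dhcp_options" "subnet_dhcp" {
  for_each       = { for k, v in local.dhcp_subnets : k => v if v.create }
  compartment_id = var.network_compartment_id
  vcn_id         = local.vcn_id
  display_name   = each.value.name
  options {
    type        = "DomainNameServer"
    server_type = "VcnLocalPlusInternet"
  }
}
```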
@@ -1,18 +1,18 @@ resource "oci_core_network_security_group" "fss_nsg" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "fss-nsg" + display_name = "fss" } -# Ingress rules and their corresponding egress -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" { +# NFS Portmapper - UDP (port 111) +resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow UDP ingress for NFS portmapper from workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow UDP ingress for NFS portmapper from workers on port 111" udp_options { destination_port_range { max = 111 @@ -21,14 +21,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" { } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow UDP egress for NFS portmapper to workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow UDP egress for NFS portmapper to workers on port 111" udp_options { source_port_range { max = 111 
@@ -37,14 +37,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1_sta } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" { +# NFS Portmapper - TCP (port 111) +resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress for NFS portmapper from workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress for NFS portmapper from workers on port 111" tcp_options { destination_port_range { max = 111 @@ -53,14 +54,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" { } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress for NFS portmapper to workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress for NFS portmapper to workers on port 111" tcp_options { source_port_range { max = 111 
@@ -69,14 +70,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2_sta } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" { +# NFS - UDP (port 2048) +resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow UDP ingress for NFS from workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow UDP ingress for NFS from workers on port 2048" udp_options { destination_port_range { max = 2048 @@ -85,14 +87,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" { } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow UDP egress for NFS to workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow UDP egress for NFS to workers on port 2048" udp_options { source_port_range { max = 2048 
@@ -101,14 +103,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3_sta } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" { +# NFS - TCP (ports 2048-2050) +resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress for NFS from workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress for NFS from workers on ports 2048-2050" tcp_options { destination_port_range { max = 2050 @@ -117,14 +120,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" { } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress for NFS to workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress for NFS to workers on ports 2048-2050" tcp_options { source_port_range { max = 2050 
@@ -133,14 +136,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4_sta } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5" { +# NFS Encrypted - TCP (port 2051) +resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_encrypted_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress when using in-transit encryption for OCI FSS" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress for NFS with in-transit encryption from workers on port 2051" tcp_options { destination_port_range { max = 2051 @@ -149,14 +153,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5" { } } -resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_encrypted_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.fss_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress when using in-transit encryption to workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress for NFS with in-transit encryption to workers on port 2051" tcp_options { source_port_range { max = 2051 
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf
new file mode 100644
index 000000000..852d83da2
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf
@@ -0,0 +1,23 @@
+resource "oci_core_service_gateway" "service_gateway" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "SG"
+ services {
+ service_id = lookup(data.oci_core_services.all_oci_services.services[0], "id")
+ }
+ count = var.create_gateways ? 1 : 0
+}
+
+resource "oci_core_nat_gateway" "nat_gateway" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "NAT"
+ count = var.create_gateways ? 1 : 0
+}
+
+resource "oci_core_internet_gateway" "internet_gateway" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "IG"
+ count = local.all_subnet_private && ! local.create_internet_gateway ? 0 : 1
+}
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg-frontend.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg-frontend.tf
new file mode 100644
index 000000000..d473b7414
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg-frontend.tf
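Review bot: The Internet Gateway at the end of the hunk is not gated on `var.create_gateways`, unlike the Service and NAT gateways above it: with `create_vcn = false` and `create_gateways = false`, `local.create_internet_gateway` is false (see local.tf in this patch), so the count collapses to `local.all_subnet_private ? 0 : 1` and any public subnet makes the module create an IG inside the caller's pre-existing VCN. OCI allows a single internet gateway per VCN, so if that VCN already has one the apply fails, and if it does not the module silently adds an internet path the operator never opted into. Suggest `count = var.create_gateways && !(local.all_subnet_private && ! local.create_internet_gateway) ? 1 : 0`, or an explicit `var.internet_gateway_id` input for the bring-your-own-VCN case; if a public subnet in a freshly created VCN is meant to get an IG regardless, state that in a comment above the rule, e.g. `# IG is created whenever any subnet is public, or on explicit request for an existing VCN`. The hard-coded display names `SG`/`NAT`/`IG` will also collide visually when several clusters share a compartment; a prefix from a variable would help operators tell them apart.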
@@ -0,0 +1,71 @@
+resource "oci_core_network_security_group" "oke_lb_nsg_frontend" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "oke-lb-frontend"
+}
+
+# HTTP traffic (port 80)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_http_ingress" {
+ direction = "INGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ source_type = "CIDR_BLOCK"
+ source = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTP ingress traffic from anywhere on port 80"
+ tcp_options {
+ destination_port_range {
+ max = 80
+ min = 80
+ }
+ }
+}
+
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_http_egress" {
+ direction = "EGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ destination_type = "CIDR_BLOCK"
+ destination = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTP egress traffic to anywhere on port 80"
+ tcp_options {
+ source_port_range {
+ max = 80
+ min = 80
+ }
+ }
+}
+
+# HTTPS traffic (port 443)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_https_ingress" {
+ direction = "INGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ source_type = "CIDR_BLOCK"
+ source = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTPS ingress traffic from anywhere on port 443"
+ tcp_options {
+ destination_port_range {
+ max = 443
+ min = 443
+ }
+ }
+}
+
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_https_egress" {
+ direction = "EGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ destination_type = "CIDR_BLOCK"
+ destination = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTPS egress traffic to anywhere on port 443"
+ tcp_options {
+ source_port_range {
+ max = 443
+ min = 443
+ }
+ }
+}
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
index db9a215f5..170087571 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
@@ -1,18 +1,18 @@
 resource "oci_core_network_security_group" "oke_lb_nsg" {
 compartment_id = var.network_compartment_id
 vcn_id = local.vcn_id
- display_name = "oke-lb-nsg"
+ display_name = "oke-lb-backend"
 }
-# Egress rules and their corresponding ingress
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress" {
+# Worker nodes - Service ports TCP (30000-32767)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP egress from load balancer to worker nodes for services of type NodePort on ports 30000-32767"
 tcp_options {
 destination_port_range {
 max = 32767
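Review bot: Both frontend ingress rules admit `0.0.0.0/0`, and the port-80 pair is unconditional, so every deployment of this module exposes plaintext HTTP on the load balancer even when the cluster serves TLS only. Suggest making the source CIDR and the HTTP rule inputs — `source = var.lb_frontend_allowed_cidr` on the two ingress rules and `count = var.lb_frontend_enable_http ? 1 : 0` on the port-80 pair — and adding a header comment that this NSG is intended for the external/public load balancer only, since the same `0.0.0.0/0` rules on the internal LB subnet this patch introduces in local.tf would admit anything routable to it. A short comment on the two egress rules noting that restricting to source ports 80/443 makes them the stateless reply path, not a general outbound grant, would keep a later reader from widening them.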
@@ -21,30 +21,31 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker } } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress from worker nodes to load balancer for responses" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress from worker nodes to load balancer for service responses on ports 30000-32767" tcp_options { - destination_port_range { + source_port_range { max = 32767 min = 30000 } } } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_udp" { +# Worker nodes - Service ports UDP (30000-32767) +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow UDP traffic from load balancer to worker nodes for services of type NodePort" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow UDP egress from load balancer to worker nodes for services of type NodePort on ports 30000-32767" udp_options { destination_port_range { max = 32767 
@@ -53,30 +54,31 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker } } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_udp_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow UDP ingress from worker nodes to load balancer for responses" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow UDP ingress from worker nodes to load balancer for service responses on ports 30000-32767" udp_options { - destination_port_range { + source_port_range { max = 32767 min = 30000 } } } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_healthcheck_egress" { +# Worker nodes - Health check (TCP 10256) +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_healthcheck_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress from load balancers to worker nodes for health check" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress from load balancers to worker nodes for health check on port 10256" tcp_options { destination_port_range { max = 10256 
@@ -85,69 +87,64 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker } } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_healthcheck_egress_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_healthcheck_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress from worker nodes to load balancer for health check responses" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress from worker nodes to load balancer for health check responses on port 10256" tcp_options { - destination_port_range { + source_port_range { max = 10256 min = 10256 } } } -# OCI Native Ingress does not support UDP, hence no UDP egress rule -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_egress" { +# Pods - TCP (when NPN enabled) +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "LB to pods, OCI Native Ingress" - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP egress from load balancer to pods for OCI Native Ingress and Pods as Backends" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_egress_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP ingress from pods to load balancer for responses" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP ingress from pods to load balancer for responses" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker_discovery_egress" { +# Pods - UDP (when NPN enabled) +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id - protocol = local.icmp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow LB to discover workers" - icmp_options { - type = 3 - code = 4 - } + protocol = local.udp_protocol + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow UDP egress from load balancer to pods for OCI Native Ingress and Pods as Backends" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker_discovery_egress_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id - protocol = local.icmp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ICMP ingress from worker nodes to load balancer for responses" - icmp_options { - type = 3 - code = 4 - } + protocol = local.udp_protocol + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow UDP ingress from pods to load balancer for responses" + count = local.is_npn ? 1 : 0 } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf index 94b12c870..298b0efb9 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf 
@@ -2,21 +2,27 @@ locals { is_npn = var.cni_type == "npn" create_pod_subnet = var.create_pod_subnet && local.is_npn create_cp_subnet = var.create_cp_subnet + create_bastion_subnet = var.create_bastion_subnet + create_fss_subnet = var.create_fss create_worker_subnet = var.create_worker_subnet - create_service_subnet = var.create_service_subnet - all_subnet_private = (var.cp_subnet_private || ! local.create_cp_subnet) && (var.service_subnet_private || ! local.create_service_subnet) && (var.bastion_subnet_private || ! var.create_bastion_subnet) + create_external_lb_subnet = var.create_external_lb_subnet + create_internal_lb_subnet = var.create_internal_lb_subnet + all_subnet_private = (var.cp_subnet_private || ! local.create_cp_subnet) && (! local.create_external_lb_subnet) && (var.bastion_subnet_private || ! var.create_bastion_subnet) vcn_id = var.create_vcn ? oci_core_vcn.spoke_vcn.0.id : var.vcn_id service_gateway_id = var.create_gateways ? oci_core_service_gateway.service_gateway.0.id : var.service_gateway_id nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat)) + + create_internet_gateway = (! var.create_vcn) && var.create_gateways && var.create_internet_gateway + create_drg = var.enable_drg && var.create_drg create_drg_attachment = var.enable_drg && var.create_drg_attachment drg_id = var.create_drg ? try(oci_core_drg.vcn_drg.0.id, null) : var.drg_id - tcp_protocol = "6" icmp_protocol = "1" udp_protocol = "17" + service_cidr_block = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") } 
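Review bot: `local.create_internet_gateway` is only ever true when `var.create_vcn` is false, yet it carries the same name as the variable and reads as the general switch; gateways.tf then combines it with `all_subnet_private`, so a reader has to cross-reference two files to see that for a new VCN the IG decision ignores `var.create_internet_gateway` entirely. Either rename it (`create_internet_gateway_in_existing_vcn`) or comment it: `# explicit opt-in to add an IG to a pre-existing VCN; for a new VCN the IG follows all_subnet_private`. `service_cidr_block` (and the gateway's `service_id`) index `services[0]` of `data.oci_core_services.all_oci_services`, which is outside this hunk; that is only safe if the data source is filtered to the "All … Services in Oracle Services Network" entry, as an unfiltered result may list the Object Storage-only service first and the SERVICE_CIDR_BLOCK rules would then silently cover fewer services — worth confirming and noting next to the local. `all_subnet_private` now treats `create_external_lb_subnet` as public by definition, which is reasonable but deserves a one-line comment so nobody adds an `external_lb_subnet_private` flag later and forgets this expression.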
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf
index 9bd04fd8e..579b1260d 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf
@@ -16,8 +16,12 @@ output "worker_subnet_id" {
 value = local.create_worker_subnet ? oci_core_subnet.worker_subnet.0.id : null
 }
-output "service_subnet_id" {
- value = local.create_service_subnet ? oci_core_subnet.service_subnet.0.id : null
+output "external_lb_subnet_id" {
+ value = local.create_external_lb_subnet ? oci_core_subnet.external_lb_subnet.0.id : null
+}
+
+output "internal_lb_subnet_id" {
+ value = local.create_internal_lb_subnet ? oci_core_subnet.internal_lb_subnet.0.id : null
 }
 output "bastion_subnet_id" {
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
index f7518c468..4f9fe8cc8 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
@@ -1,193 +1,146 @@ resource "oci_core_network_security_group" "pod_nsg" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "pod-nsg" - count = local.is_npn ? 1 : 0 + display_name = "pod" + count = local.is_npn ? 1 : 0 } -# Ingress rules and their corresponding egress -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_1" { +# Pod intercommunication - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_pods_all_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress to pods from other pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL ingress to pods from other pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_1_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_pods_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress to other pods from pods" - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL egress to other pods from pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_2" { +# Cross-node communication - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_workers_all_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress to pods for cross-node pod communication when using NodePorts or hostNetwork: true" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL ingress to pods for cross-node pod communication when using NodePorts or hostNetwork: true" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_2_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_workers_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress to workers from pods" - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL egress to workers from pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_3" { +# Control plane webhooks - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_all_ingress_webhooks" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL ingress to pods from Kubernetes control plane for webhooks served by pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL ingress to pods from Kubernetes control plane for webhooks served by pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_3_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_all_egress_webhooks" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL egress to control plane from pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress to pods for path discovery" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 
1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4_stateless_egress" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress to internet from pods" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL egress to control plane from pods for webhooks served by pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_ingress" { +# Load balancer - TCP +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "LBs to pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP ingress to pods from load balancers" + count = local.is_npn ? 1 : 0 } -# Egress rules and their corresponding ingress -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_1" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ALL egress from pods to internet" - count = local.is_npn ? 
1 : 0 + protocol = local.tcp_protocol + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP egress to load balancers from pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_1_stateless_ingress" { +# Load balancer - UDP +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ALL ingress from internet to pods" - count = local.is_npn ? 1 : 0 + protocol = local.udp_protocol + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP ingress to pods from load balancers" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_2" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress from pods for cross-node pod communication when using NodePorts or hostNetwork: true" - count = local.is_npn ? 1 : 0 + protocol = local.udp_protocol + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP egress to load balancers from pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_2_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress from workers to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_3" { +# Internet - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_internet_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress from pods to other pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_3_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress from other pods to pods" - count = local.is_npn ? 1 : 0 + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + stateless = false + description = "Allow ALL egress from pods to internet" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4" { +# Control plane - API server (TCP 6443) +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress from pods to Kubernetes API server" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress from pods to Kubernetes API server on port 6443" tcp_options { destination_port_range { max = 6443 @@ -197,16 +150,16 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4" count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to pods" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to pods on port 6443" tcp_options { - destination_port_range { + source_port_range { max = 6443 min = 6443 } 
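Review bot: The new `oke_pod_nsg_internet_all_egress` is the only `stateless = false` rule in an NSG where every other rule is stateless, and nothing in the hunk says why: it replaces the removed `oke_pod_nsg_egress_1_stateless_ingress`, whose `protocol = "all"` ingress from `0.0.0.0/0` was in effect an open door to every pod, so a future "make it consistent" edit that turns this back into a stateless pair would reopen that hole. Add the reasoning above the rule, e.g. `# Deliberately stateful: a stateless reply rule would have to admit ALL ingress from 0.0.0.0/0`. Because OCI gives precedence to a matching stateless rule over a stateful one (verify against the current security-rule documentation), the stateless egress rules to the worker, pod, control-plane, LB and service NSGs still rely on the explicit reply rules this hunk keeps, and that dependency is worth a sentence in the same comment. The ICMP type 3 code 4 path-MTU-discovery pairs removed in this hunk and the next have no replacement; confirm against OCI's published OKE pod-subnet rule set whether fragmentation-needed replies are still admitted for the stateful egress before dropping them, and note the outcome in a comment.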
@@ -214,54 +167,25 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4_s count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5" { +# OCI services - TCP +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_services_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP egress from pods to OCI Services" - count = local.is_npn ? 1 : 0 + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + stateless = true + description = "Allow TCP egress from pods to OCI Services" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_services_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - source_type = "SERVICE_CIDR_BLOCK" - source = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP ingress from OCI services to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress from pods for path discovery" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 
1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress from internet to pods" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 1 : 0 + source_type = "SERVICE_CIDR_BLOCK" + source = local.service_cidr_block + stateless = true + description = "Allow TCP ingress from OCI services to pods" + count = local.is_npn ? 1 : 0 } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf index 3f170a471..29e337319 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf 
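Review bot: `oke_pod_nsg_services_ingress` admits TCP from the whole Oracle Services Network CIDR to any pod port, because it is a stateless rule with no `tcp_options`; it is meant as the reply half of `oke_pod_nsg_services_egress` but nothing limits it to replies. Since the same file now makes the 0.0.0.0/0 egress rule stateful (`stateless = false`), the consistent fix is `stateless = false` on `oke_pod_nsg_services_egress` and deleting the ingress twin, which removes the inbound exposure without changing what pods can reach. The ICMP type 3/code 4 rules dropped here appear to be re-homed in the new per-subnet security lists, so that removal looks intentional; a comment such as `# ICMP PMTUD rules live in security-list.tf` at the top of the file would save the next reader the search.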
@@ -1,39 +1,121 @@ - -resource "oci_core_service_gateway" "service_gateway" { +resource "oci_core_route_table" "bastion_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "SG" - services { - service_id = lookup(data.oci_core_services.all_oci_services.services[0], "id") + display_name = var.bastion_subnet_name + dynamic "route_rules" { + for_each = var.bastion_subnet_private ? [0] : [] + content { + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" + } + } + dynamic "route_rules" { + for_each = var.bastion_subnet_private ? [] : [0] + content { + network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through the Internet gateway" + } + } + dynamic "route_rules" { + for_each = var.bastion_subnet_private ? [0] : [] + content { + network_entity_id = local.nat_gateway_id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through a NAT gateway" + } } - count = var.create_gateways ? 1 : 0 + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_bastion_subnet ? 1 : 0 } -resource "oci_core_nat_gateway" "nat_gateway" { +resource "oci_core_route_table" "cp_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "NAT" - count = var.create_gateways ? 1 : 0 + display_name = var.cp_subnet_name + dynamic "route_rules" { + for_each = var.cp_subnet_private ? 
[0] : [] + content { + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" + } + } + dynamic "route_rules" { + for_each = var.cp_subnet_private ? [] : [0] + content { + network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through the Internet gateway" + } + } + dynamic "route_rules" { + for_each = local.cp_nat_mode ? [0] : [] + content { + network_entity_id = local.nat_gateway_id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through a NAT gateway" + } + } + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_cp_subnet ? 1 : 0 } -resource "oci_core_internet_gateway" "internet_gateway" { +resource "oci_core_route_table" "lb_ext_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "IG" - count = local.all_subnet_private && ! var.create_internet_gateway ? 0 : 1 + display_name = var.external_lb_subnet_name + route_rules { + network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through the Internet gateway" + } + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_external_lb_subnet ? 
1 : 0 } -resource "oci_core_route_table" "service_route_table" { +resource "oci_core_route_table" "lb_int_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "service-gateway-rt" + display_name = var.internal_lb_subnet_name route_rules { network_entity_id = local.service_gateway_id destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") + destination = local.service_cidr_block description = "Route for all internal OCI services in the region" } - dynamic "route_rules" { for_each = var.enable_drg ? var.peer_vcns : [] content { @@ -43,17 +125,17 @@ resource "oci_core_route_table" "service_route_table" { description = "Route to ${route_rules.value} through the DRG" } } - + count = local.create_internal_lb_subnet ? 1 : 0 } -resource "oci_core_route_table" "nat_route_table" { +resource "oci_core_route_table" "worker_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "nat-gateway-rt" + display_name = var.worker_subnet_name route_rules { network_entity_id = local.service_gateway_id destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") + destination = local.service_cidr_block description = "Route for all internal OCI services in the region" } route_rules { @@ -62,7 +144,6 @@ resource "oci_core_route_table" "nat_route_table" { destination = "0.0.0.0/0" description = "Route to reach external Internet through a NAT gateway" } - dynamic "route_rules" { for_each = var.enable_drg ? var.peer_vcns : [] content { 
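Review bot: In `cp_route_table` the NAT rule is gated only on `local.cp_nat_mode`, while the Internet-gateway rule is gated on `!var.cp_subnet_private`; if `cp_nat_mode` can be true for a public control-plane subnet (its definition in local.tf is not in this hunk), the table gets two 0.0.0.0/0 rules, which OCI rejects as a duplicate destination. A defensive guard is `for_each = var.cp_subnet_private && local.cp_nat_mode ? [0] : []`. The public branches also index `oci_core_internet_gateway.internet_gateway[0]` unconditionally; confirm that the count expression in gateways.tf always creates it whenever any subnet is public, otherwise plan fails with an index error.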
@@ -72,18 +153,46 @@ resource "oci_core_route_table" "nat_route_table" { description = "Route to ${route_rules.value} through the DRG" } } - + count = local.create_worker_subnet ? 1 : 0 } -resource "oci_core_route_table" "internet_route_table" { +resource "oci_core_route_table" "pod_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "internet-gateway-rt" + display_name = var.pod_subnet_name route_rules { - network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" + } + route_rules { + network_entity_id = local.nat_gateway_id destination_type = "CIDR_BLOCK" destination = "0.0.0.0/0" - description = "Route to reach external Internet through the Internet gateway" + description = "Route to reach external Internet through a NAT gateway" + } + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_pod_subnet ? 1 : 0 +} + +resource "oci_core_route_table" "fss_route_table" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.fss_subnet_name + route_rules { + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" } - count = local.all_subnet_private && ! var.create_internet_gateway ? 0 : 1 + count = local.create_fss_subnet ? 1 : 0 } \ No newline at end of file 
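Review bot: `pod_route_table` always installs a 0.0.0.0/0 route to the NAT gateway, so with the stateful all-protocol internet egress rule in pod-nsg.tf every pod has unrestricted outbound internet by default; `cp_route_table` makes the equivalent rule conditional, and the pod table would benefit from the same `dynamic "route_rules"` gating for clusters that are meant to be egress-restricted. If that is deliberate, say so in a comment on the rule, e.g. `# Pods get NAT internet egress unconditionally; restrict via pod NSG rules if needed`. The file also lacks a trailing newline, which `terraform fmt` would add.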
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/security-list.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/security-list.tf
new file mode 100644
index 000000000..824fb09d9
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/security-list.tf
@@ -0,0 +1,393 @@ +resource "oci_core_security_list" "cp_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.cp_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_cp_subnet ? 
1 : 0 +} + +resource "oci_core_security_list" "external_lb_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.external_lb_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_external_lb_subnet ? 
1 : 0 +} + + + +resource "oci_core_security_list" "internal_lb_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.internal_lb_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_internal_lb_subnet ? 
1 : 0 +} + + +resource "oci_core_security_list" "worker_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.worker_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_worker_subnet ? 
1 : 0 +} + +resource "oci_core_security_list" "pod_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.pod_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_pod_subnet ? 
1 : 0 +} + + +resource "oci_core_security_list" "fss_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.fss_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_fss_subnet ? 1 : 0 +} + +resource "oci_core_security_list" "bastion_security_list" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.bastion_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + protocol = local.tcp_protocol + source_type = "CIDR_BLOCK" + source = "0.0.0.0/0" + stateless = true + description = "Allow SSH connections to the subnet. 
Can be deleted if only using OCI Bastion subnet" + tcp_options { + max = 22 + min = 22 + } + } + + egress_security_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + protocol = local.tcp_protocol + stateless = true + description = "Allow SSH responses from the subnet" + tcp_options { + source_port_range { + max = 22 + min = 22 + } + } + } + + # Egress rules and their corresponding ingress + egress_security_rules { + destination = var.vcn_cidr_blocks[0] + destination_type = "CIDR_BLOCK" + protocol = "all" + stateless = true + description = "Enable the bastion hosts to reach the entire VCN" + } + + egress_security_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + protocol = "all" + stateless = false + description = "Let bastion instances connect to Internet" + } + + ingress_security_rules { + protocol = "all" + source_type = "CIDR_BLOCK" + source = var.vcn_cidr_blocks[0] + stateless = true + description = "Allow responses from the VCN to the bastion hosts" + } + + count = local.create_bastion_subnet ? 1 : 0 +} diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf index 0244b5ff2..cf8c69d3f 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf 
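Review bot: `bastion_security_list` opens TCP/22 from 0.0.0.0/0 even when `var.bastion_subnet_private` is true (the description itself says the rule is optional), and its stateless all-protocol "Allow responses from the VCN" ingress is not limited to responses: any host in the VCN CIDR can reach any port on a bastion host. Gating the SSH rule on the subnet being public and making the VCN-bound egress stateful removes both exposures without changing what the bastion can initiate; ideally the SSH source would also be an operator-supplied CIDR list rather than 0.0.0.0/0, which needs a new variable in variable.tf. Separately, the other six lists reference `oci_core_vcn.spoke_vcn[0].cidr_block` while this one uses `var.vcn_cidr_blocks[0]`; if the module can be pointed at an existing VCN (the `local.vcn_id` indirection suggests it), `spoke_vcn[0]` will fail with an index error, so the variable form is the safer one to standardise on.

```hcl
resource "oci_core_security_list" "bastion_security_list" {
  # … unchanged: compartment_id, vcn_id, display_name …

  # Only expose SSH when the subnet is public; a private bastion subnet is reached through OCI Bastion
  dynamic "ingress_security_rules" {
    for_each = var.bastion_subnet_private ? [] : [0]
    content {
      protocol    = local.tcp_protocol
      source_type = "CIDR_BLOCK"
      source      = "0.0.0.0/0"
      stateless   = false
      description = "Allow SSH connections to the subnet. Can be deleted if only using OCI Bastion subnet"
      tcp_options {
        max = 22
        min = 22
      }
    }
  }

  # Stateful, so no blanket ingress from the VCN is needed for replies
  egress_security_rules {
    destination      = var.vcn_cidr_blocks[0]
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
    stateless        = false
    description      = "Enable the bastion hosts to reach the entire VCN"
  }

  # … unchanged: stateful 0.0.0.0/0 egress "Let bastion instances connect to Internet" …
  # removed: stateless "Allow SSH responses" egress and "Allow responses from the VCN" ingress

  count = local.create_bastion_subnet ? 1 : 0
}
```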
@@ -1,13 +1,28 @@ -resource "oci_core_subnet" "service_subnet" { - cidr_block = var.service_subnet_cidr +resource "oci_core_subnet" "external_lb_subnet" { + cidr_block = var.external_lb_cidr compartment_id = var.network_compartment_id vcn_id = local.vcn_id - prohibit_public_ip_on_vnic = var.service_subnet_private - dns_label = var.service_subnet_dns_label - display_name = var.service_subnet_name - route_table_id = var.service_subnet_private ? oci_core_route_table.service_route_table.id : oci_core_route_table.internet_route_table[0].id - count = local.create_service_subnet ? 1 : 0 + prohibit_public_ip_on_vnic = false + dns_label = var.external_lb_subnet_dns_label + display_name = var.external_lb_subnet_name + route_table_id = oci_core_route_table.lb_ext_route_table.0.id + security_list_ids = [oci_core_security_list.external_lb_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.external_lb_dhcp[0].id + count = local.create_external_lb_subnet ? 1 : 0 +} + +resource "oci_core_subnet" "internal_lb_subnet" { + cidr_block = var.internal_lb_cidr + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + prohibit_public_ip_on_vnic = true + dns_label = var.internal_lb_subnet_dns_label + display_name = var.internal_lb_subnet_name + route_table_id = oci_core_route_table.lb_int_route_table.0.id + security_list_ids = [oci_core_security_list.internal_lb_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.internal_lb_dhcp[0].id + count = local.create_internal_lb_subnet ? 1 : 0 } resource "oci_core_subnet" "oke_cp_subnet" { 
@@ -17,7 +32,9 @@ resource "oci_core_subnet" "oke_cp_subnet" { dns_label = var.cp_subnet_dns_label display_name = var.cp_subnet_name prohibit_public_ip_on_vnic = var.cp_subnet_private - route_table_id = var.cp_subnet_private ? local.cp_nat_mode ? oci_core_route_table.nat_route_table.id : oci_core_route_table.service_route_table.id : oci_core_route_table.internet_route_table[0].id + route_table_id = oci_core_route_table.cp_route_table.0.id + security_list_ids = [oci_core_security_list.cp_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.oke_cp_dhcp[0].id count = local.create_cp_subnet ? 1 : 0 } @@ -28,7 +45,9 @@ resource "oci_core_subnet" "worker_subnet" { dns_label = var.worker_subnet_dns_label display_name = var.worker_subnet_name prohibit_public_ip_on_vnic = true - route_table_id = oci_core_route_table.nat_route_table.id + route_table_id = oci_core_route_table.worker_route_table.0.id + security_list_ids = [oci_core_security_list.worker_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.worker_dhcp[0].id count = local.create_worker_subnet ? 1 : 0 } @@ -39,7 +58,9 @@ resource "oci_core_subnet" "pods_subnet" { dns_label = var.pod_subnet_dns_label display_name = var.pod_subnet_name prohibit_public_ip_on_vnic = true - route_table_id = oci_core_route_table.nat_route_table.id + route_table_id = oci_core_route_table.pod_route_table.0.id + security_list_ids = [oci_core_security_list.pod_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.pods_dhcp[0].id count = local.create_pod_subnet ? 1 : 0 } 
@@ -50,9 +71,10 @@ resource "oci_core_subnet" "bastion_subnet" { dns_label = var.bastion_subnet_dns_label display_name = var.bastion_subnet_name prohibit_public_ip_on_vnic = var.bastion_subnet_private - route_table_id = var.bastion_subnet_private ? oci_core_route_table.service_route_table.id : oci_core_route_table.internet_route_table[0].id + route_table_id = oci_core_route_table.bastion_route_table.0.id security_list_ids = [oci_core_security_list.bastion_security_list.0.id] - count = var.create_bastion_subnet ? 1 : 0 + dhcp_options_id = oci_core_dhcp_options.bastion_dhcp[0].id + count = local.create_bastion_subnet? 1 : 0 } resource "oci_core_subnet" "fss_subnet" { @@ -62,7 +84,8 @@ resource "oci_core_subnet" "fss_subnet" { dns_label = var.fss_subnet_dns_label display_name = var.fss_subnet_name prohibit_public_ip_on_vnic = true - route_table_id = oci_core_route_table.service_route_table.id - count = var.create_fss ? 1 : 0 + route_table_id = oci_core_route_table.fss_route_table.0.id + security_list_ids = [oci_core_security_list.fss_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.fss_dhcp[0].id + count = local.create_fss_subnet ? 1 : 0 } - diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf index 174fec1e7..bd4c457c4 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf 
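Review bot: `count = local.create_bastion_subnet? 1 : 0` in `bastion_subnet` is missing the space before `?`, and the same resource mixes the `.0.id` index form (`oci_core_route_table.bastion_route_table.0.id`) with `[0].id` (`oci_core_dhcp_options.bastion_dhcp[0].id`); `terraform fmt` fixes the first, and the bracket form is the one the provider documents for the second. Suggest `count = local.create_bastion_subnet ? 1 : 0` and `route_table_id = oci_core_route_table.bastion_route_table[0].id`. Cosmetic, but every other subnet in this file has the same mixed style, so one pass over the file would make it consistent.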
@@ -85,23 +85,32 @@ variable "pod_subnet_dns_label" { variable "pod_subnet_name" { } -# SERVICE SUBNET +# LB SUBNETS -variable "create_service_subnet" { +variable "create_external_lb_subnet" { type = bool } -variable "service_subnet_cidr" { +variable "external_lb_cidr" { } -variable "service_subnet_private" { +variable "external_lb_subnet_dns_label" { +} + +variable "external_lb_subnet_name" { +} + +variable "create_internal_lb_subnet" { type = bool } -variable "service_subnet_dns_label" { +variable "internal_lb_cidr" { +} + +variable "internal_lb_subnet_dns_label" { } -variable "service_subnet_name" { +variable "internal_lb_subnet_name" { } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf index b6160460c..b29a9533c 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf 
@@ -9,53 +9,6 @@ resource "oci_core_vcn" "spoke_vcn" { resource "oci_core_default_security_list" "lockdown" { manage_default_resource_id = oci_core_vcn.spoke_vcn.0.default_security_list_id - # Ingress rules and their corresponding egress - ingress_security_rules { - description = "Required to enable Path MTU Discovery to work, and non-OCI communication" - icmp_options { - code = "4" - type = "3" - } - protocol = "1" - source = "0.0.0.0/0" - source_type = "CIDR_BLOCK" - stateless = "true" - } - - egress_security_rules { - description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" - icmp_options { - code = "4" - type = "3" - } - protocol = "1" - destination = "0.0.0.0/0" - destination_type = "CIDR_BLOCK" - stateless = "true" - } - - ingress_security_rules { - description = "Required to allow application within VCN to fail fast" - icmp_options { - type = "3" - } - protocol = "1" - source = oci_core_vcn.spoke_vcn[0].cidr_block - source_type = "CIDR_BLOCK" - stateless = "true" - } - - egress_security_rules { - description = "Required to allow application within VCN responses to fail fast" - icmp_options { - type = "3" - } - protocol = "1" - destination = oci_core_vcn.spoke_vcn[0].cidr_block - destination_type = "CIDR_BLOCK" - stateless = "true" - } - lifecycle { ignore_changes = [defined_tags] } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf index 00d047711..06dc39dc3 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf 
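Review bot: After this hunk `oci_core_default_security_list.lockdown` has no rules at all, which is a good hardening step but is easy to misread as an incomplete resource: any subnet in this VCN that is created without an explicit `security_list_ids` (including ones created outside this module) will deny all traffic. A comment stating the intent would prevent someone "restoring" rules here, e.g. `# Intentionally empty: the VCN default security list denies everything. Every subnet created by this module attaches its own list from security-list.tf; the PMTUD/ICMP rules formerly here now live there.` The `lifecycle` block and resource closing line are outside this hunk.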
@@ -1,80 +1,83 @@ resource "oci_core_network_security_group" "worker_nsg" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "worker-nsg" + display_name = "worker" } -# Ingress rules and their corresponding egress -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_1" { +# Control plane - ALL protocols (webhooks) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_all_ingress_webhooks" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL ingress to workers from Kubernetes control plane for webhooks served by workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL ingress to workers from Kubernetes control plane for webhooks served by workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_1_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_all_egress_webhooks" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL egress to control plane from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL egress to control plane from workers for webhooks served by workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_2" { +# Pods - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_pods_all_ingress" { direction = "INGRESS" 
network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress to workers from pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL ingress to workers from pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_2_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_pods_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress to pods from workers" - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL egress to pods from workers" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_3" { +# Worker intercommunication - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_workers_all_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress to workers from other workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL ingress to workers from other workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_3_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_workers_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress to other workers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL egress to other workers from workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_4" { +# Load balancer - Health check (TCP 10256) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_healthcheck_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP ingress to workers for health check from public load balancers" + source_type = 
"NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP ingress to workers for health check from public load balancers on port 10256" tcp_options { destination_port_range { max = 10256 @@ -83,14 +86,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_4_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_healthcheck_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP egress to load balancers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP egress to load balancers from workers on port 10256" tcp_options { source_port_range { max = 10256 
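Review bot: The health-check and NodePort ingress rules in this hunk admit traffic only from `oci_core_network_security_group.oke_lb_nsg`, while the commit also adds lb-nsg-frontend.tf (per the diffstat; not visible here). If that file defines a second NSG for the external load balancers, their health checks on 10256 and NodePort traffic on 30000-32767 will be dropped by the worker NSG until matching ingress rules referencing that NSG are added; please confirm which NSG the external LB subnet attaches. The descriptions still say "from public load balancers" although `oke_lb_nsg` now appears to back the internal LB subnet as well, so `description = "Allow TCP ingress to workers for kube-proxy health check from load balancers on port 10256"` would be more accurate.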
@@ -99,14 +102,15 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_5" { +# Load balancer - Service ports TCP (30000-32767) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP ingress to workers from load balancers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP ingress to workers from load balancers on service ports 30000-32767" tcp_options { destination_port_range { max = 32767 @@ -115,14 +119,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_5_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP egress to load balancers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP egress to load balancers from workers on service ports 30000-32767" tcp_options { source_port_range { max = 32767 
@@ -131,14 +135,15 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_udp" { +# Load balancer - Service ports UDP (30000-32767) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow UDP ingress to workers from load balancers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP ingress to workers from load balancers on service ports 30000-32767" udp_options { destination_port_range { max = 32767 @@ -147,14 +152,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_udp_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow UDP egress to load balancers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP egress to load balancers from workers on service ports 30000-32767" udp_options { source_port_range { max = 32767 
@@ -163,42 +168,15 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_6" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress to workers for path discovery" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_6_stateless_egress" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress to internet from workers" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_7" { +# Bastion - SSH access (TCP 22) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_bastion_ssh_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = var.bastion_subnet_cidr - stateless = true - description = "Allow SSH access from bastion subnet" + source_type = "CIDR_BLOCK" + source = var.bastion_subnet_cidr + stateless = true + description = "Allow SSH access from bastion subnet on port 22" tcp_options { destination_port_range { max = 22 
@@ -208,14 +186,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress count = var.create_bastion_subnet ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_7_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_bastion_ssh_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.bastion_subnet_cidr - stateless = true - description = "Allow TCP egress to bastion from workers" + destination_type = "CIDR_BLOCK" + destination = var.bastion_subnet_cidr + stateless = true + description = "Allow TCP egress to bastion from workers on port 22" tcp_options { source_port_range { max = 22 
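Review bot: This hunk deletes both ICMP type 3 / code 4 rules on the worker NSG (`oke_worker_nsg_ingress_6` and its stateless egress twin) and the `@@ -388,58 +318,31 @@` hunk deletes the same pair again as `oke_worker_nsg_egress_8`, with no replacement in this file, so Path MTU Discovery toward workers now depends on something outside worker-nsg.tf. The diffstat shows a new security-list.tf, so presumably the rule moved there, but nothing in the new code says so; a line such as `# ICMP fragmentation-needed (type 3, code 4) is handled by the subnet security list` above `# Bastion - SSH access (TCP 22)` would stop the next reader from re-adding it here. Whether OCI's stateful tracking on the new internet egress rule admits ICMP errors sent by intermediate routers is not something this diff shows, so it is worth confirming before relying on it.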
@@ -225,77 +203,26 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress count = var.create_bastion_subnet ? 1 : 0 } -# Egress rules and their corresponding ingress -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_1" { +# Internet - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_internet_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ALL egress from workers to internet" -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_1_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ALL ingress from internet to workers" + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + stateless = false + description = "Allow ALL egress from workers to internet" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_2" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress from workers to other workers" -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_2_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress from other workers to workers" -} - -resource 
"oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_3" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress from workers to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_3_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress from pods to workers" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_4" { +# Control plane - API server (TCP 6443) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress from workers to Kubernetes API server" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress from workers to Kubernetes API server on port 6443" tcp_options { destination_port_range { max = 6443 
@@ -304,50 +231,52 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_4_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to workers on port 6443" tcp_options { - destination_port_range { + source_port_range { max = 6443 min = 6443 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_5" { +# OCI services - TCP +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_services_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP egress from workers to OCI Services" + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + stateless = true + description = "Allow TCP egress from workers to OCI Services" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_5_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_services_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "SERVICE_CIDR_BLOCK" - source = 
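Review bot: `oke_worker_nsg_internet_all_egress` becomes the only stateful rule in the file, and the deleted `oke_worker_nsg_egress_1_stateless_ingress` (protocol `all` from `0.0.0.0/0`) was its former counterpart; nothing in the new code records that dependency, so a later "make it stateless like the others" edit would silently reopen the worker NSG to all inbound internet traffic. I would add `# Stateful on purpose: OCI tracks replies, so no 0.0.0.0/0 ingress rule is needed (the old stateless pair allowed ALL ingress from the internet).` above the resource. The worker-to-pod pair (`oke_worker_nsg_egress_3` and its ingress) is also dropped here without a replacement in this hunk; pod-nsg.tf is changed by the same commit and presumably now owns those rules, but that cannot be confirmed from this file.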
lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP ingress from OCI services to workers" + source_type = "SERVICE_CIDR_BLOCK" + source = local.service_cidr_block + stateless = true + description = "Allow TCP ingress from OCI services to workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_6" { +# Control plane - Kubelet health check (TCP 10250) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_health_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress to OKE control plane from workers for health check" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress to control plane from workers for health check on port 10250" tcp_options { destination_port_range { max = 10250 
@@ -356,30 +285,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_6_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_health_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to workers on port 10250" tcp_options { - destination_port_range { + source_port_range { max = 10250 min = 10250 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_7" { +# Control plane - Kubelet (TCP 12250) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress from workers to OKE control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress from workers to control plane on port 12250" tcp_options { destination_port_range { max = 12250 
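Review bot: `oke_worker_nsg_services_egress` still allows TCP to the whole Oracle Services Network on any destination port, and the stateless `oke_worker_nsg_services_ingress` admits any TCP source port from it, while every other stateless pair in this hunk was narrowed to one port and given a matching `source_port_range`. OSN endpoints are reached over HTTPS and, as far as I recall, the OKE worker-node network requirements list this flow as TCP 443, so `tcp_options { destination_port_range { min = 443 max = 443 } }` on the egress and the mirrored `source_port_range` on the ingress would bring the pair in line with the control-plane rules above. If a worker workload depends on a non-443 OSN service, that should be stated on the rule's `description` rather than left implicit by the open port range.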
@@ -388,58 +318,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_7_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to workers on port 12250" tcp_options { - destination_port_range { + source_port_range { max = 12250 min = 12250 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_8" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress from workers for path discovery" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_8_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress from internet to workers" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_9" { +# FSS - NFS portmapper UDP (111) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_udp_egress" { direction = "EGRESS" 
network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow UDP egress from workers for NFS portmapper to FSS mounts" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow UDP egress from workers for NFS portmapper to FSS mounts on port 111" udp_options { destination_port_range { max = 111 
@@ -448,30 +351,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_9_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow UDP ingress from FSS to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow UDP ingress from FSS to workers on port 111" udp_options { - destination_port_range { + source_port_range { max = 111 min = 111 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_10" { +# FSS - NFS portmapper TCP (111) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow TCP egress from workers for NFS portmapper to FSS mounts" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow TCP egress from workers for NFS portmapper to FSS mounts on port 111" tcp_options { destination_port_range { max = 111 
@@ -480,30 +384,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_10_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow TCP ingress from FSS to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow TCP ingress from FSS to workers on port 111" tcp_options { - destination_port_range { + source_port_range { max = 111 min = 111 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_11" { +# FSS - NFS TCP (2048-2050) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow TCP egress from workers for NFS to FSS mounts" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow TCP egress from workers for NFS to FSS mounts on ports 2048-2050" tcp_options { destination_port_range { max = 2050 
@@ -512,30 +417,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_11_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow TCP ingress from FSS to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow TCP ingress from FSS to workers on ports 2048-2050" tcp_options { - destination_port_range { + source_port_range { max = 2050 min = 2048 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_12" { +# FSS - NFS UDP (2048) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow UDP egress from workers for NFS to FSS mounts" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow UDP egress from workers for NFS to FSS mounts on port 2048" udp_options { destination_port_range { max = 2048 
@@ -544,30 +450,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_12_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow UDP ingress from FSS to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow UDP ingress from FSS to workers on port 2048" udp_options { - destination_port_range { + source_port_range { max = 2048 min = 2048 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_13" { +# FSS - NFS encrypted TCP (2051) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_encrypted_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow TCP egress from workers for NFS to FSS mounts when using in-transit encryption" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow TCP egress from workers for NFS to FSS mounts when using in-transit encryption on port 2051" tcp_options { destination_port_range { max = 2051 
@@ -576,16 +483,16 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 }
 }
 
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_13_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_encrypted_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow TCP ingress from FSS to workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow TCP ingress from FSS to workers on port 2051"
 tcp_options {
- destination_port_range {
+ source_port_range {
 max = 2051
 min = 2051
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
index c19cf34b9..a31bb57c7 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 oci = {
 source = "oracle/oci"
- version = "7.7.0"
+ version = "7.22.0"
 }
 null = {
 source = "hashicorp/null"
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml b/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml
index fa5cbac24..4d15b4b98 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml
@@ -20,45 +20,34 @@ variableGroups: - create_vcn - vcn_id - vcn_name - - vcn_cidr_blocks + - vcn_cidr_block - vcn_dns_label - cni_type - create_cp_subnet - cp_subnet_name - - cp_subnet_cidr - - cp_subnet_dns_label - - cp_subnet_private - - cp_allowed_source_cidr - create_worker_subnet - worker_subnet_name - - worker_subnet_cidr - - worker_subnet_dns_label - create_pod_subnet - pod_subnet_name - - pod_subnet_cidr - - pod_subnet_dns_label - - create_service_subnet - - service_subnet_name - - service_subnet_cidr - - service_subnet_dns_label - - service_subnet_private + - create_external_lb_subnet + - external_lb_subnet_name + - create_internal_lb_subnet + - internal_lb_subnet_name - create_fss - fss_subnet_name - - fss_subnet_cidr - - fss_subnet_dns_label - create_bastion_subnet - bastion_subnet_name - - bastion_subnet_cidr - - bastion_subnet_dns_label - bastion_subnet_private - create_gateways - nat_gateway_id - service_gateway_id - create_internet_gateway - - title: "Control Plane External Connection" + - title: "Control Plane Connectivity" variables: - cp_connection_notice + - cp_subnet_private + - cp_allowed_source_cidr - cp_external_nat - allow_external_cp_traffic - cp_egress_cidr @@ -83,6 +72,7 @@ variables: title: "Network Compartment" description: "All resources in this section will be created within the compartment chosen" type: oci:identity:compartment:id + default: ${compartment_ocid} required: true cni_type: 
@@ -118,20 +108,20 @@ variables: required: true visible: ${create_vcn} - vcn_cidr_blocks: - title: "VCN CIDR blocks" - description: "CIDR blocks to be allocated for the VCN" - type: array - items: - type: string + vcn_cidr_block: + title: "VCN CIDR block" + description: "CIDR blocks to be allocated for the VCN. MUST BE A /16 VCN" + type: string required: true + pattern: "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){2}0.0\/16$" visible: ${create_vcn} vcn_dns_label: title: "VCN DNS name" - description: "This dns label will be present by default whenever a new instance is created in the VCN" + description: "DNS label fot the VCN. MUST BE UNIQUE across all the VCNs" type: string required: true + pattern: "^[a-zA-Z][a-zA-Z0-9]{0,14}$" visible: ${create_vcn} # CP SUBNET @@ -141,20 +131,6 @@ variables: description: "If flagged, this Terraform module will create the Kubernetes Control Plane subnet" type: boolean - cp_subnet_cidr: - title: "Kubernetes Control Plane Subnet CIDR" - description: "CIDR block to allocate for Kubernetes Control Plane API Server. As it is just one endpoint, it can be small" - type: string - required: true - visible: ${create_cp_subnet} - - cp_subnet_dns_label: - title: "Kubernetes Control Plane DNS label" - description: "DNS label for the Kubernetes Control Plane subnet" - type: string - required: true - visible: ${create_cp_subnet} - cp_subnet_name: title: "Kubernetes Control Plane subnet name" description: "Name of the subnet containing the Kubernetes Control Plane API Server" 
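Review bot: The `pattern` added to `vcn_cidr_block` leaves the `.` between octets and in `0.0` unescaped, so each one matches any character and an input like `10x0x0x0/16` passes the form's validation; the `\/` later in the same pattern shows escaping was intended. Because the value is a YAML double-quoted scalar the regex backslash has to be doubled: `pattern: "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){2}0\\.0/16$"`. The new description still says `CIDR blocks` (plural) for what is now a single string, and `fot` in the `vcn_dns_label` description should read `for`.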
@@ -182,20 +158,6 @@ variables: description: "If flagged, this Terraform module will create the Kubernetes Worker subnet" type: boolean - worker_subnet_cidr: - title: "Worker subnet CIDR" - description: "CIDR block for OKE worker nodes and other VM or workload like functions" - type: string - required: true - visible: ${create_worker_subnet} - - worker_subnet_dns_label: - title: "Worker subnet DNS label" - description: "DNS label for the Worker subnet" - type: string - required: true - visible: ${create_worker_subnet} - worker_subnet_name: title: "Worker subnet name" description: "Name of the Worker subnet" @@ -214,30 +176,6 @@ variables: - ${cni_type} - vcn_native - pod_subnet_cidr: - title: "Pod subnet CIDR" - description: "CIDR block for OKE pods" - type: string - required: true - visible: - and: - - ${create_pod_subnet} - - eq: - - ${cni_type} - - vcn_native - - pod_subnet_dns_label: - title: "Pod subnet DNS label" - description: "DNS label for the Pod subnet" - type: string - required: true - visible: - and: - - ${create_pod_subnet} - - eq: - - ${cni_type} - - vcn_native - pod_subnet_name: title: "Pod subnet name" description: "OKE pods will have an IP address assigned from this subnet" 
@@ -250,39 +188,31 @@ variables: - ${cni_type} - vcn_native -# SERVICE SUBNET +# LB SUBNETS - create_service_subnet: - title: "Create Service subnet" - description: "If flagged, this Terraform module will create the Kubernetes Service subnet" + create_external_lb_subnet: + title: "Create external LB subnet" + description: "If flagged, create a LB subnet to host publicly exposed services" type: boolean - service_subnet_cidr: - title: "Service subnet CIDR" - description: "CIDR block for the Service subnet" + external_lb_subnet_name: + title: "Service subnet name" + description: "Name of the external LB subnet" type: string required: true - visible: ${create_service_subnet} + visible: ${create_external_lb_subnet} - service_subnet_dns_label: - title: "Service subnet DNS label" - description: "DNS label for the Service subnet" - type: string - required: true - visible: ${create_service_subnet} + create_internal_lb_subnet: + title: "Create internal LB subnet" + description: "If flagged, create a LB subnet to host internally exposed services" + type: boolean - service_subnet_name: + internal_lb_subnet_name: title: "Service subnet name" - description: "The Service subnet will host all the network appliances necessary to expose services, so Load Balancers and API Gateways" + description: "Name of the internal LB subnet" type: string required: true - visible: ${create_service_subnet} - - service_subnet_private: - title: "Service Subnet is private" - description: "If flagged, the service subnet will be a private one, otherwise it's a public subnet" - type: boolean - visible: ${create_service_subnet} + visible: ${create_internal_lb_subnet} # FSS SUBNET 
@@ -297,18 +227,6 @@ variables: required: true visible: ${create_fss} - fss_subnet_cidr: - title: "FSS subnet CIDR" - description: "CIDR block for the FSS subnet" - required: true - visible: ${create_fss} - - fss_subnet_dns_label: - title: "FSS subnet DNS label" - description: "DNS label for the FSS subnet" - required: true - visible: ${create_fss} - # VCN GATEWAYS create_gateways: @@ -391,7 +309,7 @@ variables: - ${cp_external_nat} cp_egress_cidr: - title: "Egress CIDR block" + title: "Control Plane allowed egress cidr" description: "Allowed egress IP range that the Control Plane is allowed to call" type: string required: true @@ -417,20 +335,6 @@ variables: required: true visible: ${create_bastion_subnet} - bastion_subnet_cidr: - title: "Bastion subnet CIDR" - description: "CIDR block to allocate for the Bastion subnet" - type: string - required: true - visible: ${create_bastion_subnet} - - bastion_subnet_dns_label: - title: "Bastion subnet DNS label" - description: "DNS label for the Bastion subnet" - type: string - required: true - visible: ${create_bastion_subnet} - bastion_subnet_private: title: "Bastion subnet is private" description: "Note that if you use the OCI Bastion, the bastion subnet can also be private" diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf index fb7b148dc..0bd472c11 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf @@ -21,9 +21,9 @@ variable "vcn_name" { default = "vcn-oke-1" } -variable "vcn_cidr_blocks" { - type = list(string) - default = ["10.1.0.0/16"] +variable "vcn_cidr_block" { + type = string + default = "10.0.0.0/16" } variable "vcn_dns_label" { 
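Review bot: Both `external_lb_subnet_name` and `internal_lb_subnet_name` keep the title `"Service subnet name"`, so the Resource Manager form shows the same label twice and neither title matches its description; use `title: "External LB subnet name"` and `title: "Internal LB subnet name"`. With `service_subnet_private` removed, the schema no longer tells the operator which of the two subnets is public; adding a sentence to each description stating that (the external one is presumably public, given "publicly exposed services") would make the exposure decision explicit at the point where it is made.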
@@ -37,16 +37,8 @@ variable "create_cp_subnet" {
 default = true
 }
-variable "cp_subnet_cidr" {
- default = "10.1.0.0/29"
-}
-
-variable "cp_subnet_dns_label" {
- default = "cp"
-}
-
 variable "cp_subnet_name" {
- default = "cp-subnet"
+ default = "cp"
 }
 variable "cp_subnet_private" {
@@ -65,16 +57,8 @@ variable "create_worker_subnet" {
 default = true
 }
-variable "worker_subnet_cidr" {
- default = "10.1.8.0/21"
-}
-
-variable "worker_subnet_dns_label" {
- default = "worker"
-}
-
 variable "worker_subnet_name" {
- default = "worker-subnet"
+ default = "worker"
 }
 # POD SUBNET
@@ -84,40 +68,28 @@ variable "create_pod_subnet" {
 default = true
 }
-variable "pod_subnet_cidr" {
- default = "10.1.128.0/18"
-}
-
-variable "pod_subnet_dns_label" {
- default = "pod"
-}
-
 variable "pod_subnet_name" {
- default = "pod-subnet"
+ default = "pod"
 }
-# SERVICE SUBNET
+# LB SUBNETS
-variable "create_service_subnet" {
+variable "create_external_lb_subnet" {
 type = bool
- default = true
+ default = false
 }
-variable "service_subnet_cidr" {
- default = "10.1.0.32/27"
+variable "external_lb_subnet_name" {
+ default = "lb-ext"
 }
-variable "service_subnet_private" {
+variable "create_internal_lb_subnet" {
 type = bool
 default = true
 }
-variable "service_subnet_dns_label" {
- default = "service"
-}
-
-variable "service_subnet_name" {
- default = "service-subnet"
+variable "internal_lb_subnet_name" {
+ default = "lb-int"
 }
 # BASTION SUBNET
@@ -127,21 +99,13 @@ variable "create_bastion_subnet" {
 default = true
 }
-variable "bastion_subnet_cidr" {
- default = "10.1.0.8/29"
-}
-
 variable "bastion_subnet_private" {
 type = bool
 default = false
 }
-variable "bastion_subnet_dns_label" {
- default = "bastion"
-}
-
 variable "bastion_subnet_name" {
- default = "bastion-subnet"
+ default = "bastion"
 }
 # FSS SUBNET
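Review bot: The new defaults `lb-ext` and `lb-int` contain a hyphen; with every `*_subnet_dns_label` variable removed in these hunks, the subnet name is presumably the only value left to derive each subnet's `dns_label` from (subnet.tf is not in this chunk), and an OCI DNS label must be alphanumeric and begin with a letter, so those two subnets would be rejected at apply time while `cp`, `worker`, `pod`, `bastion` and `fss` pass. Either choose defaults that are valid labels, e.g. `default = "lbext"` and `default = "lbint"`, or strip non-alphanumerics where the label is derived and say so in a comment next to these variables. Defaulting `create_external_lb_subnet` to `false` is the right choice here: nothing internet-facing is provisioned unless an operator opts in.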
@@ -151,16 +115,8 @@ variable "create_fss" {
 default = true
 }
-variable "fss_subnet_cidr" {
- default = "10.1.0.64/26"
-}
-
-variable "fss_subnet_dns_label" {
- default = "fss"
-}
-
 variable "fss_subnet_name" {
- default = "fss-subnet"
+ default = "fss"
 }
 variable "create_gateways" {
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
index cd12fb702..33c5ff456 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
@@ -22,7 +22,7 @@ locals {
 module "oke" {
 source = "oracle-terraform-modules/oke/oci"
- version = "5.3.2"
+ version = "5.3.3"
 compartment_id = var.oke_compartment_id
 # IAM - Policies
 create_iam_autoscaler_policy = "never"
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip index e548a54da3e7cccc1119821873dc9e7d4398c64e..0abe8e103c920abc45cb87ca8d9ad6be4b8271fc 100644 GIT binary patch delta 7263 zcmZ8m1yoes_Z=9?p^+Luq*Gvq?i8hK2;jIbaAM=6P6KdH@Y8_I=C7@Z9>-B~isH#OaOd zaMi-v1QW_(Z)VLB;Oq-$+HMMO89h6_)l6Bfrc2R4j6GR?cp&mIm2au_M5+va<8{Z# z1?JaIHj*>wEhK;&+hupm;kG7o+hiFe>cN1xTdEIX>!4`f;H8=FtW1<1bU4p;gUJqF zcLdtjjU4vcs;m~$J~6%1XCze?`nkuODlwBX@>DR=?QmyhAP6x)VG;myp8OzqbZASr z89;F+cN1!TXF8)(`i+zXNUk7mdpPNq6U~_?jV|51dUhQPv14uxOrDzky+A-B^8-)1 zkFqe(-0t0bq-kMwwmKiJXj?-X`&4ehMS$Cb(KJYb(O?bR-1>R@A`HvAN-Q~r8`|py zQgqnPMoA04T*sT=EmQG5R4XcZ*)af^JY(v7Q%DG7{bfO=^OD{kU z*!q-MnXe_^HDdsU%oGQNU$O&;!I;K2D%z4h&xCerzobglT-y11IGQ+@+aQNs9u4}V zz-0?Q8SWfjL)f(;jgky%N{bXVatb^;ofA0NcJ(?%4-+e*Sn&yI3`hbS>FRo(a{??j zGZppm+~WhGk=24_syQaw1)S<|E6oCGDXq}$2fLe5P53N&T4{5*Fu`i&laOgY7vn%f zY{+vWi4W2-@@82wN**ujKin+yCsp@u^pfLx!eH5%+-eO5QshQ!$7ZD(wTj<`s+*M5 zQ2HXDj_72z5A(*Qh4usyb*HOW)9{+FLy0`>v_k~A$Lx6F&a2D2>F zlR0Tj;fWgT<+dQ1;u9BIGEsE>K?~~QR%VoSE>C>!Oz!@5`f8ln2z7O`TkF)bXw z;pKdj?2C`&n!kZkM6yo7SWB6T zAE09K%c`taJvoAE@GYC*eb3X0Y{N7jbF7#2+N)31=z4;IU%~b7<*~A~eo~CeJHNI) zCTmmWRh~w2cvL({@Qx%iu>RK1A-Su#LjU{#+{>D}CW++4@=kDiN&XZYpaeHmrz*kK z$Cgr~XBA0*T)Jg_kmyv#qF1#~s6cL*WAll8sRu!AaHXTp5%U`MtS_PUk-T! 
z1($j0Z6j)!T^O#nbY2SfrKmuJcC#`#W$*3GGNyi|ytT7;>Es9&)So4f(!7MIE1OuN z$RDK2k=|V|>%W*cbo3o7N&YVVjBqoAZ`8LoWk9Z0HC25w#o0v8`|2RLSqMg~-(Y?z zW@F^GVr%q*BAF!@4x@Qnf6CG56cTGg$E<^i4I=5)8P|^C7yxy;Myn-@3kQhZx#2D% ztZ2eLU68wi`HA|>A=kQgVa)kQ{#F^S9KZ_sBs|P0?wGGfTI@8ktR3aKkyPw+)0X*pD+o$t z*Y3F$nVEBw;~0y}R-du@%?;j=kP#J_Ld*|6 znO2u(Cvi=Hs~jPCC27caVPJg1o92c>VEwjA42Qsjq1c>7b{)s*9dP^wUuTpI&0vqY z(xp3e2ey&j_l$#+9A=02$t3s1rbKFsVMCVekL8wyvmJ`>w`#5E85s7=+7~>{S_)-PzG`G$M*1Rz(o|u6`U3%XiAKQ{>J}D_(gW7$#*p3XQ$>Y^cO- z8E&;IKITJeFayw>LWV6YgjBDsf41zjYN@{fB>xhMKXzHsYepxWz347MhU;~1Z<&+(Ps!9W$Ug~o|0 zffL5hIU8j;U60>{^An6A^dc~FNQ#snYO@dwZG90pOs)I2Cr~`4XpkO05cN?<+&(u^ z%gvGhmq*?`^EarLo>{zJv7{eAWw^J2fqBbw>+nDX#$mpOilUy>J5>y5P9l7x0 zq_p%F!?h^R>QJxIh;8lW+yiE>bgj!-X@3rIZqI|7{U{Pu65dO31zZ zjT1gXrh`-OdEvR#OnQdxk;(g1n=ozn5<_HLwhAT1XJBm5d1gvd|EA2R<{}Pw4v8h7 zE2p$59JNBvDjv%($={14U0gY^gSPmw345s`bT5$dUAnFT)0NU2`>|H=<4_oROML)| zUg>}^vqO_QH~XMA%?##{Aj?&p&c${~l_}nElXY&X`1$tq*HH-!R^M}?wu71PSWu{n zCu6BvdWyFFH&(@#7V7|xaxwVWf~+BaLV)C_u?~;QiT(EIff|0!;y0xz3jXlsjsw{1 zlUMt*#$@H@x7^Qc42Mwely~xO($)2zKU(+{rKGH>-&b;adB4@srn@p=(fOQ0!;_}6 z`boTF9v@ZKY!6OpnoBU)SnYnzcVH9elKCR{^vZ7RQMg~$iG$>MtYQ#cGTl^Uds33j z!OzS_${{&>(KoJvT`$5?bD}6?%QLF^Yjv8>PmQu2*w6E<9tKYgVZS{eZrxNh0pQE5 zftBrWzbab>ixGkBB#xYo%e$K91clBry?gAsDb|+Bva_yjl+bBWsgu&jn3sHw!E=_- z7Rs^8(65JUKdl=aq*k85G1`WzqZZs^{B{=YB&ZamJ1MOhP$s3m+Q`~^%PUp&d97Hs zFx|{RNpgll1KzJKD%o<`_;;QSccrBEh3mX1pMKMc?a|A7R*QV)~e-zUvfD8 z;%bzrkjPG7>)hh>s(sT&^Y~(NDQjbj@&jrUS2d3wW^vS z9TkXiAx9WyZYXxbJ!JN6t+LHT1c9#MbMemP)jrkS-`|Nb!vmom;Ose*VI>1AcYzEu zVw}~y(znGEhr_|mRfL`FjzxiC{sN~h7ORfq=+dir*IfIDeQ3UhXlhX@uv$G@a zvxmMy;6bH_^v7DVl(u%Xrv;E(Ep`MSHo9<2qEMcEjwC`*ih`zw!-$+_-X-s6ssH$15M=n`s-4M?BWQ2h^ta05P2VPEX9wYaLzV;R0y{spXL^DD^ z7TxXE94lo|FaO-n;y`VoR^;OMZr$LqA@XAP80X&A)kOz_#PyCIlya)ZilG`DJEI-gAL^}zVo7kY%-M5Y5Hoovb?Tchu1V2$2JckVSOroa?4 z8nQA!uD^g|j&n~uDbxFb-T>$>Mq>FXy1HZ>XQf$>PL zFjl|3RMmY}$+@O?Gf4@Vv%{R+C1#ktVk`o4%H)t+7#pnd3|bknuvjvReN})uSM`6& 
zxz$-IwK67q(J*o*qI$nnbDEQBIHr~=4z6m3hioh<01zMw0Q`T){j0MjV-@<-+5Ya4r-PRe z?WDY*pm@9AJu>2y^a&9C9NmfI34w_S0XVqq5Dh#B z(IJ>f8UBF3+v_Qt>-JiWfDbN7`lr3Ne;hv@jR_%$*j?p(@0({f4&*Uw;$zaWVsFMO z^cWioj@)$>f2^2-B(dLTIAbO2U{(b+;LENx?90b(E9b5PjEmYDxc6;S4qF0Acb?>B zGh($5l_F;_n0yv-AEjZ9<@_LjxH}6b5q(x?Qp+wt*sZvP&z$9kiVw0;nYNwF zdMgni;qQD&cXhGd0)KnaI}MM&_hyjurLdiqBslI?@uHV*jrof*ZYlaWIIf{n=HZgL zpZ05T2;6=K``)g7aXRe}PfKw1l?59)Z24SmrB#%G%bQrgOO-F}l;v}$uRY_!@&jHU z3O&2tryoLDJv#(yD<>`IAyhf7Gd9g%+nGl5xge1({K+J+n){WE2T!a*hB$_H2s&U! zDL=@$p%(XSStr=ox*67Q!#RJ15Rxqx*oE#G>C`{!g$@S^9BH|wVQQ&8y!1c#5*hhf zP3i|--RKHQHbWF3ld4-0pMH*7ChB7J=X)CXxxmb}SR#LQICobxBiVdJhir;~Z4Eue zL3VM4b8qZo)6mG#yE;_b7bV9)f^ww_Y9XFPn`9opq4ao<3PUq)SNPFA%?-=KTAcdf zr-HH;EdKeA9U|gu^zLW6)pA5K#iZ=VppIXg{$Lu$ukgeh+(GDAxPcOVT}|~tAX}47 z@%icaZ>+n};7*~;TVL%Gb>Gn@>P64)6&m`wnLcoQnR=p}2Vh-m@>v9klzp9q^m3C4 zv(8Tzw95M0$sFnuxxqE6WgIIEA*@QDodwTAcz7q;?znwjI&(;%++BUkl#Ud4-RH22 z1y-}Ys#k;13jQRrh)6+(im2XppEQ({18Qw{`s4A3nCikQv06FeCQHv1}c|1d9xG#X=2HL4IqXtR}Vb9ofBm0Rp3kAb6uw!ZvLScQHvBUDarJ z^yK@5TC9b;{qF|YzmJ*Bki+(DRChV!AH*!L=u~q$PmmcwwAbF)ml4}%QT2JAr4Urp zM>J6nhf9b*Vs((aR8S3^jxH7npuWC>~Kh-t#razPJs*IjhFO zwj#oPA+GfO&B)I5M&C;3z@=_xY=zTm`snR>w5 zM_Ow9GO{D}U~6gxtU9Fr(0#7{o{%tHtAksR4i#qL5{0E`#b3^DoA-;DauTR%Y2`DoHS7KaxrC{AExXh zC`mkYl^4(9Lcdp=S5GQBj*x!Pij1J8-eSUeRtmQ8XW2Tq(kuXpE5mim@xG%GMD(-&=- z>zTb;)59GnoxGBGDl3GQ0(v4D%O;&cz$}_@5Z@uY9ba0J_CDc5g*m9N-KANwkL%c- zD2+a_f87S@O~HM;LBxP_$)b_d5l)m*c!KpMa(c0Btnd_Ym$})H%I6KAZj+c4t5cZH z;*D(L`@{@IWEKzgv2k?_tqB*~wuw7~gl_CL)ZK_x3NZ}NA5g+bTa;l&_2F5(jH+~N zK6msP^e%j^7F2eFg3DM`$fe4lLHZ|UI{$2xCflrffJ+_@-m(5GjbkTN+ya6KL zH8VoAm_>MqQy~U&v}yA|e3*Aw)wp~1J41R2TEn)+`_w4}ZRrNum9LTC%}K>rJ) zrRCqE^WT&;%-4sjT7cmuT5tZ%`b&)SLczch0SF!- zJ=Jw0TC@I5{!7fF$?Em*`L*8=T3{D1;5j`#I^w_kiH<-ooCbnWf%1U= Vfw8dBCy?y=KE?t7#vtfl{|A}M1v3Bu delta 7260 zcmaJ`1z1#Fw;sAdN*Ed>hM{X{1VlQeq@+u_Q;vXi2?NrtfOI1vh_r+tHI%eSgLGf~ z?*0AsUjKW}v!C;vwf9`dH-oje@@DWaK9LG9u8|T}0 z`>es`B11;`*}=>s`m5ut&KoX;<$`)^*N0~@asBGJ^?)Oo#DH{`R6fSF3;7`e-q7>} 
zmA)TWOpRxf%*W$y#(CN)jA^xaq zy}+UkqNnRCLIDs~P6%!GwEf7F6hH=SX3-6HZQiEZ{dks3Sp^Kkv7kSmF}ppXq9AR? zU|Y&18}LuqFcsr}>HLE|xj7PAWB$>i{bl1q>Xh!*@Lo!k`V&W9BPWxWMVd)Aoq8#X zm{7gfJ$KF}cq9u+{k+n0*f^BVB1plN`PB(_#PFqL_m=?4*#~qi7b89?FAi3NM)Oqb zHe0_UL1iRJ0biTAuenU;(*hbF{An9E%+C!nprI%;hLBjV=-tk1o7T#n`D|>F~={sx`_eDrvC$RlWMjnZ=8*pm`%&fsF__2#W!njMSVB)9a|1Z^53 z*Ic|NLChdCW*H=pf0PDKHsPPvJNWc9HPC&v@r|i< z6e5Y`yOSaG0k1@`esDkXg$kBXJuBCptSPl;$sMVH=2l!9n~rjXh5%(u09{o7kyC&A ziBQ0Fe%FCdg}hZ+Y`Rz^cv-TvuaHA?03Gi>N=mL}*}?!3CKXIaeHb)$&iw>g*<^C8 z;$i!aGp(x24607P8=#8JjL}22oW}9Z0QYbFB0uGIh8mC-? zn6clJ#2g`&9U%Lt?k3RJcW{#}Hzw55-Q+T5**?_KS%-)eE+I*0FzjQhkke%g^}+^- z)n5*_PBAO&4YfE0&zEOtx+x*}olJ?d$?$wB)A$m(G{G83kOy~1ftiQUUf~np#@*o z30LO>%mn*^3bDOb+`cUeX-PYm;u()l+5(UX{SI zwgRnKA}ewl{E(@au!J%#yd8deHBvwR=!QQtx`skTd>%a6AcFcnZy({a_sIg*_Kuzs za!l(U`Tn3a%}rLA^mzyGl;H#15WZp(4^ohzy%&TuL;V37^A1M!($x6&(`P=xr{_!# z(VQ*o-aa~FDTRYye5M;zgM!Wc$?*Y2O`*HPsw;CG;!D?`+zg z9ABPgv`0Eyl-!lpGpm=qZ@E^Ne1v@x8;09cBEYPZV*Sb+i~FQKuv5^_0t38)Rr1CB z1}u2K;p*wfXMEG3fWBlfI&_3^70)&b)ucGK*!oP3%KF5$ond~*e9}8W&fvJ(bJE1S z`%YGyTOK1u^GfW8*NASJ^5dkEu9UtgE4;Ghleko;8I&=o9I}ubOOrfm;Bng=y14zO z01pj<@c482vFA*7mMmJC%LJGm-kS3kETUi`H5yl>oqPo%L)%sbX0krRH}92*(3 z&86}~OQ>LBp@oCGV(Etir1eEpD3Yg@<#W0afeE^66@dJ>gg$(Jn24JK&5SgGlM>A& z5|F5lC;q@sZ9MOOqVF}}Ss1SzP>Me{DGDnN>w>q2 z%SU7up%sqQ^3g3dr>j!OTQ=OWIk@@G6^}`yr|+!=l5QBn5vXU0$U?Et`Rb_it%rTn z=?pr1AuIj>`+26WT_cLjPAB0CH%=1{hgQY>lJ3EDsgjdKY{y8pNc(G`xGSnhUc*Rq zFpaOFmNxn`^m9$IEb7&R{`tegFSGe6KTdmu$E;r%W?(UAvty*eQihABp0YD$@6`9g zJj1?s8uOV`6%81Fa%`nNK{80Yvg(%-MQ**t0|T?Aa6Ohd+T))Z>D;kuw-5TNA$L>EHU3 zU7lRhOx#BvHu)Zav};O?`3xMV|C}_q{$!p1WnsLr{X|M3_Ms|*b*pyKUL zb|*A-ZG_i@kPpzm2svi$v=%v@M5IA3%kNs0(de{4HE+g|SHs!Sx z7l*>OEGRC{d1H^>V_(r>r&hh%9yHDVl9d@kH`;w{tq@m-d({}tioeIKrk{WzprHq) zk0xGB74MBN6^^x{D-PK`$;-zakecRwYgL8!RnpLcDGo>v^t9@Vo=&xqEacTNaONL- z&OJRDltUj>o@Ajas{#~sEfJRYZd z#FFh!W*$hEZe^@7%2sR3BpJI;Gbhj?6B}d)-^!@D# z((nM*t{PzcI)opEEecsxoyK_Xc_0N>o+afV@pBBkKn~tFkgVnoiW9xfei}W1uSH0J 
zvtFlqdJQIQ_1+$DVy{_6h(yFXcuLYRi-7swKK4`&{oS{VngABpL}s9hMKhWP(tccea@1*vmH>qeIH5w* z5R8`}wp;2sB-n#f%0$V7By_5OKOd)TvYtZ6BCH7(FN%q zQsQ`$$&kv-sjY|8qAzX3s=8pEEUPSKem`t!pa6lJT;UE56RIitkeU>sYeZ;AzJ9-kj*CSk(?IY0pU^1g%Y*#=* z2ziQeqp4*$q6a&vLi-K}F0@7pRWw^e2?fXicR=PC@%m4nIJzR0=;rdknzik}BZI{g zG@`h)G0Z-PQER;qVM-h@GoTaS*Rb|GMOMho!*`^dOG&nA(d%E$nR?UDY_9|>r)vg$ zCFdxLF-m5*Zm4+61P^#QK1C`LX#mC1PiFi{X6qznd1DD#k%G~}%~>~!9wx4amOfYNCTi0A-cz!5;|B+ymF`s|&x6HPZ&+uW0P|caW5)JK{^sRysII!@BHlv7$A#`v-d_B%yHnG3 zhphN{obwI^Pa-{)v1f_~b^RhaM7M2n{XR)j5q3iVI-21dLt<`2%MC;QR;DFc$>xKy zmzSY0?Irp#$ibJ}%-O`44RQd}g#uYtbc7caF9bc3tCRw-WPb8Fzl5)KxB5OYYn_7^ zUe9&%VrMq4)iT#TKnUyw^-x=RkeG-CtwFWr)cACi*>6-jqe|!VW6t^63AT5fUR7*d zoHy6Po^XYcrlXbF)k%-a#-=COqq7y87&YosGucM&cRuw=MrH^z2QE+`$Q#kFLKk4k zcP!WBRMB?TxX3weBnb}Xv@PBqKDVkz#ZEA_Nl&f&1hXk5KAI12Uq7^B4qY2f=i|wW zwkFS<8eTk%-qXm3#3$}|S5CcAWSy}%d7Vp&wQAyT!u;}7JZ!!084u6YIqzn9s^Q03 z56li`3gs`JZ|Eb0rbVf1nTF`+eDW^4=1nm8vy{1E5P8?wi7ko|^<*?F z=iszt!TFO}IO(V$?~3{Z`iR)=cjgXtjuM)&?ZOmj@Esvz8sCF(~Qau4q?A_<~+6;ZPnx6BE z@=kvUvMua^*}sGN-NdML(z2REo~`TOOugCY@+-}IOTjbKHLsgCBSJwfX{cJbw&d?D zA_8orERDx$Q%7aklrLR+j7qQ5wSooHr=)x2Q+8}~bOH~oHl)7Psqp2Ist#zmskgRg zmD_-2;~rR#3%UYTZkg-N;cSl2S+=L!_x3(KK0JKNEk+x0u)p%n_@S;LE_1M&kaZV2 zy3(W(m`1mhth)`KeC9gREDOT2yn8IW>q~2Xv>;60iT9jprlKtuOqW)tLkcq#*}N3b z0C#aRQZ>R#tA(?;IiO!yHWr#IxRYGp4=|qP8*2EoX|(`VV@S;Evmp3vPt;uq{&0q`=A}q)iK9j*FcEStv&6iOO>X7oTh3y%UL+0UqJNu;U zqs*w1RFe@vOJQKZi2blL@v&5sO~*0BNaLKaNf~nENGnc)r?JegxB8X#>ir41dg_D# zo8){efI5acW-Rt;*`DUZl7!4F$!DRW;N*HtN9_i@(_=jdpLbnJAN8VQl&V{qTKxzQ ze`8d^&;*mE^-0j705R%PuH@KO<&jpBQ&5r#;T%2CVe$bGqS;Ca9?^PdyTOrGBUI3` zwe0V+45}~7(RwuhNZ033Zf4SpVO8n{NAo(2RvsrVc55ZJ0vIDNQm7g=bBRYUVa0R5 zPEZtxO1byQ<1!hY@Z4Y2Iek}YC^pX1#{PAbM=?Z5yL8%EjVUT}14*{+nW~b)>JhE2 zkyaw09$rb-Kth|*W`7V%L@i5Bld?RG>Eh9W*INgVq! 
zzJ;A4J!j$zRlodvw!;xI!9^hSjF)}QUMT971~&fm^0P+gb(#FvENm9z{s7|>f$F76 zahLil?83(ANrZ%4-AHoOkmGW&_5e&WhJ%?=?=)~Wai42H$>G3D_TpoU>Lq{HGg*fF zK-NHcx~Dx&M6DQCbylsSnoCRf3>?}~S!g$=a@;6mwEK8KG=N3N3wnK}x*XRCN^d!B zPI{|Ukcu=oWO;D>Q4CQ{!2KPprjV%aag$fb6{=aEy?hF1?XRj-%yDcm#z}R^pt&3u zLAoI`{IJWNY817uE4AzEeqA+FOLNc)JU3oLbnZ2DiFvuyWJb|vn?_Z|*_Ug#6iw^R zRNlN{c818p+gVj5vLfO}*~oT{m_E~~g}mypHtSbfk!JlgvHi%1RpV`F;@v=ipjebD z?x1qD<D}1|oBBbL2&o;)@|tTc6Em)yP|e{(ibGb(hEcTU}G^B=)PIC1Th-L(-_k0E+AdzZ<_t~l3 zI-iZ_U8+h&Sn$Ef_}8(`b8AT>MCc;1fL5#2`_#*Q*bHqH+D*y53!VFQ2?hmtk2<6) z5|(gYAc(Y?`fB9R#(~lA^WT{7!D294QJe|%SXt1+Elqli-q$tX32iMIX`79%kR`jf zvPcy$g%!<`-MMvOlbx_%4D8&iF?05WWrpKKYfes!kTiUA^_8HB%?)!55X)r|?jUr! zybQoIf(g9n;A^44v&yfD^@Gqw@z%unkCMk3@r7D=n4yk$ZZ(n#gj1wqkIv5ccBmUA zyNDu=dA?KolW*|vlH!DwG3-p+BOD=(^{Q7(DI`6g`bxNK6<%a+))M z(*-r}hI@qBHHGqeq^bA^;ndh@AT}KyMbHgfK6Uz39O@ZXZu#95{+jaG#?%pNC|dUF zo{_u~G;eT5b?BSBB7n4!v?(zGJ=0Gq)MIMMvSHdz5TBqgyIdIkbj8qcTC3aALJ`Bs zX>AU@OLOq@vC7Sxw;huthfr*V{Au-*c*P|ucC~{t%3=Z4#GE}_t1038ZZ_PNE*#xz zqgz)@;vY$l7bj^BY;&#+Y_8H-uTD}PJ?J|o6+d=RJ`$VZC6&=;i&TAG_{r%>X|2GL zu-z(vNRYmu#Z&fU2=`?hM9fy;UT)t<`l+s2*akVH2|*w~q2JZ@Kgt%FM&OsS{asVn zVf`VIYj&`_k^V;`Q^DWzQQ+f&F#c7K_?J}v=j4JElkJy={;92%FsuGK(n!F9{j&cy zQ9Rxs^Hj+aWBi)NfcG!c*y14}lc45n1$@DUgV zvNke2O^}`YZ~ea)XK+B|zX~$10|`*z88CX1zd8LA^aT!l8}|30zgIN=3@U*O-xc_O zf|}yNC1LEmf14EdvS}y;83f|IP4ds6l=!z8(BGr_|1dx~y90ug-hU{7a;t+v?|rgMa0_i^50@g7e^#^WTp9 zSwH#x%lsUd491Pnxy3vGwh{h;JSr0iPDpd_XR80(@#n!AHyR diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf index 91532e10c..389c8440f 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf @@ -3,7 +3,7 @@ terraform { required_providers { oci = { source = "oracle/oci" - version = "7.7.0" + version = "7.22.0" configuration_aliases = [oci.home] } } 
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
index 29c5fa692..7857d751e 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
@@ -105,7 +105,7 @@ variables:
 required: true
 lb_subnet_id:
- title: "Load Balancer Subnet"
+ title: "Default Load Balancer Subnet"
 description: "Existing Subnet where all Load Balancer services will be created by default"
 type: oci:core:subnet:id
 dependsOn: