RMAN Duplicate PITR without connection to Target database

I would like to understand which network requirements are needed following the least privilege needed policy in order to perform a DUPLICATE DATABASE UNTIL SCN in this scenario My environment is Azure, and I have Oracle 12.2 and a RMAN Catalog in 19c **Production Network ( Subscription Azure Pro )** Server A -- Database A Server B -- Database B Server X -- Database X -- RMAN Catalog Backups are taken in Servers A and B on a daily basis following an incremental strategy. The pieces are stored in a BLOB storage account which is presented as a local FS in each of the servers. **QA Network ( Subscription Azure QA )** Server C -- Database C Server D -- Database D There's network connectivity at the moment between the Production Subscription and the QA Subscription, but it is blocked by a Firewall. The idea is to request the necessary firewall rules in order to perform DUPLICATE RMAN without connecting to the Target Databases ( Servers A and B ). I know it is possible, as the documentation states > If you are performing a backup based RMAN duplicate and using a recovery catalog as well, **it is not required to connect to the source database as TARGET in RMAN**. This technique is advantageous where network connections from the auxiliary host to the source database are restricted or prone to intermittent disruptions. **In duplication without a TARGET connection, the source database is unaffected by the duplication.** If I follow this scenario, I would need, at least 2 Firewall rules between the subscriptions: - Network connectivity between QA Server C and RMAN CATALOG ( ssh 22 and database port ) - Network connectivity between QA Server D and RMAN CATALOG ( ssh 22 and database port ) However, how are the backup pieces moved to the target servers ? That is the part I don't get it. If the backup pieces are stored on the Servers A and B, should I request Firewall rules also for the Production Serves A and B ? I mean, I understand RMAN will know where the pieces are stored, but they are in the Servers A and B. Either I have to move the pieces to the target databases and use the option backup location or I am missing something. I would appreciate some insights here, as I can't find in the documentation anything regarding on how using this technique is literally restoring the pieces. If I did not explain something right, let me know Thank you