🌐 Networking

This document provides an overview of our network architecture, security zones, and connectivity patterns.

Network Architecture Overview

```mermaid
graph TB
    subgraph "External Zone"
        Users[External Users]
        Contributors[Contributors]
    end

    subgraph "Security Gateway"
        ApiGateway[API Gateway]
        Auth[Authentication]
        WAF[Web Application Firewall]
    end

    subgraph "Azure Virtual Network"
        subgraph "Compute Layer"
            WebApp[Web Application]
            ApiService[API Services]
            BackgroundJobs[Background Jobs]
        end

        subgraph "Data Layer"
            PostgreSQL[PostgreSQL Database]
            Redis[Redis Cache]
            BlobStorage[Blob Storage]
        end

        subgraph "Monitoring Layer"
            AppInsights[Application Insights]
            LogAnalytics[Log Analytics]
            Grafana[Grafana]
        end
    end

    Users -.->|HTTPS + Auth| ApiGateway
    Contributors -.->|IP Whitelisted| ApiGateway

    ApiGateway --> Auth
    Auth --> WAF
    WAF --> WebApp
    WAF --> ApiService

    WebApp --> PostgreSQL
    WebApp --> Redis
    WebApp --> BlobStorage

    ApiService --> PostgreSQL
    ApiService --> Redis
    ApiService --> BlobStorage

    BackgroundJobs --> PostgreSQL
    BackgroundJobs --> Redis

    WebApp --> AppInsights
    ApiService --> AppInsights
    BackgroundJobs --> LogAnalytics
```

Network Security Zones

```mermaid
graph LR
    subgraph "External Access Zone"
        ExtZone[External Customer Accessible<br/>Requires Credentials]
    end

    subgraph "VNet Restricted Zone"
        VNetZone[Limited to VNet<br/>Internal Network Only]
    end

    subgraph "Contributor Zone"
        ContribZone[IP Whitelisted Contributors<br/>Specific IP Addresses]
    end

    ExtZone -.->|"Red dotted line"| ApiGateway2[API Gateway]
    VNetZone -->|"Blue solid line"| InternalServices[Internal Services]
    ContribZone -.->|"Blue dashed line"| AdminServices[Admin Services]
```

Key Components

Storage & Databases

  • Azure SQL Database
  • Blob Storage
  • Managed Identity Services
  • SQL Server

API Services

  • Multiple API endpoints for different services
  • Managed API Gateway
  • Authentication and authorization layers

Resource Management

  • Resource management services
  • Monitoring and logging services
  • Configuration management

Network Security

Security Controls

  • All external-facing services require authentication
  • Internal services are accessible only within VNet
  • Contributor services use IP whitelisting for additional security
  • Encryption in transit for all network traffic
  • Encryption at rest for all stored data

Access Patterns

  • API Gateway serves as the primary entry point for external requests
  • Backend services communicate within the secure VNet
  • Database access is strictly controlled through service principals and managed identities

Connectivity Rules

  • External traffic must pass through API Gateway and authentication
  • Direct database access is not allowed from external networks
  • All internal service-to-service communication is logged and monitored
  • Regular security audits ensure proper network segmentation
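The Security Controls and Connectivity Rules above can be replayed mechanically against a subnet's network security group. The following is an added example, not the project's own tooling: it encodes those rules as probe flows and evaluates them against a constructed NSG rule set in the shape returned by `az network nsg rule list`; the VNet range, contributor allowlist and sample addresses (RFC 5737 test ranges) are assumptions.

```python
"""Replay the documented connectivity rules against NSG rules (added example,
not project code). Azure evaluation is modelled as: lowest priority number
wins, platform default rules close the list. Ranges/addresses are constructed."""
from ipaddress import ip_address, ip_network

VNET = ip_network("10.20.0.0/16")  # assumed VNet address space

def rule(name, priority, source, ports, access="Allow"):
    """Subset of the fields `az network nsg rule list` returns (camelCase)."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "sourceAddressPrefix": source, "destinationPortRange": ports}

SAMPLE_RULES = [  # constructed; the last rule is deliberately wrong
    rule("AllowHttpsFromInternet", 100, "Internet", "443"),
    rule("AllowSshFromContributors", 110, "203.0.113.0/24", "22"),  # assumed allowlist
    rule("AllowPostgresFromAny", 120, "*", "5432"),
]
DEFAULT_RULES = [  # Azure's built-in inbound defaults, lowest precedence
    rule("AllowVnetInBound", 65000, "VirtualNetwork", "*"),
    rule("DenyAllInBound", 65500, "*", "*", access="Deny"),
]

def _src_matches(prefix, src):
    if prefix in ("*", "Internet"):  # "Internet" simplified to "outside the VNet"
        return prefix == "*" or src not in VNET
    if prefix == "VirtualNetwork":
        return src in VNET
    return src in ip_network(prefix)

def _port_matches(rng, port):
    lo, _, hi = rng.partition("-")  # "*", "5432" or "5432-5433"
    return rng == "*" or int(lo) <= port <= int(hi or lo)

def effective_access(rules, src_ip, dst_port):
    """Return (access, rule name) of the first matching inbound rule."""
    src = ip_address(src_ip)
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if (r["direction"] == "Inbound" and _src_matches(r["sourceAddressPrefix"], src)
                and _port_matches(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]
    return "Deny", "implicit"

# Probe flows derived from Security Controls and Connectivity Rules;
# 198.51.100.7 is an arbitrary outsider, 203.0.113.9 an allowlisted contributor.
PROBES = [("198.51.100.7", 443, "Allow"), ("198.51.100.7", 5432, "Deny"),
          ("198.51.100.7", 6379, "Deny"), ("198.51.100.7", 22, "Deny"),
          ("203.0.113.9", 22, "Allow"), ("10.20.1.5", 5432, "Allow")]

def segmentation_violations(rules):
    """Probes whose effective access differs from the documented intent."""
    return [(src, port, expected, actual, by)
            for src, port, expected in PROBES
            for actual, by in [effective_access(rules, src, port)]
            if actual != expected]
```

Running `segmentation_violations(SAMPLE_RULES)` flags the external PostgreSQL rule; removing it leaves the probes clean, which is the check a segmentation test or audit pipeline can run on every NSG change.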

Maintenance & Updates

  • Network configuration changes follow the established change management process
  • Security patches are applied following the vulnerability management procedure
  • Network tests are performed regularly to ensure proper segmentation
  • Network monitoring is in place to detect unusual traffic patterns