mirror of
https://github.com/cna-bootcamp/phonebill.git
synced 2025-12-06 08:06:24 +00:00
149 lines
6.0 KiB
Plaintext
149 lines
6.0 KiB
Plaintext
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor': '#ffffff', 'primaryTextColor': '#000000', 'primaryBorderColor': '#000000', 'lineColor': '#000000'}}}%%
|
|
|
|
graph TB
|
|
%% 인터넷 및 외부
|
|
subgraph "Internet & External"
|
|
Internet[🌐 Internet<br/>HTTPS Traffic]
|
|
KOS[🏢 KOS-Order System<br/>On-premises<br/>Private Connection]
|
|
end
|
|
|
|
%% Azure Edge Services
|
|
subgraph "Azure Edge (Global)"
|
|
AFD[☁️ Azure Front Door<br/>Entry Point: *.phonebill.com<br/>DDoS Protection Standard<br/>CDN + WAF Policy]
|
|
end
|
|
|
|
%% Azure Virtual Network
|
|
subgraph "Azure VNet (10.0.0.0/16) - Korea Central"
|
|
|
|
%% Gateway Subnet
|
|
subgraph "Gateway Subnet (10.0.4.0/24)"
|
|
AppGW[🛡️ Application Gateway<br/>Public IP: 20.194.xxx.xxx<br/>Private IP: 10.0.4.10<br/>Standard_v2 + WAF<br/>SSL Termination]
|
|
|
|
subgraph "WAF Configuration"
|
|
WAF[🔒 Web Application Firewall<br/>• OWASP CRS 3.2<br/>• Rate Limiting: 100/min<br/>• Prevention Mode<br/>• Custom Rules]
|
|
end
|
|
end
|
|
|
|
%% Application Subnet
|
|
subgraph "Application Subnet (10.0.1.0/24)"
|
|
subgraph "AKS Cluster Network"
|
|
LB[⚖️ Internal Load Balancer<br/>ClusterIP: 10.0.1.100<br/>Service Distribution]
|
|
|
|
subgraph "Pod Network (CNI)"
|
|
AuthSvc[🔐 Auth Service<br/>ClusterIP: 10.0.1.10<br/>Port: 8080<br/>Replicas: 3-10]
|
|
|
|
BillSvc[📊 Bill-Inquiry Service<br/>ClusterIP: 10.0.1.20<br/>Port: 8080<br/>Replicas: 3-15]
|
|
|
|
ProductSvc[🔄 Product-Change Service<br/>ClusterIP: 10.0.1.30<br/>Port: 8080<br/>Replicas: 2-8]
|
|
end
|
|
end
|
|
|
|
subgraph "Service Bus Private Endpoint"
|
|
SBEndpoint[📨 Service Bus PE<br/>10.0.1.200<br/>sb-phonebill-prod.servicebus.windows.net]
|
|
end
|
|
|
|
subgraph "Key Vault Private Endpoint"
|
|
KVEndpoint[🔑 Key Vault PE<br/>10.0.1.210<br/>kv-phonebill-prod.vault.azure.net]
|
|
end
|
|
end
|
|
|
|
%% Database Subnet
|
|
subgraph "Database Subnet (10.0.2.0/24)"
|
|
subgraph "PostgreSQL Private Endpoint"
|
|
PGEndpoint[🗃️ PostgreSQL PE<br/>10.0.2.10<br/>phonebill-prod.postgres.database.azure.com<br/>Port: 5432 (SSL required)]
|
|
end
|
|
|
|
subgraph "Read Replica Endpoints"
|
|
PGReplica[📚 Read Replica PE<br/>10.0.2.20<br/>phonebill-replica.postgres.database.azure.com<br/>Read-only Access]
|
|
end
|
|
end
|
|
|
|
%% Cache Subnet
|
|
subgraph "Cache Subnet (10.0.3.0/24)"
|
|
subgraph "Redis Private Endpoint"
|
|
RedisEndpoint[⚡ Redis Cache PE<br/>10.0.3.10<br/>phonebill-prod.redis.cache.windows.net<br/>Port: 6380 (SSL)<br/>Premium P2 Cluster]
|
|
end
|
|
end
|
|
end
|
|
|
|
%% Network Security Groups
|
|
subgraph "Network Security (NSG Rules)"
|
|
subgraph "Gateway NSG"
|
|
GatewayNSG[🔒 App Gateway NSG<br/>• Allow HTTPS (443) from Internet<br/>• Allow HTTP (80) from Internet<br/>• Allow GatewayManager<br/>• Deny All Other]
|
|
end
|
|
|
|
subgraph "Application NSG"
|
|
AppNSG[🔒 AKS NSG<br/>• Allow 80,443 from Gateway Subnet<br/>• Allow 5432 to Database Subnet<br/>• Allow 6380 to Cache Subnet<br/>• Allow 443 to Internet (KOS)<br/>• Allow Azure Services]
|
|
end
|
|
|
|
subgraph "Database NSG"
|
|
DBNSG[🔒 Database NSG<br/>• Allow 5432 from App Subnet<br/>• Deny All Other<br/>• Management from Azure]
|
|
end
|
|
end
|
|
|
|
%% Traffic Flow - Inbound
|
|
Internet ==> AFD
|
|
AFD ==> AppGW
|
|
AppGW ==> LB
|
|
LB ==> AuthSvc
|
|
LB ==> BillSvc
|
|
LB ==> ProductSvc
|
|
|
|
%% Service to Data Flow
|
|
AuthSvc --> PGEndpoint
|
|
BillSvc --> PGEndpoint
|
|
ProductSvc --> PGEndpoint
|
|
|
|
%% Read Replica Access
|
|
BillSvc -.-> PGReplica
|
|
|
|
%% Cache Access
|
|
AuthSvc --> RedisEndpoint
|
|
BillSvc --> RedisEndpoint
|
|
ProductSvc --> RedisEndpoint
|
|
|
|
%% Message Queue Access
|
|
BillSvc --> SBEndpoint
|
|
ProductSvc --> SBEndpoint
|
|
|
|
%% Security Access
|
|
AuthSvc --> KVEndpoint
|
|
BillSvc --> KVEndpoint
|
|
ProductSvc --> KVEndpoint
|
|
|
|
%% External System Access
|
|
BillSvc -.-> KOS
|
|
ProductSvc -.-> KOS
|
|
|
|
%% DNS Resolution
|
|
subgraph "Private DNS Zones"
|
|
DNS1[🌐 privatelink.postgres.database.azure.com<br/>PostgreSQL DNS Resolution]
|
|
DNS2[🌐 privatelink.redis.cache.windows.net<br/>Redis DNS Resolution]
|
|
DNS3[🌐 privatelink.servicebus.windows.net<br/>Service Bus DNS Resolution]
|
|
DNS4[🌐 privatelink.vaultcore.azure.net<br/>Key Vault DNS Resolution]
|
|
end
|
|
|
|
%% Network Policies
|
|
subgraph "Kubernetes Network Policies"
|
|
NetPol[📜 Network Policies<br/>• Default Deny All<br/>• Allow Ingress from App Gateway<br/>• Allow Egress to Data Services<br/>• Allow Egress to External (KOS)<br/>• Inter-service Communication Rules]
|
|
end
|
|
|
|
%% Monitoring & Logging
|
|
subgraph "Network Monitoring"
|
|
NetMon[📊 Network Monitoring<br/>• NSG Flow Logs<br/>• Application Gateway Logs<br/>• VNet Flow Logs<br/>• Connection Monitor]
|
|
end
|
|
|
|
%% 스타일링
|
|
classDef internetClass fill:#e3f2fd,stroke:#0277bd,stroke-width:2px
|
|
classDef azureEdgeClass fill:#e8f5e8,stroke:#388e3c,stroke-width:2px
|
|
classDef networkClass fill:#fff3e0,stroke:#f57c00,stroke-width:2px
|
|
classDef appClass fill:#fce4ec,stroke:#c2185b,stroke-width:2px
|
|
classDef dataClass fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
|
|
classDef securityClass fill:#ffebee,stroke:#d32f2f,stroke-width:2px
|
|
|
|
class Internet,KOS internetClass
|
|
class AFD azureEdgeClass
|
|
class AppGW,LB,NetMon networkClass
|
|
class AuthSvc,BillSvc,ProductSvc,SBEndpoint appClass
|
|
class PGEndpoint,RedisEndpoint,PGReplica dataClass
|
|
class GatewayNSG,AppNSG,DBNSG,WAF,KVEndpoint,NetPol securityClass |