flowchart TB
%% Network architecture view. Solid arrows are traffic or identity paths; dotted arrows (-.->) are telemetry into Azure Monitor.
%% Two traffic classes converge on AZFW in T4: the B2C public path (T0, T2, T1, T4, T5A) and the Admin/Ranger private path (T0, T2, T3, T4, T5B).
subgraph T0["Tier 0 - STEP-010 - External Users and Devices"]
direction LR
VISITOR["B2C Visitors\nPublic internet"]
CORPUSER["Park Administrators\nCorporate network only"]
RANGER["Park Rangers\nField offices and park sites"]
end
%% T1 is declared before T2 for layout only: the B2C edges below run VISITOR to B2CID to AFD, so identity (T2) precedes the edge (T1) in traffic order.
subgraph T1["Tier 1 - STEP-030 - Internet Edge (OSI L3-L7) - B2C path only - bypasses VWAN"]
direction LR
AFD["Azure Front Door Premium\nGeo-routing to nearest Spoke REQ-1.1"]
WAF["Azure WAF\nOWASP Top 10, SQLi, XSS REQ-1.3"]
DDOS["DDoS Protection Standard\nVolume attack mitigation REQ-1.2"]
end
subgraph T2["Tier 2 - STEP-020 - Identity and Access (OSI L5-L7)"]
direction LR
B2CID["Entra External ID (B2C)\nSocial login REQ-2.1"]
ADMINID["Entra ID + Conditional Access\nRisk-based MFA or block REQ-2.2"]
end
%% T3 carries private traffic only; all three entry points (ER, VPNS2S, VPNP2S) feed VWAN, which forwards to AZFW via Routing Intent.
subgraph T3["Tier 3 - STEP-040 and STEP-041 - Private Connectivity Only (OSI L1-L3)"]
direction LR
ER["Azure ExpressRoute\nDedicated private circuit L1/L2\nCorp admin primary"]
VWAN["12x Azure Virtual WAN\nOne per region L3\nRouting Intent - all private traffic to Hub FW\nAdmin and Ranger paths only - not B2C"]
VPNS2S["VPN Gateway S2S\nIPSec site-to-site L3\nCorp admin backup"]
VPNP2S["VPN Gateway P2S\nIPSec per-device L3\nRanger field and park access"]
end
%% T4 is the single convergence point: AZFW receives B2C on its public interface (from DDOS) and private traffic from VWAN.
subgraph T4["Tier 4 - STEP-050 - Hub VNet (12 total) - Convergence Point for ALL traffic (OSI L3-L7)"]
direction LR
AZFW["2x Azure Firewall Premium per region - 24 total\nPublic interface receives B2C from Front Door\nIDPS and TLS inspection L7\nPort and protocol enforcement L4\nRouting Intent - mandatory next hop for T3 private traffic L3\nREQ-4.1"]
end
%% Spoke 1 (public): internet-facing App Gateway in front of the B2C workloads.
subgraph T5A["Spoke VNet 1 of 24 - STEP-060A - B2C Public Spoke (OSI L4-L7)"]
direction LR
AGW["App Gateway + WAF v2\nURL routing and WAF L7 REQ-1.3\nTLS termination L6\nB2C public traffic"]
WEBNSG["NSG - Public Web Subnet\nAllow App Gateway only L4\nREQ-3.1"]
APPSVR["B2C App Servers\nPublic-facing workloads"]
end
%% Spoke 2 (private): internal App Gateway with no public IP, reachable only through the Hub FW.
subgraph T5B["Spoke VNet 2 of 24 - STEP-060B - Admin and Ranger Private Spoke (OSI L4-L7)"]
direction LR
ADMINAGW["App Gateway + WAF v2 (Internal)\nNo public IP - Hub FW access only\nURL routing and WAF L7 REQ-1.3\nTLS termination L6\nAdmin and Ranger traffic"]
ADMINNSG["NSG - Internal App Subnet\nAllow Internal AGW only L4\nREQ-3.1"]
ADMINSVR["Admin and Ranger App Servers\nInternal workloads"]
end
%% T6 data tier: both APPSVR and ADMINSVR edges below land on DATANSG, whose label allows the Web Tier ASG only.
subgraph T6["Tier 6 - STEP-070 - Regional Data Tier x12 - Private Endpoints per Spoke (OSI L3-L4)"]
direction LR
DATANSG["NSG - Data Subnet\nAllow Web Tier ASG only L4\nREQ-3.2"]
PE["Private Endpoints\nOne per Spoke VNet - Private IP only L3\nREQ-3.3"]
DB["Azure SQL - Metadata\nCosmos DB - Documents\nMulti-region write - geo-replication"]
T6EU["EU Region copy\n(same structure)"]
T6APAC["APAC Region copy\n(same structure)"]
end
%% T7 spans all tiers; AZMON is the collection point and SENTINEL the correlation point (see telemetry edges at the bottom).
subgraph T7["Tier 7 - STEP-080 - Security Operations (OSI L3-L7 across all tiers)"]
direction LR
MDFC["Defender for Cloud\nCSPM and workload protection\nREQ-4.2"]
SENTINEL["Microsoft Sentinel\nSIEM and SOAR\nREQ-4.3"]
AZMON["Azure Monitor\nLog Analytics"]
AZPOL["Azure Policy + GitOps\nPreventive controls"]
end
subgraph T8["Tier 8 - STEP-090 - On-premises and Hybrid Systems"]
direction LR
LEGACYSYS["Legacy Park Systems\nTicketing and reservations"]
IOTSENS["IoT Sensors\nWildlife and visitor monitoring"]
GOVAGENCY["Government Agency Systems\nPark authority integration"]
end
%% Identity first: every user class authenticates in T2 before reaching an edge or connectivity tier.
VISITOR -->|"SCN-001 SCN-009 SCN-010 Social sign-in"| B2CID
CORPUSER -->|"SCN-002 Corporate identity"| ADMINID
RANGER -->|"SCN-002 Corporate identity"| ADMINID
%% B2C public path: AFD, WAF and DDoS Protection, then onto the Hub FW public IP over the Microsoft backbone (bypasses VWAN).
B2CID --> AFD
AFD --> WAF
WAF --> DDOS
%% NOTE(review): the B2C origin is the Hub FW public interface. Confirm it admits only Front Door-sourced traffic; otherwise the T1 controls (AFD, WAF) could be bypassed by requests arriving at that public IP without traversing Front Door.
DDOS -->|"SCN-001 SCN-003 SCN-009 SCN-010 - via Microsoft backbone to Hub FW public IP"| AZFW
%% Admin/Ranger private path: ExpressRoute primary, S2S VPN backup, P2S VPN for rangers; all go through VWAN Routing Intent to AZFW.
ADMINID -->|"Primary ExpressRoute"| ER
ADMINID -->|"Backup S2S VPN"| VPNS2S
ADMINID -->|"Ranger field access"| VPNP2S
ER --> VWAN
VPNS2S --> VWAN
VPNP2S --> VWAN
VWAN -->|"All privileged traffic - Routing Intent"| AZFW
%% Firewall to spokes: B2C to Spoke VNet 1 (public AGW), Admin/Ranger to Spoke VNet 2 (internal AGW). Each spoke gates its app subnet with an NSG that admits only its own App Gateway.
AZFW -->|"SCN-001 SCN-009 SCN-010 B2C to Spoke VNet 1"| AGW
AGW --> WEBNSG
WEBNSG --> APPSVR
AZFW -->|"SCN-002 Admin and Ranger to Spoke VNet 2"| ADMINAGW
ADMINAGW --> ADMINNSG
ADMINNSG --> ADMINSVR
%% NOTE(review): these two edges cite REQ-3.1, but DATANSG above is tagged REQ-3.2 and allows the Web Tier ASG only; confirm that ADMINSVR (Spoke VNet 2) is a member of that ASG or is covered by a separate rule, and that the labels reference the intended requirement.
APPSVR -->|"REQ-3.1 Web to Data"| DATANSG
ADMINSVR -->|"REQ-3.1 App to Data"| DATANSG
DATANSG -->|"REQ-3.2 ASG-gated"| PE
PE -->|"REQ-3.3 Private IP only"| DB
%% Hybrid/on-prem sources join the private path via VWAN (LEGACYSYS, GOVAGENCY) or reach AZFW directly (IOTSENS); none traverse T1.
LEGACYSYS -->|"SCN-007 ExpressRoute"| VWAN
IOTSENS -->|"SCN-006 IoT Hub"| AZFW
GOVAGENCY -->|"SCN-008 ExpressRoute peering"| VWAN
%% Telemetry into Azure Monitor (dotted). Not every enforcement point has an edge here: ADMINNSG, the T1 WAF, DDOS, VWAN and the ER/VPN gateways do not; confirm whether that is a diagram simplification or a collection gap.
AZFW -.->|"Firewall logs"| AZMON
AGW -.->|"WAF logs"| AZMON
ADMINAGW -.->|"WAF logs"| AZMON
WEBNSG -.->|"NSG flow logs"| AZMON
DATANSG -.->|"NSG flow logs"| AZMON
%% Azure Monitor forwards all telemetry to Sentinel; Defender for Cloud posture alerts also land in Sentinel.
AZMON -->|"All telemetry REQ-4.3"| SENTINEL
MDFC -->|"Posture alerts REQ-4.2"| SENTINEL
flowchart LR
%% Security operations view: all signal sources feed one Log Analytics workspace (MON); MON fans out to Sentinel (detection) and Defender for Cloud (posture), and Sentinel drives Logic App playbooks.
%% Preventive controls (GITOPS, POLICY) are a separate chain with no edge into the collection or detection path.
subgraph INPUTS["Signal Sources - All Tiers"]
direction TB
FWLOG["Azure Firewall\nIDPS alerts and traffic logs"]
WAFLOG["WAF Block Events\nFront Door and App Gateway"]
NSGLOG["NSG Flow Logs\nAll subnets"]
DEFLOG["Defender for SQL\nQuery anomalies"]
IDLOG["Entra ID Protection\nSign-in risk signals"]
SRVLOG["Defender for Servers\nVulnerability findings"]
end
subgraph COLLECT["Collection Layer"]
MON["Azure Monitor\nLog Analytics Workspace\nKQL queryable REQ-4.3"]
end
subgraph POSTURE["Posture Management"]
MDFC2["Defender for Cloud\nCSPM - Security Score\nPCI-DSS, GDPR, ISO 27001, NIST\nREQ-4.2"]
end
subgraph DETECT["Detection and Correlation"]
SENT2["Microsoft Sentinel\nSIEM - AI Fusion detection\nCustom analytics rules\nREQ-4.3"]
end
subgraph PREVENT["Preventive Controls"]
POLICY["Azure Policy\nDeployment-time enforcement"]
GITOPS["GitOps Pipeline\nFirewall Policy as Code\nPR-gated rule changes"]
end
%% NOTE(review): DISABLE and ISOLATE are high-impact automated actions. Confirm the playbooks include an approval gate or exclusion list (for example break-glass admin accounts and hub infrastructure) so a false-positive detection cannot lock out administrators or sever the hub.
subgraph RESPOND["Automated Response - Playbooks"]
PLAYBOOK["Logic App Playbooks\nSOAR automation"]
BLOCKIP["Block IP at Firewall"]
DISABLE["Disable Entra ID Account"]
ISOLATE["Isolate VM or Subnet"]
ITSM["ITSM Ticket\nSOC escalation"]
end
%% All six sources land in the single workspace; IDLOG (Entra ID Protection) is the only identity-plane source shown.
FWLOG --> MON
WAFLOG --> MON
NSGLOG --> MON
DEFLOG --> MON
IDLOG --> MON
SRVLOG --> MON
%% Detection and posture both read from MON; posture alerts are additionally forwarded into Sentinel.
MON --> SENT2
MON --> MDFC2
MDFC2 -->|"Posture alerts"| SENT2
%% Response fan-out: every playbook action is drawn as reachable from Sentinel; the diagram does not tie a specific action to a specific signal or severity.
SENT2 --> PLAYBOOK
PLAYBOOK --> BLOCKIP
PLAYBOOK --> DISABLE
PLAYBOOK --> ISOLATE
PLAYBOOK --> ITSM
%% Preventive chain: rule changes flow from the PR-gated GitOps pipeline into Azure Policy (dotted edge).
GITOPS -.->|"Policy as code"| POLICY