%%{init: {'themeVariables': {'fontSize': '23px'}}}%%
%% Diagram 1 - end-to-end SASE traffic flow, tiers T0..T8.
%% Solid edges are data-path hops; dashed edges are control/telemetry channels.
%% Labels carry the scenario (SCN-*), requirement (REQ-*) and decision (ADR-S*) ids
%% they satisfy; STEP-* ids order the tiers for the walkthrough.
flowchart TB
%% Tier 0 - three user populations with three different trust anchors:
%% no agent (VISITOR), SD-WAN appliance only (CORPUSER), per-user ZTNA agent (RANGER).
subgraph T0["Tier 0 - STEP-010 - External Users and Devices"]
direction LR
VISITOR["B2C Visitors\nPublic internet - no SASE agent"]
%% NOTE(review): CORPUSER has no per-user GSA, so device posture cannot be
%% evaluated per user on this path - the Conditional Access gate drawn on the
%% ADMINID->SDWAN edge presumably applies at app sign-in, not at the network edge.
%% Confirm against SASE-DESIGN Appendix D.
CORPUSER["Park Administrators\nCorporate office - SD-WAN appliance\nBaseline: no per-user GSA - see SASE-DESIGN Appendix D"]
RANGER["Park Rangers\nField device - GSA ZTNA agent"]
end
%% Tier 1 - public (B2C) edge only; admin/ranger traffic never enters here.
subgraph T1["Tier 1 - STEP-030 - Internet Edge B2C only (OSI L3-L7) - UNCHANGED"]
direction LR
AFD["Azure Front Door Premium\nGeo-routing to nearest PoP REQ-1.1\nUNCHANGED - B2C path only"]
WAF["Azure WAF\nOWASP DRS and custom rules REQ-1.3\nUNCHANGED - B2C path only"]
%% NOTE(review): drawn as a serial hop after WAF; presumably a property of the
%% public endpoint rather than an inline stage - confirm the intended reading.
DDOS["DDoS Protection Standard\nVolumetric attack mitigation REQ-1.2\nUNCHANGED"]
end
%% Tier 2 - identity is the SASE policy decision point for every non-visitor session.
subgraph T2["Tier 2 - STEP-020 - Identity and ZTNA Gate (OSI L5-L7)"]
direction LR
B2CID["Entra External ID B2C\nSocial login REQ-2.1\nUNCHANGED"]
ADMINID["Entra ID + Conditional Access\nRisk-based MFA REQ-2.2\nIdentity is the SASE control plane"]
%% App-level (not network-level) access: replaces both VPN types per ADR-S002.
EPA["Entra Private Access ZTNA\nApp-level connector\nNEW - Replaces P2S VPN and S2S VPN\nADR-S002"]
end
%% Tier 3 - inspection moves from Azure Firewall (hub) to the vendor PoP (FWaaS).
subgraph T3["Tier 3 - STEP-040 and STEP-041 - SASE PoP Layer (NEW - replaces 12x VWAN and 24x Azure Firewall)"]
direction LR
SASEPOP["SASE PoPs - 100+ global locations\nNearest PoP terminates all admin and ranger sessions\nFWaaS - IDPS, TLS inspection, threat intelligence\nADR-S001"]
SDWAN["SD-WAN Fabric\nBranch offices to nearest SASE PoP\nNEW - Replaces ExpressRoute S2S VPN and VWAN\nADR-S003"]
SWG["Secure Web Gateway SWG\nEntra Internet Access\nNEW - Internet-bound access control for admin and ranger"]
CASB["CASB - Defender for Cloud Apps\nSaaS app control, DLP, shadow IT\nNEW in SASE context"]
%% RBI is a partner capability and an open question (Q-S08); it is reached only by a
%% dashed policy edge from SWG, i.e. it is not on the drawn data path.
RBI["Remote Browser Isolation RBI\nCloud browser container at SASE PoP\nNEW - PARTNER REQUIRED\nZscaler / Prisma / Menlo - not Microsoft native\nQ-S08"]
end
%% Tier 4 - the connector is the only element inside the app VNets that talks to the PoP,
%% and it only ever dials out; this is what removes the inbound public surface of T5B.
subgraph T4["Tier 4 - STEP-050 - Private Access Connector (NEW - replaces 12 Hub VNets and 24 Azure Firewalls)"]
direction LR
%% NOTE(review): "Lightweight VM in each app VNet" - connector count / HA per VNet
%% is not shown; a single VM is a single point of failure for admin and ranger access.
PACONN["Entra Private Access Connector\nLightweight VM in each app VNet\nOutbound-only to SASE PoP - no inbound public IP\nNEW - ADR-S004"]
end
%% Tier 5A - public app tier; Front Door now reaches AGW over Private Link (no hub firewall).
subgraph T5A["App VNet 1 of 24 - STEP-060A - B2C Public App Tier (OSI L4-L7) - MODIFIED"]
direction LR
AGW["App Gateway + WAF v2\nURL routing and WAF L7 REQ-1.3\nTLS termination L6\nMODIFIED - Front Door connects directly via Private Link"]
%% NOTE(review): the Front Door service tag admits traffic from any Front Door profile,
%% not only this one. With the Private Link origin on the DDOS->AGW edge the public
%% path may not need the tag rule at all; if it is kept, confirm AGW also validates
%% the X-Azure-FDID header so the origin cannot be reached via another profile.
WEBNSG["NSG - Web Subnet\nMODIFIED - Allow Front Door tag L4 REQ-3.1"]
APPSVR["B2C App Servers\nUnchanged workloads"]
end
%% Tier 5B - private app tier; no public IP, ingress only from the connector subnet.
subgraph T5B["App VNet 2 of 24 - STEP-060B - Admin and Ranger Private App Tier (OSI L4-L7) - MODIFIED"]
direction LR
ADMINAGW["Internal App Gateway + WAF v2\nNo public IP\nMODIFIED - receives from PACONN subnet\nURL routing and WAF L7 REQ-1.3"]
ADMINNSG["NSG - Internal App Subnet\nMODIFIED - Allow PACONN subnet L4 REQ-3.1"]
ADMINSVR["Admin and Ranger App Servers\nUnchanged workloads"]
end
%% Tier 6 - data tier, unchanged. With the hub firewalls removed (T3/T4 headers) the
%% app->data hop (APPSVR/ADMINSVR -> DATANSG) is now governed by NSG L4 rules only;
%% the SASE PoP inspects the admin/ranger session in front of PACONN, not this hop.
%% NOTE(review): confirm that loss of east-west inspection on app->data is accepted.
subgraph T6["Tier 6 - STEP-070 - Regional Data Tier x12 (OSI L3-L4) - UNCHANGED"]
direction LR
%% NOTE(review): label says "Web Tier ASG only", but ADMINSVR (App VNet 2) also
%% flows into DATANSG below. ASGs are VNet-local, so confirm how the admin app
%% servers are admitted (second ASG in-VNet, or a peered-CIDR rule) and update REQ-3.2.
DATANSG["NSG - Data Subnet\nAllow Web Tier ASG only L4 REQ-3.2"]
PE["Private Endpoints\nPrivate IP only L3 REQ-3.3"]
DB["Azure SQL - Metadata\nCosmos DB - Documents\nMulti-region write - geo-replication"]
T6EU["EU Region copy\n(same structure)"]
T6APAC["APAC Region copy\n(same structure)"]
end
%% Tier 7 - SOC tooling; SASELOGS is the only new signal source, everything else is unchanged.
subgraph T7["Tier 7 - STEP-080 - Security Operations (ENHANCED with SASE telemetry)"]
direction LR
MDFC["Defender for Cloud\nCSPM and workload protection REQ-4.2\nUNCHANGED"]
SENTINEL["Microsoft Sentinel\nSIEM and SOAR REQ-4.3\nENHANCED - ingests SASE telemetry"]
AZMON["Azure Monitor\nLog Analytics\nUNCHANGED"]
%% NOTE(review): the ingestion mechanism for vendor telemetry (connector, API pull,
%% event hub) is not specified here; it determines latency and completeness of
%% the FWaaS/SWG/CASB signal that Sentinel correlates.
SASELOGS["SASE Vendor Telemetry\nFWaaS IDPS events, SWG logs, CASB alerts\nNEW signal source vs Azure-native"]
AZPOL["Azure Policy + GitOps\nExtended to SASE policy-as-code"]
end
%% Tier 8 - hybrid/on-prem: branches move from dedicated circuits to SD-WAN into the PoP.
subgraph T8["Tier 8 - STEP-090 - On-premises and Hybrid (SD-WAN replaces branch ExpressRoute)"]
direction LR
SDWANBR["SD-WAN Branch Nodes\nLegacy parks to nearest SASE PoP\nMODIFIED - replaces dedicated ExpressRoute circuits"]
IOTSENS["IoT Sensors\nAzure IoT Hub - UNCHANGED"]
%% NOTE(review): the "dedicated ExpressRoute" option is drawn terminating at the SASE
%% PoP; confirm whether that circuit lands in Azure or at the vendor PoP, as the
%% inspection point differs.
GOVAGENCY["Government Agencies\nZTNA connector or dedicated ExpressRoute"]
end
%% ---- Ingress: who enters through which gate ----
VISITOR -->|"SCN-001 SCN-009 SCN-010 Social sign-in"| B2CID
CORPUSER -->|"SCN-002 Corporate network via SD-WAN"| SDWAN
RANGER -->|"SCN-002b ZTNA agent on field device"| EPA
%% ---- B2C path: identity -> edge chain -> private-link origin ----
B2CID --> AFD
AFD --> WAF
WAF --> DDOS
DDOS -->|"SCN-001 SCN-003 SCN-009 SCN-010\nFront Door Private Link - no Hub Firewall"| AGW
%% ---- Admin / ranger path: Conditional Access decides, PoP enforces ----
ADMINID -->|"Conditional Access gate - corporate admin"| SDWAN
ADMINID -->|"Conditional Access gate - ranger ZTNA"| EPA
SDWAN --> SASEPOP
EPA --> SASEPOP
%% Solid: the proxied user session (post-IDPS). Dashed: the connector's own
%% outbound control channel - the PoP never initiates toward the VNet.
SASEPOP -->|"Proxied app session (after FWaaS IDPS at PoP)"| PACONN
PACONN -.->|"Persistent outbound TLS (connector initiates to PoP)"| SASEPOP
SASEPOP --> SWG
SASEPOP --> CASB
SWG -.->|"RBI policy - partner required - Q-S08"| RBI
PACONN -->|"SCN-002 SCN-002b Admin and Ranger access"| ADMINAGW
%% ---- In-VNet hops: gateway -> NSG -> servers -> data ----
AGW --> WEBNSG
WEBNSG --> APPSVR
ADMINAGW --> ADMINNSG
ADMINNSG --> ADMINSVR
APPSVR -->|"REQ-3.1 Web to Data"| DATANSG
ADMINSVR -->|"REQ-3.1 App to Data"| DATANSG
DATANSG -->|"REQ-3.2 ASG-gated"| PE
PE -->|"REQ-3.3 Private IP only"| DB
%% ---- Hybrid sources ----
SDWANBR -->|"SCN-007 SD-WAN to SASE PoP"| SASEPOP
IOTSENS -->|"SCN-006 IoT Hub"| AZMON
GOVAGENCY -->|"SCN-008 ZTNA or ExpressRoute"| SASEPOP
%% ---- Telemetry (dashed) into Azure Monitor, then Sentinel ----
%% NOTE(review): ADMINNSG has no flow-log edge here, although the SecOps diagram
%% lists NSG flow logs for "All subnets"; the private admin subnet is the one most
%% worth watching after this change - confirm it is an omission in the drawing only.
SASELOGS -.->|"SASE telemetry stream"| AZMON
AGW -.->|"WAF and access logs"| AZMON
ADMINAGW -.->|"WAF logs"| AZMON
WEBNSG -.->|"NSG flow logs"| AZMON
DATANSG -.->|"NSG flow logs"| AZMON
AZMON -->|"All telemetry REQ-4.3"| SENTINEL
MDFC -->|"Posture alerts REQ-4.2"| SENTINEL
%% Diagram 2 - security operations pipeline: signal sources -> collection ->
%% posture/detection -> automated response. NEW/UNCHANGED marks compare against the
%% Azure-native baseline; every SASE-side signal enters through the same workspace.
flowchart LR
subgraph INPUTS["Signal Sources - All Tiers (SASE + Azure)"]
direction TB
FWLOG["SASE FWaaS\nIDPS alerts and TLS events\nNEW vs Azure-native"]
WAFLOG["WAF Block Events\nFront Door and App Gateway\nUNCHANGED"]
SWGLOG["SWG - Entra Internet Access\nURL blocks, web violations\nNEW"]
CASBLOG["CASB - Defender for Cloud Apps\nSaaS anomalies, DLP alerts\nNEW"]
%% NOTE(review): "All subnets" - the traffic diagram draws flow logs only for the
%% web and data subnets; the internal admin subnet should be included to match.
NSGLOG["NSG Flow Logs\nAll subnets\nUNCHANGED"]
DEFLOG["Defender for SQL\nQuery anomalies\nUNCHANGED"]
IDLOG["Entra ID Protection\nSign-in risk signals\nUNCHANGED"]
SRVLOG["Defender for Servers\nVulnerability findings\nUNCHANGED"]
end
%% Single collection point; all correlation below depends on the SASE feeds landing here.
subgraph COLLECT["Collection Layer"]
MON["Azure Monitor\nLog Analytics Workspace\nKQL queryable REQ-4.3"]
end
subgraph POSTURE["Posture Management"]
MDFC2["Defender for Cloud\nCSPM - Security Score\nPCI-DSS, GDPR, ISO 27001, NIST\nREQ-4.2"]
end
subgraph DETECT["Detection and Correlation"]
SENT2["Microsoft Sentinel\nSIEM - AI Fusion detection\nCorrelates Azure and SASE signals\nREQ-4.3"]
end
%% Preventive path: rule changes for both Azure and SASE go through a PR-gated pipeline;
%% this is the only edge in the diagram that is not detection/response.
subgraph PREVENT["Preventive Controls"]
POLICY["Azure Policy\nDeployment-time enforcement"]
GITOPS["GitOps Pipeline\nAzure and SASE policy as code\nPR-gated rule changes"]
end
%% Response actions. The three NEW actions act on the SASE/ZTNA layer and therefore
%% hold write access to controls outside Azure.
subgraph RESPOND["Automated Response - SASE-enhanced Playbooks"]
PLAYBOOK["Logic App Playbooks\nSOAR automation"]
%% NOTE(review): the vendor-API credential the playbook uses is a high-value secret;
%% its storage, scoping and rotation are not shown - confirm it is least-privilege
%% (block-only) and not a tenant-wide admin key.
BLOCKIP["Block IP at SASE FWaaS\nvia SASE vendor API - NEW"]
REVOKEZTNA["Revoke ZTNA Session\nEntra Private Access policy - NEW"]
DISABLE["Disable Entra ID Account\nUNCHANGED"]
%% NOTE(review): isolating a branch takes a whole park offline; confirm whether this
%% action runs fully automated or behind an analyst approval step.
ISOLATE["Isolate SD-WAN Branch\nRestrict to remediation VLAN - NEW"]
ITSM["ITSM Ticket\nSOC escalation - UNCHANGED"]
end
%% All eight sources fan into the single workspace.
FWLOG --> MON
WAFLOG --> MON
SWGLOG --> MON
CASBLOG --> MON
NSGLOG --> MON
DEFLOG --> MON
IDLOG --> MON
SRVLOG --> MON
MON --> SENT2
MON --> MDFC2
MDFC2 -->|"Posture alerts"| SENT2
%% Sentinel drives every automated action through the playbook layer.
SENT2 --> PLAYBOOK
PLAYBOOK --> BLOCKIP
PLAYBOOK --> REVOKEZTNA
PLAYBOOK --> DISABLE
PLAYBOOK --> ISOLATE
PLAYBOOK --> ITSM
%% Dashed: policy-as-code is a configuration channel, not a runtime signal.
GITOPS -.->|"Policy as code"| POLICY