HealthFlow NDP Infrastructure

Appearance

Network Architecture ​

Overview ​

This document describes the network architecture of the HealthFlow NDP (National Digital Prescription) platform, including network topology, security zones, connectivity patterns, and infrastructure communications.

Network Topology ​

Network Zones and Security ​

Zone Classification ​

ZonePurposeAccess LevelCIDR BlockSecurity Level
Edge NetworkLoad balancing, DDoS protectionPublicVariesHigh
DMZAPI GatewayPublic β†’ Private10.10.0.0/24High
Application NetworkMicroservicesPrivate10.10.0.0/16Medium-High
Infrastructure NetworkService mesh, discoveryPrivate10.10.100.0/22High
Data NetworkDatabasesIsolated10.10.200.0/24Critical
Monitoring NetworkObservabilityPrivate10.10.150.0/24Medium

Subnet Design ​

Core Application Subnets ​

Service Communication Patterns ​

1. External to Internal Flow ​

2. Internal Service-to-Service ​

3. Service to Infrastructure ​

Port Mapping ​

External Facing Ports ​

PortProtocolServicePurposePublic/Private
443HTTPSAPI GatewaySecure API accessPublic
80HTTPAPI GatewayHTTP redirect to HTTPSPublic

Internal Service Ports ​

PortProtocolServicePurposeAccess Level
8080HTTPAll MicroservicesREST APIInternal
9090HTTPPrometheus MetricsMetrics endpointInternal

Infrastructure Ports ​

PortProtocolServicePurposeAccess Level
8500HTTPConsulHTTP APIInternal
8600DNSConsulDNS InterfaceInternal
8200HTTPVaultAPI/UIInternal
6379TCPRedisCacheInternal
9092TCPKafkaMessage brokerInternal
2181TCPZookeeperKafka coordinationInternal

Database Ports ​

PortProtocolServicePurposeAccess Level
5432TCPPostgreSQLPrimary databaseRestricted
3306TCPMySQLPharmacy/Medicine dataRestricted
27017TCPMongoDBAudit logsRestricted

Monitoring Ports ​

PortProtocolServicePurposeAccess Level
9090HTTPPrometheusMetrics collectionInternal
3000HTTPGrafanaDashboardsInternal
3100HTTPLokiLog aggregationInternal

Network Policies ​

Kubernetes Network Policies ​

1. API Gateway Ingress Policy ​

yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-gateway-ingress
  namespace: gateway-stack
spec:
  podSelector:
    matchLabels:
      app: traefik
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0 # Allow from internet
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: applications
      ports:
        - protocol: TCP
          port: 8080

2. Application Service Policy ​

yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-service-policy
  namespace: applications
spec:
  podSelector:
    matchLabels:
      tier: application
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from API Gateway
    - from:
        - namespaceSelector:
            matchLabels:
              name: gateway-stack
      ports:
        - protocol: TCP
          port: 8080
    # Allow from other app services
    - from:
        - namespaceSelector:
            matchLabels:
              name: applications
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow to other app services
    - to:
        - namespaceSelector:
            matchLabels:
              name: applications
    # Allow to data stack
    - to:
        - namespaceSelector:
            matchLabels:
              name: data-stack
      ports:
        - protocol: TCP
          port: 5432 # PostgreSQL
        - protocol: TCP
          port: 3306 # MySQL
        - protocol: TCP
          port: 27017 # MongoDB
        - protocol: TCP
          port: 6379 # Redis
        - protocol: TCP
          port: 9092 # Kafka
    # Allow to discovery stack
    - to:
        - namespaceSelector:
            matchLabels:
              name: discovery-stack
      ports:
        - protocol: TCP
          port: 8500 # Consul
        - protocol: TCP
          port: 8600 # Consul DNS
        - protocol: TCP
          port: 8200 # Vault
    # Allow to monitoring
    - to:
        - namespaceSelector:
            matchLabels:
              name: monitoring-stack
      ports:
        - protocol: TCP
          port: 9090 # Prometheus
        - protocol: TCP
          port: 3100 # Loki
    # Allow DNS
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53

3. Database Isolation Policy ​

yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-isolation
  namespace: data-stack
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only allow from application namespace
    - from:
        - namespaceSelector:
            matchLabels:
              name: applications
      ports:
        - protocol: TCP
          port: 5432
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 27017
    # Allow from monitoring for metrics
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring-stack
  egress:
    # Minimal egress - only DNS
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53

DNS Resolution ​

Service Discovery DNS Hierarchy ​

DNS Configuration ​

yaml
# CoreDNS ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
           max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }

    consul:53 {
        errors
        cache 30
        forward . consul.discovery-stack:8600
    }

Load Balancing Strategies ​

1. External Load Balancing (Layer 4/7) ​

Configuration:

  • Algorithm: Round Robin with health checks
  • Session Persistence: Cookie-based (if needed)
  • Health Check: HTTP GET /health every 10s
  • Timeout: 30s
  • Max Connections: 10,000 per node

2. Internal Service Load Balancing ​

Strategies:

  • Consul-based: Health-aware DNS round robin
  • Kubernetes: ClusterIP service with iptables/IPVS
  • Client-side: Circuit breakers and retries

Service Mesh (Optional Future Enhancement) ​

Potential Istio Integration ​

Security Considerations ​

Network Security Layers ​

Security Best Practices ​

  1. Encryption in Transit

    • TLS 1.3 for external connections
    • mTLS between services (optional)
    • Encrypted Kafka topics for sensitive data

  2. Encryption at Rest

    • Database encryption (PostgreSQL, MySQL, MongoDB)
    • Encrypted EBS volumes
    • Vault-encrypted secrets

  3. Network Segmentation

    • Separate subnets per tier
    • Network policies enforcing least privilege
    • Database isolation in dedicated subnet

  4. Access Control

    • API Gateway authentication/authorization
    • Vault-managed credentials
    • Service account RBAC

  5. Monitoring & Auditing

    • Network flow logs
    • Security event logging
    • Intrusion detection

Bandwidth and Traffic Estimation ​

Expected Traffic Patterns ​

FlowPeak TPSAvg Response SizeBandwidth
External β†’ API Gateway1,00010 KB10 MB/s
Gateway β†’ Services1,0002 KB2 MB/s
Services β†’ Databases2,0005 KB10 MB/s
Services β†’ Redis5,0001 KB5 MB/s
Services β†’ Kafka5005 KB2.5 MB/s
Monitoring Traffic--5 MB/s

Network Capacity Planning ​

Recommended Network Bandwidth:

  • External: 1 Gbps minimum, 10 Gbps recommended
  • Internal: 10 Gbps between nodes
  • Storage: 10 Gbps to storage backend

High Availability ​

Network HA Configuration ​

HA Features:

  • Multi-AZ deployment for all critical services
  • Database replication across AZs
  • Load balancer health checks
  • Automatic failover for stateful services

Disaster Recovery ​

Network DR Strategy ​

DR Configuration:

  • RPO (Recovery Point Objective): 5 minutes
  • RTO (Recovery Time Objective): 30 minutes
  • Cross-datacenter database replication
  • DNS-based failover
  • Regular DR drills

Monitoring and Observability ​

Network Monitoring ​

Key Metrics:

  • Network throughput per service
  • Latency between services
  • Error rates and timeouts
  • Connection pool utilization
  • DNS query performance

Troubleshooting ​

Common Network Issues ​

1. Service Cannot Connect to Database ​

bash
# Check network policy
kubectl describe networkpolicy -n applications

# Test connectivity from pod
kubectl exec -n applications <pod-name> -- nc -zv postgresql.data-stack 5432

# Check DNS resolution
kubectl exec -n applications <pod-name> -- nslookup postgresql.data-stack

2. High Latency Between Services ​

bash
# Check network latency
kubectl exec -n applications <pod-name> -- ping <target-service>

# Check MTU size
kubectl exec -n applications <pod-name> -- ip link show

# Review network policies
kubectl get networkpolicies -A

3. DNS Resolution Failures ​

bash
# Check CoreDNS logs
kubectl logs -n kube-system -l k8s-app=kube-dns

# Test DNS from pod
kubectl exec -n applications <pod-name> -- nslookup kubernetes.default

# Check Consul DNS
kubectl exec -n applications <pod-name> -- nslookup service.service.consul

Next Steps ​

Documentation Maintenance ​

Last Updated: 2026-03-02
Maintained By: Infrastructure Team
Review Frequency: Quarterly or when infrastructure changes