Network Architecture

Overview

This document describes the network architecture of the HealthFlow NDP (National Digital Prescription) platform, including network topology, security zones, connectivity patterns, and infrastructure communications.

Network Topology

Network Zones and Security

Zone Classification

Zone	Purpose	Access Level	CIDR Block	Security Level
Edge Network	Load balancing, DDoS protection	Public	Varies	High
DMZ	API Gateway	Public → Private	10.10.0.0/24	High
Application Network	Microservices	Private	10.10.0.0/16	Medium-High
Infrastructure Network	Service mesh, discovery	Private	10.10.100.0/22	High
Data Network	Databases	Isolated	10.10.200.0/24	Critical
Monitoring Network	Observability	Private	10.10.150.0/24	Medium

Subnet Design

Core Application Subnets

Service Communication Patterns

1. External to Internal Flow

2. Internal Service-to-Service

3. Service to Infrastructure

Port Mapping

External Facing Ports

Port	Protocol	Service	Purpose	Public/Private
443	HTTPS	API Gateway	Secure API access	Public
80	HTTP	API Gateway	HTTP redirect to HTTPS	Public

Internal Service Ports

Port	Protocol	Service	Purpose	Access Level
8080	HTTP	All Microservices	REST API	Internal
9090	HTTP	Prometheus Metrics	Metrics endpoint	Internal

Infrastructure Ports

Port	Protocol	Service	Purpose	Access Level
8500	HTTP	Consul	HTTP API	Internal
8600	DNS	Consul	DNS Interface	Internal
8200	HTTP	Vault	API/UI	Internal
6379	TCP	Redis	Cache	Internal
9092	TCP	Kafka	Message broker	Internal
2181	TCP	Zookeeper	Kafka coordination	Internal

Database Ports

Port	Protocol	Service	Purpose	Access Level
5432	TCP	PostgreSQL	Primary database	Restricted
3306	TCP	MySQL	Pharmacy/Medicine data	Restricted
27017	TCP	MongoDB	Audit logs	Restricted

Monitoring Ports

Port	Protocol	Service	Purpose	Access Level
9090	HTTP	Prometheus	Metrics collection	Internal
3000	HTTP	Grafana	Dashboards	Internal
3100	HTTP	Loki	Log aggregation	Internal

Network Policies

Kubernetes Network Policies

1. API Gateway Ingress Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-gateway-ingress
  namespace: gateway-stack
spec:
  podSelector:
    matchLabels:
      app: traefik
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0 # Allow from internet
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: applications
      ports:
        - protocol: TCP
          port: 8080

2. Application Service Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-service-policy
  namespace: applications
spec:
  podSelector:
    matchLabels:
      tier: application
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from API Gateway
    - from:
        - namespaceSelector:
            matchLabels:
              name: gateway-stack
      ports:
        - protocol: TCP
          port: 8080
    # Allow from other app services
    - from:
        - namespaceSelector:
            matchLabels:
              name: applications
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow to other app services
    - to:
        - namespaceSelector:
            matchLabels:
              name: applications
    # Allow to data stack
    - to:
        - namespaceSelector:
            matchLabels:
              name: data-stack
      ports:
        - protocol: TCP
          port: 5432 # PostgreSQL
        - protocol: TCP
          port: 3306 # MySQL
        - protocol: TCP
          port: 27017 # MongoDB
        - protocol: TCP
          port: 6379 # Redis
        - protocol: TCP
          port: 9092 # Kafka
    # Allow to discovery stack
    - to:
        - namespaceSelector:
            matchLabels:
              name: discovery-stack
      ports:
        - protocol: TCP
          port: 8500 # Consul
        - protocol: TCP
          port: 8600 # Consul DNS
        - protocol: TCP
          port: 8200 # Vault
    # Allow to monitoring
    - to:
        - namespaceSelector:
            matchLabels:
              name: monitoring-stack
      ports:
        - protocol: TCP
          port: 9090 # Prometheus
        - protocol: TCP
          port: 3100 # Loki
    # Allow DNS
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53

3. Database Isolation Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-isolation
  namespace: data-stack
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only allow from application namespace
    - from:
        - namespaceSelector:
            matchLabels:
              name: applications
      ports:
        - protocol: TCP
          port: 5432
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 27017
    # Allow from monitoring for metrics
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring-stack
  egress:
    # Minimal egress - only DNS
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53

DNS Resolution

Service Discovery DNS Hierarchy

DNS Configuration

# CoreDNS ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
           max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }

    consul:53 {
        errors
        cache 30
        forward . consul.discovery-stack:8600
    }

Load Balancing Strategies

1. External Load Balancing (Layer 4/7)

Configuration:

• Algorithm: Round Robin with health checks
• Session Persistence: Cookie-based (if needed)
• Health Check: HTTP GET /health every 10s
• Timeout: 30s
• Max Connections: 10,000 per node

2. Internal Service Load Balancing

Strategies:

• Consul-based: Health-aware DNS round robin
• Kubernetes: ClusterIP service with iptables/IPVS
• Client-side: Circuit breakers and retries

Service Mesh (Optional Future Enhancement)

Potential Istio Integration

Security Considerations

Network Security Layers

Security Best Practices

1. Encryption in Transit

   • TLS 1.3 for external connections
   • mTLS between services (optional)
   • Encrypted Kafka topics for sensitive data

2. Encryption at Rest

   • Database encryption (PostgreSQL, MySQL, MongoDB)
   • Encrypted EBS volumes
   • Vault-encrypted secrets

3. Network Segmentation

   • Separate subnets per tier
   • Network policies enforcing least privilege
   • Database isolation in dedicated subnet

4. Access Control

   • API Gateway authentication/authorization
   • Vault-managed credentials
   • Service account RBAC

5. Monitoring & Auditing

   • Network flow logs
   • Security event logging
   • Intrusion detection

Bandwidth and Traffic Estimation

Expected Traffic Patterns

Flow	Peak TPS	Avg Response Size	Bandwidth
External → API Gateway	1,000	10 KB	10 MB/s
Gateway → Services	1,000	2 KB	2 MB/s
Services → Databases	2,000	5 KB	10 MB/s
Services → Redis	5,000	1 KB	5 MB/s
Services → Kafka	500	5 KB	2.5 MB/s
Monitoring Traffic	-	-	5 MB/s

Network Capacity Planning

Recommended Network Bandwidth:

• External: 1 Gbps minimum, 10 Gbps recommended
• Internal: 10 Gbps between nodes
• Storage: 10 Gbps to storage backend

High Availability

Network HA Configuration

HA Features:

• Multi-AZ deployment for all critical services
• Database replication across AZs
• Load balancer health checks
• Automatic failover for stateful services

Disaster Recovery

Network DR Strategy

DR Configuration:

• RPO (Recovery Point Objective): 5 minutes
• RTO (Recovery Time Objective): 30 minutes
• Cross-datacenter database replication
• DNS-based failover
• Regular DR drills

Monitoring and Observability

Network Monitoring

Key Metrics:

• Network throughput per service
• Latency between services
• Error rates and timeouts
• Connection pool utilization
• DNS query performance

Troubleshooting

Common Network Issues

1. Service Cannot Connect to Database

# Check network policy
kubectl describe networkpolicy -n applications

# Test connectivity from pod
kubectl exec -n applications <pod-name> -- nc -zv postgresql.data-stack 5432

# Check DNS resolution
kubectl exec -n applications <pod-name> -- nslookup postgresql.data-stack

2. High Latency Between Services

# Check network latency
kubectl exec -n applications <pod-name> -- ping <target-service>

# Check MTU size
kubectl exec -n applications <pod-name> -- ip link show

# Review network policies
kubectl get networkpolicies -A

3. DNS Resolution Failures

# Check CoreDNS logs
kubectl logs -n kube-system -l k8s-app=kube-dns

# Test DNS from pod
kubectl exec -n applications <pod-name> -- nslookup kubernetes.default

# Check Consul DNS
kubectl exec -n applications <pod-name> -- nslookup service.service.consul

Next Steps

• Gateway Stack - Deploy API Gateway
• Application Stack - Deploy microservices
• Monitoring Stack - Setup network monitoring
• Service Architecture - Service-level architecture

Documentation Maintenance

Last Updated: 2026-03-02
Maintained By: Infrastructure Team
Review Frequency: Quarterly or when infrastructure changes