Co-authored-by: Cursor <cursoragent@cursor.com>
27 KiB
Phoenix Operating Model - Architecture Diagrams
Visual representations of the Phoenix operating model architecture
This document contains mermaid diagrams visualizing the Phoenix operating model, including control planes, entity relationships, access models, promotion flows, and integration patterns.
1. Control Plane Overview
High-level view of the five orthogonal control planes and their relationships.
graph TB
subgraph commercial [Commercial Plane]
Client[Client<br/>Billing Profile]
Billing[Billing & Invoicing]
Contracts[Contracts & MSAs]
end
subgraph tenancy [Tenancy Plane]
Tenant[Tenant<br/>Domain & Identity]
Identity[Identity Provider]
RBAC[RBAC Namespace]
end
subgraph subscription [Subscription Plane]
Subscription[Subscription<br/>Service Bundle]
Quotas[Quotas & Limits]
Policies[Policy Packs]
end
subgraph environment [Environment Plane]
Environment[Environment<br/>Lifecycle Stage]
Network[Network Isolation]
Data[Data Isolation]
end
subgraph content [Content & DevOps Plane]
Enterprise[Enterprise]
Portfolio[Portfolio]
Product[Product]
Application[Application]
Component[Component]
end
Client -->|owns| Tenant
Tenant -->|contains| Subscription
Subscription -->|provisions| Environment
Application -->|deploys to| Environment
Client -.->|billing ID| Subscription
Tenant -.->|identity ID| Environment
Subscription -.->|quota ID| Environment
Application -.->|content ID| Environment
style Client fill:#e1f5ff
style Tenant fill:#fff4e1
style Subscription fill:#e8f5e9
style Environment fill:#fce4ec
style Enterprise fill:#f3e5f5
2. Entity Relationship Diagram
Complete graph showing the hierarchical relationships between all entities.
erDiagram
Client ||--o{ Tenant : "owns"
Tenant ||--o{ Subscription : "contains"
Subscription ||--o{ Environment : "provisions"
Client {
string id
string name
LegalEntity legalEntity
Contract contract
InvoicingConfig invoicingConfig
}
Tenant {
string id
string name
string[] primaryDomains
IdentityProvider identityProvider
string rbacNamespace
ComplianceProfile complianceProfile
}
Subscription {
string id
string name
SubscriptionType type
ServiceBundle[] serviceBundles
Quotas quotas
PolicyPack[] policyPacks
}
Environment {
string id
string name
EnvironmentType type
NetworkIsolation networkIsolation
DataIsolation dataIsolation
}
Enterprise ||--o{ Portfolio : "contains"
Portfolio ||--o{ Product : "contains"
Product ||--o{ Application : "contains"
Application ||--o{ Component : "contains"
Application ||--o{ GitRepo : "uses"
Enterprise {
string id
string name
Ownership ownership
}
Portfolio {
string id
string name
Ownership ownership
}
Product {
string id
string name
Ownership ownership
}
Application {
string id
string name
Ownership ownership
}
Component {
string id
string name
ContentType contentType
string version
}
Application }o--|| Environment : "deploys to"
3. Multi-Region Landing Zone Architecture
Sovereign cloud deployments per region, landing zones, and cross-region connectivity.
graph TB
subgraph global [Global Phoenix Platform]
ControlPlane[Control Plane<br/>Coordinated]
end
subgraph region1 [Region 1 - Nation A]
LandingZone1[Landing Zone 1<br/>Sovereign Cloud]
Tenant1A[Tenant 1A]
Tenant1B[Tenant 1B]
Subscription1A[Subscription 1A]
Environment1A[Environment 1A<br/>PROD]
end
subgraph region2 [Region 2 - Nation B]
LandingZone2[Landing Zone 2<br/>Sovereign Cloud]
Tenant2A[Tenant 2A]
Subscription2A[Subscription 2A]
Environment2A[Environment 2A<br/>PROD]
end
subgraph region3 [Region 3 - Nation C]
LandingZone3[Landing Zone 3<br/>Sovereign Cloud]
Tenant3A[Tenant 3A]
Subscription3A[Subscription 3A]
Environment3A[Environment 3A<br/>AIR-GAPPED]
end
ControlPlane -.->|governance| LandingZone1
ControlPlane -.->|governance| LandingZone2
ControlPlane -.->|governance| LandingZone3
LandingZone1 --> Tenant1A
LandingZone1 --> Tenant1B
Tenant1A --> Subscription1A
Subscription1A --> Environment1A
LandingZone2 --> Tenant2A
Tenant2A --> Subscription2A
Subscription2A --> Environment2A
LandingZone3 --> Tenant3A
Tenant3A --> Subscription3A
Subscription3A --> Environment3A
LandingZone1 <-->|cross-region<br/>connectivity| LandingZone2
LandingZone2 -.->|governance only| LandingZone3
style LandingZone1 fill:#e1f5ff
style LandingZone2 fill:#e1f5ff
style LandingZone3 fill:#e1f5ff
style Environment3A fill:#ffebee
4. Decentralized Control Planes
Distributed governance across regions showing regional autonomy with coordination.
graph TB
subgraph coordination [Coordination Layer]
EventBus[Event Bus]
GovernanceAPI[Governance API]
AuditLog[Audit Log]
end
subgraph region1 [Region 1 Control Plane]
CP1_Commercial[Commercial Plane]
CP1_Tenancy[Tenancy Plane]
CP1_Subscription[Subscription Plane]
CP1_Environment[Environment Plane]
CP1_Content[Content & DevOps]
end
subgraph region2 [Region 2 Control Plane]
CP2_Commercial[Commercial Plane]
CP2_Tenancy[Tenancy Plane]
CP2_Subscription[Subscription Plane]
CP2_Environment[Environment Plane]
CP2_Content[Content & DevOps]
end
subgraph region3 [Region 3 Control Plane]
CP3_Commercial[Commercial Plane]
CP3_Tenancy[Tenancy Plane]
CP3_Subscription[Subscription Plane]
CP3_Environment[Environment Plane]
CP3_Content[Content & DevOps]
end
CP1_Commercial <--> EventBus
CP1_Tenancy <--> EventBus
CP1_Subscription <--> EventBus
CP1_Environment <--> EventBus
CP1_Content <--> EventBus
CP2_Commercial <--> EventBus
CP2_Tenancy <--> EventBus
CP2_Subscription <--> EventBus
CP2_Environment <--> EventBus
CP2_Content <--> EventBus
CP3_Commercial <--> EventBus
CP3_Tenancy <--> EventBus
CP3_Subscription <--> EventBus
CP3_Environment <--> EventBus
CP3_Content <--> EventBus
EventBus --> GovernanceAPI
EventBus --> AuditLog
CP1_Tenancy <-->|federated identity| CP2_Tenancy
CP2_Tenancy -.->|governance only| CP3_Tenancy
style CP1_Commercial fill:#e1f5ff
style CP1_Tenancy fill:#fff4e1
style CP1_Subscription fill:#e8f5e9
style CP1_Environment fill:#fce4ec
style CP1_Content fill:#f3e5f5
5. Content Hierarchy
Enterprise content management hierarchy from Enterprise to Component.
graph TD
Enterprise[Enterprise<br/>Ownership & Governance]
Enterprise --> Portfolio1[Portfolio 1]
Enterprise --> Portfolio2[Portfolio 2]
Enterprise --> Portfolio3[Portfolio 3]
Portfolio1 --> Product1A[Product 1A]
Portfolio1 --> Product1B[Product 1B]
Portfolio2 --> Product2A[Product 2A]
Product1A --> App1A1[Application 1A1]
Product1A --> App1A2[Application 1A2]
Product1B --> App1B1[Application 1B1]
Product2A --> App2A1[Application 2A1]
App1A1 --> Comp1A1A[Component 1A1A<br/>Source Code]
App1A1 --> Comp1A1B[Component 1A1B<br/>IaC]
App1A1 --> Comp1A1C[Component 1A1C<br/>Pipeline]
App1A2 --> Comp1A2A[Component 1A2A<br/>Source Code]
App1B1 --> Comp1B1A[Component 1B1A<br/>Source Code]
App2A1 --> Comp2A1A[Component 2A1A<br/>Source Code]
App2A1 --> Comp2A1B[Component 2A1B<br/>AI Model]
App1A1 --> GitRepo1[Git Repository 1]
App1A2 --> GitRepo2[Git Repository 2]
App1B1 --> GitRepo3[Git Repository 3]
App2A1 --> GitRepo4[Git Repository 4]
style Enterprise fill:#f3e5f5
style Portfolio1 fill:#e1bee7
style Portfolio2 fill:#e1bee7
style Portfolio3 fill:#e1bee7
style Product1A fill:#ce93d8
style App1A1 fill:#ba68c8
style Comp1A1A fill:#ab47bc
6. Access Model (RBAC)
RBAC roles across planes with regional scope and cross-plane delegation.
graph TB
subgraph commercialRoles [Commercial Plane Roles]
FinanceAdmin[Finance Admin]
BillingViewer[Billing Viewer]
CostCenterOwner[Cost Center Owner]
end
subgraph tenancyRoles [Tenancy Plane Roles]
TenantOwner[Tenant Owner]
SecurityAdmin[Security Admin]
IdentityAdmin[Identity Admin]
ComplianceOfficer[Compliance Officer]
end
subgraph subscriptionRoles [Subscription Plane Roles]
SubscriptionOwner[Subscription Owner]
PlatformAdmin[Platform Admin]
ServiceOperator[Service Operator]
Auditor[Read-only Auditor]
end
subgraph environmentRoles [Environment Plane Roles]
EnvOwner[Environment Owner]
ReleaseManager[Release Manager]
Operator[Operator]
Observer[Observer]
end
subgraph contentRoles [Content & DevOps Roles]
EnterpriseArch[Enterprise Architect]
PortfolioLead[Portfolio Lead]
ProductOwner[Product Owner]
DevLead[Dev Lead]
Contributor[Contributor]
Reviewer[Reviewer]
ReleaseApprover[Release Approver]
end
FinanceAdmin -.->|delegation| TenantOwner
TenantOwner -.->|delegation| SubscriptionOwner
SubscriptionOwner -.->|delegation| EnvOwner
EnvOwner -.->|delegation| ReleaseManager
ReleaseManager -.->|delegation| ReleaseApprover
TenantOwner -->|manages| IdentityAdmin
TenantOwner -->|manages| SecurityAdmin
SubscriptionOwner -->|manages| PlatformAdmin
EnvOwner -->|manages| Operator
style FinanceAdmin fill:#e1f5ff
style TenantOwner fill:#fff4e1
style SubscriptionOwner fill:#e8f5e9
style EnvOwner fill:#fce4ec
style EnterpriseArch fill:#f3e5f5
7. Promotion Flow
Code commit through CI/CD to deployment with policy gates and authorization.
sequenceDiagram
participant Dev as Developer
participant Git as Git Repository
participant CI as CI Pipeline
participant Artifact as Artifact Registry
participant Policy as Policy Engine
participant Approval as Approval Workflow
participant Env as Environment
participant Sub as Subscription
Dev->>Git: Commit Code
Git->>CI: Trigger CI Pipeline
CI->>CI: Run Tests
CI->>CI: Security Scan
CI->>CI: Build Artifact
alt Tests Pass
CI->>Artifact: Store Artifact
Artifact->>Policy: Validate Policies
alt Policy Validation Pass
Policy->>Approval: Check Approval Required
alt Approval Required
Approval->>Approval: Request Approval
Approval->>Approval: Wait for Approval
alt Approval Granted
Approval->>Sub: Verify Subscription Authorization
Sub->>Env: Authorize Deployment
Env->>Env: Deploy to Environment
else Approval Denied
Approval->>Dev: Reject Deployment
end
else No Approval Required
Approval->>Sub: Verify Subscription Authorization
Sub->>Env: Authorize Deployment
Env->>Env: Deploy to Environment
end
else Policy Validation Fail
Policy->>Dev: Reject - Policy Violation
end
else Tests Fail
CI->>Dev: Reject - Tests Failed
end
8. Integration Architecture
How control planes interact with existing infrastructure systems.
graph TB
subgraph planes [Phoenix Control Planes]
Commercial[Commercial Plane]
Tenancy[Tenancy Plane]
Subscription[Subscription Plane]
Environment[Environment Plane]
Content[Content & DevOps Plane]
end
subgraph infrastructure [Existing Infrastructure]
Proxmox[Proxmox<br/>Compute & Storage]
Kubernetes[Kubernetes<br/>Container Orchestration]
Cloudflare[Cloudflare<br/>Zero Trust & Tunnels]
Keycloak[Keycloak<br/>Identity Management]
ArgoCD[ArgoCD<br/>GitOps]
Crossplane[Crossplane<br/>Infrastructure as Code]
Monitoring[Monitoring & Observability]
end
Commercial -->|billing data| Monitoring
Tenancy -->|identity config| Keycloak
Tenancy -->|access policies| Cloudflare
Subscription -->|resource quotas| Kubernetes
Subscription -->|infrastructure| Crossplane
Environment -->|deployment| ArgoCD
Environment -->|compute resources| Proxmox
Environment -->|container workloads| Kubernetes
Content -->|Git repos| ArgoCD
Content -->|IaC| Crossplane
Keycloak -->|identity| Cloudflare
ArgoCD -->|syncs| Kubernetes
Crossplane -->|provisions| Proxmox
Crossplane -->|provisions| Kubernetes
style Commercial fill:#e1f5ff
style Tenancy fill:#fff4e1
style Subscription fill:#e8f5e9
style Environment fill:#fce4ec
style Content fill:#f3e5f5
9. Sovereign Environment Isolation
REGULATED, SOVEREIGN, and AIR-GAPPED environments per region.
graph TB
subgraph standard [Standard Environments]
DEV[DEV<br/>Development]
INT[INT<br/>Integration]
UAT[UAT<br/>User Acceptance]
STAGING[STAGING<br/>Pre-Production]
PROD[PROD<br/>Production]
end
subgraph specialized [Specialized Environments]
REGULATED[REGULATED<br/>Compliance Required]
SOVEREIGN[SOVEREIGN<br/>Data Residency]
AIRGAPPED[AIR-GAPPED<br/>No External Connectivity]
end
subgraph isolation [Isolation Levels]
NetworkIsolation[Network Isolation]
DataIsolation[Data Isolation]
AccessIsolation[Access Isolation]
ComplianceIsolation[Compliance Isolation]
end
DEV --> NetworkIsolation
INT --> NetworkIsolation
UAT --> NetworkIsolation
STAGING --> NetworkIsolation
PROD --> NetworkIsolation
PROD --> DataIsolation
PROD --> AccessIsolation
REGULATED --> NetworkIsolation
REGULATED --> DataIsolation
REGULATED --> AccessIsolation
REGULATED --> ComplianceIsolation
SOVEREIGN --> NetworkIsolation
SOVEREIGN --> DataIsolation
SOVEREIGN --> AccessIsolation
SOVEREIGN --> ComplianceIsolation
SOVEREIGN -->|regional| DataResidency[Regional Data Residency]
AIRGAPPED --> NetworkIsolation
AIRGAPPED --> DataIsolation
AIRGAPPED --> AccessIsolation
AIRGAPPED --> ComplianceIsolation
AIRGAPPED -->|complete| NoExternalConnectivity[No External Connectivity]
style PROD fill:#ffebee
style REGULATED fill:#fff3e0
style SOVEREIGN fill:#e8f5e9
style AIRGAPPED fill:#fce4ec
10. Multi-National Tenant Structure
How international sovereign governments are modeled with tenants.
graph TB
subgraph client [Client: International Government]
ClientEntity[Government Entity<br/>Legal & Billing]
end
subgraph nation1 [Nation A]
Tenant1A[Tenant 1A<br/>Domain: nation-a.gov]
Subscription1A[Subscription 1A<br/>Product]
Environment1A[Environment 1A<br/>PROD]
LandingZone1[Landing Zone 1<br/>Sovereign Cloud]
end
subgraph nation2 [Nation B]
Tenant2A[Tenant 2A<br/>Domain: nation-b.gov]
Subscription2A[Subscription 2A<br/>Product]
Environment2A[Environment 2A<br/>PROD]
LandingZone2[Landing Zone 2<br/>Sovereign Cloud]
end
subgraph nation3 [Nation C]
Tenant3A[Tenant 3A<br/>Domain: nation-c.gov]
Subscription3A[Subscription 3A<br/>Classified]
Environment3A[Environment 3A<br/>AIR-GAPPED]
LandingZone3[Landing Zone 3<br/>Air-Gapped Cloud]
end
ClientEntity -->|owns| Tenant1A
ClientEntity -->|owns| Tenant2A
ClientEntity -->|owns| Tenant3A
Tenant1A --> Subscription1A
Subscription1A --> Environment1A
Environment1A --> LandingZone1
Tenant2A --> Subscription2A
Subscription2A --> Environment2A
Environment2A --> LandingZone2
Tenant3A --> Subscription3A
Subscription3A --> Environment3A
Environment3A --> LandingZone3
Tenant1A <-->|federated identity| Tenant2A
Tenant2A -.->|governance only| Tenant3A
LandingZone1 <-->|cross-region<br/>connectivity| LandingZone2
LandingZone2 -.->|no connectivity| LandingZone3
style ClientEntity fill:#e1f5ff
style Tenant1A fill:#fff4e1
style Tenant2A fill:#fff4e1
style Tenant3A fill:#fff4e1
style LandingZone3 fill:#ffebee
11. Landing Zone Patterns
Regional sovereign cloud deployments with different patterns.
graph TB
subgraph pattern1 [Pattern 1: Single Region Sovereign]
LZ1[Landing Zone 1<br/>Region A]
T1[Tenant 1]
S1[Subscription 1]
E1[Environment 1<br/>PROD]
end
subgraph pattern2 [Pattern 2: Multi-Region Sovereign]
LZ2A[Landing Zone 2A<br/>Region A]
LZ2B[Landing Zone 2B<br/>Region B]
T2[Tenant 2<br/>Multi-Region]
S2A[Subscription 2A<br/>Region A]
S2B[Subscription 2B<br/>Region B]
E2A[Environment 2A<br/>PROD]
E2B[Environment 2B<br/>PROD]
end
subgraph pattern3 [Pattern 3: Air-Gapped Sovereign]
LZ3[Landing Zone 3<br/>Region C<br/>Air-Gapped]
T3[Tenant 3]
S3[Subscription 3<br/>Classified]
E3[Environment 3<br/>AIR-GAPPED]
end
LZ1 --> T1
T1 --> S1
S1 --> E1
LZ2A --> T2
LZ2B --> T2
T2 --> S2A
T2 --> S2B
S2A --> E2A
S2B --> E2B
LZ2A <-->|cross-region| LZ2B
LZ3 --> T3
T3 --> S3
S3 --> E3
style LZ1 fill:#e1f5ff
style LZ2A fill:#e1f5ff
style LZ2B fill:#e1f5ff
style LZ3 fill:#ffebee
12. Competitive Architecture Comparison
Phoenix vs Azure vs AWS showing decentralized vs centralized models.
graph TB
subgraph phoenix [Phoenix - Decentralized]
P_Control[Distributed Control Planes]
P_Client[Client]
P_Tenant[Tenant]
P_Sub[Subscription]
P_Env[Environment]
P_LandingZone[Landing Zone<br/>Sovereign Cloud]
end
subgraph azure [Azure - Centralized]
A_Control[Centralized Control Plane]
A_Tenant[Azure AD Tenant]
A_Sub[Azure Subscription]
A_RG[Resource Group]
A_Region[Azure Region]
end
subgraph aws [AWS - Centralized]
A_Control2[Centralized Control Plane]
A_Org[AWS Organization]
A_Account[AWS Account]
A_Region2[AWS Region]
end
P_Control --> P_Client
P_Client --> P_Tenant
P_Tenant --> P_Sub
P_Sub --> P_Env
P_Env --> P_LandingZone
A_Control --> A_Tenant
A_Tenant --> A_Sub
A_Sub --> A_RG
A_RG --> A_Region
A_Control2 --> A_Org
A_Org --> A_Account
A_Account --> A_Region2
style P_Control fill:#e8f5e9
style P_LandingZone fill:#c8e6c9
style A_Control fill:#ffebee
style A_Control2 fill:#ffebee
13. Data Flow - Cross-Plane Operations
Data flow showing how operations span multiple control planes.
sequenceDiagram
participant User
participant Commercial as Commercial Plane
participant Tenancy as Tenancy Plane
participant Subscription as Subscription Plane
participant Environment as Environment Plane
participant Content as Content & DevOps Plane
participant Infrastructure as Infrastructure
User->>Tenancy: Authenticate (Identity)
Tenancy->>Tenancy: Validate Identity
Tenancy->>User: Return Tenant Context
User->>Commercial: Request Billing Data
Commercial->>Commercial: Get Client for Tenant
Commercial->>Commercial: Aggregate Billing
Commercial->>User: Return Billing Data
User->>Subscription: Request Resource Provisioning
Subscription->>Tenancy: Verify Tenant Authorization
Subscription->>Commercial: Verify Billing Profile
Subscription->>Subscription: Check Quotas
Subscription->>Environment: Provision Environment
Environment->>Infrastructure: Deploy Resources
Infrastructure->>Environment: Confirm Deployment
Environment->>Subscription: Update Status
Subscription->>User: Confirm Provisioning
User->>Content: Deploy Application
Content->>Content: Build from Git
Content->>Environment: Request Deployment
Environment->>Subscription: Verify Authorization
Subscription->>Environment: Authorize Deployment
Environment->>Infrastructure: Deploy Application
Infrastructure->>Environment: Confirm Deployment
Environment->>Content: Update Status
Content->>User: Confirm Deployment
14. Sequence Diagram - Promotion Flow with Authorization
Detailed sequence diagram showing promotion flow with all authorization gates.
sequenceDiagram
participant Dev as Developer
participant Git as Git Repository
participant CI as CI Pipeline
participant Artifact as Artifact Registry
participant Policy as Policy Engine
participant Approval as Approval Workflow
participant Subscription as Subscription Plane
participant Environment as Environment Plane
participant Infrastructure as Infrastructure
Dev->>Git: Commit Code to Branch
Git->>CI: Webhook Trigger
CI->>CI: Checkout Code
CI->>CI: Run Unit Tests
CI->>CI: Run Integration Tests
CI->>CI: Security Scan (SAST)
CI->>CI: Dependency Scan
CI->>CI: Build Artifact
alt All Tests Pass
CI->>Artifact: Store Artifact + Metadata
Artifact->>Policy: Validate Security Policies
Artifact->>Policy: Validate Compliance Policies
Artifact->>Policy: Validate Governance Policies
alt All Policies Pass
Policy->>Approval: Check Environment Type
alt Environment is PROD or REGULATED
Approval->>Approval: Require Manual Approval
Approval->>ReleaseManager: Send Approval Request
ReleaseManager->>Approval: Review & Approve/Reject
alt Approval Granted
Approval->>Subscription: Verify Subscription Authorization
Subscription->>Subscription: Check Service Bundles
Subscription->>Subscription: Check Quotas
Subscription->>Approval: Authorization Granted
Approval->>Environment: Request Deployment Authorization
Environment->>Environment: Check Deployment Policies
Environment->>Environment: Verify Network Isolation
Environment->>Environment: Verify Data Isolation
Environment->>Approval: Deployment Authorized
Approval->>Infrastructure: Deploy to Environment
Infrastructure->>Infrastructure: Provision Resources
Infrastructure->>Infrastructure: Deploy Application
Infrastructure->>Environment: Deployment Complete
Environment->>Approval: Confirm Deployment
Approval->>Dev: Deployment Successful
else Approval Denied
Approval->>Dev: Deployment Rejected - Approval Denied
end
else Environment is DEV or INT
Approval->>Subscription: Verify Subscription Authorization
Subscription->>Approval: Authorization Granted
Approval->>Environment: Request Deployment Authorization
Environment->>Approval: Deployment Authorized
Approval->>Infrastructure: Deploy to Environment
Infrastructure->>Environment: Deployment Complete
Environment->>Approval: Confirm Deployment
Approval->>Dev: Deployment Successful
end
else Policy Validation Failed
Policy->>Dev: Deployment Rejected - Policy Violation
end
else Tests Failed
CI->>Dev: Build Failed - Tests Failed
end
15. Multi-Region Topology
Network and governance topology across multiple regions.
graph TB
subgraph global [Global Coordination]
GovernanceAPI[Governance API]
EventBus[Event Bus]
AuditLog[Global Audit Log]
end
subgraph region1 [Region 1 - Nation A]
LZ1[Landing Zone 1]
CP1[Control Plane 1]
Network1[Network 1<br/>10.1.0.0/16]
Proxmox1[Proxmox Cluster 1]
K8s1[Kubernetes Cluster 1]
end
subgraph region2 [Region 2 - Nation B]
LZ2[Landing Zone 2]
CP2[Control Plane 2]
Network2[Network 2<br/>10.2.0.0/16]
Proxmox2[Proxmox Cluster 2]
K8s2[Kubernetes Cluster 2]
end
subgraph region3 [Region 3 - Nation C]
LZ3[Landing Zone 3<br/>Air-Gapped]
CP3[Control Plane 3]
Network3[Network 3<br/>10.3.0.0/16]
Proxmox3[Proxmox Cluster 3]
K8s3[Kubernetes Cluster 3]
end
GovernanceAPI --> CP1
GovernanceAPI --> CP2
GovernanceAPI -.->|governance only| CP3
EventBus --> CP1
EventBus --> CP2
EventBus -.->|no connectivity| CP3
AuditLog --> CP1
AuditLog --> CP2
AuditLog -.->|local only| CP3
CP1 --> LZ1
CP2 --> LZ2
CP3 --> LZ3
LZ1 --> Network1
LZ1 --> Proxmox1
LZ1 --> K8s1
LZ2 --> Network2
LZ2 --> Proxmox2
LZ2 --> K8s2
LZ3 --> Network3
LZ3 --> Proxmox3
LZ3 --> K8s3
LZ1 <-->|encrypted tunnel| LZ2
LZ2 -.->|no connectivity| LZ3
style LZ1 fill:#e1f5ff
style LZ2 fill:#e1f5ff
style LZ3 fill:#ffebee
style CP3 fill:#ffebee
Diagram Usage
These diagrams can be used in:
- Architecture presentations
- Technical documentation
- Client proposals
- Implementation guides
- Training materials
All diagrams use mermaid syntax and can be rendered in:
- GitHub/GitLab markdown
- Documentation sites (MkDocs, Docusaurus, etc.)
- Mermaid Live Editor
- VS Code with mermaid extensions
Last Updated: 2025-01-09
Version: 1.0
Status: Complete Architecture Diagrams