3bf47efa2b
- Add Well-Architected Framework implementation guide covering all 5 pillars - Create Well-Architected Terraform module (cost, operations, performance, reliability, security) - Add Cloud for Sovereignty compliance guide - Implement data residency policies and enforcement - Add operational sovereignty features (CMK, independent logging) - Configure compliance monitoring and reporting - Add budget management and cost optimization - Implement comprehensive security controls - Add backup and disaster recovery automation - Create performance optimization resources (Redis, Front Door) - Add operational excellence tools (Log Analytics, App Insights, Automation)
Architecture Documentation
Last Updated: 2025-01-27
Status: Comprehensive Architecture Guide
Overview
This directory contains comprehensive architecture documentation for The Order platform, including system design, data models, deployment architecture, and architectural decision records (ADRs).
Documentation Index
Core Architecture
- Cloud for Sovereignty Landing Zone - Complete multi-region architecture
- Sovereignty Landing Zone Summary - Executive summary
System Design
- Microservices Architecture: See service documentation in
services/*/README.md - Data Models: Entity relationships and database schema
- API Design: RESTful APIs with OpenAPI/Swagger documentation
- Security Architecture: Zero-trust, defense in depth
Architecture Principles
Well-Architected Framework
The Order follows Azure Well-Architected Framework principles:
-
Cost Optimization
- Right-sized resources
- Reserved instances
- Cost allocation tags
- Budget alerts
-
Operational Excellence
- Infrastructure as Code
- Automated deployments
- Centralized logging
- Runbooks and playbooks
-
Performance Efficiency
- Regional proximity
- CDN for global delivery
- Auto-scaling
- Performance monitoring
-
Reliability
- Multi-region redundancy
- Availability Zones
- Automated failover
- RTO: 4 hours, RPO: 1 hour
-
Security
- Zero-trust architecture
- Defense in depth
- Data encryption
- Identity and access management
Cloud for Sovereignty
- Data Residency: All data within specified regions
- Data Protection: Customer-managed keys, private endpoints
- Compliance: GDPR, eIDAS, regional requirements
- Operational Control: Management groups, policy governance
System Architecture
High-Level Overview
┌─────────────────────────────────────────────────────────────┐
│ Frontend Applications │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ MCP Legal │ │ Portal Public│ │Portal Internal│ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ API Gateway / Load Balancer │
└─────────────────────────────────────────────────────────────┘
│
┌───────────────────┼───────────────────┐
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Identity │ │ Intake │ │ Finance │
│ Service │ │ Service │ │ Service │
└──────────────┘ └──────────────┘ └──────────────┘
│ │ │
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Dataroom │ │Legal Docs │ │ e-Residency │
│ Service │ │ Service │ │ Service │
└──────────────┘ └──────────────┘ └──────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Shared Infrastructure │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │PostgreSQL│ │ Redis │ │OpenSearch│ │ Azure │ │
│ │ │ │ │ │ │ │ Storage │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
└─────────────────────────────────────────────────────────────┘
Service Architecture
Each service follows a consistent architecture:
Service
├── API Layer (Fastify)
│ ├── Routes
│ ├── Middleware
│ └── Validation
├── Service Layer
│ ├── Business Logic
│ ├── External Integrations
│ └── Error Handling
├── Data Layer
│ ├── Database Queries
│ ├── Caching
│ └── Storage
└── Infrastructure
├── Health Checks
├── Metrics
└── Logging
Data Models
Core Entities
- User: Member of The Order
- Identity: Digital identity (eIDAS/DID)
- Credential: Verifiable credential
- Document: Legal document
- Matter: Legal matter
- Deal: Business transaction
- Payment: Financial transaction
Relationships
See entity relationship diagrams in service-specific documentation.
Deployment Architecture
Regional Deployment
The Order is deployed across 7 non-US commercial Azure regions:
- West Europe (Netherlands) - Primary
- North Europe (Ireland) - Secondary
- UK South (London)
- Switzerland North (Zurich)
- Norway East (Oslo)
- France Central (Paris)
- Germany West Central (Frankfurt)
Per-Region Architecture
Each region includes:
- Hub Virtual Network (gateway, firewall, management)
- Spoke Virtual Network (application, database, storage)
- Azure Firewall
- Key Vault (with private endpoint)
- Storage Account (with private endpoint)
- Log Analytics Workspace
- AKS Cluster (optional)
Network Architecture
- Hub-and-Spoke: Centralized connectivity
- Private Endpoints: Secure service access
- Azure Firewall: Centralized security
- VNet Peering: Hub-to-spoke connectivity
Security Architecture
Zero-Trust Principles
- Identity Verification: Always verify identity
- Least Privilege: Minimum required access
- Network Segmentation: Isolated networks
- Encryption: At rest and in transit
- Monitoring: Continuous security monitoring
Defense in Depth
- Perimeter: Azure Firewall, WAF
- Network: NSGs, Private Endpoints
- Application: Authentication, Authorization
- Data: Encryption, Access Controls
- Identity: MFA, RBAC, PIM
Monitoring & Observability
Metrics
- Application metrics (Prometheus)
- Infrastructure metrics (Azure Monitor)
- Business metrics (Custom dashboards)
Logging
- Structured logging (JSON)
- Centralized log aggregation (Log Analytics)
- Log retention (90 days production)
Tracing
- Distributed tracing (OpenTelemetry)
- Request flow visualization
- Performance analysis
Disaster Recovery
Strategy
- RTO: 4 hours
- RPO: 1 hour
- Primary Region: West Europe
- Secondary Region: North Europe
- Backup Regions: Other 5 regions
Backup Strategy
- Database: Daily full, hourly incremental
- Storage: Cross-region replication
- Configuration: Version controlled
Technology Stack
Frontend
- React 18+
- Next.js 14+
- TypeScript
- Tailwind CSS
- Material-UI
Backend
- Node.js 18+
- TypeScript
- Fastify
- PostgreSQL
- Redis
Infrastructure
- Azure (non-US commercial)
- Kubernetes
- Terraform
- Docker
Monitoring
- Prometheus
- Grafana
- OpenTelemetry
- Log Analytics
Design Decisions
Why Microservices?
- Independent scaling
- Technology diversity
- Team autonomy
- Fault isolation
Why Azure (Non-US)?
- Data sovereignty requirements
- GDPR compliance
- Regional data residency
- Cloud for Sovereignty
Why Kubernetes?
- Container orchestration
- Auto-scaling
- Rolling updates
- Service discovery
Related Documentation
- Cloud for Sovereignty Landing Zone
- Deployment Guides
- Service Documentation
- Infrastructure Documentation
Last Updated: 2025-01-27