Infrastructure Topology¶
Before You Read¶
This page assumes familiarity with GCP networking (VPCs, subnets, Private Service Access) and Kubernetes. See Architecture Overview for the application-level view.
GCP Project Layout¶
The platform spans three environment projects (development, staging, production) plus a shared DNS project (orofi-cloud); a separate devops project (orofi-devops-cloud) reaches the staging database over Private Service Connect:

```mermaid
graph TB
    subgraph DNS["Google Cloud DNS\n(orofi-cloud — shared project)"]
        DNS1["*.dev.orofi.xyz zone"]
        DNS2["*.stage.orofi.xyz zone"]
        DNS3["*.orofi.xyz zone (prod)"]
    end
    subgraph Dev["orofi-dev-cloud\n(Development)"]
        DevVPC["VPC: orofi-dev-cloud-dev-vpc\n10.0.0.0/16"]
        DevGKE["GKE: orofi-dev-cloud-dev-k8s-cluster\nus-central1-a"]
        DevSQL["Cloud SQL: orofi-dev-cloud-dev-oro-mysql-instance\nMySQL 8.0, db-f1-micro, 20GB HDD"]
        DevRedis["Redis: orofi-dev-cloud-dev-redis-cache\nSTANDARD_HA, 1GB"]
        DevArtReg["Artifact Registry: orofi\nus-central1"]
        DevMaven["Artifact Registry: orofi-maven\nus-central1"]
    end
    subgraph Stage["orofi-stage-cloud\n(Staging)"]
        StageVPC["VPC: orofi-stage-cloud-stage-vpc\n11.0.0.0/16"]
        StageGKE["GKE: orofi-stage-cloud-stage-k8s-cluster\nus-central1-a"]
        StageSQL["Cloud SQL: orofi-stage-cloud-stage-oro-mysql-instance\nMySQL 8.0, db-n1-standard-1, 100GB SSD"]
        StageRedis["Redis: orofi-stage-cloud-stage-redis-cache\nSTANDARD_HA, 1GB, 1 replica"]
        StagePSC["Private Service Connect endpoint\n← from orofi-devops-cloud"]
    end
    subgraph Prod["Production\n(orofi-prod)"]
        ProdNote["[NEEDS TEAM INPUT:\nproduction GCP project details]"]
    end
    DNS1 --> DevGKE
    DNS2 --> StageGKE
    DevVPC --> DevGKE
    DevVPC --> DevSQL
    DevVPC --> DevRedis
    StageVPC --> StageGKE
    StageVPC --> StageSQL
    StageVPC --> StageRedis
    StagePSC --> StageSQL
```
VPC Networks¶
Development VPC¶
Defined in infrastructure-management/projects/orofi-dev/network.tf (via modules/network).
| Property | Value |
|---|---|
| VPC Name | orofi-dev-cloud-dev-vpc |
| Subnet Name | orofi-dev-cloud-dev-subnet |
| CIDR | 10.0.0.0/16 |
| Region | us-central1 |
| Cloud NAT | Enabled (for outbound internet access from private nodes) |
| Cloud Router | Enabled |
Firewall rules (zero trust, dev only):

| Rule Name | Priority | Direction | Source | Action |
|---|---|---|---|---|
| orofi-dev-cloud-dev-zerotrust-allow | 700 | Ingress | 35.226.57.140/32, 10.0.0.0/8, 11.0.0.0/16 | Allow all |
| orofi-dev-cloud-dev-zerotrust-deny | 800 | Ingress | 0.0.0.0/0 | Deny all |

GCP evaluates firewall rules from the lowest priority number upward and applies the first match, so the allow rule at 700 takes precedence over the catch-all deny at 800. Swapping the two numbers would deny all ingress, including from the trusted ranges, so the priorities should be checked whenever the module is changed. Note that 11.0.0.0/16 (the staging VPC CIDR, allowed here) is not RFC 1918 private space; GCP permits such privately used public ranges as subnet CIDRs, but hosts in these VPCs can never reach the real owners of that block.

The zero-trust firewall is enabled in dev (`zero_trust = true` in the network module). In staging, zero-trust is disabled and access is controlled at the Istio layer instead.
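To make the precedence behaviour concrete, the following added example (not part of the Terraform in infrastructure-management) models GCP VPC firewall evaluation for the rule pair above. The rule names, priorities and ranges are the ones in the table, and the implied deny-ingress/allow-egress rules are GCP's documented defaults; the function names, the `MISORDERED_RULES` variant and the sample addresses are illustrative. The `in_any` helper applies equally to the GKE master authorized networks listed in the cluster tables below, which use the same three trusted ranges.

```python
"""Model GCP VPC firewall evaluation for the dev zero-trust rule pair.

Added example, not project code. Rule names, priorities and ranges come from
the documented table; implied rules are GCP defaults; everything else
(function names, MISORDERED_RULES, sample addresses) is illustrative.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Literal

Action = Literal["allow", "deny"]
Direction = Literal["INGRESS", "EGRESS"]


@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int            # 0..65535; a LOWER number is evaluated FIRST
    direction: Direction
    ranges: tuple[str, ...]  # source ranges (ingress) or destination ranges (egress)
    action: Action


# The two rules from the table (dev VPC, zero_trust = true).
DEV_ZERO_TRUST_RULES: tuple[FirewallRule, ...] = (
    FirewallRule("orofi-dev-cloud-dev-zerotrust-allow", 700, "INGRESS",
                 ("35.226.57.140/32", "10.0.0.0/8", "11.0.0.0/16"), "allow"),
    FirewallRule("orofi-dev-cloud-dev-zerotrust-deny", 800, "INGRESS",
                 ("0.0.0.0/0",), "deny"),
)

# GCP's implied rules: deny all ingress, allow all egress, both at the lowest
# precedence (65535). They exist in every VPC and cannot be removed.
IMPLIED_RULES: tuple[FirewallRule, ...] = (
    FirewallRule("implied-deny-ingress", 65535, "INGRESS", ("0.0.0.0/0",), "deny"),
    FirewallRule("implied-allow-egress", 65535, "EGRESS", ("0.0.0.0/0",), "allow"),
)

# The misconfiguration to guard against: same two rules, priorities swapped.
MISORDERED_RULES: tuple[FirewallRule, ...] = tuple(
    replace(r, priority=(800 if r.action == "allow" else 700))
    for r in DEV_ZERO_TRUST_RULES
)


def in_any(addr: str, cidrs) -> bool:
    """True if addr falls inside any of the given CIDR blocks."""
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in cidrs)


def evaluate(rules, direction: Direction, peer_ip: str) -> tuple[Action, str]:
    """Return (action, rule_name) of the first matching rule, in GCP order.

    GCP applies the matching rule with the lowest priority number; when two
    rules share a number and conflict, deny wins, so deny sorts first on ties.
    """
    ordered = sorted(tuple(rules) + IMPLIED_RULES,
                     key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule.direction == direction and in_any(peer_ip, rule.ranges):
            return rule.action, rule.name
    raise RuntimeError("unreachable: the implied rules match every address")


def non_rfc1918_allowed_sources(rules) -> list[str]:
    """List ingress-allow source ranges that are not RFC 1918 private space.

    These deserve review: a public /32 is a single trusted host, and a block
    such as 11.0.0.0/16 is publicly routable space reused as a VPC CIDR.
    """
    return [c for r in rules if r.direction == "INGRESS" and r.action == "allow"
            for c in r.ranges if not ip_network(c, strict=False).is_private]


if __name__ == "__main__":
    for ip in ("35.226.57.140", "11.0.4.7", "8.8.8.8"):
        print(ip, "->", evaluate(DEV_ZERO_TRUST_RULES, "INGRESS", ip))
    print("swapped priorities:", evaluate(MISORDERED_RULES, "INGRESS", "35.226.57.140"))
    print("non-RFC1918 allowed sources:", non_rfc1918_allowed_sources(DEV_ZERO_TRUST_RULES))
```

Running it shows the trusted host and any 10/8 or 11.0/16 address admitted by the 700 rule, 8.8.8.8 caught by the 800 deny, and the swapped-priority variant denying even the trusted host, which is the failure mode to test for in CI whenever `zero_trust` rules are edited.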
Staging VPC¶
| Property | Value |
|---|---|
| VPC Name | orofi-stage-cloud-stage-vpc |
| Subnet Name | orofi-stage-cloud-stage-subnet |
| CIDR | 11.0.0.0/16 |
| Region | us-central1 |
| Cloud NAT | Enabled |
| Cloud Router | Enabled |
| PSC Auto-connections | From orofi-devops-cloud (cross-project database access) |
GKE Clusters¶
Both clusters are single-zone (us-central1-a) with autoscaling enabled. They use the same Terraform module (modules/k8s).
Development Cluster¶
Defined in: infrastructure-management/projects/orofi-dev/k8s.tf
| Property | Value |
|---|---|
| Cluster Name | orofi-dev-cloud-dev-k8s-cluster |
| Zone | us-central1-a |
| Initial Node Count | 1 |
| Autoscaling Max | 15 |
| Zero Trust Master Access | Enabled (restricted to 35.226.57.140/32, 10.0.0.0/8, 11.0.0.0/16) |
| Workload Identity | Enabled |
Staging Cluster¶
Defined in: infrastructure-management/projects/orofi-staging/k8s.tf
| Property | Value |
|---|---|
| Cluster Name | orofi-stage-cloud-stage-k8s-cluster |
| Zone | us-central1-a |
| Initial Node Count | 1 |
| Autoscaling Max | 15 |
| Zero Trust Master Access | Disabled (the control-plane endpoint is not restricted to the trusted ranges below) |
| Trusted IP Ranges | 35.226.57.140/32, 10.0.0.0/8, 11.0.0.0/16 |
| Workload Identity | Enabled |
Cloud SQL MySQL¶
Both environments share the same module (modules/datastore) but differ in tier and availability.
Staging Database¶
Defined in: infrastructure-management/projects/orofi-staging/
| Property | Value |
|---|---|
| Instance Name | orofi-stage-cloud-stage-oro-mysql-instance |
| Tier | db-n1-standard-1 |
| Version | MYSQL_8_0 |
| Availability | REGIONAL (high availability, automatic failover) |
| Disk Type | PD_SSD |
| Disk Size | 100 GB |
| Backups | 30 retained, automated daily |
| PITR | Enabled (binary logging) |
| SSL Mode | ENCRYPTED_ONLY |
| Public IP | Disabled |
| Private Network | orofi-stage-cloud-stage-vpc |
| PSC | Enabled |
| Deletion Protection | Enabled |
DNS endpoints:

- microservice-communication-db.stage.orofi.xyz → Cloud SQL private IP
- microservice-identity-db.stage.orofi.xyz → Cloud SQL private IP
- microservice-monolith-db.stage.orofi.xyz → Cloud SQL private IP
- microservice-analytics-db.stage.orofi.xyz → Cloud SQL private IP
- db.stage.orofi.xyz → Cloud SQL private IP
- db-int.stage.orofi.xyz → 10.128.0.11 (internal; note this address lies outside the 11.0.0.0/16 staging subnet)
Development Database¶
| Property | Value |
|---|---|
| Instance Name | orofi-dev-cloud-dev-oro-mysql-instance |
| Tier | db-f1-micro |
| Version | MYSQL_8_0 |
| Availability | ZONAL (single zone, no failover) |
| Disk Type | PD_HDD |
| Disk Size | 20 GB |
| Public IP | Disabled |
| Private Network | orofi-dev-cloud-dev-vpc |
Redis Cache¶
Both environments use Cloud Memorystore Redis in STANDARD_HA mode.
| Property | Staging | Dev |
|---|---|---|
| Instance Name | orofi-stage-cloud-stage-redis-cache | orofi-dev-cloud-dev-redis-cache |
| Tier | STANDARD_HA | STANDARD_HA |
| Memory | 1 GB | 1 GB |
| Replica Count | 1 | 1 |
| Connect Mode | PRIVATE_SERVICE_ACCESS | PRIVATE_SERVICE_ACCESS |
| Auth | Enabled | Enabled |
| Persistence | RDB, 6-hour snapshots | RDB, 12-hour snapshots |
| DNS | redis.stage.orofi.xyz | redis.dev.orofi.xyz |
Load Balancer & Static IPs¶
Each environment has one static IP provisioned as an EXTERNAL PREMIUM-tier global IP. This IP is assigned to the Istio IngressGateway service. Check the address scope in Terraform: if the gateway is a Kubernetes LoadBalancer Service, GKE fronts it with a regional passthrough Network Load Balancer, which can only take a regional external address, not a global one.

- Dev: reserved as orofi-dev-cloud-dev-ingress-static-ip
- Staging: reserved as orofi-stage-cloud-stage-ingress-static-ip

A separate static IP serves MongoDB external access:

- mongodb-ext.stage.orofi.xyz → load balancer static IP (MongoDB exposed via Istio on port 32017)
- mongodb-ext.dev.orofi.xyz → load balancer static IP

In staging, where the zero-trust VPC firewall is disabled, this MongoDB port is reachable from any source address; whatever TLS and authentication the Istio gateway and MongoDB itself enforce are the only controls in front of it, so verify both before relying on the exposure.
Artifact Registry¶
Both Docker images and Maven packages are stored in Artifact Registry in the dev project (orofi-dev-cloud) and shared across environments for image promotion. The staging (and production) clusters therefore pull from a registry they do not own: their node or workload service accounts need read access (roles/artifactregistry.reader) on orofi-dev-cloud, and anyone who can push to these repositories can change what runs in every environment, so write access to them should be treated as production-level access.

| Repository | Type | Region | URL |
|---|---|---|---|
| orofi | Docker | us-central1 | us-central1-docker.pkg.dev/orofi-dev-cloud/orofi/ |
| orofi-maven | Maven | us-central1 | us-central1-maven.pkg.dev/orofi-dev-cloud/orofi-maven/ |
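Because every environment pulls from the one Docker repository above, a promotion pipeline usually gates manifests on two things: the image comes from that repository and it is pinned by digest rather than a mutable tag. The following added example (not part of the project's tooling) parses image references per the Docker reference grammar and applies that policy. The approved repository path is the one in the table; the sample manifest references, including the `api-gateway` image name and the look-alike `orofi-other` repository, are constructed for demonstration, and the policy itself is a common practice, not something the page states the project enforces.

```python
"""Policy check for image references against the shared Artifact Registry repo.

Added example, not project code. APPROVED_REPOS comes from the documented
table; SAMPLE_IMAGES are constructed; the policy (approved repo, digest-pinned,
no floating tag) is a common promotion gate, not a documented project rule.
"""
import re
from dataclasses import dataclass
from typing import Optional

APPROVED_REPOS = ("us-central1-docker.pkg.dev/orofi-dev-cloud/orofi",)
_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    path: str               # repository path below the registry host
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split registry/path[:tag][@sha256:digest] into its parts.

    Docker reference grammar: the first component is a registry host only if
    it contains '.' or ':' or is 'localhost'; otherwise the reference is a
    Docker Hub short name. A tag is the text after the last ':' that follows
    the last '/', so a registry port such as localhost:5000 is not a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest in {ref!r}: {digest!r}")
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if path.rfind(":") > path.rfind("/"):
        path, tag = path.rsplit(":", 1)
    if not path:
        raise ValueError(f"empty repository path in {ref!r}")
    return ImageRef(registry, path, tag, digest)


def check_image_ref(ref: str) -> list[str]:
    """Return policy findings for one reference; an empty list is a pass."""
    img = parse_image_ref(ref)
    repo = f"{img.registry}/{img.path}"
    findings = []
    # Exact match or a sub-path of an approved repo. A bare prefix test would
    # also accept look-alikes such as .../orofi-other/, hence the trailing '/'.
    if not any(repo == a or repo.startswith(a + "/") for a in APPROVED_REPOS):
        findings.append(f"not from an approved Artifact Registry repository: {repo}")
    if img.digest is None:
        findings.append("not pinned by digest; tags are mutable and can be repointed")
        if img.tag in (None, "latest"):
            findings.append("floating 'latest' tag (explicit or implied)")
    return findings


# Constructed sample manifest references (image names are illustrative).
SAMPLE_IMAGES = (
    "us-central1-docker.pkg.dev/orofi-dev-cloud/orofi/api-gateway@sha256:"
    + "0123456789abcdef" * 4,
    "us-central1-docker.pkg.dev/orofi-dev-cloud/orofi/api-gateway:1.4.2",
    "us-central1-docker.pkg.dev/orofi-dev-cloud/orofi-other/api-gateway:1.4.2",
    "redis:latest",
)


def audit(images=SAMPLE_IMAGES) -> dict[str, list[str]]:
    """Map each non-compliant reference to its findings."""
    return {ref: f for ref in images if (f := check_image_ref(ref))}


if __name__ == "__main__":
    for ref, findings in audit().items():
        print(ref)
        for finding in findings:
            print("  -", finding)
```

Only the digest-pinned reference from the approved repository passes; the tagged one is flagged as mutable, the `orofi-other` look-alike is rejected despite sharing the registry and project, and `redis:latest` collects all three findings.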
Request Flow: End-to-End¶
```mermaid
sequenceDiagram
    participant User as End User
    participant DNS as Cloud DNS<br/>(orofi-cloud)
    participant ILB as Istio IngressGateway<br/>(Static IP)
    participant GW as API Gateway Service<br/>(K8s namespace)
    participant SVC as Core Microservice<br/>(K8s namespace)
    participant DB as Cloud SQL MySQL<br/>(private IP)
    User->>DNS: HTTPS api.orofi.xyz
    DNS-->>User: 203.x.x.x (static IP)
    User->>ILB: HTTPS:443 (TLS terminated here)
    ILB->>GW: HTTP:80 (mTLS inside cluster)
    GW->>SVC: HTTP:80 (mTLS via Istio)
    SVC->>DB: MySQL:3306 (private VPC)
    DB-->>SVC: Query result
    SVC-->>GW: Response
    GW-->>ILB: Response
    ILB-->>User: HTTPS response
```
See Also¶
- Security Model — IAM, firewalls, mTLS details
- DNS & TLS — domain management
- Cluster Configuration — GKE node pool details
- Backup & Recovery — backup schedules