
Networking

Before You Read

This page explains the networking architecture. For DNS and TLS operations see DNS & TLS Reference. For VPC topology see Infrastructure Topology.

Traffic Flow Overview

graph LR
    subgraph External
        Client["Client Browser / App"]
    end

    subgraph GCP
        DNS["Cloud DNS\n*.{env}.orofi.xyz"]
        LB["GCP Load Balancer\n(Static IP)"]
        subgraph Istio["Istio IngressGateway (istio-system)"]
            IG["oro-gateway\nport 443 → TLS terminate"]
            Kafka_Port["port 39092 → Kafka TCP"]
            Mongo_Port["port 32017 → MongoDB TCP"]
        end
        subgraph App["Application Layer (mTLS)"]
            GW["API Gateway\nNamespace"]
            SVC["Microservice\nNamespace"]
        end
    end

    Client -->|"DNS lookup"| DNS
    DNS -->|"A record → static IP"| LB
    LB -->|"forward"| IG
    IG -->|"VirtualService routing"| GW
    GW -->|"Istio mTLS"| SVC

DNS

All DNS is managed in the orofi-cloud GCP project (a shared project for DNS). Cloud DNS zones are created via infrastructure-management/modules/dns/.

Zone Structure

| Zone | Records |
|---|---|
| dev.orofi.xyz | All *.dev.orofi.xyz records |
| stage.orofi.xyz | All *.stage.orofi.xyz records |
| orofi.xyz | Production records [NEEDS TEAM INPUT] |

Key DNS Records (Staging)

| Hostname | Resolves To | Purpose |
|---|---|---|
| *.stage.orofi.xyz | Load balancer static IP | Wildcard — all HTTPS applications |
| mongodb-ext.stage.orofi.xyz | Load balancer static IP | MongoDB external access (port 32017) |
| redis.stage.orofi.xyz | Redis instance private IP | Redis cache |
| db.stage.orofi.xyz | Cloud SQL private IP | Shared DB endpoint |
| db-int.stage.orofi.xyz | 10.128.0.11 | Direct internal DB access |
| microservice-communication-db.stage.orofi.xyz | Cloud SQL private IP | Per-service DB endpoint |
| microservice-identity-db.stage.orofi.xyz | Cloud SQL private IP | Per-service DB endpoint |
| microservice-monolith-db.stage.orofi.xyz | Cloud SQL private IP | Per-service DB endpoint |
| microservice-analytics-db.stage.orofi.xyz | Cloud SQL private IP | Per-service DB endpoint |

Key DNS Records (Dev)

| Hostname | Resolves To | Purpose |
|---|---|---|
| *.dev.orofi.xyz | Load balancer static IP | Wildcard |
| mongodb-ext.dev.orofi.xyz | Load balancer static IP | MongoDB external |
| redis.dev.orofi.xyz | Redis private IP | Redis |
| db.dev.orofi.xyz | Cloud SQL private IP | DB |
| db-int.dev.orofi.xyz | 10.128.0.12 | Direct internal |
| kafka-ui.dev.orofi.xyz | (via wildcard) | Kafka UI |
| mongoexpress.dev.orofi.xyz | (via wildcard) | Mongo Express |
| argocd.dev.orofi.xyz | (via wildcard) | ArgoCD |
| grafana.dev.orofi.xyz | (via wildcard) | Grafana |

TLS Termination

TLS is terminated at the Istio IngressGateway. cert-manager handles certificate lifecycle.

Certificate Configuration

The certificate istio-tls-cert is created in istio-system by cert-manager:

# Certificate covers *.{env}.orofi.xyz; cert-manager stores the issued
# key pair in the Secret named by secretName, which the Gateway below
# references as credentialName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-tls-cert
  namespace: istio-system
spec:
  secretName: istio-tls-cert
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "*.{env}.orofi.xyz"

Three issuers are available (defined in infrastructure-management/modules/helm/):

- letsencrypt-prod — Let's Encrypt production (real certificates)
- letsencrypt-staging — Let's Encrypt staging (for testing, not trusted by browsers)
- letsencrypt-dev — Development issuer

cert-manager Namespace

cert-manager runs in the cert-manager namespace with a service account in the orofi-cloud project (the shared DNS project). It uses the DNS-01 challenge, proving domain ownership to Let's Encrypt by writing challenge records into Cloud DNS, so issuance works even when no publicly accessible server is involved.
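To make the DNS-01 exchange concrete, here is an added example (not cert-manager's or the project's code) that computes the TXT value a solver must publish for a given challenge token and ACME account key, and verifies what was actually published against it. The JWK and token are constructed values; the record-name rule for wildcard names follows RFC 8555, which validates `*.dev.orofi.xyz` at `_acme-challenge.dev.orofi.xyz`.

```python
"""DNS-01 challenge record computation and verification (RFC 8555 section 8.4).

Added example, not cert-manager's code. ACCOUNT_JWK and TOKEN are
constructed; a real solver takes them from the ACME account and the
challenge object returned by the CA.
"""
import base64
import hashlib
import hmac
import json

# Constructed EC P-256 public key in JWK form (coordinates are placeholders,
# which is fine: only the canonical JSON bytes are hashed).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# Constructed challenge token as the CA would return it.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def challenge_record_name(domain: str) -> str:
    """Record name to publish; a wildcard name is validated at its base domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def verify_published_record(published: str, token: str, jwk: dict) -> bool:
    """Check that the TXT value found in Cloud DNS matches the expected value."""
    return hmac.compare_digest(published, dns01_txt_value(token, jwk))


if __name__ == "__main__":
    name = challenge_record_name("*.dev.orofi.xyz")
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
    print("matches:", verify_published_record(value, TOKEN, ACCOUNT_JWK))
```

When a renewal stalls, comparing the record cert-manager wrote into Cloud DNS against `dns01_txt_value` for the pending challenge distinguishes a propagation delay from a record computed against the wrong account key.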

For certificate renewal procedures see DNS & TLS Runbook.

Istio Service Mesh

Istio provides:

- mTLS between all services (SPIFFE/SVID identities)
- Traffic management (VirtualServices, DestinationRules)
- Observability (Prometheus metrics, distributed tracing)
- Ingress gateway (north-south traffic)
- Egress gateway (controlled outbound traffic)

Istio Version

Version 1.24.2, deployed via Helm charts in infrastructure-management/modules/helm/.

Components

| Component | Helm Chart | Namespace | Service Type |
|---|---|---|---|
| istio-base | base | istio-system | N/A (CRDs only) |
| istio-istiod | istiod | istio-system | ClusterIP |
| istio-ingressgateway | gateway | istio-system | LoadBalancer |
| istio-egressgateway | gateway | istio-system | ClusterIP |

IngressGateway Ports

# istio-system/istio-ingressgateway service (ports only)
ports:
  - name: status-port    # gateway proxy health/readiness
    port: 15021
  - name: http2          # redirected to HTTPS by the Gateway resource
    port: 80
  - name: https          # TLS terminated here with istio-tls-cert
    port: 443
  - name: mongodb        # raw TCP passthrough to MongoDB
    port: 32017
  - name: kafka          # raw TCP passthrough to Kafka
    port: 39092

Gateway Resource

The oro-gateway Gateway resource (in istio-system) configures which hostnames and ports Istio accepts:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: oro-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: istio-tls-cert
    hosts: ["*"]
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts: ["*"]
  - port:
      number: 39092
      name: tcp-kafka
      protocol: TCP
    hosts: ["*"]
  - port:
      number: 32017
      name: tcp-mongo
      protocol: TCP
    hosts: ["*"]

VirtualServices

Each microservice and tool has a VirtualService that routes requests from the gateway to the service. VirtualServices are created by the shared Helm chart template.

Example pattern:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: microservice-identity
  namespace: microservice-identity
spec:
  hosts: ["api.{env}.orofi.xyz"]
  gateways: ["istio-system/oro-gateway"]
  http:
  - match:
    - uri:
        prefix: /identity/
    route:
    - destination:
        host: microservice-identity
        port:
          number: 80

mTLS Enforcement

Each namespace has a PeerAuthentication resource set to STRICT mode:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: microservice-identity
spec:
  mtls:
    mode: STRICT

This means any connection to a pod in this namespace that doesn't present a valid Istio certificate (SVID) is rejected.

Exception: Port 6379 (Redis) is excluded from the Istio proxy via the traffic.sidecar.istio.io/excludeOutboundPorts annotation, so Redis traffic bypasses mTLS.
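The Gateway, VirtualService and PeerAuthentication resources above, together with the Redis exception, are the posture a reviewer wants to confirm across the cluster. The following is an added example, not part of the orofi-cloud project: it runs three checks over Kubernetes objects in the shape `kubectl get <kind> -A -o json` returns, flagging Gateway servers that do not terminate TLS, namespaces that are routed from `oro-gateway` without a STRICT PeerAuthentication, and pods whose sidecar annotation keeps Redis traffic outside mTLS. The objects are constructed literals mirroring the page's manifests; `microservice-analytics` is deliberately given PERMISSIVE mode so the audit has something to report, whereas the page states every namespace is STRICT.

```python
"""Audit Istio ingress and mTLS posture.

Added example, not the project's code. GATEWAY, VIRTUAL_SERVICES,
PEER_AUTHS and PODS are constructed to mirror this page's manifests; in
practice load the `.items` of `kubectl get <kind> -A -o json` instead.
"""
import json

GATEWAY_REF = "istio-system/oro-gateway"

# Constructed: the four servers of oro-gateway from the page.
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "oro-gateway", "namespace": "istio-system"},
    "spec": {"servers": [
        {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
         "tls": {"mode": "SIMPLE", "credentialName": "istio-tls-cert"}, "hosts": ["*"]},
        {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
         "tls": {"httpsRedirect": True}, "hosts": ["*"]},
        {"port": {"number": 39092, "name": "tcp-kafka", "protocol": "TCP"}, "hosts": ["*"]},
        {"port": {"number": 32017, "name": "tcp-mongo", "protocol": "TCP"}, "hosts": ["*"]},
    ]},
}

# Constructed: two VirtualServices bound to the gateway.
VIRTUAL_SERVICES = [
    {"kind": "VirtualService",
     "metadata": {"name": "microservice-identity", "namespace": "microservice-identity"},
     "spec": {"gateways": [GATEWAY_REF], "hosts": ["api.stage.orofi.xyz"]}},
    {"kind": "VirtualService",
     "metadata": {"name": "microservice-analytics", "namespace": "microservice-analytics"},
     "spec": {"gateways": [GATEWAY_REF], "hosts": ["api.stage.orofi.xyz"]}},
]

# Constructed: identity is STRICT as the page prescribes; analytics is
# deliberately PERMISSIVE here so the check below produces a finding.
PEER_AUTHS = [
    {"kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "microservice-identity"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "microservice-analytics"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
]

# Constructed: one pod carries the Redis bypass annotation named on the page.
PODS = [
    {"metadata": {"name": "microservice-identity-7d9f", "namespace": "microservice-identity",
                  "annotations": {"traffic.sidecar.istio.io/excludeOutboundPorts": "6379"}}},
    {"metadata": {"name": "microservice-analytics-1a2b", "namespace": "microservice-analytics",
                  "annotations": {}}},
]


def audit_gateway(gateway):
    """Map port number -> finding for servers that do not terminate TLS at the gateway."""
    findings = {}
    for server in gateway["spec"]["servers"]:
        port, proto = server["port"], server["port"]["protocol"].upper()
        tls = server.get("tls") or {}
        if proto == "HTTP" and not tls.get("httpsRedirect"):
            findings[port["number"]] = "plaintext HTTP served without httpsRedirect"
        elif proto == "HTTPS" and not tls.get("credentialName"):
            findings[port["number"]] = "HTTPS server has no credentialName bound"
        elif proto == "TCP":
            findings[port["number"]] = (f"{port['name']}: raw TCP passthrough, no TLS at the "
                                        "gateway; the backend must enforce its own auth and encryption")
    return findings


def audit_mtls(virtual_services, peer_auths, gateway_ref=GATEWAY_REF):
    """Map namespace -> finding where a gateway-routed namespace is not STRICT."""
    mode_by_ns = {pa["metadata"]["namespace"]: (pa["spec"].get("mtls") or {}).get("mode", "UNSET")
                  for pa in peer_auths}
    findings = {}
    for vs in virtual_services:
        if gateway_ref not in vs["spec"].get("gateways", []):
            continue
        ns = vs["metadata"]["namespace"]
        mode = mode_by_ns.get(ns, "MISSING")
        if mode != "STRICT":
            findings[ns] = f"PeerAuthentication mode is {mode}, expected STRICT"
    return findings


def redis_bypass_pods(pods, port=6379):
    """List namespace/name of pods whose sidecar excludes the Redis port from mTLS."""
    key = "traffic.sidecar.istio.io/excludeOutboundPorts"
    hits = []
    for pod in pods:
        meta = pod["metadata"]
        raw = (meta.get("annotations") or {}).get(key, "")
        excluded = {int(p) for p in raw.split(",") if p.strip()}
        if port in excluded:
            hits.append(f"{meta['namespace']}/{meta['name']}")
    return hits


if __name__ == "__main__":
    print(json.dumps({"gateway": audit_gateway(GATEWAY),
                      "mtls": audit_mtls(VIRTUAL_SERVICES, PEER_AUTHS),
                      "redis_bypass": redis_bypass_pods(PODS)}, indent=2))
```

The TCP findings for 39092 and 32017 are expected given the design above; they are listed so the review records that Kafka and MongoDB authentication is not provided by the gateway, and the Redis list is an inventory of the documented exception rather than a defect.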

Internal Service Discovery

Inside the cluster, services communicate using Kubernetes DNS:

{service-name}.{namespace}.svc.cluster.local

Example:

kafka.kafka.svc.cluster.local:9092

Services are defined as ClusterIP type — they are not directly accessible from outside the cluster without going through the Istio gateway.

Load Balancer

Each environment has one GCP external load balancer (PREMIUM tier) providing the static IP for the Istio IngressGateway:

# modules/network — static IP resource
resource "google_compute_address" "ingress_static_ip" {
  name         = "${var.project_id}-${var.env}-ingress-static-ip"
  address_type = "EXTERNAL"
  network_tier = "PREMIUM"
}

This static IP is set as the loadBalancerIP on the Istio IngressGateway service.

See Also