- Resource Groups • Network Zones • Identity • Security
- 1 Purpose
- 2 Architecture Overview
- 3 Resource Group Layout
- 4 Network Zones & Topology
- 5 Identity & Access Control
- 6 Security Foundations
- 7 Deployment Options
- 8 Reference Bicep Snippet
- 9 Monitoring and Observability
- 10 Compliance and Governance
- 11 Cost Optimization Guidelines
- 12 Disaster Recovery Strategy
- 13 Sample Topology Diagram
- 14 Benefits
- 15 Takeaway
Resource Groups • Network Zones • Identity • Security #
1 Purpose #
EA 2.0 is cloud-agnostic in theory but Azure-native in practice.
Deploying on Azure provides first-class services for identity, storage, compute, integration, and analytics — everything needed for an intelligent, event-driven architecture platform hosted inside a sovereign boundary.
The reference deployment defines a repeatable blueprint for secure, multi-tenant EA 2.0 environments.
2 Architecture Overview #
[User / Teams / Power BI]
│
▼
[Natural-Language Query UI (React Web App)]
│
▼
[Reasoning API – Azure Functions / App Service]
│
▼
[Knowledge Graph – Azure Cosmos DB (Gremlin)]
│
▼
[Data Lake / Blob Storage + Synapse / ADF Pipelines]
│
▼
[Integration Plane – Event Hub / Logic Apps / Service Bus]
│
▼
[Outbound Connectors – ServiceNow, Policy Gov, APIs]
All components reside within controlled resource groups segmented by function.
3 Resource Group Layout #
| Resource Group | Purpose | Key Resources |
|---|---|---|
rg-ea2-core | Core runtime services | App Service Plan, Functions, Cosmos DB |
rg-ea2-data | Storage & ETL | Blob Storage, Synapse, ADF |
rg-ea2-connectors | Integration plane | Logic Apps, Event Hub, API Mgmt |
rg-ea2-security | Identity & secrets | Key Vault, Managed Identity |
rg-ea2-monitoring | Observability | Log Analytics, Monitor, Sentinel |
rg-ea2-network | Networking & zones | VNet, Subnets, NSGs, Private Endpoints |
4 Network Zones & Topology #
EA 2.0 operates within three network zones for defense-in-depth:
| Zone | Contains | Connectivity |
|---|---|---|
| Front Zone | React UI, App Gateway, CDN | Public HTTPS only |
| Middle Zone | Reasoning API, Functions, Event Hub | Private Endpoints + VNet Integration |
| Data Zone | Cosmos DB, Blob, Synapse | No internet egress |
- Use VNet peering for cross-zone traffic.
- Enforce network rules with NSGs and private DNS.
- Enable Azure Firewall for egress inspection.
5 Identity & Access Control #
EA 2.0 relies on Microsoft Entra ID (formerly Azure AD) for all auth.
| Role | Purpose | Typical Access |
|---|---|---|
| Viewer | Read NLQ and Dashboards | Power BI, Graph Read only |
| Analyst | Create queries, validate DQ | Functions, Logic Apps |
| Admin | Configure connectors | Key Vault, ADF Pipelines |
| Service Principal | Automation agent | Managed Identity |
Authentication → OpenID Connect (JWT).
Authorization → Role-based via Entra groups.
6 Security Foundations #
| Control Area | Azure Feature | Purpose |
|---|---|---|
| Secret Management | Key Vault + RBAC | Centralized API keys |
| Encryption | Managed Keys (KMS) | At rest and in transit |
| Identity Isolation | Entra Conditional Access | Restrict external sign-ins |
| Audit Logging | Azure Monitor / Sentinel | End-to-end traceability |
| Data Protection | Purview / Sensitivity Labels | Policy driven governance |
Security baseline aligns to NIST 800-53 and CIS Azure Benchmarks.
7 Deployment Options #
| Mode | Use Case | Provisioning Method |
|---|---|---|
| Pilot (MVP) | Single tenant sandbox | ARM Template / Bicep |
| Enterprise | Multi-region HA + Dev/Test zones | Terraform / Azure Landing Zone |
| Sovereign Cloud | Government / regulatory tenant | Azure Gov / Stack Hub Blueprint |
8 Reference Bicep Snippet #
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
name: 'ea2-cosmos'
location: resourceGroup().location
kind: 'GlobalDocumentDB'
properties: {
databaseAccountOfferType: 'Standard'
consistencyPolicy: {
defaultConsistencyLevel: 'Session'
}
locations: [
{ locationName: resourceGroup().location, failoverPriority: 0 }
]
isVirtualNetworkFilterEnabled: true
}
}
Repeatable for Functions, Storage, and Monitor.
9 Monitoring and Observability #
EA 2.0 pipes telemetry into Log Analytics workspace:
- Function invocation latency
- Cosmos RU consumption
- Connector success rate
- Audit event volume
- Error traces by policy
Dashboards in Power BI and Azure Monitor give ops teams real-time health.
10 Compliance and Governance #
- Apply Azure Policy for location restrictions, tagging, and resource locks.
- Enable Defender for Cloud for threat protection.
- Log all admin actions in Activity Log + Sentinel SIEM.
- Integrate EA 2.0 graph with Purview for asset discovery and DQ alignment.
11 Cost Optimization Guidelines #
| Component | Cost Driver | Optimization |
|---|---|---|
| Cosmos DB | Request Units (RUs) | Autoscale + partition strategy |
| Functions | Execution time | Durable Functions / batch jobs |
| ADF / Synapse | Pipeline runs | Event-triggered runs |
| Monitor | Log retention | 30-day default + export to Blob |
12 Disaster Recovery Strategy #
- Cosmos DB multi-region replication.
- Storage geo-redundancy (GRS).
- Function App slot swap rollback.
- Configuration backups in Git and Key Vault export.
RPO ≤ 1 hour, RTO ≤ 2 hours.
13 Sample Topology Diagram #
┌────────────────────────────┐
│ Front Zone (VNet1) │
│ React UI + App Gateway │
└───────────┬────────────────┘
│ Private Link
┌───────────▼────────────────┐
│ Middle Zone (VNet2) │
│ Reasoning API + LogicApps │
└───────────┬────────────────┘
│ Private Endpoint
┌───────────▼────────────────┐
│ Data Zone (VNet3) │
│ Cosmos DB + Storage │
└────────────────────────────┘
14 Benefits #
✅ Completely tenant-sovereign deployment.
✅ Modular resource groups simplify management.
✅ Meets ISO 27001 / GDPR controls out of the box.
✅ Scales from pilot to enterprise without redesign.
✅ Supports federation with Azure Gov and SaaS systems.
15 Takeaway #
Infrastructure is the trust fabric of EA 2.0.
Deploying on Azure turns the blueprint into a living, secure, and compliant system — ready to host real-time governance and AI-driven decisioning at scale.
