Physical Deployment Diagram

Physical deployment of the Crew Management System across user access, identity, edge security, Azure entry services, AKS-hosted application services, enterprise data platforms, external integrations, and centralized monitoring/security controls.
USER / CLIENT ZONE
End users access the CMS web application from the browser over enterprise and internet-facing channels.
User
CMS Users
Operational users, supervisors, and administrators accessing CMS screens and business functions
React
Browser / React SPA
Frontend client delivered to the browser for login, workflow actions, documents, notifications, and dashboards
IDENTITY & ENTERPRISE ACCESS ZONE
Authentication and enterprise-controlled access policies are applied before frontend-facing application traffic enters the platform.
Azure AD
Azure AD
Enterprise identity provider for SSO, MFA, and Azure AD token issuance
Zscaler
Zscaler
Enterprise zero-trust access layer controlling user-originated connectivity
TOK
Token Exchange Model
BFF validates Azure AD token, then issues CMS Access Token + Refresh Token for runtime API access
EDGE / PERIMETER ZONE
Public ingress is protected by edge controls before traffic reaches Azure-hosted application entry points.
Akamai
Akamai
Public edge entry enforcing WAF, DDoS protection, bot filtering, and secure routing to the protected origin
Azure Application Gateway
Azure Application Gateway
Protected origin ingress with WAF before traffic enters the private AKS-hosted application environment
API ENTRY & FRONTEND-FACING ACCESS ZONE
Frontend requests enter through API governance and BFF admission before reaching backend services.
IBM API Connect
IBM API Connect
API exposure, governance, policy control, and controlled forwarding for frontend-facing CMS APIs
BFF
BFF Service
Validates Azure AD tokens, handles request admission, issues CMS access and refresh tokens, handles the refresh flow, and routes/aggregates frontend requests to backend services
AZURE KUBERNETES SERVICE (AKS) APPLICATION ZONE
Core CMS backend services and workflow orchestration components are deployed inside the AKS application cluster.
CMS Backend Services
USR
User Management Service
User retrieval, SailPoint integration, user mapping, and access-related logic
WF
Workflow Service
Workflow validation, submission, approval actions, and process coordination
NT
Notification Service
Internal notification creation, state updates, and outbound trigger coordination
DOC
Document Management Service
Upload/download control, secure retrieval, lifecycle handling, and metadata linking
DASH
Dashboard / Query Service
Dashboard data composition and read-only enterprise analytics retrieval
RPT
Reporting / Export Service
Coordinates generated documents, exports, and reporting-related outputs
Workflow Orchestration Runtime
TMP
Temporal Server / Workers
Durable workflow execution, retries, timers, long-running orchestration, and workflow progression control
DATA PLATFORMS & EXTERNAL INTEGRATION ZONE
Operational data, binary content, enterprise read-only data, and external enterprise services are connected to AKS-hosted backend components.
Azure DocumentDB
Azure DocumentDB
Operational data store for workflow state, notification state, document metadata, preferences, audit linkage, and CMS-owned records
Azure Storage Account (Blob Storage)
Azure Storage Account (Blob Storage)
Binary storage for uploaded files, generated documents, exports, attachments, and secure download content
Microsoft Fabric
Microsoft Fabric
Read-only enterprise analytics source consumed by backend services for dashboard and reporting data
SP
SailPoint IdentityIQ
Enterprise identity governance source for user information, user status, and lifecycle data
RX
RX Notification Service
Outbound enterprise notification provider used for email delivery in the current CMS scope
RX
RX Document Service
Enterprise document generation service used for generated PDF, CSV, and Excel outputs
SECURITY, MONITORING & PROTECTION ZONE
Cross-cutting controls provide observability, malware protection, cloud access control, and data protection across the deployed platform.
Datadog
Datadog
Central observability for logs, metrics, traces, retries, and request correlation across CMS services
CASB
CASB
Cloud access security broker monitoring uploaded content and enforcing file-level cloud access controls
OPS
OPSWAT (Future State)
Future-state deeper malware scanning and document inspection for uploaded files
DEF
Microsoft Defender
Threat detection and security response visibility across the deployed environment
TDP
Transparent Data Protection
Encryption and protection controls for sensitive data at rest and across trusted storage boundaries
Frontend-facing traffic enters only through Akamai → Azure Application Gateway → IBM API Connect → BFF. Backend services are deployed inside AKS, Microsoft Fabric remains read-only, DocumentDB stores operational state, Blob Storage stores binary objects, and cross-cutting monitoring/security controls remain centralized.
Legend: User / client zone | Identity & enterprise access | Edge / perimeter | API entry zone | AKS application zone | Data & integration zone | External enterprise services | Security & monitoring zone