Layered Network Defense: Defense in Depth from Internet to Datastore

flowchart TD
    Client["Internet client<br/>(external, untrusted)"]:::extNode
    DDoS["DDoS scrubbing / CDN<br/>volumetric absorption, geo filtering<br/>[ addresses: DDoS ]"]:::ctrlNode
    Edge["Edge stateful firewall<br/>permits 443 only<br/>[ addresses: port and protocol abuse ]"]:::ctrlNode
    WAF["Web Application Firewall<br/>blocks L7 attacks: SQLi, XSS, smuggling<br/>[ addresses: OWASP Top 10 ]"]:::ctrlNode
    LB["Load balancer / TLS termination<br/>[ addresses: transport integrity ]"]:::ctrlNode
    App["Application tier — DMZ subnet<br/>N replicas, internal IPs"]:::dataNode
    Inner["Inner firewall / micro-segmentation<br/>deny by default<br/>[ addresses: lateral movement ]"]:::boundNode
    Internal["Internal services — private subnet<br/>database, cache, auth service"]:::dataNode

    Client --> DDoS --> Edge --> WAF --> LB --> App --> Inner --> Internal

    subgraph cross ["Cross-cutting concerns — span every layer"]
        IDS["IDS/IPS sensors<br/>taps at every boundary"]:::xIds
        Crypto["Encryption in transit<br/>TLS / mTLS at every hop"]:::xCrypto
        Logging["Logging and SIEM<br/>every component emits events"]:::xLog
    end

    classDef extNode fill:#eceff1,stroke:#455a64,stroke-width:2px,color:#212529,font-size:14px
    classDef ctrlNode fill:#1565c0,stroke:#0d47a1,stroke-width:2px,color:#fff,font-size:14px
    classDef dataNode fill:#fff8e1,stroke:#bfa14a,stroke-width:2px,color:#212529,font-size:14px
    classDef boundNode fill:#455a64,stroke:#263238,stroke-width:2px,color:#fff,font-size:14px
    classDef xIds fill:#ffa000,stroke:#e65100,stroke-width:2px,color:#212529,font-size:13px
    classDef xCrypto fill:#ffb74d,stroke:#e65100,stroke-width:2px,color:#212529,font-size:13px
    classDef xLog fill:#ffe082,stroke:#e65100,stroke-width:2px,color:#212529,font-size:13px
    linkStyle default stroke:#90a4ae,stroke-width:2px,font-size:14px

Color Key
Control layers
Data tiers
Boundaries
Cross-cutting observability

Layer Details

Read top to bottom: untrusted Internet at the top, your most sensitive data at the bottom.
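
The two firewall boundaries in the diagram (edge: 443 only; inner: deny by default) can be checked mechanically against an exported rule set. The following is an added example, not part of the original page: the zone names, the Rule format and the sample rules are constructed assumptions, and an implicit default deny is assumed, so only explicit allow rules are audited.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp", "udp" or "any"
    port: int     # destination port, 0 means any
    action: str   # "allow" or "deny"

# Zone names are assumptions that mirror the diagram's tiers.
INTERNET, DMZ, PRIVATE = "internet", "dmz", "private"

def audit(rules, inner_allowed):
    """Return (rule index, finding) for allow rules that break the layering.

    inner_allowed: set of (proto, port) pairs the application tier may use
    toward internal services; anything else must fall to the default deny.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == INTERNET and r.dst == PRIVATE:
            findings.append((i, "internet reaches private subnet directly"))
        elif r.src == INTERNET and r.dst == DMZ and (r.proto, r.port) != ("tcp", 443):
            findings.append((i, "edge permits more than tcp/443"))
        elif r.src == DMZ and r.dst == PRIVATE and (r.proto, r.port) not in inner_allowed:
            findings.append((i, "inner boundary allow is not on the allow-list"))
    return findings

# Constructed sample rule set with two deliberate misconfigurations.
SAMPLE_RULES = [
    Rule(INTERNET, DMZ, "tcp", 443, "allow"),
    Rule(INTERNET, DMZ, "tcp", 22, "allow"),    # management port exposed at the edge
    Rule(DMZ, PRIVATE, "tcp", 5432, "allow"),   # application tier to database
    Rule(DMZ, PRIVATE, "any", 0, "allow"),      # any-any defeats deny by default
    Rule(INTERNET, PRIVATE, "any", 0, "deny"),
]
INNER_ALLOWED = {("tcp", 5432), ("tcp", 6379)}  # constructed: database, cache

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_RULES, INNER_ALLOWED):
        print(f"rule {idx}: {msg}")
```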