@startuml
frame "Azure" {
  boundary "IpSec" as azure_ipsec
  boundary "SWH network" as azure_net
  collections "SWH workers\nDB replica\n..." as azure_workers
}

frame "VPN users" {
    collections "Open VPN users" as openvpn_users
}

cloud "Internet" as internet

frame "CESI Rocquencourt" {
    boundary "FW DSI" as dsi_fw

    boundary "VLAN 210 - swh-public" as vlan_public 

    together {
        together g1 {
            node louvre {
                boundary "IpSec" as louvre_ipsec
                interface "router" as louvre_fw
                boundary "OpenVPN" as louvre_openvpn
            }

            node "pergamon" as pergamon
            node "tate" as tate
            node "moma" as moma

            collections production_kafka [
                Production journals
                --
                (4 instances)
            ]

        }
    }
    boundary "VLAN 400 - swh-production" as vlan_production

    collections production_services [
        Production services
        ------
        databases
        workers
        ...
    ]
    frame New {
    node "SWH Firewall" as swh_fw
    together {
    frame Staging as frame_staging {
        boundary "VLAN 443 - swh-staging" as vlan_staging
        node staging_rp [
            Staging RP
            --
            SSL termination 
            fo *.staging.swh.network
        ]
        collections staging_kafka [
            Staging journals
            --
            (2? instances)
        ]
        staging_rp .[hidden]l. staging_kafka
        collections staging_services [
            Staging services
            ------
            web
            databases
            workers
            ...
        ]
    }
    frame Admin as frame_admin {
        node admin_rp [
            Admin RP
            --
            SSL temination
            for *.admin.swh.network(?)
        ]
        boundary "VLAN 442 - admin" as vlan_admin

        node netbox as admin_netbox
    }
    }
    }
}

azure_net -- azure_ipsec
azure_ipsec -- internet
internet -- dsi_fw
azure_workers -- azure_net
openvpn_users -- internet 
louvre_fw -r- louvre_openvpn

louvre_fw -- vlan_production : default gw

vlan_public -- louvre_fw
louvre_fw -l- louvre_ipsec

vlan_public -u- dsi_fw

pergamon -u- vlan_public
pergamon -d- vlan_production

tate -u- vlan_public
tate -d- vlan_production

moma -u- vlan_public
moma -d- vlan_production

staging_services -u- vlan_staging
production_services -u- vlan_production

production_kafka -u- vlan_public
production_kafka -d- vlan_production

swh_fw -r- vlan_public
swh_fw -d- vlan_staging : default gateway

staging_rp -u- vlan_public
staging_rp -.- vlan_staging

vlan_admin -u- swh_fw : default gateway

admin_netbox -u- vlan_admin

staging_kafka -u- vlan_public
staging_kafka -- vlan_staging

admin_rp -- vlan_admin
admin_rp -u- vlan_public
@enduml