REFERENCE ARCHITECTURE
Regulated enterprise (finance & health)
Full defense-in-depth: Sentinel, Fabric isolation, HA Datastores, Archive with retention, Insight audit logs, multi-region option — maps to SOC 2 / LGPD / HIPAA-ready posture.
Plan: Enterprise | Resilience: multi-regiao
Use cases
- Fintech API
- Health records portal
- Gov contractor SaaS
Components
| Layer | Role | Product |
|---|---|---|
| Perimeter | WAF + DDoS + rate limits | Sentinel |
| Edge | TLS 1.3 + HSTS | Gateway |
| Network | Zero-trust private net | Fabric |
| Application | Audited API services | Compute |
| Primary data | HA PostgreSQL | Datastore |
| Compliance store | Immutable archives | Archive |
| Event audit | Tamper-evident log | Conduit |
| Async audit | Compliance jobs | Lane |
| Operations | SIEM-style monitoring | Insight |
Products
- Sentinel
- Gateway
- Fabric
- Compute
- Datastore
- Archive
- Autoscale
- Insight
- Conduit
When to use
- Financial services, health tech, or gov contractors with audit requirements.
- Contracts mandating WAF, encryption at rest, and immutable audit trails.
- Data residency discussions with legal/compliance teams.
When to avoid
- Early-stage MVP without compliance scope.
- Teams without capacity to run incident response playbooks.
Design notes
Audit everything
Insight retention ≥ 365 days. Export logs to Archive for immutable cold storage. Conduit for tamper-evident event streams.
No public Compute
All application Compute on private Fabric. Only Sentinel + Gateway expose public endpoints.
HA by default
Datastore with HA enabled. Autoscale min replicas ≥ 2 in each active zone.
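The three design notes above can be enforced as a check that runs before a blueprint is submitted. This is an added example, not Tesserra code: `audit` and its finding labels are hypothetical, and the sample input is constructed with deliberate gaps. It assumes the key names used in this page's blueprint (`recursos`, `tipo`, `config`, `publica`/`publico`, `ha`, `replicas_min`, `retencao_dias`, `alvo_recurso_id`) mean what their names suggest, and that `replicas_min` on the Autoscale target is the replica floor.

```python
import json

# Constructed sample: same key names as the page's blueprint, with deliberate gaps.
SAMPLE = json.loads("""
{"nome": "demo", "recursos": [
  {"tipo": "fabric",    "nome": "secure-net", "config": {"publica": true}},
  {"tipo": "compute",   "nome": "core-api",   "config": {"replicas_min": 1}},
  {"tipo": "datastore", "nome": "primary-db", "config": {"ha": false}},
  {"tipo": "archive",   "nome": "cold",       "config": {"publico": false}},
  {"tipo": "autoscale", "nome": "ha-scale",   "config": {"alvo_recurso_id": "core-api"}},
  {"tipo": "insight",   "nome": "siem",       "config": {"retencao_dias": 90}}
]}
""")

PUBLIC_OK = {"sentinel", "gateway"}  # the only layers the design notes allow to be public

def audit(blueprint):
    """Return a sorted list of findings; an empty list means the notes are satisfied."""
    res = blueprint.get("recursos", [])
    by_name = {r["nome"]: r for r in res}
    kinds = {r["tipo"] for r in res}
    out = []
    # Audit everything: Insight, Archive and Conduit must all be present.
    for need in ("insight", "archive", "conduit"):
        if need not in kinds:
            out.append(f"missing:{need}")
    for r in res:
        t, n, c = r["tipo"], r["nome"], r.get("config", {})
        # No public Compute: nothing but Sentinel/Gateway may be flagged public.
        if t not in PUBLIC_OK and (c.get("publica") or c.get("publico")):
            out.append(f"public:{n}")
        # Audit everything: Insight retention of at least 365 days.
        if t == "insight" and c.get("retencao_dias", 0) < 365:
            out.append(f"retention:{n}")
        # HA by default: Datastore must have HA switched on explicitly.
        if t == "datastore" and c.get("ha") is not True:
            out.append(f"no-ha:{n}")
        # HA by default: the Autoscale target needs a floor of two replicas.
        if t == "autoscale":
            target = by_name.get(c.get("alvo_recurso_id"), {})
            if target.get("config", {}).get("replicas_min", 0) < 2:
                out.append(f"min-replicas:{c.get('alvo_recurso_id')}")
    return sorted(out)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check cannot see zone placement, so the "in each active zone" part of the HA note still needs to be confirmed against the deployed project.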
Blueprint
Use this JSON as a starting point when creating a project via the Tesserra API or console. Replace image URLs, domains, and resource references with your values.
```json
{
  "nome": "Regulated Core",
  "resiliencia": "multi-regiao",
  "recursos": [
    {
      "tipo": "fabric",
      "nome": "secure-net",
      "config": {
        "cidr": "10.60.0.0/16",
        "publica": false
      }
    },
    {
      "tipo": "compute",
      "nome": "core-api",
      "config": {
        "subtipo": "api",
        "replicas_min": 2,
        "replicas_max": 8
      }
    },
    {
      "tipo": "compute",
      "nome": "compliance-worker",
      "config": {
        "subtipo": "worker",
        "replicas_min": 1
      }
    },
    {
      "tipo": "datastore",
      "nome": "primary-db",
      "config": {
        "engine": "postgres",
        "ha": true,
        "tamanho_gb": 200
      }
    },
    {
      "tipo": "archive",
      "nome": "compliance-archive",
      "config": {
        "tamanho_gb": 2000,
        "publico": false
      }
    },
    {
      "tipo": "conduit",
      "nome": "audit-log",
      "config": {
        "particoes": 12,
        "retencao_horas": 8760
      }
    },
    {
      "tipo": "lane",
      "nome": "compliance-jobs",
      "config": {
        "duravel": true
      }
    },
    {
      "tipo": "sentinel",
      "nome": "perimeter-waf",
      "config": {
        "modo": "bloquear",
        "regras_basicas": true,
        "alvo_recurso_id": "core-api"
      }
    },
    {
      "tipo": "gateway",
      "nome": "public-edge",
      "config": {
        "dominio": "api.acme.com",
        "tls": true,
        "alvo_recurso_id": "core-api"
      }
    },
    {
      "tipo": "autoscale",
      "nome": "ha-scale",
      "config": {
        "alvo_recurso_id": "core-api",
        "metrica": "cpu",
        "limiar": 55
      }
    },
    {
      "tipo": "insight",
      "nome": "siem",
      "config": {
        "retencao_dias": 365,
        "alertas": true
      }
    }
  ]
}
```
Related
Secure edge ingress
Defense-in-depth at the perimeter — Sentinel WAF, Gateway TLS termination, Fabric isolation, and Insight security monitoring.
Multi-region active-active
Compute replicas across continental Zones, Gateway geo-routing, asynchronous or synchronous Datastore replication — Business and Enterprise tiers.
B2B SaaS multi-tenant platform
Tenant isolation at the organization layer, Fabric private networking, per-tenant Datastore schemas, Gateway custom domains, Sentinel and Autoscale for enterprise SLAs.