REFERENCE ARCHITECTURE
Secure edge ingress
Defense-in-depth at the perimeter — Sentinel WAF, Gateway TLS termination, Fabric isolation, and Insight security monitoring.
Intermediate
Plan: Pro+
Resilience: multi-zone
Diagram
Use cases
- Public payment API
- Healthcare portal
- Government citizen services
Components
| Layer | Role | Product |
|---|---|---|
| Threat surface | Public internet ingress | Sentinel |
| Edge | TLS termination and routing | Gateway |
| Network | DMZ + private subnets | Fabric |
| Application | No direct public ports | Compute |
| Operations | WAF and access log SIEM | Insight |
Products
- Sentinel
- Gateway
- Fabric
- Compute
- Insight
When to use
- Public APIs handling PII or payment data.
- Compliance frameworks requiring WAF and audit (SOC 2, PCI scope reduction).
- Exposure to automated attack traffic (bots, scanners).
When to avoid
- Internal-only admin tools on VPN — Fabric-only Compute suffices.
Design notes
Layer order
Internet → Sentinel → Gateway → Compute. Never expose Compute ports directly.
WAF modes
Use block mode in production; warn mode in staging to tune rules without customer impact.
TLS everywhere
Gateway manages certificate rotation. HSTS enabled by default on managed domains.
Blueprint
Use this JSON as a starting point when creating a project via the Tesserra API or console. Replace image URLs, domains, and resource references with your values.
```json
{
  "nome": "Secure API",
  "recursos": [
    {
      "tipo": "fabric",
      "nome": "private-net",
      "config": {
        "cidr": "10.10.0.0/16",
        "publica": false
      }
    },
    {
      "tipo": "compute",
      "nome": "api-core",
      "config": {
        "subtipo": "api",
        "porta": 8080,
        "replicas_min": 2
      }
    },
    {
      "tipo": "sentinel",
      "nome": "edge-waf",
      "config": {
        "modo": "bloquear",
        "regras_basicas": true,
        "alvo_recurso_id": "api-core"
      }
    },
    {
      "tipo": "gateway",
      "nome": "public-gw",
      "config": {
        "dominio": "api.acme.com",
        "tls": true,
        "alvo_recurso_id": "api-core"
      }
    },
    {
      "tipo": "insight",
      "nome": "sec-insight",
      "config": {
        "retencao_dias": 90,
        "alertas": true
      }
    }
  ]
}
```
Related
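As an added example (not Tesserra's own tooling), a pre-deploy policy check over the blueprint above that enforces the design notes: Fabric not public, every Compute fronted by both a Sentinel and a Gateway whose targets resolve, block mode in production, TLS at the Gateway, and Insight alerting on. The dict is the page's blueprint; the function name and the `env` parameter are assumptions.

```python
"""Policy check for a Tesserra secure-ingress blueprint (added example; keys follow the page's blueprint)."""

# Sample input: the page's blueprint, copied into a Python dict.
BLUEPRINT = {"nome": "Secure API", "recursos": [
    {"tipo": "fabric", "nome": "private-net", "config": {"cidr": "10.10.0.0/16", "publica": False}},
    {"tipo": "compute", "nome": "api-core", "config": {"subtipo": "api", "porta": 8080, "replicas_min": 2}},
    {"tipo": "sentinel", "nome": "edge-waf", "config": {"modo": "bloquear", "regras_basicas": True, "alvo_recurso_id": "api-core"}},
    {"tipo": "gateway", "nome": "public-gw", "config": {"dominio": "api.acme.com", "tls": True, "alvo_recurso_id": "api-core"}},
    {"tipo": "insight", "nome": "sec-insight", "config": {"retencao_dias": 90, "alertas": True}},
]}

def _of_type(resources, tipo):
    return [r for r in resources if r.get("tipo") == tipo]

def check_blueprint(bp, env="production"):
    """Return findings as strings; an empty list means the blueprint matches the design notes."""
    res = bp.get("recursos", [])
    names = {r.get("nome") for r in res}
    findings = []
    # Network layer: no Fabric network may be publicly exposed.
    for f in _of_type(res, "fabric"):
        if f.get("config", {}).get("publica") is not False:
            findings.append(f"fabric {f.get('nome')!r} must set publica=false")
    # Layer order (Internet -> Sentinel -> Gateway -> Compute): every edge resource must point at an
    # existing resource, and every Compute must be fronted by both a Sentinel and a Gateway.
    fronted = {c["nome"]: set() for c in _of_type(res, "compute")}
    for edge in _of_type(res, "sentinel") + _of_type(res, "gateway"):
        target = edge.get("config", {}).get("alvo_recurso_id")
        if target not in names:
            findings.append(f"{edge['tipo']} {edge['nome']!r} targets unknown resource {target!r}")
        elif target in fronted:
            fronted[target].add(edge["tipo"])
    for compute, layers in fronted.items():
        for needed in ("sentinel", "gateway"):
            if needed not in layers:
                findings.append(f"compute {compute!r} is not fronted by a {needed}")
    # WAF mode: block in production (the design notes reserve warn mode for staging).
    for s in _of_type(res, "sentinel"):
        if env == "production" and s.get("config", {}).get("modo") != "bloquear":
            findings.append(f"sentinel {s['nome']!r} must use modo=bloquear in production")
    # TLS everywhere: the Gateway must terminate TLS on its managed domain.
    for g in _of_type(res, "gateway"):
        if g.get("config", {}).get("tls") is not True:
            findings.append(f"gateway {g['nome']!r} must enable tls")
    # Operations: at least one Insight with alerting on, so WAF and access logs reach the SIEM.
    if not any(i.get("config", {}).get("alertas") is True for i in _of_type(res, "insight")):
        findings.append("no insight resource with alertas=true")
    return findings
```

Run it against the blueprint before submitting it to the API or console; the page's blueprint returns no findings, and any non-empty list names the design note it violates.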
Single-region web application
Production-ready pattern for SPAs, e-commerce, and public APIs — Compute, Datastore, Gateway, Sentinel, and Insight in one region.
Microservices on private Fabric
Multiple Compute services on an isolated Fabric network, public ingress via Gateway, per-service Datastores and Autoscale policies.
Regulated enterprise (finance & health)
Full defense-in-depth: Sentinel, Fabric isolation, HA Datastores, Archive with retention, Insight audit logs, multi-region option — maps to SOC 2 / LGPD / HIPAA-ready posture.