# Network Topology

## Overview

This document describes the network architecture for the Ansible-managed infrastructure, including physical and virtual network layouts, security zones, and connectivity patterns.

## Network Diagram

```
                              Internet
                                  │
                                  │
                           Firewall/Router
                                  ▼
┌──────────────────────────────────────────────────────────────────┐
│                        Management Network                        │
│                    (192.168.1.0/24 - Example)                    │
│                                                                  │
│   ┌──────────────┐        ┌──────────────┐                       │
│   │   Ansible    │────────│    Gitea     │                       │
│   │   Control    │        │  Repository  │                       │
│   └──────────────┘        └──────────────┘                       │
│          │                                                       │
│          │ SSH (Port 22, Key-based)                              │
└──────────┴──────────────────────┬───────────────────────────────┘
                                  │
                 ┌────────────────┼────────────────┐
                 │                │                │
                 ▼                ▼                ▼
          ┌─────────────┐  ┌─────────────┐  ┌─────────────┐
          │ Hypervisor  │  │ Hypervisor  │  │ Hypervisor  │
          │  (grokbox)  │  │   (hv02)    │  │   (hv03)    │
          └──────┬──────┘  └──────┬──────┘  └──────┬──────┘
                 │                │                │
                 │   Virtual Networks (libvirt)    │
                 │                │                │
           ┌─────┴────────────────┴────────────────┴─────┐
           │              VM Network Layer               │
           │                                             │
           │   ┌──────┐  ┌──────┐  ┌──────┐  ┌──────┐    │
           │   │ Web  │  │ App  │  │  DB  │  │Cache │    │
           │   │ VMs  │  │ VMs  │  │ VMs  │  │ VMs  │    │
           │   └──────┘  └──────┘  └──────┘  └──────┘    │
           └─────────────────────────────────────────────┘
```

## Network Zones

### Management Zone

- **Purpose**: Ansible control and infrastructure management
- **CIDR**: 192.168.1.0/24 (example - adjust per environment)
- **Access**: Restricted to operations team
- **Protocols**: SSH (22), HTTPS (443)

### Hypervisor Zone

- **Purpose**: KVM/libvirt hypervisor hosts
- **Access**: Ansible control node via SSH
- **Services**: libvirt (16509), SSH (22)

### Guest VM Zone

- **Purpose**: Application and service VMs
- **Networks**: Multiple virtual networks per purpose
  - Production: 10.0.1.0/24
  - Staging: 10.0.2.0/24
  - Development: 10.0.3.0/24

## Virtual Networking (libvirt)

### Default NAT Network

- **Network**: `default`
- **Type**: NAT
- **Subnet**: 192.168.122.0/24
- **DHCP**: Enabled
- **Use Case**: Development and testing VMs

### Bridged Network

- **Network**: `br0`
- **Type**: Bridge
- **Configuration**: Attached to physical NIC
- **Use Case**: Production VMs requiring direct network access

## Firewall Rules

### Hypervisor Firewall (firewalld/UFW)

**Allowed Inbound**:

- SSH from Ansible control node (port 22)
- libvirt management from control node (port 16509)

**Denied**:

- All other inbound traffic (default deny)

### Guest VM Firewall

**Allowed Inbound**:

- SSH from hypervisor/management network (port 22)
- Application-specific ports (per VM purpose)

**Allowed Outbound**:

- HTTPS for package repositories (port 443)
- DNS queries (port 53)
- NTP time sync (port 123)

## DNS Configuration

- **Primary**: 8.8.8.8 (Google DNS)
- **Secondary**: 1.1.1.1 (Cloudflare DNS)
- **Future**: Internal DNS server for local name resolution

## Related Documentation

- [Architecture Overview](./overview.md)
- [Security Model](./security-model.md)
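The two libvirt networks from the Virtual Networking section above, rendered as the XML that `virsh net-define` consumes, plus a check that pulls the security-relevant facts back out of a definition before it is applied. This is an added example, not code from the infrastructure repository: the `default` NAT values are libvirt's stock ones (192.168.122.0/24 on `virbr0`), the `br0` name comes from the document, and the gateway and DHCP range are derived from the subnet rather than assumed.

```python
"""Render and sanity-check libvirt network definitions for the topology doc.

Added example, not part of the Ansible repository. Assumes only what the
document states: a NAT network named `default` on 192.168.122.0/24 and a
bridged network named `br0` that attaches to an existing host bridge.
"""
import ipaddress
import xml.etree.ElementTree as ET


def nat_network_xml(name: str, subnet: str, bridge: str = "virbr0") -> str:
    """Build a NAT network: libvirt owns the bridge, runs dnsmasq for DHCP
    and masquerades guest traffic through the host. The gateway is the first
    host address and the DHCP range is derived from the subnet, so the
    range can never be misconfigured to fall outside it."""
    net = ipaddress.ip_network(subnet, strict=True)
    hosts = list(net.hosts())
    gateway, first_lease, last_lease = hosts[0], hosts[1], hosts[-1]

    root = ET.Element("network")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "forward", mode="nat")
    ET.SubElement(root, "bridge", name=bridge, stp="on", delay="0")
    ip = ET.SubElement(root, "ip", address=str(gateway), netmask=str(net.netmask))
    dhcp = ET.SubElement(ip, "dhcp")
    ET.SubElement(dhcp, "range", start=str(first_lease), end=str(last_lease))
    return ET.tostring(root, encoding="unicode")


def bridged_network_xml(name: str, host_bridge: str) -> str:
    """Build a bridged network: guests attach straight to a host bridge
    (br0 on the physical NIC). libvirt runs no DHCP or NAT here, so the
    guest is a first-class member of the physical LAN and is addressed
    and filtered there, not by the hypervisor."""
    root = ET.Element("network")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "forward", mode="bridge")
    ET.SubElement(root, "bridge", name=host_bridge)
    return ET.tostring(root, encoding="unicode")


def check_network(xml_text: str) -> dict:
    """Extract name, forward mode, DHCP state and subnet from a definition
    so a playbook can assert on them before `virsh net-define`. For NAT
    networks it also confirms the DHCP range lies inside the subnet."""
    root = ET.fromstring(xml_text)
    info = {
        "name": root.findtext("name"),
        "mode": root.find("forward").get("mode"),
        "dhcp": False,
    }
    ip = root.find("ip")
    if ip is not None:
        net = ipaddress.ip_network(
            f"{ip.get('address')}/{ip.get('netmask')}", strict=False
        )
        info["subnet"] = str(net)
        rng = ip.find("dhcp/range")
        if rng is not None:
            info["dhcp"] = True
            start = ipaddress.ip_address(rng.get("start"))
            end = ipaddress.ip_address(rng.get("end"))
            info["range_inside_subnet"] = start in net and end in net
    return info


if __name__ == "__main__":
    print(nat_network_xml("default", "192.168.122.0/24"))
    print(bridged_network_xml("br0", "br0"))
```

The absence of an `ip` element on the bridged definition is the point to audit: a bridged production VM gets its address and its perimeter from the physical network, so the guest-VM firewall rules in this document are the only host-side control on it.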
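The Firewall Rules section above can be encoded as a small default-deny policy and evaluated against sample flows, which is the check to run in CI before pushing host rules. This is an added example, not the project's own code: the management (192.168.1.0/24) and production (10.0.1.0/24) networks are the document's, while the control node address 192.168.1.10 and the web VM's service port 443 are constructed sample values. Hypervisor rules are also rendered in firewalld's rich-rule syntax, since the document names firewalld as one of the two host firewalls.

```python
"""Default-deny zone policy from the topology document, evaluated on flows.

Added example, not part of the Ansible repository. Networks are the ones
the document lists; the control node address and the example VM port are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

MGMT_NET = ipaddress.ip_network("192.168.1.0/24")        # from the document
CONTROL_NODE = ipaddress.ip_network("192.168.1.10/32")   # constructed sample
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    zone: str                        # "hypervisor" or "guest"
    direction: str                   # "in" or "out"
    peer: ipaddress.IPv4Network      # source for "in", destination for "out"
    port: int
    proto: str = "tcp"


# Hypervisor: only the control node reaches SSH and libvirtd; nothing else
# inbound. 16509 is libvirtd's plain TCP transport, which is why the rule is
# pinned to a single /32 rather than the whole management network.
HYPERVISOR_RULES = [
    Rule("hypervisor", "in", CONTROL_NODE, 22),
    Rule("hypervisor", "in", CONTROL_NODE, 16509),
]


def guest_rules(app_ports):
    """Guest VM policy: SSH from the management network, the VM's own
    service ports from anywhere, and outbound only to the package
    repositories, DNS and NTP that the document allows."""
    rules = [Rule("guest", "in", MGMT_NET, 22)]
    rules += [Rule("guest", "in", ANY, p) for p in app_ports]
    rules += [
        Rule("guest", "out", ANY, 443),
        Rule("guest", "out", ANY, 53, "udp"),
        Rule("guest", "out", ANY, 53, "tcp"),
        Rule("guest", "out", ANY, 123, "udp"),
    ]
    return rules


def allowed(rules, zone, direction, peer, port, proto="tcp"):
    """Default deny: a flow passes only if some rule matches every field."""
    addr = ipaddress.ip_address(peer)
    return any(
        r.zone == zone
        and r.direction == direction
        and addr in r.peer
        and r.port == port
        and r.proto == proto
        for r in rules
    )


def firewalld_rich_rule(rule):
    """Render an inbound rule in firewalld rich-rule syntax, suitable for
    `firewall-cmd --permanent --add-rich-rule`."""
    if rule.direction != "in":
        raise ValueError("rich rules here cover inbound policy only")
    return (
        f'rule family="ipv4" source address="{rule.peer}" '
        f'port port="{rule.port}" protocol="{rule.proto}" accept'
    )


if __name__ == "__main__":
    for r in HYPERVISOR_RULES:
        print(firewalld_rich_rule(r))
    print(allowed(HYPERVISOR_RULES, "hypervisor", "in", "192.168.1.50", 22))
```

The cases worth keeping in the test set are the near misses: a management-network host that is not the control node must still be refused on 22 and 16509, and SSH between guests on the production network is not granted by anything in the document, so the evaluator denies it.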