
Data Flow

This page documents how data moves between services: which protocols are used, how each connection is authenticated, and what data is exchanged.

| From | To | Protocol | Auth | Purpose |
| --- | --- | --- | --- | --- |
| Cloud SPA | Cloud Backend | REST (/api/v1/*) | JWT Bearer | All CRUD operations |
| Cloud SPA | Cloud Backend | WebSocket (/api/ws/*) | JWT query param ?token= | Real-time security alerts, VPN sessions |
| Cloud Backend | Management Backend | HTTP (/internal/v1/*) | X-Internal-Token (shared secret) | License state fetch |
| Management Backend | Cloud Backend | HTTP (/internal/license/refresh) | HMAC signature (CLOUD_WEBHOOK_HMAC_SECRET) | License activation push |
| Edge Appliance | Cloud Backend | HTTP (/api/v1/devices/*, /api/v1/commands) | Provisioning key (per tenant) | Device registration, command polling |
| Edge Appliance | Ingestor | HTTP (POST /v1/ingest) | X-Device-Key header | Telemetry batch upload |
| Cloud Backend | Microsoft Entra ID | OIDC (HTTP) | OAuth client credentials | Platform SSO and per-tenant OIDC |
| Cloud Backend | Resend | HTTP | API key | Transactional email |
| Cloud Backend | NVD / CISA / MITRE | HTTP | API key (NVD) / public | CVE feed synchronization |
| Management SPA | Management Backend | REST (/api/v1/*) | JWT Bearer | Tenant management |

```mermaid
sequenceDiagram
    participant Browser
    participant CloudSPA as Cloud SPA
    participant API as Cloud Backend API
    participant SQL as Azure SQL

    Browser->>CloudSPA: Navigate to /incidents
    CloudSPA->>API: GET /api/v1/incidents (Bearer token)
    API->>API: Validate JWT, extract tenant_id + user_id
    API->>API: Check RBAC permission (incidents:read)
    API->>SQL: SELECT … WHERE tenant_id = SESSION_CONTEXT(...)
    SQL-->>API: Rows (RLS enforced)
    API-->>CloudSPA: 200 JSON
    CloudSPA-->>Browser: Render incidents list
```

```mermaid
sequenceDiagram
    participant Browser
    participant API as Cloud Backend API
    participant SQL as Azure SQL

    Browser->>API: WS upgrade /api/ws/security?token=<jwt>
    API->>API: Validate JWT, register connection in hub
    Note over API: hub maps tenant_id → []connections

    loop External alert arrives
        API->>SQL: INSERT security_alert (via webhook or ingestor)
        API->>API: Broadcast to all hub connections for tenant_id
        API-->>Browser: WS message { type: "alert", ... }
    end

    Browser->>API: WS close
    API->>API: Remove connection from hub
```

Sequence: Management → Cloud license activation

```mermaid
sequenceDiagram
    participant MgmtFE as Management SPA
    participant MgmtBE as Management Backend
    participant CloudBE as Cloud Backend

    MgmtFE->>MgmtBE: POST /api/v1/tenants/:id/license
    MgmtBE->>MgmtBE: Update tenant_licenses table (Mgmt DB)
    MgmtBE->>CloudBE: POST /internal/license/refresh (HMAC signed)
    CloudBE->>CloudBE: Verify HMAC signature
    CloudBE->>CloudBE: Update tenant_licenses + tenant_features (Cloud DB)
    CloudBE-->>MgmtBE: 200 OK
    MgmtBE-->>MgmtFE: License activated
    Note over CloudBE: Tenant active. Without activation, login is blocked.
```
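The HMAC step of the license push, as an added Go example that is not the project's own code: the Management Backend signs the raw request body with CLOUD_WEBHOOK_HMAC_SECRET, and the Cloud Backend recomputes the MAC and compares it in constant time before it touches tenant_licenses. The header name X-Signature, HMAC-SHA256, hex encoding and the 1 MiB body cap are assumptions; the page only says the request is HMAC signed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
)

// Header carrying the signature. Assumed name: the page says only "HMAC signed".
const sigHeader = "X-Signature"

// signBody is the Management Backend side: hex(HMAC-SHA256(secret, body)).
// SHA-256 and hex encoding are assumptions, not documented choices.
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyBody is the Cloud Backend side: recompute the MAC over the exact
// bytes received and compare with hmac.Equal (constant time), so a forged or
// modified push is rejected without leaking timing about the expected value.
func verifyBody(secret, body []byte, sigHex string) bool {
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// licenseRefreshHandler models /internal/license/refresh: verify first, and
// only then hand the body to apply (the hypothetical tenant_licenses update).
func licenseRefreshHandler(secret []byte, apply func(body []byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bound the read
		if err != nil || !verifyBody(secret, body, r.Header.Get(sigHeader)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		apply(body)
		w.WriteHeader(http.StatusOK)
	}
}
```

The MAC covers only the body, so a captured push could be replayed as-is; a timestamp or nonce inside the signed payload would be needed to close that, and the page does not say whether the real endpoint has one.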

```mermaid
sequenceDiagram
    participant Edge as Edge Appliance
    participant CloudBE as Cloud Backend
    participant Ingestor as Ingestor Service
    participant SQL as Azure SQL

    Edge->>CloudBE: POST /api/v1/devices/register (X-Provisioning-Key)
    CloudBE->>SQL: INSERT device, return device_key
    CloudBE-->>Edge: { device_key }

    loop Telemetry batch (periodic)
        Edge->>Ingestor: POST /v1/ingest (X-Device-Key)
        Note right of Edge: body: [{ kind: "telemetry", ... }, ...]
        Ingestor->>SQL: INSERT ingest_events (partitioned by tenant)
        Ingestor-->>Edge: 204 No Content
    end

    loop Command polling
        Edge->>CloudBE: GET /api/v1/commands (X-Device-Key)
        CloudBE-->>Edge: [{ command: "update_snap", ... }]
    end
```

The connections above depend on these environment variables being set correctly on each service:

| Variable | Set on | Purpose |
| --- | --- | --- |
| CLOUD_INTERNAL_API_TOKEN | Cloud Backend + Management Backend | Shared M2M Bearer secret |
| CLOUD_WEBHOOK_HMAC_SECRET | Cloud Backend + Management Backend | HMAC signing key for license webhook |
| MANAGEMENT_API_URL | Cloud Backend | URL of Management Backend (Cloud → Mgmt calls) |
| CLOUD_API_URL | Management Backend | URL of Cloud Backend (Mgmt → Cloud webhook) |
| VITE_API_URL | Cloud Frontend | Cloud Backend API origin |
| VITE_WS_URL | Cloud Frontend | WebSocket base URL |

See Cloud Backend local dev and Management local dev for full variable lists.