Reference Network Architecture
| Property | Value |
|---|---|
| Controls | SID-TRANS-01, SID-TRANS-04, SID-HARD-03 |
| ISO 27001 | A.8.20 (Network security), A.8.21 (Security of network services), A.8.22 (Segregation of networks), A.8.23 (Web filtering) |
Purpose
This document provides a reference network architecture for SIROS ID deployments, describing port separation, TLS boundaries, network segmentation, and the boundary between platform-provided controls and operator-required infrastructure. It addresses the finding that platform-level network controls (port separation, SSRF protection, TLS) exist but a consolidated reference architecture was not documented.
Deployment Overview
Port Separation
go-wallet-backend
| Port | Service | Bind | Authentication | Network Zone |
|---|---|---|---|---|
| 8080 | HTTP API (user-facing) | 0.0.0.0 | JWT (WebAuthn-issued) | Public (via reverse proxy) |
| 8081 | Admin API | Configurable | Bearer token (pre-shared) | Management only (must be network-restricted) |
| 8082 | WebSocket engine | 0.0.0.0 | JWT in first WS message | Public (via reverse proxy) |
| 8097 | VCTM Registry | 0.0.0.0 | Varies by route | Internal |
Each port runs as a separate http.Server instance with independent routing, enabling distinct network policies per port.
Split-mode deployment: The backend supports distributed deployment where HTTP, WebSocket, and Registry run on separate hosts:
- backend_url: HTTP API endpoint
- engine_url: WebSocket endpoint (e.g. wss://ws.wallet.example.com)
- registry_url: VCTM registry endpoint
- admin_url: Admin API endpoint
facetec-api
| Port | Service | Authentication | Network Zone |
|---|---|---|---|
| 8080 | All endpoints | JWT or AppKey | Public (via reverse proxy) |
| — | /livez, /readyz, /healthz | None | Management (probes) |
| — | /metrics | None | Management (Prometheus) |
Single port; endpoint-level differentiation for health and metrics.
vc Platform
Each vc service runs independently with its own port:
| Service | HTTP Port | gRPC Port | Network Zone |
|---|---|---|---|
| API Gateway | 8080 | — | Public (credential flows) |
| Issuer | 8080 | — (gRPC client) | Internal |
| Verifier | 8080 | — | Public (via reverse proxy) |
| Registry | 8080 | 8090 | Internal |
Inter-service communication: gRPC with optional mTLS (cert fingerprint and DN pinning).
TLS Boundaries
| Boundary | Protocol | TLS | Authentication |
|---|---|---|---|
| Internet → Reverse Proxy | HTTPS | TLS 1.2+ (operator config) | N/A |
| Reverse Proxy → Application | HTTP or TLS | Optional (operator config) | N/A |
| Application → MongoDB | TCP | Optional mTLS | Client cert |
| go-trust → External registries | HTTPS | TLS 1.2+ (hardened ciphers) | SSRF-protected |
| facetec-api → FaceTec Server | HTTPS | mTLS (optional) | Client cert |
| facetec-api → vc apigw | HTTPS | mTLS + TLS 1.2 | Client cert + Bearer |
| vc issuer ↔ registry | gRPC | mTLS (optional) | Cert fingerprint + DN |
SSRF Protection
Two components implement SSRF protection for outbound HTTP:
go-trust SafeHTTPClient
Applied to all trust resolution HTTP calls (ETSI TSL, DID, OpenID Federation):
- Blocks RFC 1918 private ranges, loopback, link-local
- Blocks cloud metadata endpoints (169.254.169.254)
- DNS rebinding protection (validates resolved IPs before connecting)
- HTTPS-only by default
- Host allowlisting (optional)
- Redirect target validation
vc Config Validation
Applied at configuration load time via safe_uri struct tags:
- DNS resolves configured URLs
- Rejects private IP ranges, loopback, link-local, localhost
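The following is an added illustration, not code from go-trust or the vc platform, of the two checks described above in Go: VetHost is the resolve-then-reject step (private, loopback, link-local, unspecified and the 169.254.169.254 metadata address, plus an optional host allowlist), and NewSafeClient repeats that check at dial time and connects to the vetted IP literal rather than the hostname, which is what blocks DNS rebinding; redirect targets are covered because every new connection passes through the same dialer. The function names and the allowlist parameter are assumptions; HTTPS-only enforcement is left to the caller in this snippet.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

// isBlockedIP: loopback, link-local (covers the 169.254.169.254 metadata address), RFC 1918 / ULA, unspecified.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() ||
		ip.IsUnspecified() || ip.Equal(net.ParseIP("169.254.169.254"))
}

// VetHost applies the optional allowlist (nil allows any host), resolves host and fails if any
// answer is blocked. The vetted IP is returned so the caller connects to it instead of re-resolving.
func VetHost(ctx context.Context, host string, allow map[string]bool) (net.IP, error) {
	if allow != nil && !allow[host] {
		return nil, fmt.Errorf("host %q is not on the allowlist", host)
	}
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("resolve %q: %v", host, err)
	}
	for _, a := range addrs {
		if isBlockedIP(a.IP) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, a.IP)
		}
	}
	return addrs[0].IP, nil
}

// NewSafeClient vets the target right before every connection. Redirect targets are covered too,
// because each new connection, including one to a redirected host, goes through the same dialer.
func NewSafeClient(allow map[string]bool) *http.Client {
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ip, err := VetHost(ctx, host, allow) // resolved and checked at dial time, not only at config load
		if err != nil {
			return nil, err
		}
		var d net.Dialer // connect to the vetted IP literal, so a changed DNS answer is never used
		return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
	}
	return &http.Client{Transport: &http.Transport{DialContext: dial}}
}
```

Dialing the IP literal does not weaken certificate checking: http.Transport takes the TLS server name from the request URL, not from the dialed address. Allowlist keys are bare hostnames as returned by url.URL.Hostname().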
Network Segmentation Model
The reference architecture uses four network zones:
Public Zone (DMZ)
- Reverse proxy / ingress controller
- TLS termination
- Routes to wallet backend (8080, 8082), vc verifier, vc API gateway
Application Zone
- All application services
- Inter-service communication (HTTP, gRPC)
- go-trust PDP (must not be directly public)
Data Zone
- MongoDB (wallet backend)
- PostgreSQL (vc, facetec-api)
- Access restricted to application zone
Management Zone
- Admin API (port 8081, management-plane exposure only)
- Prometheus metrics scraping
- CI/CD automation
- Kubernetes probes
Operator Requirements
The platform provides port separation, per-port authentication, and SSRF protection. Operators must implement:
| Requirement | Guidance |
|---|---|
| Reverse proxy / Ingress | Deploy TLS-terminating reverse proxy in front of all public-facing ports |
| Network policies | Restrict inter-zone traffic: data zone accessible only from application zone; management zone isolated from public |
| Admin port isolation | Ensure port 8081 is not reachable from public network; use Kubernetes NetworkPolicy or firewall rules |
| go-trust isolation | Deploy go-trust behind service mesh or restrict to application-zone-only access |
| Metrics endpoint protection | Restrict /metrics to Prometheus infrastructure; do not expose publicly |
| Database access | Restrict MongoDB/PostgreSQL to application-zone source IPs; use mTLS where supported |
| Egress filtering | Control outbound access; go-trust SafeHTTPClient handles SSRF, but other services need operator-level egress rules |
| Rate limiting at edge | Complement application-level rate limiting with infrastructure-level rate limiting at reverse proxy |