Purpose
This document defines the environment-specific realization of a BSFG estate containing:
- Enterprise
- IDMZ
- Plant A
- Plant B
It answers:
- what zones exist
- how each zone is realized
- which hosts and VIPs belong to each zone
- which identities belong to each zone
- which team owns each zone
It does not define the cross-zone authorization and federation policy in detail.
That belongs in the companion:
- Federation Relationship Matrix: Enterprise + IDMZ + 2 Plants
Relationship to Other Documents
This document instantiates:
- Reference Deployment Pattern: Triad-HA with Keepalived Failover
It assumes cross-zone behavior will be governed by:
- Reference Interaction Pattern: Cross-Zone BSFG Federation
Environment Summary
| Zone | Purpose | Deployment Pattern | Controller Exposure | Operational Owner |
|---|---|---|---|---|
| Enterprise | Corporate integration hub | Triad-HA | VIP on 9443 | Enterprise platform team |
| IDMZ | Mediated inter-zone relay and control zone | Triad-HA | VIP on 9443 | IDMZ / network platform team |
| Plant A | Autonomous plant OT zone | Triad-HA | VIP on 9443 | Plant A engineering / IT |
| Plant B | Autonomous plant OT zone | Triad-HA | VIP on 9443 | Plant B engineering / IT |
Zone Realization Rule
Each zone in this environment is realized as a Triad-HA instance:
- Alpha
- Beta
- Gamma
- Keepalived VIP
- local JetStream quorum
- active/passive BSFG controller
- zone-local artifact storage where applicable
This means the full estate contains:
- 4 zones
- 4 Triad-HA instances
- 12 hosts total
Zone Inventory
| Zone | Alpha | Beta | Gamma | VIP | Certificate Identity | Notes |
|---|---|---|---|---|---|---|
| Enterprise | enterprise-alpha |
enterprise-beta |
enterprise-gamma |
10.0.1.10 |
enterprise-bsfg |
Corporate integration zone |
| IDMZ | idmz-alpha |
idmz-beta |
idmz-gamma |
10.1.1.10 |
idmz-bsfg |
Mediated relay zone |
| Plant A | plant-a-alpha |
plant-a-beta |
plant-a-gamma |
10.2.1.10 |
plant-a-bsfg |
Plant A OT zone |
| Plant B | plant-b-alpha |
plant-b-beta |
plant-b-gamma |
10.3.1.10 |
plant-b-bsfg |
Plant B OT zone |
Host Role Matrix
| Host | Zone | Role | Keepalived | BSFG Controller | JetStream | Artifact Storage |
|---|---|---|---|---|---|---|
enterprise-alpha |
Enterprise | Alpha | MASTER-preferred | Active when VIP held | Yes | Yes |
enterprise-beta |
Enterprise | Beta | BACKUP | Standby | Yes | Yes |
enterprise-gamma |
Enterprise | Gamma | No | No | Yes | No |
idmz-alpha |
IDMZ | Alpha | MASTER-preferred | Active when VIP held | Yes | Yes, compact |
idmz-beta |
IDMZ | Beta | BACKUP | Standby | Yes | Yes, compact |
idmz-gamma |
IDMZ | Gamma | No | No | Yes | No |
plant-a-alpha |
Plant A | Alpha | MASTER-preferred | Active when VIP held | Yes | Yes |
plant-a-beta |
Plant A | Beta | BACKUP | Standby | Yes | Yes |
plant-a-gamma |
Plant A | Gamma | No | No | Yes | No |
plant-b-alpha |
Plant B | Alpha | MASTER-preferred | Active when VIP held | Yes | Yes |
plant-b-beta |
Plant B | Beta | BACKUP | Standby | Yes | Yes |
plant-b-gamma |
Plant B | Gamma | No | No | Yes | No |
Zone Endpoint Map
| Zone | Service Endpoint | Purpose |
|---|---|---|
| Enterprise | https://10.0.1.10:9443 |
Enterprise zone BSFG Connect RPC endpoint |
| IDMZ | https://10.1.1.10:9443 |
IDMZ zone BSFG Connect RPC endpoint |
| Plant A | https://10.2.1.10:9443 |
Plant A zone BSFG Connect RPC endpoint |
| Plant B | https://10.3.1.10:9443 |
Plant B zone BSFG Connect RPC endpoint |
Zone Identity Map
| Zone | Certificate Identity | Example DNS Name | Example SAN IP |
|---|---|---|---|
| Enterprise | enterprise-bsfg |
bsfg-ent.example.com |
10.0.1.10 |
| IDMZ | idmz-bsfg |
bsfg-idmz.example.com |
10.1.1.10 |
| Plant A | plant-a-bsfg |
bsfg-planta.local |
10.2.1.10 |
| Plant B | plant-b-bsfg |
bsfg-plantb.local |
10.3.1.10 |
Identity validation is based on configured certificate identity policy, typically using subject or SAN.
Zone Storage Posture
| Zone | JetStream Posture | Artifact Posture | Notes |
|---|---|---|---|
| Enterprise | Largest retention and integration volume | Long-retention enterprise object storage | Audit and document retention dominant |
| IDMZ | Compact but durable zone-local retention | Compact mediated artifact retention | Mediation only, not enterprise archive |
| Plant A | Plant-local durable replay and autonomy | Local plant artifact retention | Supports autonomous operation |
| Plant B | Plant-local durable replay and autonomy | Local plant artifact retention | Supports autonomous operation |
Ownership Matrix
| Zone | Primary Owner | Responsibilities |
|---|---|---|
| Enterprise | Enterprise platform team | Enterprise zone deployment, cert rotation, retention, monitoring, integration ownership |
| IDMZ | IDMZ / network platform team | IDMZ zone operation, mediation-path availability, firewall coordination |
| Plant A | Plant A engineering / IT | Plant A zone deployment, local producers/consumers, local autonomy |
| Plant B | Plant B engineering / IT | Plant B zone deployment, local producers/consumers, local autonomy |
Deployment Instance Notes
Enterprise
- primary aggregation and supervisory integration zone
- expected to expose enterprise-facing streams and retained artifacts
- does not require direct connectivity to plant zones in the canonical mediated model
IDMZ
- real durable zone, not transparent network fabric
- mediates Enterprise ↔ Plant A and Enterprise ↔ Plant B relationships
- does not host “boundary middleware”; it hosts a zone-owned BSFG deployment
Plant A
- autonomous production zone
- remains locally operational when Enterprise or IDMZ is unavailable
- participates only in explicitly configured federation relationships
Plant B
- same realization model as Plant A
- independent of Plant A at substrate level
- no direct plant-to-plant federation in the default estate
Canonical Estate Diagram
flowchart TD
subgraph ENT["ENTERPRISE"]
EA["enterprise-alpha"]
EB["enterprise-beta"]
EG["enterprise-gamma"]
EVIP["VIP: 10.0.1.10"]
end
subgraph IDMZ["IDMZ"]
IA["idmz-alpha"]
IB["idmz-beta"]
IG["idmz-gamma"]
IVIP["VIP: 10.1.1.10"]
end
subgraph PA["PLANT A"]
PAA["plant-a-alpha"]
PAB["plant-a-beta"]
PAG["plant-a-gamma"]
PAVIP["VIP: 10.2.1.10"]
end
subgraph PB["PLANT B"]
PBA["plant-b-alpha"]
PBB["plant-b-beta"]
PBG["plant-b-gamma"]
PBVIP["VIP: 10.3.1.10"]
end
Constraints Preserved by This Realization
- each zone is autonomous at the substrate level
- each zone owns its own durable state
- no cross-zone shared JetStream
- no cross-zone shared object store
- no direct plant-to-plant relationship in the default estate
- no direct enterprise-to-plant relationship in the default estate
- IDMZ remains a durable zone, not a durable boundary transport fabric
What This Document Does Not Define
This document does not define:
- per-peer exported streams
- artifact authorization per relationship
- cursor initialization modes per stream
- federation directionality policy
- forbidden vs allowed peer relationships beyond the default estate assumption
- commissioning procedure
- validation procedure
Those belong in:
- Federation Relationship Matrix: Enterprise + IDMZ + 2 Plants
- runbooks
- validation checklists