Global architecture
Overview
The architecture follows a hybrid multi-site approach combining on-premises infrastructure (VMware vSphere 8 + vSAN) with public cloud (Azure), with secure connectivity between the sites and Azure provided by FortiGate.
```mermaid
graph TB
    subgraph SITES["INDIO Group sites"]
        subgraph SITE_A["Primary site"]
            FGT_A["FortiGate<br/>VDOM + IPS"]
            ESXI_A["4x ESXi 8.0<br/>512 GB RAM"]
            VSAN_A["vSAN NVMe"]
        end
        subgraph SITE_B["Secondary site"]
            FGT_B["FortiGate<br/>VDOM + IPS"]
            ESXI_B["4x ESXi 8.0<br/>512 GB RAM"]
            VSAN_B["vSAN NVMe"]
        end
    end
    subgraph AZURE["Azure"]
        BLOB["Blob Storage<br/>Immutable"]
        ENTRA["Entra ID<br/>SSO + MFA"]
        VMS["Azure VMs<br/>DR"]
    end
    subgraph SOC_ZONE["SOC"]
        ELK["Elasticsearch<br/>8 nodes"]
        WAZUH["Wazuh<br/>HA cluster"]
        SOAR["Shuffle SOAR"]
        TH["TheHive + Cortex"]
        TI["MISP + OpenCTI"]
    end
    FGT_A <-->|"IPsec/BGP"| FGT_B
    FGT_A <-->|"VPN/ExpressRoute"| AZURE
    ESXI_A --- VSAN_A
    ESXI_B --- VSAN_B
    VSAN_A <-->|"Replication"| VSAN_B
    WAZUH -->|"Logs"| ELK
    ELK --> SOAR
    SOAR --> TH
    TH --> TI
```
Security zones (FortiGate VDOMs)

| Zone | Function | Trust level |
|---|---|---|
| WAN | Internet access, carrier links | Untrusted |
| DMZ | Squid proxy, DNS relay | Low |
| VPN/ZTNA | ZTNA termination, remote access | Conditional |
| USER | Workstations, corporate Wi-Fi | Conditional |
| PRODUCTION | Application servers (micro-segmented) | High |
| INFRA | Infrastructure services (infra.indio) | High |
| APPLI | Business applications (micro-segmented) | High |
| ADMIN | Administration, Guacamole bastion | Critical |
| CORE | Network core, interconnections | Critical |
| SOC | SIEM, logs, security monitoring | Critical |
Components by layer

```mermaid
graph LR
    subgraph C1["1. Network"]
        FortiGate
        NSX
        VLANs
    end
    subgraph C2["2. Virtualization"]
        vSphere["vSphere 8"]
        vSAN
        Ceph
    end
    subgraph C3["3. OS"]
        Rocky9["Rocky Linux 9<br/>ANSSI-BP028"]
    end
    subgraph C4["4. IaC"]
        Terraform
        Ansible
        Packer
        GitLabCI["GitLab CI"]
    end
    subgraph C5["5. Identity"]
        FreeIPA
        AD["Active Directory"]
        EntraID["Entra ID"]
    end
    subgraph C6["6. DevOps"]
        GitLab
        Nexus["Nexus OSS"]
    end
    subgraph C7["7. Operations"]
        Zabbix
        Veeam
        GLPI
        n8n
    end
    subgraph C8["8. SOC"]
        ELK2["ELK Stack"]
        Wazuh2["Wazuh"]
        SOAR2["Shuffle"]
        TI2["MISP/OpenCTI"]
        Vault["Vault PKI"]
    end
    subgraph C9["9. Validation"]
        ART["Atomic Red Team"]
        Jupyter
    end
    C1 --> C2 --> C3 --> C4
    C4 --> C5 --> C6 --> C7
    C7 --> C8 --> C9
```
Physical infrastructure (lab)
Our deployment lab uses the following resources:

| Resource | Specification |
|---|---|
| ESXi | 4 hosts (1 physical + 3 nested), 2 clusters |
| vCenter | vcenter.infra.indio (10.15.100.10) |
| RAM | ~600 GB per host |
| Storage | 10 TB SSD per host |
| FortiGate | FGT HA (v7.4.1), 10.15.100.30 |
| VMs | 21 Rocky Linux 9 VMs spread across 5 zones |
Actual network addressing
The gateway column gives only the last octet; the gateway is the last usable address of each subnet.

| VLAN | Subnet | Gateway (last octet) | Usage |
|---|---|---|---|
| 101 | 10.15.100.0/28 | .14 | Hypervisors (vCenter, ESXi) |
| 102 | 10.15.100.192/28 | .206 | Storage (Ceph) |
| 103 | 10.15.100.208/28 | .222 | Monitoring (Zabbix) |
| 105 | 10.15.100.240/28 | .254 | Backup (Veeam) |
| 106 | 10.15.100.64/26 | .126 | Services (GLPI, n8n, GitLab, Nexus, Vault, NTP) |
| 107 | 10.15.100.224/28 | .238 | Identity (FreeIPA) |
| 108 | 10.15.100.128/26 | .190 | Admin (Guacamole bastion) |
| 109 | 10.15.100.16/28 | .30 | FortiGate management |
| 800 | 10.15.80.0/26 | .62 | Full SOC (14 VMs) |
| — | 10.15.50.0/29 | .6 | DMZ Squid proxy HA |
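As an added example (not code from the page or from the INDIO project), here is the address plan above checked with Python's standard `ipaddress` module, the way one would lint an IPAM export before pushing new VLANs to the FortiGate: it verifies that every gateway sits where the plan's convention puts it (last usable address of its subnet), that no two subnets overlap, maps a host such as vcenter (10.15.100.10) or the FortiGate management address (10.15.100.30) to its VLAN, and lists what is still unclaimed in 10.15.100.0/24. The VLAN-to-zone column is my assumption, inferred from each row's usage against the VDOM zones table; the page does not say which VLAN lands in which VDOM.

```python
import ipaddress
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    vlan: Optional[int]   # None for the untagged DMZ row ("—" on the page)
    subnet: str           # CIDR block from the addressing table
    gateway: str          # last octet of the gateway, as written on the page (".14")
    usage: str
    zone: str             # VDOM zone: an ASSUMPTION inferred from the usage column


# Address plan copied from the "Actual network addressing" table. The zone
# column is not on the page; it is a best-effort mapping to the VDOM zones table.
PLAN = [
    Entry(101,  "10.15.100.0/28",   ".14",  "Hypervisors (vCenter, ESXi)", "INFRA"),
    Entry(102,  "10.15.100.192/28", ".206", "Storage (Ceph)",              "INFRA"),
    Entry(103,  "10.15.100.208/28", ".222", "Monitoring (Zabbix)",         "INFRA"),
    Entry(105,  "10.15.100.240/28", ".254", "Backup (Veeam)",              "INFRA"),
    Entry(106,  "10.15.100.64/26",  ".126", "Services (GLPI, n8n, GitLab, Nexus, Vault, NTP)", "INFRA"),
    Entry(107,  "10.15.100.224/28", ".238", "Identity (FreeIPA)",          "INFRA"),
    Entry(108,  "10.15.100.128/26", ".190", "Admin (Guacamole bastion)",   "ADMIN"),
    Entry(109,  "10.15.100.16/28",  ".30",  "FortiGate management",        "ADMIN"),
    Entry(800,  "10.15.80.0/26",    ".62",  "Full SOC (14 VMs)",           "SOC"),
    Entry(None, "10.15.50.0/29",    ".6",   "DMZ Squid proxy HA",          "DMZ"),
]


def label(e: Entry) -> str:
    return f"VLAN {e.vlan}" if e.vlan is not None else "untagged"


def resolve_gateway(net: ipaddress.IPv4Network, suffix: str) -> ipaddress.IPv4Address:
    """Expand the table's '.14' shorthand against the subnet's first three octets.
    Safe here because every block on the page is a /26 or smaller inside one /24."""
    prefix = str(net.network_address).rsplit(".", 1)[0]
    return ipaddress.ip_address(prefix + suffix)


def validate_plan(plan) -> list:
    """One finding per inconsistency; an empty list means the plan is sound.
    Checks: gateway inside its subnet, gateway on the 'last usable host'
    convention, and no two subnets overlapping."""
    findings = []
    nets = []
    for e in plan:
        net = ipaddress.ip_network(e.subnet)      # raises if host bits are set
        nets.append((e, net))
        gw = resolve_gateway(net, e.gateway)
        last = net.broadcast_address - 1
        if gw not in net:
            findings.append(f"{label(e)}: gateway {gw} is outside {net}")
        elif gw != last:
            findings.append(f"{label(e)}: gateway {gw} is not the last usable address of {net} (expected {last})")
    for i, (a, a_net) in enumerate(nets):
        for b, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                findings.append(f"{label(a)} {a_net} overlaps {label(b)} {b_net}")
    return findings


def locate(ip: str, plan):
    """Map a host address to its (vlan, zone), or None if no listed subnet holds it."""
    addr = ipaddress.ip_address(ip)
    for e in plan:
        if addr in ipaddress.ip_network(e.subnet):
            return e.vlan, e.zone
    return None


def unallocated(plan, supernet: str) -> list:
    """CIDR blocks of `supernet` claimed by no plan entry (room for new VLANs)."""
    free = [ipaddress.ip_network(supernet)]
    for e in plan:
        net = ipaddress.ip_network(e.subnet)
        remaining = []
        for block in free:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))   # carve the VLAN out
            elif not block.subnet_of(net):                     # disjoint: keep as-is
                remaining.append(block)
        free = remaining
    return sorted(free)


if __name__ == "__main__":
    for finding in validate_plan(PLAN) or ["address plan OK"]:
        print(finding)
    print("vCenter 10.15.100.10 ->", locate("10.15.100.10", PLAN))
    print("FortiGate 10.15.100.30 ->", locate("10.15.100.30", PLAN))
    print("free in 10.15.100.0/24:", [str(n) for n in unallocated(PLAN, "10.15.100.0/24")])
```

On the page's plan the checker reports nothing, resolves the two lab addresses to VLANs 101 and 109, and shows 10.15.100.32/27 as the only block still free in the /24. Feed it a candidate entry before configuring the VLAN interface on the FortiGate: an overlapping block or a gateway outside its subnet is the kind of mistake that puts hosts silently into a neighbouring zone.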