What it shows:
A strict, zone-based network topology map. It visually segments the infrastructure into logical security tiers (e.g., Client, Presentation/DMZ, Application, Data) separated by physical or virtual firewalls. It defines the exact VLAN boundaries, load balancer placements, and placeholders for IP subnets (xxx.xxx.xxx.xxx/xx).
Why it’s needed:
Routing configurations and physical security enforcement. This acts as the exact blueprint handed to the customer’s Network and Security teams. It visually proves that a compromised web server in Zone 2 cannot directly access the database in Zone 4 without passing through an internal inspection firewall. This diagram is the absolute prerequisite for requesting physical IP addresses and firewall rules.
When to use it:
Highly recommended for SADs and LLDs for any production enterprise deployment. If new IP addresses are being requested, cross-VLAN routing is being configured, or servers are being placed behind a corporate firewall, this diagram is non-negotiable.
When NOT to use it:
Generally best to omit for true Software-as-a-Service (SaaS) where the network fabric is entirely abstracted by the vendor. It can also be skipped for simple, single-tier “flat network” sandbox environments where security zoning is not in scope.
Example:
