Network topology diagram
Internet, regions, load balancers, subnets, and security boundaries.
Every infrastructure-as-code setup starts simple—frontend, backend, database—but grows into a topology that spans regions, security zones, and failure domains. This template shows a three-tier network: public load balancers facing the internet, private app servers in isolated subnets, and databases in secure zones that accept traffic only from the app tier.
The diagram makes network policy visible: security groups act as stateful firewalls, private subnets mean no external access, and cross-region backups survive regional outages. When incidents happen or compliance questions arise, this diagram is proof that your network is partitioned correctly.
When to use this template
- Infrastructure documentation — new team members understand the network layout before reading CloudFormation or Terraform code.
- Security reviews — auditors can see which layers are exposed, how security groups restrict traffic, and where backups live.
- Disaster recovery planning — annotate with RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for each tier, so the team knows which failures are acceptable.
How to adapt it
Rename layers to your cloud provider: AWS (VPC, subnet, security group), Azure (virtual network, network security group), or GCP (VPC, firewall rule). Common extensions:
- Add a bastion host (jump box) for SSH access to private servers, protecting the app tier from direct internet exposure.
- Insert monitoring and logging (e.g., CloudWatch, DataDog) as a sidecar that collects metrics from all tiers without affecting traffic flow.
- Show edge cases (NAT Gateway for outbound internet access from private subnets, VPN for office access) to document all the ways traffic enters and leaves your network.
Visual edits regenerate the code, so you can reshape regions and security boundaries without hand-editing Mermaid syntax.
Mermaid code
Copy it anywhere Mermaid is supported — GitHub, Notion, or your docs.
flowchart TD
IGW["Internet Gateway"]
IGW --> LB["Load Balancer<br/>Public subnet"]
LB --> SG["Security Group<br/>Allow HTTP/HTTPS"]
SG --> APP1["App Server 1<br/>Private subnet A"]
SG --> APP2["App Server 2<br/>Private subnet B"]
APP1 --> DB[("Database<br/>Private subnet C")]
APP2 --> DB
DB --> BACKUP["Backup<br/>Cross-region"]
APP1 --> CDN["CDN<br/>Cache layer"]
APP2 --> CDN
CDN --> IGW
Frequently asked questions
- What does a network topology diagram show?
- It maps the flow of traffic through your infrastructure: how requests from the internet reach your load balancer, which security groups protect different tiers, which subnets isolate databases from app servers, and how traffic flows out to CDNs or backup regions. It makes the blast radius of each network change visible.
- Why separate public and private subnets?
- Public subnets face the internet (load balancers); private subnets hold app servers and databases that should never accept inbound traffic directly from the internet. If an attacker compromises a web server, private subnets limit what they can reach. The security group (a stateful firewall) controls exactly what traffic is allowed between layers.
- When should I add a CDN or caching layer?
- Add a CDN when serving static assets (images, CSS, JavaScript) to geographically distant users — it caches content at edge locations, reducing latency by 10–100x. If your database is the bottleneck, a cache layer (Redis, Memcached) near your app servers speeds up frequent queries. Both reduce load on origin servers.
- How do I show multi-region failover?
- Add a second VPC in a different region below the database box with a dashed replication arrow. Add a Route 53 (or DNS) node at the top that routes requests to the active region, with a failover rule pointing to the secondary. Visual edits regenerate clean code, so you can sketch redundancy patterns easily.
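The partitioning this diagram documents (only the load balancer in an internet-routed subnet, the app tier reachable only from the load balancer's group, the database reachable only from the app tier's group) can be checked rather than eyeballed. The following is an added example, not part of the template or of any provider SDK: it models the diagram's subnets and security groups as constructed sample data with placeholder names and reports every rule that breaks the three-tier policy.

```python
"""Policy check over a constructed model of the three-tier diagram.
Subnet, route and security-group names are illustrative placeholders,
not real cloud identifiers."""

# Constructed route-table summary: does the subnet route to the IGW?
ROUTES_TO_IGW = {
    "public": True,       # Load Balancer
    "private-a": False,   # App Server 1
    "private-b": False,   # App Server 2
    "private-c": False,   # Database
}

# Constructed security groups: ingress rules as (protocol, port, source),
# where source is a CIDR string or the name of another security group.
SECURITY_GROUPS = {
    "sg-lb": [("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")],
    "sg-app": [("tcp", 8080, "sg-lb")],
    "sg-db": [("tcp", 5432, "sg-app")],
}

# Subnet each tier's group is placed in (constructed, mirrors the diagram).
PLACEMENT = {"sg-lb": "public", "sg-app": "private-a", "sg-db": "private-c"}

# The policy the diagram encodes: each private tier accepts ingress only from
# the tier directly in front of it, the public tier only HTTP/HTTPS from the
# internet, and only the public tier may sit in an internet-routed subnet.
ALLOWED_SOURCES = {"sg-app": {"sg-lb"}, "sg-db": {"sg-app"}}
PUBLIC_PORTS = {80, 443}

def find_violations(routes, groups, placement):
    """Return policy violations; an empty list means the model matches
    the three-tier design the diagram documents."""
    problems = []
    for sg, subnet in placement.items():
        if routes[subnet] and sg != "sg-lb":
            problems.append(f"{sg} is placed in internet-routed subnet {subnet}")
    for proto, port, source in groups["sg-lb"]:
        if source == "0.0.0.0/0" and port not in PUBLIC_PORTS:
            problems.append(f"sg-lb exposes {proto}/{port} to the internet")
    for sg, allowed in ALLOWED_SOURCES.items():
        for proto, port, source in groups[sg]:
            if source not in allowed:
                problems.append(f"{sg} accepts {proto}/{port} from {source}")
    return problems

def with_db_open_to_internet(groups):
    """Constructed misconfiguration: a 'temporary' debugging rule opens the
    database port to the whole internet. Returns a copy; input is untouched."""
    broken = {sg: list(rules) for sg, rules in groups.items()}
    broken["sg-db"].append(("tcp", 5432, "0.0.0.0/0"))
    return broken
```

Run `find_violations` against the model exported from your real route tables and security groups during a security review; a non-empty result is the finding to attach to the diagram.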