Fund System Security Architecture

Segmented fund-system architecture with separated business access, system service flows, controlled operations access, and DMZ boundary protection.
Office Network
Internal Enterprise Network
Application Subnet (Business Apps)
Application Subnet (Core)
B/S
C/S
OS
Database Subnet (Private)
Bank
Connectivity
Subnet
DMZ Subnet
External
(Bank)
Business Users
(Finance Dept)
User Access via
SSO / IAM
IT Operations
Privileged Access
via Bastion / PAM
(MFA, Approval,
Session Logging)
OA / ERP
Fund System
Bastion /
Jump Host
Database
Bank Connectivity
Service
(Payment, Statement,
Reconciliation, etc.)
Frontend /
Gateway
(API Gateway /
Reverse Proxy)
Bank Systems
Network ACLs
Security Groups
(Least Privilege)
Network ACLs
Firewall Rules
(Egress Control)
WAF / Firewall
DDoS Protection
(Ingress Filtering)
ℹ️ All inter-subnet traffic is controlled by Firewall Rules, Security Groups and NACLs. | All access is logged and monitored (SIEM / monitoring platform).
Note: This diagram is a reference architecture. Adjust subnets, components and controls based on actual environment and compliance requirements.