Moonlitic — Technical System Diagram
Azure-native · FHIR R4 · Zero-Trust · 6 engines + Demo · pairs with Moonlitic_Technical_Architecture.html
scope: end-to-end data plane + control plane
trust: Zero-Trust boundary @ Azure VNet
canonical: Moonlitic_Tech_Stack.html
[ MOONLITIC ZERO-TRUST BOUNDARY · Azure VNet · Private Endpoints · mTLS service-to-service ]

External Actors & Sources

Patient: Mobile / Web
Clinician: Browser / EHR-embed
Buyer / Pharma: Marketplace UI / API
Operator (CxO): Control plane
EHRs: Epic · Cerner · Allscripts
Payers: FHIR / X12 837·835
FHIR Aggregators: 1upHealth · Particle Health
Velo Payments: ACH · KYC · 1099-NEC
Zoho One: CRM · Books AP/AR
SendGrid: Transactional email

Azure Edge · Network Ingress · Identity

Azure Front Door + WAF · DDoS Protection
API Management: Rate limit · JWT validation
Identity: Microsoft Entra ID · OAuth 2.0 / OIDC · RBAC
Clear (IAL2): Identity proofing · liveness
Twilio Verify: SMS / Voice MFA

Business Logic · Azure Container Apps · Moonlitic Microservices

F01 Consent Engine: policy-aware · sub-5ms · 42 CFR Part 2 ✓
F02 Clinical Intelligence: FHIR-native · CDI · CMS-0057-F PA · Da Vinci
F03 Claims: X12 837·835 · HEDIS · SUD ICD-10 tagging ✓
F04 Reconciliation: cross-engine retry · verifyLedgerState() ✓
F05 Marketplace: SKUs · entitlements · PROHIBIT_SUD ✓
F06 Payouts: real-time royalties · Velo · 1099-NEC
@moonlitic/shared: auth · audit · ledger client · SensitiveField · field-crypto
Event Bus: RabbitMQ / Service Bus

Azure FHIR Conversion Stack · Upstream Data Normalization

FHIR Converter: HL7v2 · C-CDA · JSON → R4
AI Document Intel: PDFs · scanned forms
Azure Data Factory: orchestration · lineage
Azure Functions: CSV / Excel mapping rules

Datastores

Azure Health Data Services: FHIR R4 · DICOM · MedTech
Azure Cosmos DB: consent state · session
Microsoft Fabric: Lakehouse · Power BI
Azure Confidential Ledger: immutable audit · SHA-256 chain
Azure Blob Storage: documents · forms · exports

Security & Observability · Cross-Cutting

Azure Key Vault: FIPS 140-2 · DEK / KEK
Azure Sentinel: SIEM · log analytics
Defender for Cloud: CSPM · workload protection
Azure Monitor: App Insights · metrics

DevSecOps

GitHub Actions: CI · CodeQL · Dependabot
Azure Pipelines + ACR: CD · Container Registry
Defender DevOps: supply chain posture

Compliance Frame

HIPAA Security & Privacy: All 6 admin · 3 physical · 5 technical safeguards · BAA chain via Azure
42 CFR Part 2: SUD redisclosure prohibition · F01-F04 enforcement (Phase 1)
CMS-0057-F (Prior Auth): Da Vinci PAS · 72h urgent · Patient/Provider/P2P APIs (Ph3)
SOC 2 Type II: CC1-CC9 · Sentinel monitoring · Readiness in progress
GDPR · State Laws: TX HB 300 · CA CMIA · NE NDPA · stateConsentMiddleware ✓
HTI-5 · 21st Century Cures: FHIR R4 US Core · Info-blocking exceptions (Ph3)
HL7 FAST · TEFCA: 12 BUILT / 5 PARTIAL / 3 PLANNED · UDAP · X.509 binding (Ph3)
NIST 800-53 · FedRAMP-ready: ~80% Moderate · 11 policy docs · SSP · POA&M

Security Summary

Encryption: AES-256-GCM @ field · TLS 1.3 in transit · KV at rest
Tamper-evident audit: HMAC-SHA256 chained · Confidential Ledger
Identity assurance: NIST IAL2 (Clear) · AAL2 (Twilio) · zero-trust per call

Arrow labels: HTTPS · OIDC JWT · OAuth2 mTLS · zero-trust FHIR R4 audit append → FHIR R4 FHIR · OAuth2 client_credentials X12 837 · X12 835 · HL7v2 REST · HMAC webhook · ACH signed URL · FHIR Bundle export managed identity → secrets image deploy

Phase 1 audit-fix posture (commit 22c2579) · See COMPLIANCE_AUDIT_2026-05-03.md for delta · Phase 2 / 3 items marked (Ph2 / Ph3)

Legend & Conventions

Azure / Microsoft Cloud (gateways, data, security)
Moonlitic Microservice (Container App, F01-F06)
External system (EHRs, payers, aggregators, SaaS)
Security primitive (lock, key, shield)
Protocol / control-plane label
Zero-Trust Boundary (Azure VNet)

Iconography

cylinder: Datastore (FHIR R4 server, Cosmos DB, Fabric, Blob)
chain: Confidential Ledger (block/hash chain)
cloud: Cloud-hosted service (Azure or external SaaS)
gear: Pipeline / data processing (Functions, Data Factory)
3-stack: Containerized service (Azure Container Apps replicas)
shield: Defense / monitoring (Sentinel, Defender)

Arrow / line conventions

Internal data plane (mTLS, FHIR R4)
Azure-managed connection (gateway, deploy, internal)
External integration (FHIR · X12 · ACH · HMAC)
Control plane / security (auth, secrets, audit)