Dominique Hallan
# EmpowerHealth - Comprehensive Architecture Design Document

## Executive Summary

The EmpowerHealth platform is a cloud-native healthcare analytics application designed to process Epic EMR data through Snowflake, providing AI-powered DRG analysis and patient risk scoring. This architecture leverages Azure services for infrastructure, hosting, and backup ML capabilities, while primarily utilizing Snowflake's Cortex AI for machine learning workloads.

## Table of Contents

1. [High-Level System Architecture](#high-level-system-architecture)
2. [Frontend Architecture](#frontend-architecture)
3. [Backend Services Architecture](#backend-services-architecture)
4. [Data & ML Pipeline Architecture](#data--ml-pipeline-architecture)
5. [Infrastructure & Networking](#infrastructure--networking)
6. [Security & Compliance Architecture](#security--compliance-architecture)
7. [CI/CD & Deployment Pipeline](#cicd--deployment-pipeline)
8. [Monitoring & Observability](#monitoring--observability)
9. [Implementation Details](#implementation-details)
10. [Cost Optimization Strategy](#cost-optimization-strategy)

---

## High-Level System Architecture

This diagram shows the complete end-to-end architecture from users to data processing:

```mermaid
graph TB
    %% User Layer
    subgraph "User Access Layer"
        DOCTOR[Healthcare Providers]
        ADMIN[Hospital Administrators]
        ANALYST[Data Analysts]
    end

    %% Frontend Infrastructure
    subgraph "Frontend Infrastructure"
        DNS[Azure DNS]
        CDN[Azure Front Door CDN]
        WAF[Azure WAF]
        CERT[Key Vault Certificates]
    end

    %% Application Layer
    subgraph "Application Layer"
        REACT[React Frontend]
        STATICWEB[Azure Static Web Apps]
        BLOB[Blob Storage Static Hosting]
    end

    %% Authentication
    subgraph "Authentication & Authorization"
        AAD[Azure AD B2C]
        SAML[Hospital SSO/SAML]
        JWT[JWT Tokens]
    end

    %% Backend Infrastructure
    subgraph "Backend Infrastructure"
        ALB[Application Gateway]
        APPSERVICE[App Service]
        FASTAPI[FastAPI Application]
        CACHE[Azure Cache for Redis]
    end

    %% Data Platform
    subgraph "Data Platform"
        SNOWFLAKE[Snowflake Data Cloud]
        STAGING[Data Staging]
        WAREHOUSE[Data Warehouse]
        MODELS[ML Models]
    end

    %% Primary ML Engine
    subgraph "Primary ML Engine (Snowflake)"
        CORTEX[Snowflake Cortex AI]
        DRG_SF[DRG Classification]
        RISK_SF[Risk Scoring]
        NLP_SF[Clinical NLP]
    end

    %% Backup ML Engine
    subgraph "Backup ML Engine (Azure)"
        AML[Azure Machine Learning]
        TEXTANALYTICS[Text Analytics for Health]
        OPENAI[Azure OpenAI Service]
        FUNCTIONS_ML[Azure Functions ML]
    end

    %% External Data Sources
    subgraph "Data Sources"
        EPIC[Epic EMR]
        HL7[HL7 FHIR]
        LABS[Lab Systems]
        PHARMACY[Pharmacy Systems]
    end

    %% Security & Monitoring
    subgraph "Security & Monitoring"
        KEYVAULT[Key Vault]
        MONITOR[Azure Monitor]
        ACTIVITYLOG[Activity Log]
        ALERTS[Event Grid Alerts]
    end

    %% User Connections
    DOCTOR --> DNS
    ADMIN --> DNS
    ANALYST --> DNS

    %% Frontend Flow
    DNS --> CDN
    CDN --> WAF
    WAF --> CERT
    CERT --> STATICWEB
    STATICWEB --> REACT
    STATICWEB --> BLOB

    %% Authentication Flow
    REACT --> AAD
    AAD --> SAML
    AAD --> JWT

    %% Backend Flow
    REACT --> ALB
    ALB --> APPSERVICE
    APPSERVICE --> FASTAPI
    FASTAPI --> CACHE

    %% Data Platform Connections
    FASTAPI --> SNOWFLAKE
    SNOWFLAKE --> STAGING
    STAGING --> WAREHOUSE
    WAREHOUSE --> MODELS

    %% Primary ML Flow
    MODELS --> CORTEX
    CORTEX --> DRG_SF
    CORTEX --> RISK_SF
    CORTEX --> NLP_SF

    %% Backup ML Flow (dotted lines)
    FASTAPI -.-> AML
    FASTAPI -.-> TEXTANALYTICS
    FASTAPI -.-> OPENAI
    FASTAPI -.-> FUNCTIONS_ML

    %% Data Ingestion
    EPIC --> STAGING
    HL7 --> STAGING
    LABS --> STAGING
    PHARMACY --> STAGING

    %% Security Connections
    FASTAPI --> KEYVAULT
    APPSERVICE --> MONITOR
    ALB --> ACTIVITYLOG
    MONITOR --> ALERTS

    %% Styling
    classDef users fill:#e8f5e8,stroke:#2e7d32,stroke-width:3px,color:#000
    classDef frontend fill:#e3f2fd,stroke:#1565c0,stroke-width:3px,color:#000
    classDef auth fill:#fff3e0,stroke:#f57c00,stroke-width:3px,color:#000
    classDef backend fill:#f3e5f5,stroke:#7b1fa2,stroke-width:3px,color:#000
    classDef data fill:#e0f2f1,stroke:#00695c,stroke-width:3px,color:#000
    classDef ml_primary fill:#e8f5e8,stroke:#388e3c,stroke-width:3px,color:#000
    classDef ml_backup fill:#ffebee,stroke:#c62828,stroke-width:3px,color:#000
    classDef sources fill:#f1f8e9,stroke:#689f38,stroke-width:3px,color:#000
    classDef security fill:#fce4ec,stroke:#ad1457,stroke-width:3px,color:#000

    class DOCTOR,ADMIN,ANALYST users
    class DNS,CDN,WAF,CERT,REACT,STATICWEB,BLOB frontend
    class AAD,SAML,JWT auth
    class ALB,APPSERVICE,FASTAPI,CACHE backend
    class SNOWFLAKE,STAGING,WAREHOUSE,MODELS data
    class CORTEX,DRG_SF,RISK_SF,NLP_SF ml_primary
    class AML,TEXTANALYTICS,OPENAI,FUNCTIONS_ML ml_backup
    class EPIC,HL7,LABS,PHARMACY sources
    class KEYVAULT,MONITOR,ACTIVITYLOG,ALERTS security
```

### Architecture Overview

The EmpowerHealth system follows a modern cloud-native architecture with the following key principles:

- **Microservices Architecture**: Loosely coupled services that can be developed, deployed, and scaled independently
- **Infrastructure as Code**: All infrastructure managed through Terraform for consistency and repeatability
- **Security by Design**: Multi-layered security approach with defense in depth
- **High Availability**: Multi-zone deployment with auto-scaling and failover capabilities
- **Cost Optimization**: Environment-specific resource allocation and auto-scaling

---

## Frontend Architecture

The frontend layer provides a secure, scalable, and performant user interface for healthcare professionals:

```mermaid
graph TB
    subgraph "Global Distribution"
        subgraph "DNS Layer"
            DNS[Azure DNS]
            HEALTH[Health Checks]
        end
        subgraph "CDN Layer"
            FD_GLOBAL[Azure Front Door Global]
            EDGE[Edge Locations]
            CACHE_POLICY[Cache Policies]
        end
    end

    subgraph "Security Layer"
        WAF_LAYER[Azure WAF]
        BOT_CONTROL[Bot Control]
        RATE_LIMIT[Rate Limiting]
        GEO_BLOCK[Geo Blocking]
        SSL_TERM[SSL Termination]
    end

    subgraph "Multi-Environment Hosting"
        subgraph "Development Environment"
            SWA_DEV[Static Web Apps Dev]
            BLOB_DEV[Blob Storage Dev]
            CDN_DEV[Azure CDN Dev]
        end
        subgraph "Staging Environment"
            SWA_STAGE[Static Web Apps Staging]
            BLOB_STAGE[Blob Storage Staging]
            CDN_STAGE[Azure CDN Staging]
        end
        subgraph "Production Environment"
            SWA_PROD[Static Web Apps Production]
            BLOB_PROD[Blob Storage Production]
            CDN_PROD[Azure CDN Production]
        end
    end

    subgraph "React Application"
        COMPONENTS[React Components]
        STATE[State Management]
        ROUTING[React Router]
        API_CLIENT[API Client]
        subgraph "UI Components"
            DASHBOARD[DRG Dashboard]
            PATIENT_VIEW[Patient Details]
            ANALYTICS[Analytics Views]
            SETTINGS[Settings Panel]
        end
    end

    subgraph "Frontend Authentication"
        MSAL_AUTH[MSAL Auth]
        AAD_SDK[Azure AD B2C SDK]
        JWT_STORE[JWT Storage]
        SESSION_MGT[Session Management]
    end

    %% DNS Flow
    DNS --> HEALTH
    DNS --> FD_GLOBAL
    FD_GLOBAL --> EDGE
    EDGE --> CACHE_POLICY

    %% Security Flow
    FD_GLOBAL --> WAF_LAYER
    WAF_LAYER --> BOT_CONTROL
    WAF_LAYER --> RATE_LIMIT
    WAF_LAYER --> GEO_BLOCK
    WAF_LAYER --> SSL_TERM

    %% Environment Routing
    SSL_TERM --> SWA_DEV
    SSL_TERM --> SWA_STAGE
    SSL_TERM --> SWA_PROD
    SWA_DEV --> BLOB_DEV
    SWA_STAGE --> BLOB_STAGE
    SWA_PROD --> BLOB_PROD
    BLOB_DEV --> CDN_DEV
    BLOB_STAGE --> CDN_STAGE
    BLOB_PROD --> CDN_PROD

    %% Application Layer
    CDN_DEV --> COMPONENTS
    CDN_STAGE --> COMPONENTS
    CDN_PROD --> COMPONENTS
    COMPONENTS --> STATE
    COMPONENTS --> ROUTING
    COMPONENTS --> API_CLIENT
    COMPONENTS --> DASHBOARD
    COMPONENTS --> PATIENT_VIEW
    COMPONENTS --> ANALYTICS
    COMPONENTS --> SETTINGS

    %% Authentication Integration
    COMPONENTS --> MSAL_AUTH
    MSAL_AUTH --> AAD_SDK
    AAD_SDK --> JWT_STORE
    JWT_STORE --> SESSION_MGT

    %% Styling
    classDef dns fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px
    classDef cdn fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    classDef security fill:#ffebee,stroke:#c62828,stroke-width:2px
    classDef hosting fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef react fill:#e0f2f1,stroke:#00695c,stroke-width:2px
    classDef auth fill:#fff3e0,stroke:#f57c00,stroke-width:2px

    class DNS,HEALTH dns
    class FD_GLOBAL,EDGE,CACHE_POLICY cdn
    class WAF_LAYER,BOT_CONTROL,RATE_LIMIT,GEO_BLOCK,SSL_TERM security
    class SWA_DEV,SWA_STAGE,SWA_PROD,BLOB_DEV,BLOB_STAGE,BLOB_PROD,CDN_DEV,CDN_STAGE,CDN_PROD hosting
    class COMPONENTS,STATE,ROUTING,API_CLIENT,DASHBOARD,PATIENT_VIEW,ANALYTICS,SETTINGS react
    class MSAL_AUTH,AAD_SDK,JWT_STORE,SESSION_MGT auth
```

### Frontend Components Explained

**DNS & Global Distribution:**

- Azure DNS provides DNS management with health checks and failover
- Azure Front Door CDN ensures global content delivery with sub-100ms latency
- Edge locations cache static assets close to users worldwide

**Security Layer:**

- Azure WAF protects against common web exploits (OWASP Top 10)
- Bot control prevents automated attacks
- Rate limiting protects against DDoS
- Geo-blocking restricts access by location if needed

**Multi-Environment Strategy:**

- Separate environments for development, staging, and production
- Each environment has its own Static Web Apps instance, Blob storage, and CDN distribution
- Allows for safe testing and gradual rollouts

**React Application Features:**

- Modern React 18+ with hooks and functional components
- State management using Redux Toolkit or Zustand
- React Router for client-side routing
- Optimized API client with request/response interceptors

---

## Backend Services Architecture

The backend provides secure API services and integrates with both Snowflake and Azure ML services:

```mermaid
graph TB
    subgraph "Load Balancing & Ingress"
        ALB[Application Gateway]
        TG_DEV[Target Pool Dev]
        TG_STAGE[Target Pool Staging]
        TG_PROD[Target Pool Production]
        subgraph "Health Monitoring"
            HC_DEV[Health Check Dev]
            HC_STAGE[Health Check Staging]
            HC_PROD[Health Check Production]
        end
    end

    subgraph "VNet Network Architecture"
        subgraph "Public Subnet"
            NAT[NAT Gateway]
            PIP[Public IP]
        end
        subgraph "Private Subnet AZ-1"
            AS_DEV[App Service Dev]
            INSTANCE_DEV1[VM Instance Dev-1]
            INSTANCE_DEV2[VM Instance Dev-2]
        end
        subgraph "Private Subnet AZ-2"
            AS_STAGE[App Service Staging]
            INSTANCE_STAGE1[VM Instance Stage-1]
            INSTANCE_STAGE2[VM Instance Stage-2]
        end
        subgraph "Private Subnet AZ-3"
            AS_PROD[App Service Production]
            INSTANCE_PROD1[VM Instance Prod-1]
            INSTANCE_PROD2[VM Instance Prod-2]
            INSTANCE_PROD3[VM Instance Prod-3]
        end
    end

    subgraph "FastAPI Application Layer"
        subgraph "API Endpoints"
            AUTH_API[Authentication API]
            PATIENT_API[Patient API]
            DRG_API[DRG Analysis API]
            ML_API[ML Inference API]
            ADMIN_API[Admin API]
        end
        subgraph "Business Logic"
            DRG_LOGIC[DRG Classification Logic]
            RISK_LOGIC[Risk Scoring Logic]
            REPORT_LOGIC[Report Generation]
            AUDIT_LOGIC[Audit Logging]
        end
        subgraph "Data Connectors"
            SF_CONNECTOR[Snowflake Connector]
            CACHE_CONNECTOR[Redis Connector]
            ML_CONNECTOR[ML Service Connector]
        end
    end

    subgraph "Caching & Session Management"
        REDIS_DEV[Azure Cache Dev]
        REDIS_STAGE[Azure Cache Staging]
        REDIS_PROD[Azure Cache Prod Cluster]
        subgraph "Cache Strategies"
            QUERY_CACHE[Query Result Cache]
            SESSION_CACHE[Session Cache]
            ML_CACHE[ML Prediction Cache]
        end
    end

    subgraph "Network Security Groups"
        NSG_ALB[ALB NSG]
        NSG_APP[App Service NSG]
        NSG_REDIS[Redis NSG]
    end

    %% Load Balancer Flow
    ALB --> TG_DEV
    ALB --> TG_STAGE
    ALB --> TG_PROD
    TG_DEV --> HC_DEV
    TG_STAGE --> HC_STAGE
    TG_PROD --> HC_PROD

    %% Network Flow
    PIP --> ALB
    ALB --> NSG_ALB
    NSG_ALB --> AS_DEV
    NSG_ALB --> AS_STAGE
    NSG_ALB --> AS_PROD
    AS_DEV --> INSTANCE_DEV1
    AS_DEV --> INSTANCE_DEV2
    AS_STAGE --> INSTANCE_STAGE1
    AS_STAGE --> INSTANCE_STAGE2
    AS_PROD --> INSTANCE_PROD1
    AS_PROD --> INSTANCE_PROD2
    AS_PROD --> INSTANCE_PROD3

    %% NAT Gateway for outbound
    INSTANCE_DEV1 --> NAT
    INSTANCE_STAGE1 --> NAT
    INSTANCE_PROD1 --> NAT

    %% FastAPI Layer
    INSTANCE_DEV1 --> AUTH_API
    INSTANCE_STAGE1 --> PATIENT_API
    INSTANCE_PROD1 --> DRG_API
    INSTANCE_PROD2 --> ML_API
    INSTANCE_PROD3 --> ADMIN_API
    AUTH_API --> DRG_LOGIC
    PATIENT_API --> RISK_LOGIC
    DRG_API --> REPORT_LOGIC
    ML_API --> AUDIT_LOGIC
    DRG_LOGIC --> SF_CONNECTOR
    RISK_LOGIC --> CACHE_CONNECTOR
    REPORT_LOGIC --> ML_CONNECTOR

    %% Caching
    CACHE_CONNECTOR --> REDIS_DEV
    CACHE_CONNECTOR --> REDIS_STAGE
    CACHE_CONNECTOR --> REDIS_PROD
    REDIS_PROD --> QUERY_CACHE
    REDIS_PROD --> SESSION_CACHE
    REDIS_PROD --> ML_CACHE

    %% Security
    NSG_ALB --> NSG_APP
    NSG_APP --> NSG_REDIS

    %% Styling
    classDef lb fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    classDef network fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef compute fill:#e0f2f1,stroke:#00695c,stroke-width:2px
    classDef api fill:#fff3e0,stroke:#f57c00,stroke-width:2px
    classDef cache fill:#ffebee,stroke:#c62828,stroke-width:2px
    classDef security fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px

    class ALB,TG_DEV,TG_STAGE,TG_PROD,HC_DEV,HC_STAGE,HC_PROD lb
    class NAT,PIP network
    class AS_DEV,AS_STAGE,AS_PROD,INSTANCE_DEV1,INSTANCE_DEV2,INSTANCE_STAGE1,INSTANCE_STAGE2,INSTANCE_PROD1,INSTANCE_PROD2,INSTANCE_PROD3 compute
    class AUTH_API,PATIENT_API,DRG_API,ML_API,ADMIN_API,DRG_LOGIC,RISK_LOGIC,REPORT_LOGIC,AUDIT_LOGIC,SF_CONNECTOR,CACHE_CONNECTOR,ML_CONNECTOR api
    class REDIS_DEV,REDIS_STAGE,REDIS_PROD,QUERY_CACHE,SESSION_CACHE,ML_CACHE cache
    class NSG_ALB,NSG_APP,NSG_REDIS security
```

### Backend Architecture Explained

**Load Balancing & High Availability:**

- Application Gateway distributes traffic across multiple Availability Zones
- Health checks ensure only healthy instances receive traffic
- Auto-scaling maintains desired capacity and replaces unhealthy instances

**Network Security:**

- Private subnets ensure backend instances are not directly accessible from the internet
- NAT Gateway provides secure outbound internet access for software updates
- Multiple layers of network security groups control traffic flow

**FastAPI Application Design:**

- RESTful API following the OpenAPI 3.0 specification
- Async/await patterns for high-concurrency workloads
- Structured logging and comprehensive error handling
- JWT-based authentication with role-based access control

**Caching Strategy:**

- Azure Cache for Redis clusters for high-performance data caching
- Multi-tier caching: query results, session data, ML predictions
- Cache invalidation strategies for data consistency

---

## Data & ML Pipeline Architecture

This shows the complete data flow from Epic EMR through Snowflake ML and Azure backup services:

```mermaid
graph TB
    subgraph "Healthcare Data Sources"
        subgraph "Epic EMR System"
            EPIC_PROD[Epic Production]
            EPIC_TEST[Epic Test Environment]
            EPIC_API[Epic FHIR APIs]
        end
        subgraph "Additional Sources"
            HL7[HL7 Messages]
            LAB_SYS[Laboratory Systems]
            PHARMACY[Pharmacy Systems]
            IMAGING[Medical Imaging]
        end
    end

    subgraph "Data Ingestion Layer"
        subgraph "Snowflake Ingestion"
            SNOWPIPE[Snowpipe Auto-Ingestion]
            STAGE_EXTERNAL[External Stages]
            STAGE_INTERNAL[Internal Stages]
        end
        subgraph "Data Processing"
            STREAMS[Snowflake Streams]
            TASKS[Snowflake Tasks]
            PROCEDURES[Stored Procedures]
        end
    end

    subgraph "Snowflake Data Architecture"
        subgraph "Raw Data Layer"
            RAW_PATIENT[Raw Patient Data]
            RAW_CLINICAL[Raw Clinical Data]
            RAW_BILLING[Raw Billing Data]
            RAW_LAB[Raw Lab Results]
        end
        subgraph "Cleansed Data Layer"
            CLEAN_PATIENT[Cleansed Patient Data]
            CLEAN_CLINICAL[Cleansed Clinical Data]
            CLEAN_BILLING[Cleansed Billing Data]
            CLEAN_LAB[Cleansed Lab Results]
        end
        subgraph "Analytics Layer"
            DIM_PATIENT[Patient Dimension]
            DIM_PROVIDER[Provider Dimension]
            DIM_DIAGNOSIS[Diagnosis Dimension]
            FACT_ENCOUNTER[Encounter Facts]
            FACT_BILLING[Billing Facts]
        end
    end

    subgraph "Primary ML Engine - Snowflake Cortex"
        subgraph "Cortex AI Functions"
            EXTRACT[EXTRACT_ANSWER]
            CLASSIFY[CLASSIFY_TEXT]
            SENTIMENT[SENTIMENT]
            SUMMARIZE[SUMMARIZE]
            TRANSLATE[TRANSLATE]
        end
        subgraph "Custom ML Models"
            DRG_MODEL[DRG Classification Model]
            RISK_MODEL[Risk Stratification Model]
            LOS_MODEL[Length of Stay Prediction]
            READMIT_MODEL[Readmission Risk Model]
        end
        subgraph "Feature Engineering"
            FEATURE_STORE[Feature Store]
            FEATURE_PIPELINE[Feature Pipelines]
            FEATURE_MONITORING[Feature Monitoring]
        end
    end

    subgraph "Backup ML Engine - Azure Services"
        subgraph "Azure Machine Learning"
            AML_STUDIO[AML Studio]
            AML_TRAINING[Training Jobs]
            AML_ENDPOINTS[Model Endpoints]
            AML_PIPELINES[ML Pipelines]
        end
        subgraph "Text Analytics for Health"
            NER[Named Entity Recognition]
            ICD_MAPPING[ICD-10 Code Mapping]
            CLINICAL_EXTRACT[Clinical Information Extraction]
        end
        subgraph "Azure OpenAI Service"
            GPT4[GPT-4 Models]
            CUSTOM_MODELS[Custom Fine-tuned Models]
            PROMPT_FLOW[Prompt Flow]
        end
        subgraph "Azure Functions"
            FUNC_INFERENCE[Real-time Inference]
            FUNC_BATCH[Batch Processing]
            FUNC_PREPROCESS[Data Preprocessing]
        end
    end

    subgraph "ML Model Deployment & Serving"
        subgraph "Model Registry"
            MODEL_REGISTRY[Centralized Model Registry]
            VERSION_CONTROL[Model Versioning]
            A_B_TESTING[A/B Testing Framework]
        end
        subgraph "Model Serving"
            REAL_TIME[Real-time Inference]
            BATCH_SCORING[Batch Scoring]
            STREAMING[Streaming Inference]
        end
    end

    %% Data Source Flow
    EPIC_PROD --> SNOWPIPE
    EPIC_TEST --> SNOWPIPE
    EPIC_API --> STAGE_EXTERNAL
    HL7 --> STAGE_EXTERNAL
    LAB_SYS --> STAGE_INTERNAL
    PHARMACY --> STAGE_INTERNAL
    IMAGING --> STAGE_EXTERNAL

    %% Ingestion Flow
    SNOWPIPE --> STREAMS
    STAGE_EXTERNAL --> STREAMS
    STAGE_INTERNAL --> STREAMS
    STREAMS --> TASKS
    TASKS --> PROCEDURES

    %% Data Layer Flow
    PROCEDURES --> RAW_PATIENT
    PROCEDURES --> RAW_CLINICAL
    PROCEDURES --> RAW_BILLING
    PROCEDURES --> RAW_LAB
    RAW_PATIENT --> CLEAN_PATIENT
    RAW_CLINICAL --> CLEAN_CLINICAL
    RAW_BILLING --> CLEAN_BILLING
    RAW_LAB --> CLEAN_LAB
    CLEAN_PATIENT --> DIM_PATIENT
    CLEAN_CLINICAL --> DIM_PROVIDER
    CLEAN_CLINICAL --> DIM_DIAGNOSIS
    CLEAN_CLINICAL --> FACT_ENCOUNTER
    CLEAN_BILLING --> FACT_BILLING

    %% Primary ML Flow
    FACT_ENCOUNTER --> EXTRACT
    FACT_ENCOUNTER --> CLASSIFY
    FACT_ENCOUNTER --> SENTIMENT
    FACT_ENCOUNTER --> SUMMARIZE
    FACT_ENCOUNTER --> TRANSLATE
    EXTRACT --> DRG_MODEL
    CLASSIFY --> RISK_MODEL
    SENTIMENT --> LOS_MODEL
    SUMMARIZE --> READMIT_MODEL
    DRG_MODEL --> FEATURE_STORE
    RISK_MODEL --> FEATURE_PIPELINE
    LOS_MODEL --> FEATURE_MONITORING

    %% Backup ML Flow (dotted lines)
    FACT_ENCOUNTER -.-> AML_STUDIO
    FACT_ENCOUNTER -.-> NER
    FACT_ENCOUNTER -.-> GPT4
    FACT_ENCOUNTER -.-> FUNC_INFERENCE
    AML_STUDIO -.-> AML_TRAINING
    AML_TRAINING -.-> AML_ENDPOINTS
    AML_ENDPOINTS -.-> AML_PIPELINES
    NER -.-> ICD_MAPPING
    ICD_MAPPING -.-> CLINICAL_EXTRACT
    GPT4 -.-> CUSTOM_MODELS
    CUSTOM_MODELS -.-> PROMPT_FLOW
    FUNC_INFERENCE -.-> FUNC_BATCH
    FUNC_BATCH -.-> FUNC_PREPROCESS

    %% Model Deployment
    DRG_MODEL --> MODEL_REGISTRY
    RISK_MODEL --> MODEL_REGISTRY
    AML_ENDPOINTS -.-> MODEL_REGISTRY
    MODEL_REGISTRY --> VERSION_CONTROL
    VERSION_CONTROL --> A_B_TESTING
    A_B_TESTING --> REAL_TIME
    A_B_TESTING --> BATCH_SCORING
    A_B_TESTING --> STREAMING

    %% Styling
    classDef sources fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px
    classDef ingestion fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    classDef data fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef snowflake_ml fill:#e0f2f1,stroke:#00695c,stroke-width:2px
    classDef azure_ml fill:#fff3e0,stroke:#f57c00,stroke-width:2px
    classDef deployment fill:#ffebee,stroke:#c62828,stroke-width:2px

    class EPIC_PROD,EPIC_TEST,EPIC_API,HL7,LAB_SYS,PHARMACY,IMAGING sources
    class SNOWPIPE,STAGE_EXTERNAL,STAGE_INTERNAL,STREAMS,TASKS,PROCEDURES ingestion
    class RAW_PATIENT,RAW_CLINICAL,RAW_BILLING,RAW_LAB,CLEAN_PATIENT,CLEAN_CLINICAL,CLEAN_BILLING,CLEAN_LAB,DIM_PATIENT,DIM_PROVIDER,DIM_DIAGNOSIS,FACT_ENCOUNTER,FACT_BILLING data
    class EXTRACT,CLASSIFY,SENTIMENT,SUMMARIZE,TRANSLATE,DRG_MODEL,RISK_MODEL,LOS_MODEL,READMIT_MODEL,FEATURE_STORE,FEATURE_PIPELINE,FEATURE_MONITORING snowflake_ml
    class AML_STUDIO,AML_TRAINING,AML_ENDPOINTS,AML_PIPELINES,NER,ICD_MAPPING,CLINICAL_EXTRACT,GPT4,CUSTOM_MODELS,PROMPT_FLOW,FUNC_INFERENCE,FUNC_BATCH,FUNC_PREPROCESS azure_ml
    class MODEL_REGISTRY,VERSION_CONTROL,A_B_TESTING,REAL_TIME,BATCH_SCORING,STREAMING deployment
```

### ML/AI Strategy Explained

**Primary Path - Snowflake Cortex AI:**

- **Built-in AI Functions**: Pre-trained models for common ML tasks
- **Custom Model Training**: Using Snowflake ML for domain-specific models
- **Feature Engineering**: Leverage SQL and Python for feature creation
- **Real-time Scoring**: Low-latency inference directly in Snowflake

**Backup Path - Azure ML Services:**

- **Azure Machine Learning**: For custom model development when Snowflake capabilities are insufficient
- **Text Analytics for Health**: Medical-specific NLP for clinical text processing
- **Azure OpenAI Service**: Large language models for advanced text generation and analysis
- **Azure Functions**: Lightweight ML functions for simple inference tasks

**Model Deployment Strategy:**

- A/B testing framework for comparing model performance
- Centralized model registry for version control and governance
- Multiple serving patterns: real-time, batch, and streaming inference

---

## Infrastructure & Networking

This diagram shows the complete Azure infrastructure setup with security zones:

```mermaid
graph TB
    subgraph "Global Infrastructure"
        subgraph "DNS & CDN"
            DNS[Azure DNS Hosted Zone]
            FD_GLOBAL[Azure Front Door Global Distribution]
            EDGE_CACHE[Edge Location Cache]
        end
        subgraph "Certificate Management"
            KV_CERTS[Key Vault Certificates]
            MANAGED_CERTS[Managed Certificates]
        end
    end

    subgraph "Azure Region: East US"
        subgraph "VNet: 10.10.0.0/16"
            subgraph "Public Subnets"
                PUB_1[Public Subnet 1<br/>10.10.10.0/24]
                PUB_2[Public Subnet 2<br/>10.10.20.0/24]
                PUB_3[Public Subnet 3<br/>10.10.30.0/24]
                PIP[Public IPs]
                NAT_1[NAT Gateway 1]
                NAT_2[NAT Gateway 2]
                NAT_3[NAT Gateway 3]
            end
            subgraph "Private Application Subnets"
                APP_1[App Subnet 1<br/>10.10.110.0/24]
                APP_2[App Subnet 2<br/>10.10.120.0/24]
                APP_3[App Subnet 3<br/>10.10.130.0/24]
                AS_DEV[App Service Dev]
                AS_STAGE[App Service Staging]
                AS_PROD[App Service Production]
            end
            subgraph "Private Database Subnets"
                DB_1[DB Subnet 1<br/>10.10.210.0/24]
                DB_2[DB Subnet 2<br/>10.10.220.0/24]
                DB_3[DB Subnet 3<br/>10.10.230.0/24]
                REDIS_CLUSTER[Azure Cache for Redis]
                POSTGRES[Azure Database for PostgreSQL]
            end
        end
        subgraph "Network Security Groups"
            NSG_ALB[ALB NSG<br/>Port 80, 443]
            NSG_APP[App Service NSG<br/>Port 5000]
            NSG_REDIS[Redis NSG<br/>Port 6379]
            NSG_DB[Database NSG<br/>Port 5432]
        end
    end

    subgraph "Load Balancing Layer"
        ALB[Application Gateway]
        TG_DEV[Backend Pool Dev]
        TG_STAGE[Backend Pool Staging]
        TG_PROD[Backend Pool Production]
        subgraph "Health Checks"
            HC_DEV[/health endpoint Dev/]
            HC_STAGE[/health endpoint Staging/]
            HC_PROD[/health endpoint Production/]
        end
    end

    subgraph "Auto Scaling"
        subgraph "Scaling Policies"
            SCALE_DEV[Scale Set Dev<br/>Min: 1, Max: 2]
            SCALE_STAGE[Scale Set Staging<br/>Min: 1, Max: 3]
            SCALE_PROD[Scale Set Production<br/>Min: 2, Max: 10]
        end
        subgraph "Azure Monitor Metrics"
            MON_CPU[CPU Utilization]
            MON_MEMORY[Memory Utilization]
            MON_REQUEST[Request Count]
            MON_LATENCY[Response Latency]
        end
    end

    subgraph "Infrastructure as Code"
        subgraph "Terraform Modules"
            TF_VNET[VNet Module]
            TF_SECURITY[Security Module]
            TF_COMPUTE[Compute Module]
            TF_DATABASE[Database Module]
            TF_MONITORING[Monitoring Module]
        end
        subgraph "State Management"
            TF_STATE[Terraform State]
            TF_LOCK[State Locking]
            STORAGE_BACKEND[Storage Account Backend]
            TABLE_LOCK[Table Storage Lock]
        end
    end

    %% Global Infrastructure Flow
    DNS --> FD_GLOBAL
    FD_GLOBAL --> EDGE_CACHE
    FD_GLOBAL --> KV_CERTS
    KV_CERTS --> MANAGED_CERTS

    %% VNet Network Flow
    PIP --> PUB_1
    PIP --> PUB_2
    PIP --> PUB_3
    PUB_1 --> NAT_1
    PUB_2 --> NAT_2
    PUB_3 --> NAT_3
    NAT_1 --> APP_1
    NAT_2 --> APP_2
    NAT_3 --> APP_3

    %% Application Deployment
    APP_1 --> AS_DEV
    APP_2 --> AS_STAGE
    APP_3 --> AS_PROD

    %% Database Layer
    APP_1 --> DB_1
    APP_2 --> DB_2
    APP_3 --> DB_3
    DB_1 --> REDIS_CLUSTER
    DB_2 --> REDIS_CLUSTER
    DB_3 --> POSTGRES

    %% Load Balancer Flow
    FD_GLOBAL --> ALB
    ALB --> TG_DEV
    ALB --> TG_STAGE
    ALB --> TG_PROD
    TG_DEV --> HC_DEV
    TG_STAGE --> HC_STAGE
    TG_PROD --> HC_PROD
    TG_DEV --> AS_DEV
    TG_STAGE --> AS_STAGE
    TG_PROD --> AS_PROD

    %% Network Security Groups
    ALB --> NSG_ALB
    AS_DEV --> NSG_APP
    AS_STAGE --> NSG_APP
    AS_PROD --> NSG_APP
    REDIS_CLUSTER --> NSG_REDIS
    POSTGRES --> NSG_DB

    %% Auto Scaling
    AS_DEV --> SCALE_DEV
    AS_STAGE --> SCALE_STAGE
    AS_PROD --> SCALE_PROD
    SCALE_DEV --> MON_CPU
    SCALE_STAGE --> MON_MEMORY
    SCALE_PROD --> MON_REQUEST
    SCALE_PROD --> MON_LATENCY

    %% Terraform Management
    TF_VNET --> TF_STATE
    TF_SECURITY --> TF_STATE
    TF_COMPUTE --> TF_STATE
    TF_DATABASE --> TF_STATE
    TF_MONITORING --> TF_STATE
    TF_STATE --> TF_LOCK
    TF_LOCK --> STORAGE_BACKEND
    TF_LOCK --> TABLE_LOCK

    %% Styling
    classDef global fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px
    classDef public fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    classDef private fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef database fill:#e0f2f1,stroke:#00695c,stroke-width:2px
    classDef security fill:#ffebee,stroke:#c62828,stroke-width:2px
    classDef lb fill:#fff3e0,stroke:#f57c00,stroke-width:2px
    classDef scaling fill:#fce4ec,stroke:#ad1457,stroke-width:2px
    classDef terraform fill:#f1f8e9,stroke:#689f38,stroke-width:2px

    class DNS,FD_GLOBAL,EDGE_CACHE,KV_CERTS,MANAGED_CERTS global
    class PUB_1,PUB_2,PUB_3,PIP,NAT_1,NAT_2,NAT_3 public
    class APP_1,APP_2,APP_3,AS_DEV,AS_STAGE,AS_PROD private
    class DB_1,DB_2,DB_3,REDIS_CLUSTER,POSTGRES database
    class NSG_ALB,NSG_APP,NSG_REDIS,NSG_DB security
    class ALB,TG_DEV,TG_STAGE,TG_PROD,HC_DEV,HC_STAGE,HC_PROD lb
    class SCALE_DEV,SCALE_STAGE,SCALE_PROD,MON_CPU,MON_MEMORY,MON_REQUEST,MON_LATENCY scaling
    class TF_VNET,TF_SECURITY,TF_COMPUTE,TF_DATABASE,TF_MONITORING,TF_STATE,TF_LOCK,STORAGE_BACKEND,TABLE_LOCK terraform
```

### Infrastructure Features

**Multi-Zone Deployment:**

- Resources distributed across multiple Availability Zones for high availability
- Automatic failover in case of zone outages
- Cross-zone load balancing for optimal performance

**Network Security:**

- Three-tier subnet architecture (public, application, database)
- Network Security Groups act as virtual firewalls at subnet and instance level
- Private Endpoints for secure service connectivity

**Auto Scaling:**

- Environment-specific scaling policies
- Azure Monitor metrics-based scaling decisions
- Automatic health checks and instance replacement

---

## Security & Compliance Architecture

Comprehensive security framework for HIPAA compliance and data protection:

```mermaid
graph TB
    subgraph "Identity & Access Management"
        subgraph "User Authentication"
            AAD_POOL[Azure AD B2C Tenant]
            HOSPITAL_SSO[Hospital SSO/SAML]
            MFA_CONFIG[Multi-Factor Authentication]
            PASSWORD_POLICY[Password Policy]
        end
        subgraph "Authorization & RBAC"
            RBAC_ROLES[Azure RBAC Roles]
            RBAC_MATRIX[Role-Based Access Control]
            PERMISSION_SETS[Permission Sets]
            LEAST_PRIVILEGE[Least Privilege Principle]
        end
        subgraph "Token Management"
            JWT_TOKENS[JWT Tokens]
            TOKEN_ROTATION[Token Rotation]
            SESSION_MGT[Session Management]
            REFRESH_TOKENS[Refresh Tokens]
        end
    end

    subgraph "Network Security"
        subgraph "Perimeter Security"
            WAF_RULES[WAF Rules Engine]
            DDOS_PROTECTION[DDoS Protection]
            BOT_CONTROL[Bot Control]
            RATE_LIMITING[Rate Limiting]
        end
        subgraph "Network Isolation"
            VNET_ISOLATION[VNet Isolation]
            PRIVATE_SUBNETS[Private Subnets]
            NSG_GROUPS[Network Security Groups]
            PRIVATE_ENDPOINTS[Private Endpoints]
        end
        subgraph "Traffic Encryption"
            TLS_TERMINATION[TLS Termination]
            END_TO_END_TLS[End-to-End TLS]
            CERT_MANAGEMENT[Certificate Management]
            CIPHER_SUITES[Strong Cipher Suites]
        end
    end

    subgraph "Data Protection"
        subgraph "Encryption at Rest"
            KV_KEYS[Key Vault Keys]
            BLOB_ENCRYPTION[Blob Storage Encryption]
            DISK_ENCRYPTION[Disk Encryption]
            DB_ENCRYPTION[Database Encryption]
        end
        subgraph "Encryption in Transit"
            HTTPS_ONLY[HTTPS Only]
            TLS_1_3[TLS 1.3]
            SNOWFLAKE_TLS[Snowflake TLS]
            INTERNAL_TLS[Internal Service TLS]
        end
        subgraph "Key Management"
            CMK_ROTATION[Customer Managed Key Rotation]
            KEY_POLICIES[Key Policies]
            HSM_KEYS[HSM-backed Keys]
            PURGE_PROTECTION[Purge Protection]
        end
    end

    subgraph "Security Monitoring"
        subgraph "Logging & Auditing"
            ACTIVITY_LOG[Activity Log]
            RESOURCE_LOGS[Resource Logs]
            APPLICATION_LOGS[Application Logs]
            SECURITY_LOGS[Security Event Logs]
        end
        subgraph "Threat Detection"
            SENTINEL[Microsoft Sentinel]
            DEFENDER[Microsoft Defender for Cloud]
            THREAT_INTEL[Threat Intelligence]
            PURVIEW[Microsoft Purview]
        end
        subgraph "Monitoring & Alerting"
            MONITOR[Azure Monitor]
            EVENT_GRID[Event Grid Alerts]
            FUNCTIONS_RESPONSE[Functions Auto-response]
            INCIDENT_MGT[Incident Management]
        end
    end

    subgraph "HIPAA Compliance"
        subgraph "Administrative Safeguards"
            SECURITY_OFFICER[Security Officer]
            WORKFORCE_TRAINING[Workforce Training]
            ACCESS_MANAGEMENT[Access Management]
            INCIDENT_PROCEDURES[Incident Procedures]
        end
        subgraph "Physical Safeguards"
            AZURE_FACILITIES[Azure Data Center Security]
            DEVICE_CONTROLS[Device Controls]
            WORKSTATION_SECURITY[Workstation Security]
            MEDIA_CONTROLS[Media Controls]
        end
        subgraph "Technical Safeguards"
            ACCESS_CONTROL[Access Control]
            AUDIT_CONTROLS[Audit Controls]
            INTEGRITY_CONTROLS[Integrity Controls]
            TRANSMISSION_SECURITY[Transmission Security]
        end
    end

    subgraph "Backup & Recovery"
        subgraph "Data Backup"
            AUTOMATED_BACKUPS[Automated Backups]
            POINT_IN_TIME[Point-in-Time Recovery]
            GEO_REDUNDANT[Geo-Redundant Backup]
            BACKUP_ENCRYPTION[Backup Encryption]
        end
        subgraph "Disaster Recovery"
            DR_PLAN[Disaster Recovery Plan]
            RTO_RPO[RTO/RPO Targets]
            FAILOVER_TESTING[Failover Testing]
            BUSINESS_CONTINUITY[Business Continuity]
        end
    end

    subgraph "Compliance Validation"
        subgraph "Security Assessments"
            PENETRATION_TESTING[Penetration Testing]
            VULNERABILITY_SCANS[Vulnerability Scanning]
            SECURITY_REVIEWS[Security Reviews]
            COMPLIANCE_AUDITS[Compliance Audits]
        end
        subgraph "Reporting & Documentation"
            COMPLIANCE_REPORTS[Compliance Reports]
            SECURITY_METRICS[Security Metrics]
            RISK_ASSESSMENTS[Risk Assessments]
            DOCUMENTATION[Security Documentation]
        end
    end

    %% Identity Flow
    AAD_POOL --> HOSPITAL_SSO
    HOSPITAL_SSO --> MFA_CONFIG
    MFA_CONFIG --> PASSWORD_POLICY
    AAD_POOL --> RBAC_ROLES
    RBAC_ROLES --> RBAC_MATRIX
    RBAC_MATRIX --> PERMISSION_SETS
    PERMISSION_SETS --> LEAST_PRIVILEGE
    AAD_POOL --> JWT_TOKENS
    JWT_TOKENS --> TOKEN_ROTATION
    TOKEN_ROTATION --> SESSION_MGT
    SESSION_MGT --> REFRESH_TOKENS

    %% Network Security Flow
    WAF_RULES --> DDOS_PROTECTION
    DDOS_PROTECTION --> BOT_CONTROL
    BOT_CONTROL --> RATE_LIMITING
    VNET_ISOLATION --> PRIVATE_SUBNETS
    PRIVATE_SUBNETS --> NSG_GROUPS
    NSG_GROUPS --> PRIVATE_ENDPOINTS
    TLS_TERMINATION --> END_TO_END_TLS
    END_TO_END_TLS --> CERT_MANAGEMENT
    CERT_MANAGEMENT --> CIPHER_SUITES

    %% Data Protection Flow
    KV_KEYS --> BLOB_ENCRYPTION
    KV_KEYS --> DISK_ENCRYPTION
    KV_KEYS --> DB_ENCRYPTION
    HTTPS_ONLY --> TLS_1_3
    TLS_1_3 --> SNOWFLAKE_TLS
    SNOWFLAKE_TLS --> INTERNAL_TLS
    KV_KEYS --> CMK_ROTATION
    CMK_ROTATION --> KEY_POLICIES
    KEY_POLICIES --> HSM_KEYS
    HSM_KEYS --> PURGE_PROTECTION

    %% Monitoring Flow
    ACTIVITY_LOG --> RESOURCE_LOGS
    RESOURCE_LOGS --> APPLICATION_LOGS
    APPLICATION_LOGS --> SECURITY_LOGS
    SENTINEL --> DEFENDER
    DEFENDER --> THREAT_INTEL
    THREAT_INTEL --> PURVIEW
    MONITOR --> EVENT_GRID
    EVENT_GRID --> FUNCTIONS_RESPONSE
    FUNCTIONS_RESPONSE --> INCIDENT_MGT

    %% HIPAA Compliance
    SECURITY_OFFICER --> WORKFORCE_TRAINING
    WORKFORCE_TRAINING --> ACCESS_MANAGEMENT
    ACCESS_MANAGEMENT --> INCIDENT_PROCEDURES
    AZURE_FACILITIES --> DEVICE_CONTROLS
    DEVICE_CONTROLS --> WORKSTATION_SECURITY
    WORKSTATION_SECURITY --> MEDIA_CONTROLS
    ACCESS_CONTROL --> AUDIT_CONTROLS
    AUDIT_CONTROLS --> INTEGRITY_CONTROLS
    INTEGRITY_CONTROLS --> TRANSMISSION_SECURITY

    %% Backup & Recovery
    AUTOMATED_BACKUPS --> POINT_IN_TIME
    POINT_IN_TIME --> GEO_REDUNDANT
    GEO_REDUNDANT --> BACKUP_ENCRYPTION
    DR_PLAN --> RTO_RPO
    RTO_RPO --> FAILOVER_TESTING
    FAILOVER_TESTING --> BUSINESS_CONTINUITY

    %% Compliance Validation
    PENETRATION_TESTING --> VULNERABILITY_SCANS
    VULNERABILITY_SCANS --> SECURITY_REVIEWS
    SECURITY_REVIEWS --> COMPLIANCE_AUDITS
    COMPLIANCE_REPORTS --> SECURITY_METRICS
    SECURITY_METRICS --> RISK_ASSESSMENTS
    RISK_ASSESSMENTS --> DOCUMENTATION

    %% Styling
    classDef identity fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px
    classDef network fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    classDef data fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef monitoring fill:#e0f2f1,stroke:#00695c,stroke-width:2px
    classDef hipaa fill:#fff3e0,stroke:#f57c00,stroke-width:2px
    classDef backup fill:#ffebee,stroke:#c62828,stroke-width:2px
    classDef compliance fill:#fce4ec,stroke:#ad1457,stroke-width:2px

    class AAD_POOL,HOSPITAL_SSO,MFA_CONFIG,PASSWORD_POLICY,RBAC_ROLES,RBAC_MATRIX,PERMISSION_SETS,LEAST_PRIVILEGE,JWT_TOKENS,TOKEN_ROTATION,SESSION_MGT,REFRESH_TOKENS identity
    class WAF_RULES,DDOS_PROTECTION,BOT_CONTROL,RATE_LIMITING,VNET_ISOLATION,PRIVATE_SUBNETS,NSG_GROUPS,PRIVATE_ENDPOINTS,TLS_TERMINATION,END_TO_END_TLS,CERT_MANAGEMENT,CIPHER_SUITES network
    class KV_KEYS,BLOB_ENCRYPTION,DISK_ENCRYPTION,DB_ENCRYPTION,HTTPS_ONLY,TLS_1_3,SNOWFLAKE_TLS,INTERNAL_TLS,CMK_ROTATION,KEY_POLICIES,HSM_KEYS,PURGE_PROTECTION data
    class ACTIVITY_LOG,RESOURCE_LOGS,APPLICATION_LOGS,SECURITY_LOGS,SENTINEL,DEFENDER,THREAT_INTEL,PURVIEW,MONITOR,EVENT_GRID,FUNCTIONS_RESPONSE,INCIDENT_MGT monitoring
    class SECURITY_OFFICER,WORKFORCE_TRAINING,ACCESS_MANAGEMENT,INCIDENT_PROCEDURES,AZURE_FACILITIES,DEVICE_CONTROLS,WORKSTATION_SECURITY,MEDIA_CONTROLS,ACCESS_CONTROL,AUDIT_CONTROLS,INTEGRITY_CONTROLS,TRANSMISSION_SECURITY hipaa
    class
```
AUTOMATED_BACKUPS,POINT_IN_TIME,GEO_REDUNDANT,BACKUP_ENCRYPTION,DR_PLAN,RTO_RPO,FAILOVER_TESTING,BUSINESS_CONTINUITY backup class PENETRATION_TESTING,VULNERABILITY_SCANS,SECURITY_REVIEWS,COMPLIANCE_AUDITS,COMPLIANCE_REPORTS,SECURITY_METRICS,RISK_ASSESSMENTS,DOCUMENTATION compliance ``` ### Security Features Explained **Defense in Depth:** - Multiple layers of security controls from network to application level - No single point of failure in security architecture - Comprehensive monitoring and alerting at every layer **HIPAA Compliance:** - Administrative, physical, and technical safeguards implemented - Audit trails for all data access and modifications - Encryption at rest and in transit for all PHI data **Zero Trust Architecture:** - Never trust, always verify approach - Principle of least privilege access - Continuous validation of security posture --- ## CI/CD & Deployment Pipeline Complete automation pipeline for consistent, secure deployments: ```mermaid graph TB subgraph "Development Workflow" subgraph "Source Control" DEV_BRANCH[Feature Branches] STAGING_BRANCH[Staging Branch] MAIN_BRANCH[Main Branch] TAG_RELEASE[Release Tags] end subgraph "Git Workflow" FEATURE_PR[Feature Pull Request] CODE_REVIEW[Code Review] BRANCH_PROTECTION[Branch Protection] MERGE_APPROVAL[Merge Approval] end end subgraph "CI/CD Pipeline" subgraph "Continuous Integration" TRIGGER[GitHub Webhook Trigger] CHECKOUT[Code Checkout] ENV_SETUP[Environment Setup] DEP_INSTALL[Dependency Installation] end subgraph "Testing & Quality" LINT_CHECK[Linting & Code Style] UNIT_TESTS[Unit Tests] INTEGRATION_TESTS[Integration Tests] SECURITY_SCAN[Security Scanning] COVERAGE_REPORT[Coverage Report] end subgraph "Build Process" FRONTEND_BUILD[React Build] BACKEND_BUILD[FastAPI Build] DOCKER_BUILD[Docker Build] ARTIFACT_UPLOAD[Artifact Upload] end end subgraph "Infrastructure Deployment" subgraph "Terraform Workflow" TF_INIT[Terraform Init] TF_PLAN[Terraform Plan] TF_APPLY[Terraform Apply] 
TF_STATE_LOCK[State Locking] end subgraph "Environment Provisioning" VNET_DEPLOY[VNet Deployment] SECURITY_DEPLOY[Security Groups] COMPUTE_DEPLOY[Compute Resources] MONITORING_DEPLOY[Monitoring Setup] end end subgraph "Application Deployment" subgraph "Frontend Deployment" BLOB_UPLOAD[Blob Storage Upload] CDN_INVALIDATION[CDN Invalidation] SWA_DEPLOY[Static Web Apps Deployment] DNS_UPDATE[DNS Updates] end subgraph "Backend Deployment" AS_DEPLOY[App Service Deploy] HEALTH_CHECK[Health Check] BLUE_GREEN[Blue-Green Deployment] ROLLBACK_READY[Rollback Preparation] end end subgraph "Post-Deployment" subgraph "Validation" SMOKE_TESTS[Smoke Tests] E2E_TESTS[End-to-End Tests] PERFORMANCE_TESTS[Performance Tests] SECURITY_VALIDATION[Security Validation] end subgraph "Monitoring Setup" METRIC_SETUP[Metrics Collection] ALERT_CONFIG[Alert Configuration] DASHBOARD_UPDATE[Dashboard Updates] LOG_AGGREGATION[Log Aggregation] end subgraph "Notifications" TEAMS_NOTIFY[Teams Notifications] EMAIL_NOTIFY[Email Notifications] STATUS_UPDATE[Status Dashboard] DEPLOYMENT_LOG[Deployment Logs] end end subgraph "Environment-Specific Flows" subgraph "Development Flow" DEV_TRIGGER[Dev Branch Push] DEV_TESTS[Dev Testing] DEV_DEPLOY[Dev Deployment] DEV_VALIDATION[Dev Validation] end subgraph "Staging Flow" STAGE_TRIGGER[Staging Branch Merge] STAGE_TESTS[Staging Testing] STAGE_DEPLOY[Staging Deployment] STAGE_VALIDATION[Staging Validation] end subgraph "Production Flow" PROD_TRIGGER[Production Tag] PROD_APPROVAL[Manual Approval] PROD_DEPLOY[Production Deployment] PROD_VALIDATION[Production Validation] end end %% Development Workflow DEV_BRANCH --> FEATURE_PR FEATURE_PR --> CODE_REVIEW CODE_REVIEW --> BRANCH_PROTECTION BRANCH_PROTECTION --> MERGE_APPROVAL MERGE_APPROVAL --> STAGING_BRANCH STAGING_BRANCH --> MAIN_BRANCH MAIN_BRANCH --> TAG_RELEASE %% CI/CD Pipeline Flow TAG_RELEASE --> TRIGGER TRIGGER --> CHECKOUT CHECKOUT --> ENV_SETUP ENV_SETUP --> DEP_INSTALL DEP_INSTALL --> LINT_CHECK LINT_CHECK 
--> UNIT_TESTS UNIT_TESTS --> INTEGRATION_TESTS INTEGRATION_TESTS --> SECURITY_SCAN SECURITY_SCAN --> COVERAGE_REPORT COVERAGE_REPORT --> FRONTEND_BUILD COVERAGE_REPORT --> BACKEND_BUILD FRONTEND_BUILD --> DOCKER_BUILD BACKEND_BUILD --> DOCKER_BUILD DOCKER_BUILD --> ARTIFACT_UPLOAD %% Infrastructure Deployment ARTIFACT_UPLOAD --> TF_INIT TF_INIT --> TF_PLAN TF_PLAN --> TF_APPLY TF_APPLY --> TF_STATE_LOCK TF_APPLY --> VNET_DEPLOY VNET_DEPLOY --> SECURITY_DEPLOY SECURITY_DEPLOY --> COMPUTE_DEPLOY COMPUTE_DEPLOY --> MONITORING_DEPLOY %% Application Deployment MONITORING_DEPLOY --> BLOB_UPLOAD MONITORING_DEPLOY --> AS_DEPLOY BLOB_UPLOAD --> CDN_INVALIDATION CDN_INVALIDATION --> SWA_DEPLOY SWA_DEPLOY --> DNS_UPDATE AS_DEPLOY --> HEALTH_CHECK HEALTH_CHECK --> BLUE_GREEN BLUE_GREEN --> ROLLBACK_READY %% Post-Deployment DNS_UPDATE --> SMOKE_TESTS ROLLBACK_READY --> SMOKE_TESTS SMOKE_TESTS --> E2E_TESTS E2E_TESTS --> PERFORMANCE_TESTS PERFORMANCE_TESTS --> SECURITY_VALIDATION SECURITY_VALIDATION --> METRIC_SETUP METRIC_SETUP --> ALERT_CONFIG ALERT_CONFIG --> DASHBOARD_UPDATE DASHBOARD_UPDATE --> LOG_AGGREGATION LOG_AGGREGATION --> TEAMS_NOTIFY TEAMS_NOTIFY --> EMAIL_NOTIFY EMAIL_NOTIFY --> STATUS_UPDATE STATUS_UPDATE --> DEPLOYMENT_LOG %% Environment-Specific Flows DEV_BRANCH --> DEV_TRIGGER DEV_TRIGGER --> DEV_TESTS DEV_TESTS --> DEV_DEPLOY DEV_DEPLOY --> DEV_VALIDATION STAGING_BRANCH --> STAGE_TRIGGER STAGE_TRIGGER --> STAGE_TESTS STAGE_TESTS --> STAGE_DEPLOY STAGE_DEPLOY --> STAGE_VALIDATION TAG_RELEASE --> PROD_TRIGGER PROD_TRIGGER --> PROD_APPROVAL PROD_APPROVAL --> PROD_DEPLOY PROD_DEPLOY --> PROD_VALIDATION %% Styling classDef development fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px classDef pipeline fill:#e3f2fd,stroke:#1565c0,stroke-width:2px classDef infrastructure fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px classDef deployment fill:#e0f2f1,stroke:#00695c,stroke-width:2px classDef validation fill:#fff3e0,stroke:#f57c00,stroke-width:2px classDef environment 
fill:#ffebee,stroke:#c62828,stroke-width:2px class DEV_BRANCH,STAGING_BRANCH,MAIN_BRANCH,TAG_RELEASE,FEATURE_PR,CODE_REVIEW,BRANCH_PROTECTION,MERGE_APPROVAL development class TRIGGER,CHECKOUT,ENV_SETUP,DEP_INSTALL,LINT_CHECK,UNIT_TESTS,INTEGRATION_TESTS,SECURITY_SCAN,COVERAGE_REPORT,FRONTEND_BUILD,BACKEND_BUILD,DOCKER_BUILD,ARTIFACT_UPLOAD pipeline class TF_INIT,TF_PLAN,TF_APPLY,TF_STATE_LOCK,VNET_DEPLOY,SECURITY_DEPLOY,COMPUTE_DEPLOY,MONITORING_DEPLOY infrastructure class BLOB_UPLOAD,CDN_INVALIDATION,SWA_DEPLOY,DNS_UPDATE,AS_DEPLOY,HEALTH_CHECK,BLUE_GREEN,ROLLBACK_READY deployment class SMOKE_TESTS,E2E_TESTS,PERFORMANCE_TESTS,SECURITY_VALIDATION,METRIC_SETUP,ALERT_CONFIG,DASHBOARD_UPDATE,LOG_AGGREGATION,TEAMS_NOTIFY,EMAIL_NOTIFY,STATUS_UPDATE,DEPLOYMENT_LOG validation class DEV_TRIGGER,DEV_TESTS,DEV_DEPLOY,DEV_VALIDATION,STAGE_TRIGGER,STAGE_TESTS,STAGE_DEPLOY,STAGE_VALIDATION,PROD_TRIGGER,PROD_APPROVAL,PROD_DEPLOY,PROD_VALIDATION environment ``` ### CI/CD Features Explained **Automated Testing:** - Comprehensive test suite at multiple levels - Security scanning integrated into pipeline - Performance and load testing for critical paths **Infrastructure as Code:** - All infrastructure managed through Terraform - Version controlled infrastructure changes - Automated provisioning and updates **Environment Promotion:** - Automated deployment to development - Manual approval gates for production - Blue-green deployment strategy for zero downtime --- ## Monitoring & Observability Comprehensive monitoring and alerting for operational excellence: ```mermaid graph TB subgraph "Application Monitoring" subgraph "Frontend Metrics" FE_PERFORMANCE[Page Load Times] FE_ERRORS[JavaScript Errors] FE_USER_ACTIONS[User Interactions] FE_CONVERSION[Conversion Funnel] end subgraph "Backend Metrics" BE_RESPONSE_TIME[API Response Times] BE_THROUGHPUT[Request Throughput] BE_ERROR_RATE[Error Rates] BE_CONCURRENT_USERS[Concurrent Users] end subgraph "ML Model Metrics" ML_ACCURACY[Model 
Accuracy] ML_LATENCY[Inference Latency] ML_DRIFT[Model Drift] ML_FEATURE_IMPORTANCE[Feature Importance] end end subgraph "Infrastructure Monitoring" subgraph "Compute Metrics" CPU_UTILIZATION[CPU Utilization] MEMORY_USAGE[Memory Usage] DISK_IO[Disk I/O] NETWORK_IO[Network I/O] end subgraph "Load Balancer Metrics" LB_REQUEST_COUNT[Request Count] LB_TARGET_HEALTH[Target Health] LB_RESPONSE_TIME[Response Times] LB_ERROR_RATE[Error Rates] end subgraph "Database Metrics" DB_CONNECTIONS[Connection Pool] DB_QUERY_TIME[Query Performance] DB_DEADLOCKS[Deadlocks] DB_REPLICATION_LAG[Replication Lag] end end subgraph "Snowflake Monitoring" subgraph "Warehouse Metrics" SF_COMPUTE_USAGE[Compute Usage] SF_STORAGE_USAGE[Storage Usage] SF_CREDIT_CONSUMPTION[Credit Consumption] SF_QUERY_HISTORY[Query History] end subgraph "ML Workload Metrics" SF_MODEL_TRAINING[Model Training Jobs] SF_INFERENCE_CALLS[Inference API Calls] SF_CORTEX_USAGE[Cortex AI Usage] SF_FEATURE_ENGINEERING[Feature Engineering Jobs] end end subgraph "Logging & Observability" subgraph "Log Aggregation" APP_LOGS[Application Logs] ACCESS_LOGS[Access Logs] ERROR_LOGS[Error Logs] AUDIT_LOGS[Audit Logs] end subgraph "Distributed Tracing" REQUEST_TRACING[Request Tracing] SERVICE_MAP[Service Dependency Map] LATENCY_BREAKDOWN[Latency Breakdown] ERROR_CORRELATION[Error Correlation] end subgraph "Log Analytics" LOG_SEARCH[Log Search & Query] LOG_PATTERNS[Pattern Recognition] ANOMALY_DETECTION[Anomaly Detection] CORRELATION_ANALYSIS[Correlation Analysis] end end subgraph "Alerting & Incident Management" subgraph "Alert Rules" THRESHOLD_ALERTS[Threshold-based Alerts] ANOMALY_ALERTS[Anomaly-based Alerts] COMPOSITE_ALERTS[Composite Conditions] PREDICTIVE_ALERTS[Predictive Alerts] end subgraph "Notification Channels" TEAMS_ALERTS[Teams Notifications] EMAIL_ALERTS[Email Notifications] SMS_ALERTS[SMS Alerts] PAGERDUTY[PagerDuty Integration] end subgraph "Incident Response" AUTO_REMEDIATION[Auto-remediation] 
ESCALATION_POLICIES[Escalation Policies] RUNBOOKS[Automated Runbooks] POST_INCIDENT[Post-incident Analysis] end end subgraph "Healthcare-Specific Monitoring" subgraph "Clinical Metrics" DRG_ACCURACY[DRG Classification Accuracy] PATIENT_RISK_SCORES[Patient Risk Score Distribution] ALERT_RESPONSE_TIME[Clinical Alert Response Time] SYSTEM_AVAILABILITY[System Availability] end subgraph "Compliance Monitoring" HIPAA_VIOLATIONS[HIPAA Violation Alerts] ACCESS_PATTERNS[Unusual Access Patterns] DATA_EXPORT_TRACKING[Data Export Tracking] AUDIT_TRAIL_INTEGRITY[Audit Trail Integrity] end subgraph "User Experience" CLINICIAN_SATISFACTION[Clinician Satisfaction] WORKFLOW_EFFICIENCY[Workflow Efficiency] ERROR_IMPACT[Error Impact on Patient Care] ADOPTION_METRICS[Feature Adoption] end end subgraph "Business Intelligence Dashboards" subgraph "Executive Dashboard" SYSTEM_HEALTH[Overall System Health] COST_OPTIMIZATION[Cost Metrics] SECURITY_POSTURE[Security Posture] COMPLIANCE_STATUS[Compliance Status] end subgraph "Operations Dashboard" REAL_TIME_METRICS[Real-time Metrics] INCIDENT_STATUS[Incident Status] DEPLOYMENT_STATUS[Deployment Pipeline] RESOURCE_UTILIZATION[Resource Utilization] end subgraph "Development Dashboard" BUILD_SUCCESS_RATE[Build Success Rate] DEPLOYMENT_FREQUENCY[Deployment Frequency] LEAD_TIME[Lead Time] MTTR[Mean Time to Recovery] end end %% Application Monitoring Flow FE_PERFORMANCE --> BE_RESPONSE_TIME FE_ERRORS --> BE_ERROR_RATE FE_USER_ACTIONS --> BE_CONCURRENT_USERS FE_CONVERSION --> ML_ACCURACY BE_RESPONSE_TIME --> ML_LATENCY BE_THROUGHPUT --> ML_DRIFT BE_ERROR_RATE --> ML_FEATURE_IMPORTANCE %% Infrastructure Monitoring Flow CPU_UTILIZATION --> LB_REQUEST_COUNT MEMORY_USAGE --> LB_TARGET_HEALTH DISK_IO --> LB_RESPONSE_TIME NETWORK_IO --> LB_ERROR_RATE LB_REQUEST_COUNT --> DB_CONNECTIONS LB_TARGET_HEALTH --> DB_QUERY_TIME LB_RESPONSE_TIME --> DB_DEADLOCKS LB_ERROR_RATE --> DB_REPLICATION_LAG %% Snowflake Monitoring Flow SF_COMPUTE_USAGE --> 
SF_MODEL_TRAINING SF_STORAGE_USAGE --> SF_INFERENCE_CALLS SF_CREDIT_CONSUMPTION --> SF_CORTEX_USAGE SF_QUERY_HISTORY --> SF_FEATURE_ENGINEERING %% Logging Flow APP_LOGS --> REQUEST_TRACING ACCESS_LOGS --> SERVICE_MAP ERROR_LOGS --> LATENCY_BREAKDOWN AUDIT_LOGS --> ERROR_CORRELATION REQUEST_TRACING --> LOG_SEARCH SERVICE_MAP --> LOG_PATTERNS LATENCY_BREAKDOWN --> ANOMALY_DETECTION ERROR_CORRELATION --> CORRELATION_ANALYSIS %% Alerting Flow LOG_PATTERNS --> THRESHOLD_ALERTS ANOMALY_DETECTION --> ANOMALY_ALERTS CORRELATION_ANALYSIS --> COMPOSITE_ALERTS THRESHOLD_ALERTS --> TEAMS_ALERTS ANOMALY_ALERTS --> EMAIL_ALERTS COMPOSITE_ALERTS --> SMS_ALERTS PREDICTIVE_ALERTS --> PAGERDUTY TEAMS_ALERTS --> AUTO_REMEDIATION EMAIL_ALERTS --> ESCALATION_POLICIES SMS_ALERTS --> RUNBOOKS PAGERDUTY --> POST_INCIDENT %% Healthcare Monitoring Flow DRG_ACCURACY --> HIPAA_VIOLATIONS PATIENT_RISK_SCORES --> ACCESS_PATTERNS ALERT_RESPONSE_TIME --> DATA_EXPORT_TRACKING SYSTEM_AVAILABILITY --> AUDIT_TRAIL_INTEGRITY HIPAA_VIOLATIONS --> CLINICIAN_SATISFACTION ACCESS_PATTERNS --> WORKFLOW_EFFICIENCY DATA_EXPORT_TRACKING --> ERROR_IMPACT AUDIT_TRAIL_INTEGRITY --> ADOPTION_METRICS %% Dashboard Flow CLINICIAN_SATISFACTION --> SYSTEM_HEALTH WORKFLOW_EFFICIENCY --> COST_OPTIMIZATION ERROR_IMPACT --> SECURITY_POSTURE ADOPTION_METRICS --> COMPLIANCE_STATUS SYSTEM_HEALTH --> REAL_TIME_METRICS COST_OPTIMIZATION --> INCIDENT_STATUS SECURITY_POSTURE --> DEPLOYMENT_STATUS COMPLIANCE_STATUS --> RESOURCE_UTILIZATION REAL_TIME_METRICS --> BUILD_SUCCESS_RATE INCIDENT_STATUS --> DEPLOYMENT_FREQUENCY DEPLOYMENT_STATUS --> LEAD_TIME RESOURCE_UTILIZATION --> MTTR %% Styling classDef application fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px classDef infrastructure fill:#e3f2fd,stroke:#1565c0,stroke-width:2px classDef snowflake fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px classDef logging fill:#e0f2f1,stroke:#00695c,stroke-width:2px classDef alerting fill:#fff3e0,stroke:#f57c00,stroke-width:2px classDef healthcare 
fill:#ffebee,stroke:#c62828,stroke-width:2px classDef dashboards fill:#fce4ec,stroke:#ad1457,stroke-width:2px class FE_PERFORMANCE,FE_ERRORS,FE_USER_ACTIONS,FE_CONVERSION,BE_RESPONSE_TIME,BE_THROUGHPUT,BE_ERROR_RATE,BE_CONCURRENT_USERS,ML_ACCURACY,ML_LATENCY,ML_DRIFT,ML_FEATURE_IMPORTANCE application class CPU_UTILIZATION,MEMORY_USAGE,DISK_IO,NETWORK_IO,LB_REQUEST_COUNT,LB_TARGET_HEALTH,LB_RESPONSE_TIME,LB_ERROR_RATE,DB_CONNECTIONS,DB_QUERY_TIME,DB_DEADLOCKS,DB_REPLICATION_LAG infrastructure class SF_COMPUTE_USAGE,SF_STORAGE_USAGE,SF_CREDIT_CONSUMPTION,SF_QUERY_HISTORY,SF_MODEL_TRAINING,SF_INFERENCE_CALLS,SF_CORTEX_USAGE,SF_FEATURE_ENGINEERING snowflake class APP_LOGS,ACCESS_LOGS,ERROR_LOGS,AUDIT_LOGS,REQUEST_TRACING,SERVICE_MAP,LATENCY_BREAKDOWN,ERROR_CORRELATION,LOG_SEARCH,LOG_PATTERNS,ANOMALY_DETECTION,CORRELATION_ANALYSIS logging class THRESHOLD_ALERTS,ANOMALY_ALERTS,COMPOSITE_ALERTS,PREDICTIVE_ALERTS,TEAMS_ALERTS,EMAIL_ALERTS,SMS_ALERTS,PAGERDUTY,AUTO_REMEDIATION,ESCALATION_POLICIES,RUNBOOKS,POST_INCIDENT alerting class DRG_ACCURACY,PATIENT_RISK_SCORES,ALERT_RESPONSE_TIME,SYSTEM_AVAILABILITY,HIPAA_VIOLATIONS,ACCESS_PATTERNS,DATA_EXPORT_TRACKING,AUDIT_TRAIL_INTEGRITY,CLINICIAN_SATISFACTION,WORKFLOW_EFFICIENCY,ERROR_IMPACT,ADOPTION_METRICS healthcare class SYSTEM_HEALTH,COST_OPTIMIZATION,SECURITY_POSTURE,COMPLIANCE_STATUS,REAL_TIME_METRICS,INCIDENT_STATUS,DEPLOYMENT_STATUS,RESOURCE_UTILIZATION,BUILD_SUCCESS_RATE,DEPLOYMENT_FREQUENCY,LEAD_TIME,MTTR dashboards ``` ### Monitoring Strategy Explained **Proactive Monitoring:** - Real-time metrics collection and analysis - Predictive alerting based on trends and patterns - Automated incident response and remediation **Healthcare-Specific Metrics:** - Clinical accuracy and safety metrics - HIPAA compliance monitoring - Patient care impact measurement **Cost Optimization:** - Resource utilization tracking - Snowflake credit consumption monitoring - Right-sizing recommendations --- ## Implementation Details ### Key 
Technologies and Versions **Frontend Stack:** - React 18.2+ with TypeScript - Material-UI or Tailwind CSS for styling - React Query for state management - React Router v6 for navigation **Backend Stack:** - FastAPI 0.100+ with Python 3.11 - Pydantic for data validation - SQLAlchemy for database ORM - Pytest for testing **Infrastructure:** - Terraform 1.5+ for infrastructure as code - Azure CLI for deployments - Docker for containerization - GitHub Actions for CI/CD **Database & ML:** - Snowflake Cortex AI for primary ML workloads - Azure Machine Learning for backup ML capabilities - Azure Cache for Redis 7.0+ for caching - Azure Database for PostgreSQL for operational data (if needed) ### Environment Configuration **Development Environment:** ```yaml # terraform/environments/dev/terraform.tfvars environment = "development" vm_size = "Standard_B1s" min_instances = 1 max_instances = 2 enable_deletion_protection = false backup_retention_days = 7 ``` **Staging Environment:** ```yaml # terraform/environments/staging/terraform.tfvars environment = "staging" vm_size = "Standard_B2s" min_instances = 1 max_instances = 3 enable_deletion_protection = true backup_retention_days = 14 ``` **Production Environment:** ```yaml # terraform/environments/prod/terraform.tfvars environment = "production" vm_size = "Standard_D4s_v3" min_instances = 2 max_instances = 10 enable_deletion_protection = true backup_retention_days = 30 zone_redundant = true ``` ### Security Configuration **Azure RBAC Policies:** ```json { "Name": "EmpowerHealth-KeyVault-Reader", "IsCustom": true, "Description": "Read secrets from Key Vault", "Actions": [ "Microsoft.KeyVault/vaults/secrets/read" ], "DataActions": [ "Microsoft.KeyVault/vaults/secrets/getSecret/action" ], "AssignableScopes": [ "/subscriptions/{subscription-id}/resourceGroups/{resource-group}" ] } ``` **Network Security Group Rules:** ```hcl # Allow HTTPS traffic from Azure Front Door resource "azurerm_network_security_rule" "alb_https_ingress" { 
name = "HTTPS-Inbound" priority = 100 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "443" source_address_prefix = "AzureFrontDoor.Backend" destination_address_prefix = "*" resource_group_name = azurerm_resource_group.main.name network_security_group_name = azurerm_network_security_group.alb.name } # Allow backend traffic from Application Gateway only resource "azurerm_network_security_rule" "app_service_ingress" { name = "AppService-Inbound" priority = 110 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "5000" source_address_prefix = "10.10.10.0/24" destination_address_prefix = "*" resource_group_name = azurerm_resource_group.main.name network_security_group_name = azurerm_network_security_group.app.name } ``` --- ## Cost Optimization Strategy ### Resource Right-Sizing **Environment-Based Scaling:** - **Development**: Single zone, minimal instances - **Staging**: Limited auto-scaling for testing - **Production**: Zone-redundant with aggressive auto-scaling ### Snowflake Cost Management **Warehouse Sizing:** ```sql -- Auto-suspend and resume for cost optimization ALTER WAREHOUSE COMPUTE_WH SET AUTO_SUSPEND = 60 AUTO_RESUME = TRUE INITIALLY_SUSPENDED = TRUE; -- Scale warehouse based on workload ALTER WAREHOUSE COMPUTE_WH SET WAREHOUSE_SIZE = 'SMALL'; ``` **Query Optimization:** - Use clustering keys for large tables - Implement result caching strategies - Monitor and optimize expensive queries ### Azure Cost Controls **Reserved Instances:** - Purchase Azure Reserved Virtual Machine Instances for production workloads with predictable usage - Use Azure Savings Plans for flexible compute discounts **Auto Scaling Policies:** ```hcl resource "azurerm_monitor_autoscale_setting" "app_service" { name = "autoscale-appservice" resource_group_name = azurerm_resource_group.main.name location = azurerm_resource_group.main.location target_resource_id = 
azurerm_app_service_plan.main.id profile { name = "defaultProfile" capacity { default = 2 minimum = 1 maximum = 10 } rule { metric_trigger { metric_name = "CpuPercentage" metric_resource_id = azurerm_app_service_plan.main.id time_grain = "PT1M" statistic = "Average" time_window = "PT5M" time_aggregation = "Average" operator = "GreaterThan" threshold = 75 } scale_action { direction = "Increase" type = "ChangeCount" value = 1 cooldown = "PT10M" } } } } ``` ### Monthly Cost Estimates **Development Environment:** - Virtual Machines: $25/month - Application Gateway: $18/month - Data transfer: $10/month - **Total: ~$53/month** **Production Environment:** - App Service/VMs: $180/month - Application Gateway: $25/month - Data transfer: $50/month - Azure Front Door: $35/month - Snowflake: $500/month (estimated) - **Total: ~$790/month** --- ## Conclusion This comprehensive architecture provides a robust, scalable, and secure foundation for the EmpowerHealth healthcare analytics platform. The design incorporates: 1. **Multi-layered Security** - From network isolation to application-level authentication 2. **High Availability** - Multi-zone deployment with auto-scaling and failover 3. **Dual ML Strategy** - Primary Snowflake ML with Azure backup capabilities 4. **Complete Automation** - Infrastructure as code and CI/CD pipelines 5. **Comprehensive Monitoring** - Full observability stack with healthcare-specific metrics 6. **Cost Optimization** - Environment-specific resource allocation and scaling The architecture is designed to handle the sensitive nature of healthcare data while providing the performance and reliability required for clinical decision support systems. The dual ML approach ensures that you can leverage Snowflake's powerful Cortex AI capabilities while maintaining flexibility to use Azure ML services when needed. **Next Steps:** 1. Implement Terraform modules for infrastructure provisioning 2. Set up GitHub Actions workflows for CI/CD 3. 
Configure Snowflake data ingestion from Epic systems 4. Develop and deploy ML models for DRG classification 5. Implement comprehensive monitoring and alerting 6. Conduct security assessments and penetration testing 7. Train healthcare staff on the new system 8. Plan phased rollout strategy
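Returning to the Security Configuration section: the two NSG rules and the Key Vault reader role are only least-privilege if nobody later widens them, so a CI check that re-reads them as data is worth having. The following is an added example for this document, not project code; it encodes the page's rules and role as Python dicts (field names simplified, `source` standing for `source_address_prefix`), takes the gateway subnet 10.10.10.0/24 from the page, and assumes port 443 is the only port a public source may reach.

```python
"""Least-privilege checks for the NSG rules and custom RBAC role in the
Security Configuration section. Added example, not project code."""
import ipaddress

# Constructed from the page's two azurerm_network_security_rule resources
# (field names simplified; "source" holds the source_address_prefix).
NSG_RULES = [
    {"nsg": "alb", "name": "HTTPS-Inbound", "priority": 100,
     "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "dest_port": "443", "source": "AzureFrontDoor.Backend"},
    {"nsg": "app", "name": "AppService-Inbound", "priority": 110,
     "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "dest_port": "5000", "source": "10.10.10.0/24"},
]

# Constructed from the page's custom role definition JSON.
KV_READER_ROLE = {
    "Name": "EmpowerHealth-KeyVault-Reader",
    "IsCustom": True,
    "Actions": ["Microsoft.KeyVault/vaults/secrets/read"],
    "DataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"],
    "AssignableScopes": [
        "/subscriptions/{subscription-id}/resourceGroups/{resource-group}"],
}

# Source prefixes that mean "anyone": wildcard, the Internet service tag, or a /0.
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}
# The only network allowed to reach the app tier: the gateway subnet from the page.
GATEWAY_SUBNET = ipaddress.ip_network("10.10.10.0/24")
# Assumption: the only port a public source may reach (TLS terminated at the edge).
PUBLIC_PORT = "443"


def _is_public(source: str) -> bool:
    """True for wildcard/Internet sources or any CIDR with prefix length 0."""
    if source in PUBLIC_SOURCES:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # a service tag such as AzureFrontDoor.Backend


def check_nsg_rules(rules):
    """Return findings for inbound Allow rules; an empty list means they pass."""
    findings, seen = [], set()
    for r in rules:
        key = (r["nsg"], r["direction"], r["priority"])
        if key in seen:  # Azure rejects duplicate priorities per direction
            findings.append(f"{r['name']}: duplicate priority {r['priority']}")
        seen.add(key)
        if r["access"] != "Allow" or r["direction"] != "Inbound":
            continue
        if r["protocol"] == "*" or r["dest_port"] == "*":
            findings.append(f"{r['name']}: allows any protocol or port inbound")
        if _is_public(r["source"]) and r["dest_port"] != PUBLIC_PORT:
            findings.append(f"{r['name']}: public source reaches port {r['dest_port']}")
        if r["nsg"] == "app":
            # The app NSG must only admit the gateway subnet: a CIDR inside it,
            # never a service tag or wildcard.
            try:
                src = ipaddress.ip_network(r["source"], strict=False)
            except ValueError:
                findings.append(f"{r['name']}: app tier source must be a CIDR")
                continue
            if src.version != GATEWAY_SUBNET.version or not src.subnet_of(GATEWAY_SUBNET):
                findings.append(f"{r['name']}: app tier reachable from {src}")
    return findings


def check_custom_role(role):
    """Flag permissions beyond read-only intent and overly broad assignable scopes."""
    findings = []
    for perm in role.get("Actions", []) + role.get("DataActions", []):
        lowered = perm.lower()
        if perm == "*" or perm.endswith("/*") or "write" in lowered or "delete" in lowered:
            findings.append(f"{role['Name']}: {perm} exceeds read-only intent")
    for scope in role.get("AssignableScopes", []):
        # "/" (tenant root) or a bare "/subscriptions/<id>" is broader than one resource group.
        if scope == "/" or scope.count("/") <= 2:
            findings.append(f"{role['Name']}: scope too broad: {scope}")
    return findings


if __name__ == "__main__":
    for finding in check_nsg_rules(NSG_RULES) + check_custom_role(KV_READER_ROLE):
        print("FINDING:", finding)
```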
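The Environment Configuration section differentiates the three tfvars files mainly by protections (deletion protection, retention, zone redundancy, instance floor), and those are exactly the values a hurried change tends to lower. As an added example, not project code, the block below parses the flat `key = value` tfvars form the page uses and enforces the production guardrails implied by the page's prod file; the thresholds (30 days retention, two instances) are taken from that file, and the rule that only development may disable deletion protection is an assumption.

```python
"""Environment guardrails for the tfvars in the Environment Configuration
section. Added example, not project code."""
import re

# Constructed copies of the page's three terraform.tfvars files.
TFVARS = {
    "dev": """
# terraform/environments/dev/terraform.tfvars
environment = "development"
vm_size = "Standard_B1s"
min_instances = 1
max_instances = 2
enable_deletion_protection = false
backup_retention_days = 7
""",
    "staging": """
environment = "staging"
vm_size = "Standard_B2s"
min_instances = 1
max_instances = 3
enable_deletion_protection = true
backup_retention_days = 14
""",
    "prod": """
environment = "production"
vm_size = "Standard_D4s_v3"
min_instances = 2
max_instances = 10
enable_deletion_protection = true
backup_retention_days = 30
zone_redundant = true
""",
}

_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$')


def parse_tfvars(text):
    """Parse flat `key = value` tfvars into a dict of str/int/bool.

    Handles only the scalar form used on the page: quoted strings, integers
    and true/false. Full-line and trailing `#` comments are dropped (the
    page's values never contain '#').
    """
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"unsupported tfvars line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            result[key] = value[1:-1]
        elif value in ("true", "false"):
            result[key] = value == "true"
        else:
            result[key] = int(value)
    return result


def check_environment(v):
    """Return guardrail findings for one parsed tfvars file; empty list = pass."""
    env = v.get("environment")
    findings = []
    if v.get("min_instances", 0) > v.get("max_instances", 0):
        findings.append(f"{env}: min_instances exceeds max_instances")
    # Assumption: only development may run without deletion protection.
    if env != "development" and not v.get("enable_deletion_protection", False):
        findings.append(f"{env}: enable_deletion_protection must be true")
    if env == "production":
        # Thresholds taken from the page's production tfvars.
        if v.get("backup_retention_days", 0) < 30:
            findings.append("production: backup_retention_days must be >= 30")
        if not v.get("zone_redundant", False):
            findings.append("production: zone_redundant must be true")
        if v.get("min_instances", 0) < 2:
            findings.append("production: min_instances must be >= 2 for zone redundancy")
    return findings


def check_all(files):
    """Map each environment name to its list of findings."""
    return {name: check_environment(parse_tfvars(text)) for name, text in files.items()}


if __name__ == "__main__":
    for name, findings in check_all(TFVARS).items():
        print(name, "OK" if not findings else findings)
```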
