Architecture Design for Introducing Basic Security and Availability Using Azure
If you have an enterprise application and you want it to be in reach of everyone around the world, you need a strong base. Something that can make your application available 24x7x365, something that ensures your application is secure and performs well.
For ages, application owners used to design their software to meet these requirements. They used to apply best practices and acquire and configure several tools to ensure their software maintains the above mentioned attributes. But maintaining several different tools and configuration was challenging and building a solid infrastructure increases the project cost.
Then, "Cloud" came to the rescue. Cloud provides a solution to the need of a solid infrastructure, tools to build a scale to demand, and reliable and secure software. With its growing age, cloud is getting feature rich. The cloud service providers keep offering new features to help design the new age software.
There are many Cloud service providers out there. The top three leaders are:
· Amazon Web Services (AWS)
· Microsoft Azure
· Google Cloud
Currently, AWS is leading with market share (32.4%) followed by Azure (17.6%).
[Source- Canalys Annual Report]
In this blog, we will understand some of the basic cloud services provided by Azure that can help in introducing security and a level of availability to an application.
I will refer to an enterprise web application that we have developed using Azure services. It is a sales portal that comprises multiple components. Two of the main non-functional requirements of the application were - Security and Availability. Certainly, cloud was a preferred choice.
Let's read through to understand how we used different Azure services to build our cloud solution.
Azure provides a different type of hosting strategy. Two widely used strategies for a large-scale enterprise application hosting are:
We have used VM based hosting for the main web application. Though Azure App Services provide ease of deployment and agility to scale, it comes with a cost. The cost is affected by several different factors, including but not limited to type of hosting, network isolation, team for infrastructure management etc. A standard app service plan will cost you around $292/month while a VM cost us around $70 only. Also, we have a team to manage infrastructure so it leads us to use VMs for hosting our application.
Azure provides its servers/services located in multiple physical locations. This helps in scenarios where any physical failure (fire/flood/blackout) happens in one location, your entire application will not be affected.
We deployed our application instance on two different VMs that are in different regions.
Within a region itself, Azure provides Availability sets. Azure makes sure that the VMs you place within an Availability Set run across multiple physical servers, compute racks, storage units, and network switches.
Given that our application has a significant user base and it is expected to be highly available and scalable, we decided to host our application on two different servers. These servers were then connected to a load balancer.
A load balancer provides horizontal scaling. It allows user requests to be processed by one of the many backend pools (servers). This helps sharing the request load among your hardware pool. We used Azure Application Gateway, which is a web traffic load balancer. It provides an easy interface to configure the request listener, backend pool etc.
Azure Application Gateway is an OSI layer 7 (application layer) load balancer. Unlike traditional load balancer, it can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. We have used path-based routing feature to route certain requests to a specific backend pool based on specific keywords in the request URL.
It in fact allows routing traffic for multiple sites. We used a single gateway to route traffic of our two different applications.
Our application maintains several documents, videos, and it also generates documents on the fly. That means, we need a place to store all these documents. Rather than keeping these documents on our application server, we used Azure blob storage service. This way, we kept our application and data decoupled. Azure blob storage is a block storage scheme that can be accessed over HTTPS. The advantage of using blob storage over file-based system is performance and availability.
Security is one factor that is a non-functional requirement that cannot be ignored. If you have an enterprise application with confidential data, you must consider security as an integral part of your solution. There are different verticals of application security
· Data security
· Infrastructure security
· Prevention of attacks (DDoS, SQL injection etc.)
Here again, Azure provide out of the box security services
Almost every software application has secrets data that are required to connect to several other services, databases etc. Generally, developers add these secrets in a configuration file that is part of your source code. It makes these secrets available to anyone who has access to the source code. Here, your application is at risk.
Now, there are many ways to protect this information, one of the ways is that you can encrypt your configuration file or you can keep these at a place that is not part of your source code. Azure specifically provides a service for this. It is called Azure Key Vault.
We have used Key Vault to keep all our secrets protected. The Azure Key Vault makes sure only authorized users can access the secrets. It also keeps versioning the secrets and allows to auto-renew some of the secrets associated with other Azure services, like Blob Storage.
Azure Web Application Firewall (WAF) is a service that provides centralized protection to your web applications from common exploits and vulnerabilities. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.1, 3.0, and 2.2.9
In our application, we have configured WAF at the Application Gateway. This service reduces a lot of overhead for configuring security measures or extensive data validation in code.
Having a secure network configuration helps us to ensure our infrastructure in securing from unauthorized access. Azure provides a simplified network configuration management. You can create virtual networks, subnets and network security groups.
We have all our Virtual Machines behind a virtual network. The Virtual machines that host application code only has HTTPS port open for the Application gateway. Other VMs or any other resources do not have connectivity to the outside world.
If you want a highly available and reliable software, it is essentially important to have an extensive monitoring as part of your architecture. Monitoring helps you to keep an eye on your system and trace out potential threats of system failure. Azure provides several matrices and diagnostic data for the resources. This data can be easily accessed using Azure Monitor.
We have configured matrices for our virtual machines. This gives us the data such as CPU, memory utilization of the VM. We have configured alerts so that we get notified if the resource utilization of any VM reaches a defined limit.
Application Gateway Logs
We have configured logs on Application Gateway. This provides us information such that what requests are being made to our application, client IP etc.
Along with monitoring, we have also configured VM backups. We periodically backup our virtual machines so that these can be restored in case of any failure. The backups are stored on Azure blob storage. We have also configured alerts in case a backup action fails.
Having said that, we have discussed some of the basic services provided by Azure to design a highly available and secure solution. However, these are not the only services and this is not the only way to design a cloud solution. Rather, it is a minimalistic approach one can use to begin with. Azure has more than 100 cloud services to help you design your next gen software. Good Luck!
Can’t wait to hear more?Subscribe to be notified when we can share more of our solutions. You can opt out at any time.