Web app cross-region resiliency
The web app cross-region resiliency architecture deploys a 3-tier web application on Virtual Servers for VPC, using compute, storage, and network resources together with other Cloud services. The resources are provisioned in multiple availability zones in each of two regions, so that the application survives a region-wide outage or natural disaster.
Architecture diagram
![Web app cross-region resiliency solution architecture](web-app-cross-region-architecture.png)
The web, application, and database tiers are deployed on Virtual Servers for VPC (VSIs) within the Workload Virtual Private Cloud (VPC).
- The virtual servers in the web and app tiers are placed in Placement Groups, which spread instances across physical hosts so that a single host failure does not take down the whole tier, and are part of Instance Groups for autoscaling.
- A VPC Application Load Balancer is used at the web and app tiers to route traffic to healthy application instances.
- IBM Storage Protect is used to create database backups to enable data recovery.
The web application is deployed across two regions by using an active-standby approach to enable failover if an outage of the primary region occurs.
- The web and app tiers are deployed across two availability zones in each region (the primary region and the second region).
- The database tier is deployed in active-standby across two availability zones in the primary region with another standby replica in one availability zone in the second region. Data replication is handled by the database software based on HA/DR configuration settings.
- Cloud Internet Services (CIS) is configured as a global load balancer that routes traffic to the appropriate region based on origin health checks.
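As an added illustration of the active-standby routing just described, the following Python model shows how a global load balancer with prioritised origin pools decides where to send a client. It is example code written for this page, not CIS or IBM Cloud code, and it does not call any CIS API: the pool and origin names, the `minimum_origins` threshold, the client IP, and every health-check result are assumed or constructed inline. The model generalises slightly beyond the page by also showing what happens when the primary pool's health threshold is raised.

```python
import zlib
from dataclasses import dataclass


@dataclass
class Origin:
    name: str       # in this architecture, the public VPC ALB in one zone (name assumed)
    healthy: bool   # latest health-check result, constructed for the example


@dataclass
class Pool:
    name: str
    origins: list
    minimum_origins: int = 1   # pool is healthy only with at least this many healthy origins

    def healthy_origins(self):
        return [o for o in self.origins if o.healthy]

    def is_healthy(self):
        return len(self.healthy_origins()) >= self.minimum_origins


def select_pool(pools, fallback):
    """Pools are in priority order (primary region first, standby second).
    Return the first healthy pool; if none is healthy, return the fallback pool,
    which is served regardless of health so clients get a maintenance page
    rather than a timeout."""
    for pool in pools:
        if pool.is_healthy():
            return pool
    return fallback


def route(pools, fallback, client_ip):
    """Choose a pool, then spread clients over its healthy origins.
    crc32 gives a stable per-client choice; hash() would vary between processes."""
    pool = select_pool(pools, fallback)
    candidates = pool.healthy_origins() or pool.origins   # fallback pool may be all "down"
    origin = candidates[zlib.crc32(client_ip.encode()) % len(candidates)]
    return pool.name, origin.name


def build_pools(primary_health, standby_health, primary_minimum=1):
    """Build the two regional pools plus a fallback from per-zone health tuples
    (one boolean per availability zone ALB; all values constructed)."""
    primary = Pool("primary-region-web",
                   [Origin(f"primary-zone{i + 1}-alb", h) for i, h in enumerate(primary_health)],
                   minimum_origins=primary_minimum)
    standby = Pool("second-region-web",
                   [Origin(f"second-zone{i + 1}-alb", h) for i, h in enumerate(standby_health)])
    fallback = Pool("maintenance-page", [Origin("static-site", True)])
    return [primary, standby], fallback


def decide(primary_health, standby_health, primary_minimum=1, client_ip="203.0.113.10"):
    """Return (pool name, origin name) for one client under the given health state."""
    pools, fallback = build_pools(primary_health, standby_health, primary_minimum)
    return route(pools, fallback, client_ip)


if __name__ == "__main__":
    print(decide((True, True), (True, True)))       # normal operation: primary region
    print(decide((False, True), (True, True)))      # one primary zone down: still primary
    print(decide((False, False), (True, True)))     # primary region outage: second region
    print(decide((False, True), (True, True), 2))   # minimum_origins=2: single-zone loss fails over
    print(decide((False, False), (False, False)))   # both regions down: fallback
```

The `minimum_origins` threshold is the setting to think about in this design: with two zones per region and a threshold of 1, losing one zone in the primary region is absorbed locally, which is what the two-zone web and app tiers are for, and the global load balancer only moves traffic to the second region when the whole primary pool is unhealthy. Routing the web tier to the second region is only half of a regional failover, because the standby database replica there still has to be promoted according to the database HA/DR configuration before the app tier in that region can take writes.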
All data is encrypted using customer-provided keys that are managed by Key Protect.
- All storage is encrypted at rest by using storage encryption with customer-provided keys that are managed by Key Protect. Key Protect is provisioned in the primary region and configured with failover units in the second region.
- Data is encrypted in transit by using TLS encryption. A Secrets Manager instance is deployed in each region to store and manage SSL/TLS certificates.
- Cloud Internet Services is deployed as a proxy in front of the public VPC Application Load Balancer that front-ends the web tier, providing Distributed Denial of Service (DDoS) protection and Web Application Firewall (WAF) protection.
Design scope
Following the Architecture Framework, the web app cross-region resiliency architecture covers design considerations and architecture decisions for the following aspects and domains:
- Compute: Virtual servers
- Storage: Primary storage, Backup storage
- Networking: Enterprise connectivity, Segmentation and isolation, Cloud native connectivity, Load balancing, Domain name system
- Security: Data security, Identity and access management, Application security, Infrastructure and endpoint security
- Resiliency: High availability, Disaster recovery, Backup and restore
- Service management: Monitoring, Logging, Auditing, Alerting
The Architecture Framework provides a consistent approach to design cloud solutions by addressing requirements across a set of "aspects" and "domains", which are technology-agnostic architectural areas that need to be considered for any enterprise solution. See Introduction to the Architecture Framework for more details.
Requirements
Aspects | Requirements |
---|---|
Compute | Provide properly isolated compute resources with adequate compute capacity for the applications. |
Storage | Provide storage that meets the application and database performance requirements. |
Networking | |
Security | |
Resiliency | |
Service management | |
Components
Aspects | Solution components | How the component is used |
---|---|---|
Compute | Virtual Servers for VPC | Web, app, and database servers |
Storage | Block Storage for VPC | Database servers storage |
 | Cloud Object Storage | Web app static content, backups, logs (application, operational, and audit logs) |
Networking | VPC Virtual Private Network (VPN) Client | Remote access to manage resources in a private network |
 | Virtual Private Clouds (VPCs), Subnets, Security Groups (SGs), ACLs | VPCs for workload isolation; Subnets, SGs, and ACLs for restricted access to web, app, and database tiers |
 | Transit Gateway (TGW) | Local Transit Gateway connects the Workload and Management VPCs within a region. Global Transit Gateway connects VPCs across regions. |
 | Virtual Private Gateway & Virtual Private Endpoint (VPE) | Private network access to Cloud Services, for example Key Protect, Cloud Object Storage, and so on. |
 | Public Gateway | Web app access to the internet |
 | VPC Application Load Balancer | Application load balancing for web and app tiers |
 | Cloud Internet Services (CIS) | Global load balancing between regions. Public DNS resolution. |
 | DNS Services | Private DNS resolution |
Security | IAM | IBM Cloud Identity & Access Management |
 | BYO Bastion Host on VPC VSI with PAM SW | Remote access with privileged access management |
 | Cloud Internet Services (CIS) | DDoS protection and Web App Firewall |
 | Key Protect | Key management service |
 | Secrets Manager | Certificate and secrets management |
Resiliency | Placement Groups and Instance Groups | To avoid single points of failure and adjust capacity based on load changes |
 | VPC VSIs, VPC Block across multiple zones in two regions | Web, app, database high availability and disaster recovery |
 | IBM Storage Protect | Database backups |
 | Cross-Region Cloud Object Storage Buckets | Backup storage |
Service management | IBM Cloud Monitoring | Apps and operational monitoring |
 | IBM Cloud Logs | Audit events, apps and operational logs |