Web app multi-zone resiliency
The web app multi-zone resiliency architecture deploys a 3-tier web application on Virtual Servers for VPC by using compute, storage, and network cloud resources as well as other Cloud services provisioned across multiple availability zones within a single region.
Architecture diagram
![Web app multi-zone resiliency solution architecture](web-app-multi-zone-architecture.png)
The web, application, and database tiers are deployed on Virtual Servers for VPC (VPC VSIs) across two availability zones within the Workload VPC.
- The virtual servers in the web and app tiers are placed within Placement Groups for host failure protection and are part of Instance Groups for autoscaling. A VPC Application Load Balancer is used to route traffic to healthy application servers.
- The database servers are deployed in active-standby mode. Data replication across availability zones is handled by the database software, based on database-specific high availability configuration options.
- IBM Storage Protect is used to create database backups to enable data recovery.
All data is encrypted by using customer-provided keys that are managed by Key Protect.
- All storage is encrypted at rest with customer-provided keys.
- Data is encrypted in transit by using TLS encryption. Secrets Manager is used to store and manage SSL/TLS certificates.
- Cloud Internet Services (CIS) is deployed as a proxy in front of the public VPC Application Load Balancer that front-ends the web tier, providing Distributed Denial of Service (DDoS) protection and Web Application Firewall protection.
Design scope
The web app multi-zone resiliency architecture covers design considerations and architecture decisions for the following aspects and domains (as defined in the Architecture Framework):
- Compute: Virtual servers
- Storage: Primary storage, Backup storage
- Networking: Enterprise connectivity, Segmentation and isolation, Cloud native connectivity, Load balancing, Domain name system
- Security: Data security, Identity and access management, Application security, Infrastructure and endpoint security
- Resiliency: High availability, Backup and restore
- Service Management: Monitoring, Logging, Auditing, Alerting
The Architecture Framework provides a consistent approach to design cloud solutions by addressing requirements across a set of "aspects" and "domains", which are technology-agnostic architectural areas that need to be considered for any enterprise solution. See Introduction to the Architecture Framework for more details.
Requirements
The following represents a typical set of requirements for enterprise-ready web applications that are deployed in a public cloud.
Aspects | Requirements |
---|---|
Compute | Provide properly isolated compute resources with adequate compute capacity for the applications. |
Storage | Provide storage that meets the application and database performance requirements. |
Networking |
|
Security |
|
Resiliency |
|
Service Management |
|
Components
Aspects | Solution components | How the component is used |
---|---|---|
Compute | Virtual Servers for VPC | Web, app, and database servers |
Storage | Block Storage for VPC | Database servers storage |
Storage | Cloud Object Storage | Web app static content, backups, logs (application, operational, and audit) |
Networking | VPC Virtual Private Network (VPN) Client | Remote access to manage resources in a private network |
Networking | Virtual Private Clouds (VPCs), Subnets, Security Groups (SGs), ACLs | VPCs for workload isolation. Subnets, SGs, and ACLs for restricted access to web, app, and database tiers |
Networking | Local Transit Gateway (TGW) | Connectivity between workload and management VPCs |
Networking | Virtual Private Gateway & Virtual Private Endpoint (VPE) | Private network access to Cloud Services, for example Key Protect, Cloud Object Storage, and so on |
Networking | VPC Application Load Balancer | Application load balancing for web and app tiers |
Networking | Public Gateway | Web app access to the internet |
Networking | Cloud Internet Services (CIS) | Public DNS resolution |
Networking | DNS Services | Private DNS resolution |
Security | IAM | IBM Cloud Identity & Access Management |
Security | BYO Bastion Host on VPC VSI with PAM SW | Remote access with Privileged Access Management |
Security | Cloud Internet Services (CIS) | DDoS protection and Web App Firewall |
Security | Key Protect | Key management service |
Security | Secrets Manager | Certificate and secrets Management |
Resiliency | Placement Groups and Instance Groups | To avoid single points of failure and adjust capacity based on load changes |
Resiliency | VPC VSIs, VPC Block across multiple zones in one region | Web, app, database high availability deployment |
Resiliency | IBM Storage Protect | Database backups |
Resiliency | Cross-Region Cloud Object Storage Buckets | Backup storage |
Service Management | IBM Cloud Monitoring | Apps and operational monitoring |
Service Management | IBM Cloud Logs | Audit events, Apps and operational logs |
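
The components table assigns Subnets, SGs, and ACLs the job of restricting access to the web, app, and database tiers. The following is an added example, not part of the original architecture documentation or any IBM tooling: it audits a list of security group rules for flows that bypass that tiering. The rule format, the group names (`public-alb`, `private-alb`, `bastion`, `web`, `app`, `db`), the ports, and the allowed-source policy are all assumptions made for illustration.

```python
# Added example: tier names, ports and the rule format are assumptions,
# not IBM Cloud API output.
import ipaddress

# Inbound sources each tier's security group may accept (assumed policy
# derived from the 3-tier layout: load balancer -> web -> app -> database).
ALLOWED_INBOUND = {
    "web": {"public-alb", "bastion"},
    "app": {"private-alb", "bastion"},
    "db": {"app", "bastion"},
}

def cidr_of(remote):
    """Return the parsed network if remote is a CIDR, else None."""
    try:
        return ipaddress.ip_network(remote, strict=False)
    except ValueError:
        return None

def audit_inbound(rules):
    """Return (sg, remote, port, reason) for rules that break tier isolation."""
    findings = []
    for r in rules:
        allowed = ALLOWED_INBOUND.get(r["sg"])
        if r["direction"] != "inbound" or allowed is None:
            continue
        net = cidr_of(r["remote"])
        if net is not None:
            reason = "open to any address" if net.prefixlen == 0 else "CIDR source, not a security group"
        elif r["remote"] not in allowed:
            reason = "source not permitted for this tier"
        else:
            continue
        findings.append((r["sg"], r["remote"], r["port"], reason))
    return findings

# Constructed sample rules (not taken from a real deployment).
SAMPLE_RULES = [
    {"sg": "web", "direction": "inbound", "remote": "public-alb", "port": 443},
    {"sg": "app", "direction": "inbound", "remote": "private-alb", "port": 8443},
    {"sg": "db", "direction": "inbound", "remote": "app", "port": 5432},
    {"sg": "db", "direction": "inbound", "remote": "web", "port": 5432},
    {"sg": "db", "direction": "inbound", "remote": "0.0.0.0/0", "port": 22},
    {"sg": "app", "direction": "outbound", "remote": "0.0.0.0/0", "port": 443},
]

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES):
        print(finding)
```

Treating every CIDR source as a finding is a deliberately strict choice in this example; a real deployment may allow specific management ranges.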