
Three-tier web application on VCFaaS across MZR

This reference architecture outlines a resilient, multizone, 3-tier web application deployment on IBM Cloud® for VMware Cloud Foundation as a Service (VCFaaS). Provision compute, storage, and network resources with other cloud services, all within a single region.

Architecture diagram

Web app multizone resiliency solution architecture

The management VPC

  • Contains management resources, such as bastion or jump servers, that are hosted on Virtual Servers for VPC instances (VSIs). The management VPC is where your administrative staff manage the resources and applications that are hosted in IBM Cloud.
  • Uses the IBM Cloud Virtual Private Network (VPN) for VPC service to enable secure administrative access. For more information, see VPN for VPC overview.
  • Uses Virtual Private Endpoint (VPE) gateways to connect to IBM Cloud services. Services are reached through private IP addresses within your VPC subnets, and that access is protected by VPC security groups. For more information, see About virtual private endpoint gateways and About security groups.
  • Takes backups of the VSIs by using the IBM Cloud® Backup for VPC service. For more information, see Planning backups. Alternatively, you can use IBM Cloud® Storage Protect.
  • Encrypts all data by using customer-provided keys that Key Protect manages.

The edge VPC

The VMware Cloud Foundation as a Service instance

  • Hosts the web, application, and database tiers deployed on virtual machines (VMs) across two VMware Cloud Foundation as a Service virtual data centers (VDCs). The VDCs are deployed in two different availability zones in an IBM Cloud region.

  • Allows the VDCs to connect to the management VPC through a transit gateway. For more information, see Using Transit Gateway to interconnect VMware Cloud Foundation as a Service with IBM Cloud services.

  • The virtual machines in the web and app tiers are placed on VDC subnets in the two VDCs. A public Application Load Balancer for VPC routes traffic to healthy web servers, while a private Application Load Balancer for VPC routes traffic to healthy application servers.

  • The database servers are deployed in active-standby mode. The database software handles data replication across availability zones based on database-specific high availability configuration options. An isolated subnet stretches across the two VDCs in the data center group. The database VMs have an interface on this subnet, so replication traffic bypasses the transit gateway and flows directly between the zones.

  • The VMware Cloud Foundation as a Service Veeam backup service is used to back up the web, application, and database servers. See Managing Veeam for VMware Cloud Foundation as a Service. The VMware Cloud Foundation as a Service Veeam backup service restores VMs at the image level, not at the file level. If file-level backup and recovery are needed, see IBM® Storage Protect.

  • Encrypt data by selecting the encrypted storage options in VMware Cloud Foundation as a Service. This encryption uses provider-managed keys. If customer-provided keys are required, you can implement software-based encryption on the web, application, and database VMs by using Key Protect to manage keys. To use Linux Unified Key Setup (LUKS) encryption keys with either Hyper Protect Crypto Services or IBM Key Protect, see Protect LUKS encryption keys with Hyper Protect Crypto Services and Key Protect.

  • Data is encrypted in transit by using TLS encryption. Secrets Manager is used to store and manage SSL/TLS certificates.

  • IBM Cloud® Internet Services (CIS) is deployed as a proxy in front of the public Application Load Balancer for VPC that fronts the web tier, providing Distributed Denial of Service (DDoS) protection and Web Application Firewall protection.
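The tier layout above implies a strict information-flow policy: internet traffic reaches only the public load balancer, the web tier talks only to the private load balancer, the app tier is the only client of the database, replication stays on the isolated stretched subnet, and administrative SSH arrives only from the bastion hosts in the management VPC. The following script is an added example (not IBM Cloud or VMware tooling) that encodes that policy and audits a set of security-group rules against it; every subnet range, port, tier name and rule record in it is constructed for the example, and the rule format is a simplification of what a real security-group export would contain.

```python
"""Tier-segmentation audit for a three-tier web application on VCFaaS.

Added example, not IBM Cloud or VMware tooling. It encodes the information-flow
policy described above (internet -> public ALB -> web -> private ALB -> app -> db,
replication confined to the isolated subnet, SSH only from the management VPC)
and reports every security-group rule that opens a path the policy does not allow.
All subnet ranges, ports, tier names and rule records are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: one subnet per tier in each of the two zones, plus the
# replication subnet stretched across both VDCs and the bastion subnet in the management VPC.
TIER_SUBNETS = {
    "public-alb":  ["10.10.0.0/24", "10.20.0.0/24"],
    "web":         ["10.10.1.0/24", "10.20.1.0/24"],
    "private-alb": ["10.10.2.0/24", "10.20.2.0/24"],
    "app":         ["10.10.3.0/24", "10.20.3.0/24"],
    "db":          ["10.10.4.0/24", "10.20.4.0/24"],
    "db-repl":     ["10.30.0.0/24"],
    "mgmt":        ["10.0.0.0/24"],
}

# Permitted inbound flows: destination tier -> {(source tier, TCP port)}
POLICY = {
    "web":     {("public-alb", 443)},
    "app":     {("private-alb", 8443)},
    "db":      {("app", 5432)},
    "db-repl": {("db-repl", 5432)},   # replication never leaves the isolated subnet
}
for _tier in ("web", "app", "db"):   # administrative SSH only via the bastion hosts
    POLICY[_tier].add(("mgmt", 22))


@dataclass(frozen=True)
class Rule:
    target_tier: str   # tier whose security group carries the rule
    direction: str     # only "inbound" rules are audited here
    protocol: str
    port: int
    remote: str        # source CIDR


def classify(cidr):
    """Return the tier whose subnets fully contain `cidr`, or None if no single tier does
    (for example 0.0.0.0/0 or a range spanning several tiers)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for tier, subnets in TIER_SUBNETS.items():
        if any(net.subnet_of(ipaddress.ip_network(s)) for s in subnets):
            return tier
    return None


def audit(rules):
    """Return [(rule, reason)] for every inbound rule the flow policy does not permit."""
    findings = []
    for r in rules:
        if r.direction != "inbound":
            continue
        src = classify(r.remote)
        if src is None:
            findings.append((r, f"remote {r.remote} is not confined to one tier subnet"))
        elif (src, r.port) not in POLICY.get(r.target_tier, set()):
            findings.append((r, f"{src} -> {r.target_tier}:{r.port} is not an allowed flow"))
    return findings


# Constructed rule set containing three violations of the policy.
SAMPLE_RULES = [
    Rule("web", "inbound", "tcp", 443, "10.10.0.0/24"),       # public ALB (zone 1) -> web
    Rule("web", "inbound", "tcp", 443, "10.20.0.0/24"),       # public ALB (zone 2) -> web
    Rule("app", "inbound", "tcp", 8443, "10.10.2.0/24"),      # private ALB -> app
    Rule("db", "inbound", "tcp", 5432, "10.10.3.0/24"),       # app -> db
    Rule("db", "inbound", "tcp", 22, "10.0.0.0/24"),          # bastion -> db (SSH)
    Rule("db-repl", "inbound", "tcp", 5432, "10.30.0.0/24"),  # replication within the isolated subnet
    Rule("db", "inbound", "tcp", 5432, "10.10.1.0/24"),       # BAD: web tier reaches db directly
    Rule("db-repl", "inbound", "tcp", 5432, "10.10.3.0/24"),  # BAD: app tier reaches the replication subnet
    Rule("web", "inbound", "tcp", 22, "0.0.0.0/0"),           # BAD: SSH open to the internet
    Rule("web", "outbound", "tcp", 443, "0.0.0.0/0"),         # outbound rules are not audited
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.target_tier:8} port {rule.port:<5} from {rule.remote:16} {reason}")
```

The check deliberately treats any remote range that is not contained in a single tier subnet (such as 0.0.0.0/0 or a whole VPC prefix) as a finding, because such a rule cannot be mapped to one step of the tiered flow; the same policy table can be reused to validate network ACLs on the VDC subnets.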

Design scope

The web app multizone resiliency architecture covers design considerations and architecture decisions for the following aspects and domains (as defined in the Architecture Design Framework):

  • Compute: Virtual servers
  • Storage: Primary storage, backup storage
  • Networking: Enterprise connectivity, segmentation and isolation, cloud native connectivity, load balancing, domain name system
  • Security: Data security, identity and access management, application security, infrastructure, and endpoint security
  • Resiliency: High availability, backup, and restore
  • Service Management: Monitoring, logging, auditing, alerting

Design scope for the multizone web app resiliency architecture

The Architecture Design Framework provides a consistent approach to design cloud solutions by addressing requirements across a set of "aspects" and "domains", which are technology-agnostic architectural areas to consider for any enterprise solution. For more information, see Introduction to the Architecture Design Framework.

Requirements

The following table represents a typical set of requirements for enterprise-ready web applications that are deployed in a public cloud.

Web app multizone resiliency requirements
Aspects Requirements
Compute
  • Provide properly isolated compute resources with adequate compute capacity for the applications.
Storage
  • Provide storage that meets the application and database performance requirements.
Networking
  • Deploy workloads in an isolated environment and enforce information flow policies.
  • Provide secure, encrypted connectivity to the cloud’s private network for management purposes.
  • Distribute incoming application requests across available compute resources.
  • Provide public and private DNS resolution.
Security
  • Ensure that all operator actions are run securely through a bastion host.
  • Protect the boundaries of the application against denial-of-service and application-layer attacks.
  • Encrypt all application data in transit and at rest to protect it from unauthorized disclosure.
  • Encrypt all backup data to protect it from unauthorized disclosure.
  • Encrypt all security data (operational and audit logs) to protect from unauthorized disclosure.
  • Encrypt all data by using customer-managed keys to meet regulatory compliance requirements for more security and customer control.
  • Protect secrets through their entire lifecycle and secure them using access control measures.
Resiliency
  • Support application availability targets and business continuity policies.
  • Provide highly available compute, storage, network, and other cloud services to handle application load and performance requirements.
  • Back up application data to enable recovery if unplanned outages occur.
  • Provide highly available storage for security data (logs) and backup data.
Service Management
  • Monitor system and application health metrics and logs to detect issues that might impact the availability of the application.
  • Generate alerts/notifications about issues that might impact the availability of applications to trigger appropriate responses that minimize downtime.
  • Monitor audit logs to track changes and detect potential security problems.
  • Provide a mechanism to identify and send notifications about issues that are found in audit logs.
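The last two Service Management requirements (monitor audit logs for changes that weaken security, and notify on them) are the kind of thing that is easiest to see in code. The script below is an added example, not an IBM Cloud service or tool: it scans audit records for changes to security-group and ACL rules, key-management operations and IAM policy changes, and raises the severity when the change did not originate from the bastion subnet in the management VPC. The JSON field layout (action, initiator.id, initiator.host.address, outcome, eventTime), the action names and the bastion range are assumptions for the example and must be mapped to the real event schema of the logging service in use.

```python
"""Audit-log watch for posture-changing events in the three-tier architecture.

Added example, not an IBM Cloud tool. The JSON records are constructed for the
example; their field layout (action, initiator.id, initiator.host.address,
outcome, eventTime) and the action names are assumptions and must be adapted
to the actual audit-event schema.
"""
import ipaddress
import json

# Constructed: the only range from which administrative changes are expected,
# i.e. the bastion/jump-server subnet in the management VPC.
ADMIN_CIDR = ipaddress.ip_network("10.0.0.0/24")

# Action-name prefixes worth an alert, with the base severity assigned to each.
WATCHLIST = {
    "is.security-group.security-group-rule": "high",
    "is.network-acl.network-acl-rule": "high",
    "kms.secrets.delete": "critical",
    "kms.secrets.rotate": "medium",
    "iam-access-management.policy": "high",
}


def parse_event(line):
    """Parse one JSON log line; return None for lines that are not well-formed events."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or "action" not in ev:
        return None
    return ev


def evaluate(ev):
    """Return an alert dict for a watched event, or None when the event is not of interest."""
    action = ev["action"]
    severity = next((sev for prefix, sev in WATCHLIST.items() if action.startswith(prefix)), None)
    if severity is None:
        return None
    reasons = [f"watched action {action}"]
    initiator = ev.get("initiator", {})
    addr = initiator.get("host", {}).get("address")
    try:
        # A posture change that did not come through the bastion is the strongest signal here.
        if addr is None or ipaddress.ip_address(addr) not in ADMIN_CIDR:
            reasons.append(f"initiator address {addr} is outside the bastion subnet")
            severity = "critical"
    except ValueError:
        reasons.append(f"initiator address {addr!r} is not a valid IP")
        severity = "critical"
    if ev.get("outcome") == "failure":
        reasons.append("operation failed (possible probing or misconfigured automation)")
    return {"time": ev.get("eventTime"), "actor": initiator.get("id"),
            "action": action, "severity": severity, "reasons": reasons}


def scan(lines):
    """Run every line through the parser and evaluator; return the list of alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = evaluate(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records (dates, IDs and addresses are invented for the example).
SAMPLE_LOG = [
    '{"eventTime":"2024-05-01T08:02:11Z","action":"kms.secrets.rotate","outcome":"success",'
    '"initiator":{"id":"IBMid-admin01","host":{"address":"10.0.0.15"}}}',
    '{"eventTime":"2024-05-01T08:10:40Z","action":"is.security-group.security-group-rule.create",'
    '"outcome":"success","initiator":{"id":"IBMid-dev07","host":{"address":"203.0.113.7"}}}',
    '{"eventTime":"2024-05-01T08:12:03Z","action":"is.instance.start","outcome":"success",'
    '"initiator":{"id":"IBMid-admin01","host":{"address":"10.0.0.15"}}}',
    '{"eventTime":"2024-05-01T08:15:59Z","action":"kms.secrets.delete","outcome":"failure",'
    '"initiator":{"id":"ServiceId-ci-pipeline","host":{"address":"10.0.0.20"}}}',
    'not a json record at all',
    '{"eventTime":"2024-05-01T08:20:00Z","action":"iam-access-management.policy.create",'
    '"outcome":"success","initiator":{"id":"IBMid-dev07"}}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["time"]} [{a["severity"]:8}] {a["actor"]}: {a["action"]} -- ' + "; ".join(a["reasons"]))
```

In a deployment the `scan` output would feed the alerting channel named in the requirements; keeping the watchlist and the bastion range as data makes the rule set reviewable alongside the rest of the infrastructure configuration.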

Components

Web app multizone resiliency components

| Aspect | Solution component | How the component is used |
|---|---|---|
| Compute | Virtual Servers for VPC | Bastion hosts, jump servers |
| Compute | VCFaaS virtual machines | Web, app, and database servers |
| Storage | Block Storage for VPC | Bastion hosts, jump servers |
| Storage | VCFaaS NFS or vSAN | Web, app, and database servers |
| Storage | Cloud Object Storage | Web app static content, backups, logs (application, operational, and audit) |
| Networking | VPC Virtual Private Network (VPN) Client | Remote access to manage resources in a private network |
| Networking | Virtual Private Clouds (VPCs), Subnets, Security Groups (SGs), ACLs | VPCs for workload isolation. Subnets, SGs, and ACLs for restricted access to web, app, and database tiers |
| Networking | VCFaaS Virtual Data Centers and Subnets | VDCs for workload isolation. Subnets to enable restricted access to web, app, and database tiers by using edge gateway non-distributed interfaces |
| Networking | Local Transit Gateway (TGW) | Connectivity between workload and management VPCs and VDCs |
| Networking | Virtual Private Gateway & Virtual Private Endpoint (VPE) | Private network access to Cloud Services, for example Key Protect, Cloud Object Storage, and more |
| Networking | Application Load Balancer for VPC | Application load balancing for web and app tiers |
| Networking | Public Gateway | Web app access to the internet |
| Networking | IBM Cloud® Internet Services (CIS) | Public DNS resolution |
| Networking | DNS Services | Private DNS resolution |
| Security | IAM | IBM Cloud Identity and Access Management |
| Security | BYO Bastion Host on VPC VSI with PAM SW | Remote access with Privileged Access Management |
| Security | IBM Cloud® Internet Services (CIS) | DDoS protection and Web App Firewall |
| Security | Key Protect | Key management service |
| Security | Secrets Manager | Certificate and secrets management |
| Resiliency | VCFaaS anti-affinity rules | To avoid single points of failure |
| Resiliency | VMs, VCFaaS across multiple zones in one region | Web, app, database high availability deployment |
| Resiliency | Veeam | VM backups |
| Resiliency | IBM Storage Protect | Database backups |
| Resiliency | Cross-Region Cloud Object Storage Buckets | Backup storage for IBM Storage Protect |
| Service Management | IBM Cloud Monitoring | Apps and operational monitoring |
| Service Management | VCFaaS Operations Manager | View VDC, vApp, and VM-level metrics, and export metric data |
| Service Management | IBM Cloud Logs | Apps, operational, and audit logs |