Three-tier web application on VCFaaS across MZR
This reference architecture outlines a resilient, multizone, three-tier web application deployment on IBM Cloud® for VMware Cloud Foundation as a Service (VCFaaS). Compute, storage, and network resources are provisioned together with other cloud services, all within a single region.
Architecture diagram
The management VPC
- Contains management resources, such as bastion or jump servers, that are hosted on Virtual Servers for VPC instances (VSIs). The management VPC is where your administrative staff manage the resources and applications that are hosted in IBM Cloud.
- Uses the IBM Cloud Virtual Private Network (VPN) for VPC service to enable secure administrative access. For more information, see VPN for VPC overview.
- Uses Virtual Private Endpoint (VPE) gateways to connect to IBM Cloud services. This enables access to services through private IP addresses within your VPC subnets, protected by VPC security groups. For more information, see About virtual private endpoint gateways and About security groups.
- Takes backups of the VSIs by using the IBM Cloud® Backup for VPC service. For more information, see Planning backups. Alternatively, you can use IBM Cloud® Storage Protect.
- Encrypts all data by using customer-provided keys that Key Protect manages.
The edge VPC
- Hosts the Application Load Balancer for VPC that distributes incoming traffic to the web and application servers. For more information, see Creating an application load balancer.
The VMware Cloud Foundation as a Service instance
- Hosts the web, application, and database tiers, deployed on virtual machines (VMs) across two VMware Cloud Foundation as a Service virtual data centers (VDCs). The VDCs are deployed in two different availability zones in an IBM Cloud region.
- Allows the VDCs to connect to the management VPC through a transit gateway. For more information, see Using Transit Gateway to interconnect VMware Cloud Foundation as a Service with IBM Cloud services.
- Places the virtual machines in the web and app tiers on VDC subnets in the two VDCs. A public Application Load Balancer for VPC routes traffic to healthy web servers, while a private Application Load Balancer for VPC routes traffic to healthy application servers.
- Deploys the database servers in active-standby mode. The database software handles data replication across availability zones, based on the database-specific high availability configuration options. An isolated subnet stretches across the two VDCs in the data center group; the database VMs have an interface on this subnet, which lets replication traffic bypass the transit gateway for efficient traffic flow.
- Uses the VMware Cloud Foundation as a Service Veeam backup service to back up the web, application, and database servers. See Managing Veeam for VMware Cloud Foundation as a Service. The Veeam backup service restores VMs at an image level, not at a file level. If file-level backup and recovery are needed, see IBM® Storage Protect.
- Encrypts data at rest by selecting the encrypted storage options in VMware Cloud Foundation as a Service. This encryption uses provider-managed keys. If customer-provided keys are required, you can implement software-based encryption on the web, application, and database VMs by using Key Protect to manage the keys. To use Linux Unified Key Setup (LUKS) encryption keys with either Hyper Protect Crypto Services or IBM Key Protect, see Protect LUKS encryption keys with Hyper Protect Crypto Services and Key Protect.
- Encrypts data in transit by using TLS. Secrets Manager is used to store and manage the SSL/TLS certificates.
- Uses IBM Cloud® Internet Services (CIS) as a proxy in front of the public Application Load Balancer for VPC that fronts the web tier, to provide Distributed Denial of Service (DDoS) protection and Web Application Firewall (WAF) protection.
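The tier segmentation that the subnets, security groups, and load balancers above are meant to enforce can be expressed as an allow-list and audited. The following Python model is an added example, not part of this IBM reference architecture; the tier names, CIDRs, and ports are constructed assumptions, and the private load balancer in front of the app tier is folded into the app tier.

```python
import ipaddress

# Constructed address plan for the tiers above: zone 1 is 10.20.x.0/24, zone 2 is
# 10.21.x.0/24, and 10.30.0.0/24 is the isolated subnet stretched across both VDCs.
TIERS = {
    "management": ["10.0.0.0/24"],  # bastion / jump servers, reached over VPN
    "edge-alb": ["10.10.0.0/24"],   # public ALB in the edge VPC
    "web": ["10.20.1.0/24", "10.21.1.0/24"],
    "app": ["10.20.2.0/24", "10.21.2.0/24"],
    "db": ["10.20.3.0/24", "10.21.3.0/24"],
    "db-repl": ["10.30.0.0/24"],
}

# Allow-list of (source tier, destination tier, TCP port); anything unlisted is
# denied, the default-deny posture the security groups must enforce. Ports are
# constructed; the private ALB in front of the app tier is folded into "app".
ALLOWED = {
    ("internet", "edge-alb", 443),
    ("edge-alb", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("db-repl", "db-repl", 5432),  # replication stays on the stretched subnet
    ("management", "web", 22), ("management", "app", 22), ("management", "db", 22),
}

def tier_of(ip: str) -> str:
    """Classify an address by tier; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in TIERS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "internet"

def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    return (tier_of(src_ip), tier_of(dst_ip), port) in ALLOWED

# Flows the design requires, and flows that must never be reachable (constructed).
REQUIRED = [("203.0.113.9", "10.10.0.4", 443),  # internet -> public ALB
            ("10.10.0.4", "10.21.1.7", 443),     # ALB -> web server in zone 2
            ("10.20.1.5", "10.21.2.6", 8443),    # web zone 1 -> app zone 2
            ("10.30.0.1", "10.30.0.2", 5432)]    # db replication across zones
FORBIDDEN = [("203.0.113.9", "10.20.3.4", 5432),  # internet -> database
             ("10.20.1.5", "10.20.3.4", 5432),    # web -> database directly
             ("203.0.113.9", "10.20.1.5", 22)]    # internet -> SSH on a web VM

def audit() -> list:
    """Return flows whose evaluation contradicts the design intent (empty = OK)."""
    bad = [f for f in REQUIRED if not is_allowed(*f)]
    bad += [f for f in FORBIDDEN if is_allowed(*f)]
    return bad
```

Running `audit()` against the real security-group and ACL export instead of the constructed allow-list gives a quick regression check that a later rule change has not opened a path from the internet or the web tier straight to the database.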
Design scope
The web app multizone resiliency architecture covers design considerations and architecture decisions for the following aspects and domains (as defined in the Architecture Design Framework):
- Compute: Virtual servers
- Storage: Primary storage, backup storage
- Networking: Enterprise connectivity, segmentation and isolation, cloud native connectivity, load balancing, domain name system
- Security: Data security, identity and access management, application security, infrastructure, and endpoint security
- Resiliency: High availability, backup, and restore
- Service Management: Monitoring, logging, auditing, alerting
The Architecture Design Framework provides a consistent approach to design cloud solutions by addressing requirements across a set of "aspects" and "domains", which are technology-agnostic architectural areas to consider for any enterprise solution. For more information, see Introduction to the Architecture Design Framework.
Requirements
The following table represents a typical set of requirements for enterprise-ready web applications that are deployed in a public cloud.
| Aspects | Requirements |
|---|---|
| Compute | |
| Storage | |
| Networking | |
| Security | |
| Resiliency | |
| Service Management | |
Components
| Aspects | Solution components | How the component is used |
|---|---|---|
| Compute | Virtual Servers for VPC | Bastion hosts, jump servers |
| | VCFaaS virtual machines | Web, app, and database servers |
| Storage | Block Storage for VPC | Bastion hosts, jump servers |
| | VCFaaS NFS or vSAN | Web, app, and database servers |
| | Cloud Object Storage | Web app static content, backups, logs (application, operational, and audit) |
| Networking | VPC Virtual Private Network (VPN) Client | Remote access to manage resources in a private network |
| | Virtual Private Clouds (VPCs), Subnets, Security Groups (SGs), ACLs | VPCs for workload isolation. Subnets, SGs, and ACLs for restricted access to web, app, and database tiers |
| | VCFaaS Virtual Data Centers and Subnets | VDCs for workload isolation. Subnets to enable restricted access to web, app, and database tiers by using edge gateway non-distributed interfaces |
| | Local Transit Gateway (TGW) | Connectivity between workload and management VPCs and VDCs |
| | Virtual Private Gateway & Virtual Private Endpoint (VPE) | Private network access to cloud services, for example Key Protect, Cloud Object Storage, and more |
| | Application Load Balancer for VPC | Application load balancing for web and app tiers |
| | Public Gateway | Web app access to the internet |
| | IBM Cloud® Internet Services (CIS) | Public DNS resolution |
| | DNS Services | Private DNS resolution |
| Security | IAM | IBM Cloud Identity and Access Management |
| | BYO Bastion Host on VPC VSI with PAM software | Remote access with Privileged Access Management |
| | IBM Cloud® Internet Services (CIS) | DDoS protection and Web App Firewall |
| | Key Protect | Key management service |
| | Secrets Manager | Certificate and secrets management |
| Resiliency | VCFaaS anti-affinity rules | To avoid single points of failure |
| | VMs, VCFaaS across multiple zones in one region | Web, app, and database high availability deployment |
| | Veeam | VM backups |
| | IBM Storage Protect | Database backups |
| | Cross-Region Cloud Object Storage Buckets | Backup storage for IBM Storage Protect |
| Service Management | IBM Cloud Monitoring | Apps and operational monitoring |
| | VCFaaS Operations Manager | View vDC, vApp, and VM level metrics and export metric data |
| | IBM Cloud Logs | Apps, operational, and audit logs |