3-Tier Architecture on SITE Cloud
This guide describes how to design and implement a 3-tier application architecture on SITE Cloud using load balancing, WAF, SSL termination, application VMs, and database VMs.
Introduction
A 3-tier architecture separates the application into presentation, application, and database layers. A SITE Cloud 3-tier design uses:
| Tier | Components |
|---|---|
| Tier 1 | Load Balancer, Web Application Firewall, and SSL termination. |
| Tier 2 | Application VMs. |
| Tier 3 | Database VMs. |
This guide is intended for system architects, network administrators, and developers designing scalable and secure web applications on SITE Cloud.
Getting Started
This architecture covers:
- Load balancer configuration for distributing incoming traffic.
- WAF protection for web application traffic.
- SSL termination at the load balancer tier.
- Application VMs in the application tier.
- Database VMs in the database tier.
Architecture Design
Tier 1: Load Balancer, WAF, and SSL Termination
| Component | Design guidance |
|---|---|
| Load Balancer | Distribute incoming traffic across application servers in Tier 2. Monitor and adjust load balancing methods based on traffic patterns. |
| WAF | Protect against common web application vulnerabilities. Configure WAF rules and move from learning to blocking mode when ready. |
| SSL Termination | Offload SSL/TLS encryption and decryption from application servers. Use a trusted SSL certificate and enforce secure encryption policies. |
Tier 2: Application VMs
The application VM zone hosts application logic, business logic, and presentation-layer components.
Application VMs:
- Process user requests.
- Execute application-specific tasks.
- Generate responses.
- Communicate with database servers.
- Run middleware, web servers, and required application components.
Scale this tier horizontally by adding application server instances behind the load balancer as traffic increases.
Tier 3: Database VMs
The database VM zone hosts database management systems and application data.
Database VMs:
- Store, retrieve, and manipulate application data.
- Respond to queries from application servers.
- Host database engines and related software.
- Support structured or unstructured application data.
Scaling at this tier can involve vertical scaling, sharding, or replication, depending on the database design.
Implementation
- Create the business group.
- Enable environment access for the business group.
- Create the required subnets.
- Create the VMs.
- Allocate the VIP to the database cluster.
- Create required firewall rules between VMs.
- Create a WAF profile.
- Create an SSL profile.
- Create the load balancer and assign the WAF profile.
- Assign the SSL profile.
- Allocate a public IP to the business group.
- Assign the public IP to the load balancer.
- Publish the application.
Subnets
Create two subnets for the architecture:
- SSA subnet.
- HSA subnet.
Application VMs are placed in the SSA zone. Database VMs are placed in the HSA zone.
Firewall Rules
Because the architecture follows a zero-trust approach, create only the required firewall rules:
- App-to-App: SSA to SSA.
- App-to-DB: SSA to HSA.
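As an added example (not SITE Cloud tooling), a small audit script that checks a proposed rule list against the two flows this guide requires between VMs and flags anything else for review; the subnet ranges and sample rules are constructed placeholders, and the SSA/HSA CIDRs are assumptions.

```python
"""Audit candidate firewall rules against the zero-trust VM-to-VM flows
this guide requires: App-to-App (SSA -> SSA) and App-to-DB (SSA -> HSA).
Added example; subnet CIDRs and rules below are constructed, not SITE Cloud data."""
import ipaddress

# Constructed subnet ranges for the two zones (assumption, not real SITE Cloud values).
ZONES = {
    "SSA": ipaddress.ip_network("10.10.1.0/24"),  # application VMs
    "HSA": ipaddress.ip_network("10.10.2.0/24"),  # database VMs
}

# The only VM-to-VM flows the guide calls for: (source zone, destination zone).
REQUIRED_FLOWS = {("SSA", "SSA"), ("SSA", "HSA")}


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'EXTERNAL' if it is outside both subnets."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def audit_rules(rules):
    """Classify each rule as 'ok' (matches a required flow) or 'review'.

    rules: list of dicts with 'src' and 'dst' IP strings and an integer 'port'.
    Returns a list of (rule, verdict, reason) tuples in input order.
    """
    results = []
    for rule in rules:
        flow = (zone_of(rule["src"]), zone_of(rule["dst"]))
        if flow in REQUIRED_FLOWS:
            results.append((rule, "ok", f"{flow[0]}->{flow[1]} is a required flow"))
        else:
            results.append((rule, "review", f"{flow[0]}->{flow[1]} is not a required VM-to-VM flow"))
    return results


def rules_needing_review(rules):
    """Only the rules whose flow falls outside the required set."""
    return [r for r, verdict, _ in audit_rules(rules) if verdict == "review"]


if __name__ == "__main__":
    candidate = [  # constructed sample rules
        {"src": "10.10.1.10", "dst": "10.10.1.11", "port": 8080},   # app -> app
        {"src": "10.10.1.10", "dst": "10.10.2.10", "port": 5432},   # app -> db
        {"src": "10.10.2.10", "dst": "10.10.1.10", "port": 22},     # db -> app: review
        {"src": "203.0.113.5", "dst": "10.10.2.10", "port": 5432},  # external -> db: review
    ]
    for rule, verdict, reason in audit_rules(candidate):
        print(f"{verdict:6} {rule['src']} -> {rule['dst']}:{rule['port']}  ({reason})")
```

Rules flagged "review" are not automatically wrong (for example, the page does not list the database cluster's own replication traffic), but each one should be justified before it is created.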
Security Configuration
- Restrict who can configure and manage the tenant.
- Keep application software updated to patch vulnerabilities.
- Enable logging and monitoring.
- Forward relevant events to SITE SIEM.
- Use SSL certificates from a reputable Certificate Authority.
- Use strong encryption ciphers and protocols for data in transit.
- Review SSL configuration periodically.
- Monitor SSL/TLS vulnerabilities and apply patches promptly.
Glossary
| Term | Meaning |
|---|---|
| Load Balancer | Distributes network traffic across servers to support availability and performance. |
| WAF | Web Application Firewall, used to protect web applications from cyber threats and vulnerabilities. |
| SSL Termination | Decrypting SSL/TLS traffic at a network point, often the load balancer, before forwarding it to application servers. |
| SSL Certificate | Digital certificate used to verify website authenticity and encrypt traffic between client and server. |