
3-Tier Architecture on SITE Cloud

This guide describes how to design and implement a 3-tier application architecture on SITE Cloud using load balancing, WAF, SSL termination, application VMs, and database VMs.

Introduction

A 3-tier architecture separates the application into presentation, application, and database layers. A SITE Cloud 3-tier design uses:

Tier    Components
Tier 1  Load Balancer, Web Application Firewall, and SSL termination.
Tier 2  Application VMs.
Tier 3  Database VMs.

This guide is intended for system architects, network administrators, and developers designing scalable and secure web applications on SITE Cloud.

Getting Started

This architecture covers:

  • Load balancer configuration for distributing incoming traffic.
  • WAF protection for web application traffic.
  • SSL termination at the load balancer tier.
  • Application VMs in the application tier.
  • Database VMs in the database tier.

Architecture Design

Tier 1: Load Balancer, WAF, and SSL Termination

Component        Design guidance
Load Balancer    Distribute incoming traffic across the application servers in Tier 2. Monitor traffic patterns and adjust the load balancing method accordingly.
WAF              Protect against common web application vulnerabilities. Configure WAF rules, run in learning mode first, review the learned traffic for false positives, and then switch to blocking mode.
SSL Termination  Offload SSL/TLS encryption and decryption from the application servers. Use a certificate from a trusted Certificate Authority and allow only TLS 1.2 and later with strong cipher suites. Because the load balancer decrypts traffic here, the hop from the load balancer to the application VMs is plaintext on the SSA subnet unless it is re-encrypted, so access to the application VMs must be limited to the load balancer and the permitted intra-tier flows.

Tier 2: Application VMs

The application VM zone hosts application logic, business logic, and presentation-layer components.

Application VMs:

  • Process user requests.
  • Execute application-specific tasks.
  • Generate responses.
  • Communicate with database servers.
  • Run middleware, web servers, and required application components.

Scale this tier horizontally by adding application server instances behind the load balancer when traffic increases.

Tier 3: Database VMs

The database VM zone hosts database management systems and application data.

Database VMs:

  • Store, retrieve, and manipulate application data.
  • Respond to queries from application servers.
  • Host database engines and related software.
  • Support structured or unstructured application data.

Scaling at this tier can involve vertical scaling, sharding, or replication, depending on the database design.

Implementation

  1. Create the business group.
  2. Enable environment access for the business group.
  3. Create the required subnets.
  4. Create the VMs.
  5. Allocate the VIP to the database cluster.
  6. Create required firewall rules between VMs.
  7. Create a WAF profile.
  8. Create an SSL profile.
  9. Create the load balancer and assign the WAF profile.
  10. Assign the SSL profile.
  11. Allocate a public IP to the business group.
  12. Assign the public IP to the load balancer.
  13. Publish the application.

Subnets

Create two subnets for the architecture:

  • SSA subnet.
  • HSA subnet.

Application VMs are placed in the SSA zone. Database VMs are placed in the HSA zone.

Firewall Rules

Because the architecture follows a zero-trust (default-deny) approach, create only the rules the application needs, each scoped to a source subnet, a destination subnet, and the specific destination port:

  • App-to-App: SSA to SSA, on the application port.
  • App-to-DB: SSA to HSA, on the database listening port.

Do not create rules from HSA to SSA or from outside the environment to HSA; the database tier should be reachable only from the application subnet.
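The two-rule policy above is easy to state and easy to get wrong in a console, so it is worth checking the resulting rule set against the flows the design requires and the flows it must block. The following is an added example, not SITE Cloud configuration: the SSA and HSA subnet ranges, the application and database ports, and the rule representation are assumptions made for illustration. It models the rules as default-deny, audits them against required and forbidden flows, and shows how an over-broad "any source to HSA" rule is caught.

```python
"""Offline check that a firewall rule set matches the two-rule zero-trust design.

Added example, not SITE Cloud configuration. The subnet ranges, the
application and database ports, and the rule representation are assumptions
made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subnet ranges for the two zones in the design.
SUBNETS = {
    "SSA": ipaddress.ip_network("10.10.1.0/24"),  # application VMs
    "HSA": ipaddress.ip_network("10.10.2.0/24"),  # database VMs
}

APP_PORT = 8080  # assumed application listening port
DB_PORT = 5432   # assumed database listening port


@dataclass(frozen=True)
class Rule:
    src_zone: str        # "SSA", "HSA" or "ANY"
    dst_zone: str
    port: Optional[int]  # None means any destination port


# Exactly the two rules the design calls for; any other flow is denied by default.
DESIGN_RULES = [
    Rule("SSA", "SSA", APP_PORT),  # App-to-App
    Rule("SSA", "HSA", DB_PORT),   # App-to-DB
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside both subnets is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "EXTERNAL"


def is_allowed(src_ip: str, dst_ip: str, port: int, rules=DESIGN_RULES) -> bool:
    """Default deny: a flow passes only if some rule explicitly matches it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(
        r.src_zone in ("ANY", src)
        and r.dst_zone in ("ANY", dst)
        and r.port in (None, port)
        for r in rules
    )


# Flows the architecture needs (must be allowed) and flows that must stay blocked.
REQUIRED_FLOWS = [
    ("10.10.1.10", "10.10.1.11", APP_PORT),  # app VM to app VM
    ("10.10.1.10", "10.10.2.10", DB_PORT),   # app VM to database VM
]
FORBIDDEN_FLOWS = [
    ("10.10.2.10", "10.10.1.10", APP_PORT),  # database tier initiating to app tier
    ("203.0.113.5", "10.10.2.10", DB_PORT),  # external host straight to the database
    ("10.10.1.10", "10.10.2.10", 22),        # SSH from app tier to database tier
]


def audit(rules=DESIGN_RULES) -> list:
    """Return policy violations; an empty list means the rules match the design."""
    problems = []
    for flow in REQUIRED_FLOWS:
        if not is_allowed(*flow, rules=rules):
            problems.append(f"required flow blocked: {flow}")
    for flow in FORBIDDEN_FLOWS:
        if is_allowed(*flow, rules=rules):
            problems.append(f"forbidden flow allowed: {flow}")
    return problems


if __name__ == "__main__":
    print("design rules:", audit() or "OK")
    # A tempting shortcut: open the database port to any source. The audit catches it.
    print("with ANY->HSA rule:", audit(DESIGN_RULES + [Rule("ANY", "HSA", DB_PORT)]))
```

Extend REQUIRED_FLOWS and FORBIDDEN_FLOWS with the real addresses and ports of the deployment and re-run the audit whenever a rule is added; the forbidden list is the part that catches drift, because a missing allow rule shows up immediately as an outage while an extra one does not.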

Security Configuration

  • Restrict who can configure and manage the tenant.
  • Keep application software updated to patch vulnerabilities.
  • Enable logging and monitoring.
  • Forward relevant events to SITE SIEM.
  • Use SSL certificates from a reputable Certificate Authority; do not use self-signed certificates on the public-facing load balancer.
  • Allow only TLS 1.2 and later with strong cipher suites for data in transit; disable SSLv3, TLS 1.0 and TLS 1.1, and legacy ciphers such as RC4 and 3DES.
  • Review the SSL configuration periodically, including certificate expiry.
  • Monitor SSL/TLS vulnerabilities and apply patches promptly.
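The SSL termination guidance in Tier 1 and the security configuration list above both come down to a small set of checkable settings. The following is an added example, not SITE Cloud's SSL profile format: the profile dictionary, its field names and the sample values are constructed for illustration, and the cipher names are OpenSSL names. It lints a weak profile beside the corrected one and builds a server-side ssl.SSLContext that refuses to start from a profile the linter rejects.

```python
"""Lint an SSL/TLS termination profile against the guidance above and build the
equivalent hardened ssl.SSLContext.

Added example, not SITE Cloud's SSL profile format. The profile dictionary, its
field names and the sample values are constructed for illustration; cipher
names are OpenSSL names.
"""
import ssl

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark cipher suites with no place in a termination profile.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH")
SUPPORTED_VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
MIN_KEY_BITS = 2048
MIN_DAYS_REMAINING = 30

# Constructed profiles: a weak one of the kind found on legacy load balancers,
# and the corrected one.
WEAK_PROFILE = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "cert_key_bits": 1024,
    "cert_self_signed": True,
    "cert_days_remaining": 10,
}
HARDENED_PROFILE = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": [
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-CHACHA20-POLY1305",
    ],
    "cert_key_bits": 2048,
    "cert_self_signed": False,
    "cert_days_remaining": 200,
}


def lint_profile(profile: dict) -> list:
    """Return a finding for every setting that violates the guidance; empty means clean."""
    findings = []
    for proto in profile.get("protocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
        elif proto not in SUPPORTED_VERSIONS:
            findings.append(f"unknown protocol: {proto}")
    for cipher in profile.get("ciphers", []):
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite allowed: {cipher}")
    if profile.get("cert_key_bits", 0) < MIN_KEY_BITS:
        findings.append(f"certificate key too small: {profile.get('cert_key_bits')} bits")
    if profile.get("cert_self_signed", True):
        findings.append("certificate is self-signed; use a certificate from a reputable CA")
    if profile.get("cert_days_remaining", 0) < MIN_DAYS_REMAINING:
        findings.append(f"certificate expires in {profile.get('cert_days_remaining')} days")
    return findings


def build_context(profile: dict) -> ssl.SSLContext:
    """Build a server-side SSLContext from a profile, refusing any profile the linter rejects."""
    findings = lint_profile(profile)
    if findings:
        raise ValueError("refusing weak profile: " + "; ".join(findings))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min(SUPPORTED_VERSIONS[p] for p in profile["protocols"])
    # set_ciphers governs the TLS 1.2 suites; TLS 1.3 suites are fixed by the library.
    ctx.set_ciphers(":".join(profile["ciphers"]))
    return ctx


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint_profile(profile) or "clean")
    print("minimum version:", build_context(HARDENED_PROFILE).minimum_version.name)
```

The check on days remaining is what turns "review SSL configuration periodically" into something a scheduled job can run; feed it the real certificate's expiry and it fails well before the certificate does.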

Glossary

Term             Meaning
Load Balancer    Distributes network traffic across servers to support availability and performance.
WAF              Web Application Firewall, used to protect web applications from attacks that exploit application-layer vulnerabilities.
SSL Termination  Decrypting SSL/TLS traffic at a network point, often the load balancer, before forwarding it to application servers.
SSL Certificate  Digital certificate that binds a public key to a site identity, letting clients authenticate the server and establish an encrypted session.