top of page
Writer's pictureALIF Consulting

Windows N-tier application on Azure

Updated: Jun 4

This reference architecture shows how to deploy virtual machines (VMs) and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.


Use Case

  • Simple web applications

  • Migrate On-Premise Applications to Azure.

  • Build the Application with DevOps

  • Integration with Azure AD for SSO.

  • Unified development of on-premises and cloud applications

Architecture

Azure virtual networks

Architecture Components

The architecture has the following components.

General

Resource group

Resource groups are used to group Azure resources so they can be managed by lifetime, owner, or other criteria.

Availability zones

Availability zones are physical locations within an Azure region. Each zone consists of one or more datacenters with independent power, cooling, and networking. By placing VMs across zones, the application becomes resilient to failures within a zone.


Networking and load balancing

Virtual network and subnets

Every Azure VM is deployed into a virtual network that can be segmented into subnets. Create a separate subnet for each tier.

Application gateway

Application Gateway is a layer 7 load balancer. In this architecture, it routes HTTP requests to the web front end. Application Gateway also provides a web application firewall (WAF) that protects the application from common exploits and vulnerabilities.

Load balancers

Use Azure Standard Load Balancer to distribute network traffic from the web tier to the business tier, and from the business tier to SQL Server.

Network security groups (NSGs)

Use NSGs to restrict network traffic within the virtual network. For example, in the three-tier architecture shown here, the database tier does not accept traffic from the web front end, only from the business tier and the management subnet.

DDoS Protection

Although the Azure platform provides basic protection against distributed denial of service (DDoS) attacks, we recommend using the DDoS Protection Standard, which has enhanced DDoS mitigation features.

Azure DNS

Azure DNS is a hosting service for DNS domains. It provides name resolution using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.


Virtual machines

SQL Server

Always On Availability Group. Provides high availability at the data tier, by enabling replication and failover. It uses Windows Server Failover Cluster (WSFC) technology for failover.

Active Directory Domain Services (AD DS) Servers

The computer objects for the failover cluster and its associated clustered roles are created in Active Directory Domain Services (AD DS).

Cloud Witness

A failover cluster requires more than half of its nodes to be running, which is known as having a quorum. If the cluster has just two nodes, a network partition could cause each node to think it's the primary node. In that case, you need a witness to break ties and establish a quorum. A witness is a resource such as a shared disk that can act as a tiebreaker to establish a quorum. Cloud Witness is a type of witness that uses Azure Blob Storage.

Jump Box

Also called a bastion host. Traditionally, a secure VM on the network that administrators use to connect to the other VMs. The jump box has an NSG that allows remote traffic only from public IP addresses on a safe list. The NSG should permit Remote Desktop Protocol (RDP) traffic. Azure offers the managed solution Azure Bastion to meet this need.


Scalability considerations

Scale sets

For the web and business tiers, consider using virtual machine scale sets instead of deploying separate VMs. A scale set makes it easy to deploy and manage a set of identical VMs and auto-scale the VMs based on performance metrics. As the load on the VMs increases, additional VMs are automatically added to the load balancer. Consider scale sets if you need to quickly scale out VMs, or need to auto scale.

There are two basic ways to configure VMs deployed in a scale set:

  • Use extensions to configure the VM after it's deployed. With this approach, new VM instances may take longer to start up than a VM with no extensions.

  • Deploy a managed disk with a custom disk image. This option may be quicker to deploy. However, it requires you to keep the image up-to-date.

Subscription limits

Each Azure subscription has default limits in place, including a maximum number of VMs per region. You can increase the limit by filing a support request.

Application Gateway

Application Gateway supports fixed capacity mode or autoscaling mode. Fixed capacity mode is useful for scenarios with consistent and predictable workloads. Consider using autoscaling mode for workloads with variable traffic


Availability considerations

Availability zones provide the best resiliency within a single region. If you need even higher availability, consider replicating the application across two regions, using Azure Traffic Manager for failover

Health probes

Application Gateway and Load Balancer both use health probes to monitor the availability of VM instances.

  • Application Gateway always uses an HTTP probe.

  • Load Balancer can test either HTTP or TCP. Generally, if a VM runs an HTTP server, use an HTTP probe. Otherwise, use TCP.

Cost considerations

Use the Azure Pricing Calculator to estimate costs. Here are some other considerations.

Virtual machine scale sets

Virtual machine scale sets are available on all Windows VM sizes. You are only charged for the Azure VMs you deploy and any additional underlying infrastructure resources consumed, such as storage and networking. There are no incremental charges for the virtual machine scale sets service.

SQL Server

If you choose Azure SQL dBase, you can save on cost because don't need to configure an Always On Availability Group and domain controller machines. There are several deployment options, starting from a single database up to managed instances or elastic pools.

Load balancers

You are charged only for the number of configured load-balancing and outbound rules. Inbound NAT rules are free. There is no hourly charge for the Standard Load Balancer when no rules are configured.


Security considerations

Virtual networks are a traffic isolation boundary in Azure. By default, VMs in one virtual network can't communicate directly with VMs in a different virtual network. However, you can explicitly connect virtual networks by using virtual network peering.

NSGs

Use network security groups (NSGs) to restrict traffic to and from the internet.

DMZ

Consider adding a network virtual appliance (NVA) to create a DMZ between the Internet and the Azure virtual network. NVA is a generic term for a virtual appliance that can perform network-related tasks, such as firewall, packet inspection, auditing, and custom routing.

Encryption

Encrypt sensitive data at rest and use Azure Key Vault to manage the database encryption keys. Key Vault can store encryption keys in hardware security modules (HSMs).

DDoS protection

The Azure platform provides basic DDoS protection by default. This basic protection is targeted at protecting the Azure infrastructure as a whole. Although basic DDoS protection is automatically enabled, we recommend using the DDoS Protection Standard. Standard protection uses adaptive tuning based on your application's network traffic patterns to detect threats. This allows it to apply mitigations against DDoS attacks that might go unnoticed by the infrastructure-wide DDoS policies. Standard protection also provides alerting, telemetry, and analytics through Azure Monitor.

281 views0 comments

Recent Posts

See All

Comments


bottom of page