3-Tier Architecture for a Lift-and-Shift Migration Strategy
We all know how important it is to ensure our applications are secure when running on a cloud platform. Security in the cloud is a shared responsibility, and Azure gives us an array of security tools with which to build a safe environment. I designed a simple 3-tier (web, application, and data tier) application architecture suited to a lift-and-shift (rehosting) migration strategy, with security as the primary point of focus.
Note: This architecture is also suitable in scenarios that require full control of the compute resources. It further assumes that the current database supports Windows authentication and that this must be retained in the cloud.
Dataflow:
- Users initiate a connection over the internet.
- From the internet, connections pass through an Application Gateway, which directs traffic to the VMs in the web tier's VM scale set.
- From the web tier, traffic is directed to the application tier through an internal load balancer. The application tier sits in a private subnet.
- Application data is stored in SQL Server running on a virtual machine, since it supports Windows authentication.
Security
The following shows how various Azure services are used to provide assurance against deliberate attacks and abuse of the application data.
- Application Gateway: a layer 7 load balancer, which routes traffic to the VMs in the web tier's VM scale set. It also accepts HTTPS requests to the web front end. Its Web Application Firewall (WAF) is enabled to protect the application from web-based attacks such as SQL injection, cross-site scripting, and session hijacking.
- Network Security Groups: restrict traffic between tiers. For instance, the web tier cannot communicate with the data tier, because the data tier's NSG only allows traffic from the application tier subnet and from its own subnet.
- Azure Monitor: provides monitoring and diagnostics for Azure resources. In this architecture it is used to raise alerts on any security-related event found in the logs.
- Key Vault: stores and manages application secrets such as passwords and encryption keys.
- Database firewall: provides additional protection by allowing only traffic from the VMs in the application tier to pass through.
- Private endpoint: the VMs in the web tier and application tier connect over a private endpoint to the file share where the configuration files are stored. A private endpoint exposes the file share on a private IP address inside the VNet rather than on a public one.
- Azure Sentinel: provides threat detection and response. Here it serves as a single solution for attack detection, threat visibility, and threat response.
- DDoS Protection: provides further protection for the resources in our VNet. DDoS Protection Standard is recommended because of its enhanced mitigation features.
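The data-tier NSG rule set described in the list above, written here as an added example rather than as part of the original article: the custom rules are modelled alongside Azure's built-in default rules and evaluated the way an NSG does (lowest priority number wins), which shows why an explicit deny is needed to stop the web tier reaching SQL Server. Subnet ranges, the SQL port and the rule names are assumptions chosen for illustration.

```python
# Added example, not from the original article. Models the data-tier NSG and
# evaluates inbound flows as Azure does: rules sorted by priority, first match
# wins, built-in default rules evaluated last. Address ranges are assumed.
import ipaddress

WEB_SUBNET = "10.0.1.0/24"   # assumed address space for the web tier
APP_SUBNET = "10.0.2.0/24"   # assumed address space for the application tier
DATA_SUBNET = "10.0.3.0/24"  # assumed address space for the data tier
VNET = "10.0.0.0/16"         # assumed VNet range (stands in for the VirtualNetwork tag)

# Custom inbound rules on the NSG attached to the data-tier subnet.
DATA_TIER_RULES = [
    {"name": "Allow-AppTier-SQL", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "source": APP_SUBNET, "dest_port": 1433},
    {"name": "Allow-DataSubnet-Internal", "priority": 110, "access": "Allow",
     "protocol": "*", "source": DATA_SUBNET, "dest_port": "*"},
    # Without this explicit deny, the default AllowVnetInBound rule (65000)
    # would still let the web tier open a direct connection to SQL Server.
    {"name": "Deny-VNet-Inbound", "priority": 4000, "access": "Deny",
     "protocol": "*", "source": VNET, "dest_port": "*"},
]

# Azure's built-in default inbound rules relevant here (they cannot be deleted,
# only overridden by a custom rule with a lower priority number).
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": VNET, "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "0.0.0.0/0", "dest_port": "*"},
]

def _matches(rule, src_ip, dst_port, proto):
    """True if the flow (source IP, destination port, protocol) hits the rule."""
    if rule["protocol"] not in ("*", proto):
        return False
    if rule["dest_port"] not in ("*", dst_port):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["source"])

def evaluate_inbound(rules, src_ip, dst_port, proto="Tcp"):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if _matches(rule, src_ip, dst_port, proto):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

if __name__ == "__main__":
    for src in ("10.0.2.10", "10.0.1.10"):  # an app-tier VM, then a web-tier VM
        print(src, "-> SQL 1433:", evaluate_inbound(DATA_TIER_RULES, src, 1433))
```

Running the block with the deny rule removed from DATA_TIER_RULES shows the web-tier VM being allowed through by AllowVnetInBound, which is the misconfiguration the explicit deny guards against.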