the scenario
I recently completed an IaaS to PaaS cloud migration. This was from a cloud provider outside of the big three (i.e. Azure, AWS, GCP) to Azure. Some of the requirements for this migration were as follows:
- Production App Services are to be Isolated
- Non-Production App Services are to be separate from Production
- Documents submitted to the application must be stored as Blobs that support metadata
- All docs submitted must be scanned
the solution
My design took the following approach:
- Isolating the Production Apps inside an App Service Environment
- Non-Production Apps would be deployed outside of the App Service Environment, but would have elevated security by enabling the ‘Require Incoming Certificate’ feature
- The App Services would be exposed via Barracuda CloudGen WAF (a number of alternative solutions were considered – I might write a blog article on this particular decision at some point in the future)
- The Barracuda CloudGen WAF would be used to scan documents as they were being uploaded – it uses ClamAV
- The Barracuda CloudGen WAF would be used to send a client certificate in order to bind with the Non-Production App Services where ‘Require Incoming Certificate’ was enabled – this would mean that requests sent directly to the non-Isolated apps, bypassing the WAF, would be dropped
the architecture
how it was deployed
The solution was defined via Azure Resource Manager templates and deployed via Azure DevOps. This includes the following:
- Barracuda CloudGen WAF – scalable via Virtual Machine ScaleSets (VMSS) – this allows for autoscaling on schedule and to meet increase in demand for resources as the customer footprint on Azure expands
- Azure SQL Database – Geo-Replication and Failover Group – highly available endpoints for APIs and a secondary read-only endpoint for reporting
- Automated compilation of DB connection string assigned to ApiApp on deployment
- Automated creation of Database Login and User Account in the pipeline, accounting for the same User SID on Primary and Secondary instances, to ensure seamless failover of APIs on the Primary endpoint (look out for a future blog on how I did this)
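The same-SID technique in the last bullet can be expressed in plain T-SQL. The following is an added example, not the author's pipeline code, and it assumes a login named `api_login`, a user named `api_user`, a database `AppDb`, and that the SID placeholder in step 2 is replaced with the value returned by the query in step 1.

```sql
-- Added example, not the author's pipeline code. Assumed names: api_login, api_user, AppDb.
-- A database user is tied to its login by SID, not by name. Geo-replication copies
-- the user (and its SID) into the secondary database, but logins live in each
-- server's master database and are NOT replicated. If the secondary's login is
-- created with a freshly generated SID, the replicated user is orphaned after failover
-- and the API's connection string stops working on the new primary.

-- 1) PRIMARY server, connected to master: create the login and read back its SID.
CREATE LOGIN api_login WITH PASSWORD = '<strong-password-from-key-vault>';
SELECT name, sid FROM sys.sql_logins WHERE name = 'api_login';
-- Copy the returned sid value exactly; it is needed in step 2.

-- 2) SECONDARY server, connected to master: create the login with the SAME SID.
--    Using the same password keeps one connection string valid on either endpoint.
CREATE LOGIN api_login
    WITH PASSWORD = '<strong-password-from-key-vault>',
         SID = 0x<SID_COPIED_FROM_PRIMARY>;  -- placeholder: paste the sid from step 1

-- 3) PRIMARY server, connected to AppDb: create the user for the login and grant
--    only the roles the API needs. The user and its SID replicate to the secondary.
CREATE USER api_user FOR LOGIN api_login;
ALTER ROLE db_datareader ADD MEMBER api_user;
ALTER ROLE db_datawriter ADD MEMBER api_user;

-- 4) Verification on the SECONDARY server. The two sid values must be identical;
--    a mismatch means the user would be orphaned on failover.
--    Run in AppDb (read-only endpoint):
SELECT name, sid FROM sys.database_principals WHERE name = 'api_user';
--    Run in master:
SELECT name, sid FROM sys.sql_logins WHERE name = 'api_login';
```

In a pipeline, step 1's query result can be captured and fed into step 2 so the SID is never typed by hand.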