Real World (Demo) of Azure Reference Architectures

It has been a while since I wrote my last blog post, and this is my first since I transitioned my role as Azure Application Architect to GDT. There is a good reason for it and, I think, the wait was well worth it! I was heavily absorbed in rebuilding my demo applications to align with Azure Reference Architectures and best practices! As an architect, you must have proof in your hands to back up your claims and be prepared to show what’s inside the box! That’s exactly what I was doing: preparing for the demos!

Live Demo: https://angular5-gdtdemo.azurewebsites.net

Today, I am going to demonstrate a solution that follows the Azure Reference Architectures (App Service Web Application, N-Tier Application and Azure Container Instance), all of them with SQL Server as the back-end data store. I have not come across any company that produces error-free code in the first release! So, we have to be prepared to monitor and debug applications in production with APM products. Rather than creating application components for each individual architecture, I have combined them to work together, but they can be separated to work independently. A picture is worth 1000 words, so let’s look at the architecture diagram!

Figure 1: Azure Reference Architecture Diagram (Customized and Simplified)

App Service Web Application Solution Components

  • Angular 5 (user interface, HTTPS)
  • ASP.NET MVC and Entity Framework with full dotnet framework (API)
  • API Gateway (HTTPS only) to expose real API
  • SQL Server as Service (PaaS)
  • AppDynamics for APM

Figure 2: Azure App Service Web Application Reference Architecture

N-Tier Application Solution Components

  • Angular 5 (user interface, HTTPS)
  • ASP.NET MVC and Entity Framework with full dotnet framework (API)
  • API Gateway (HTTPS only) to expose real API from VM in private vNET
  • SQL Server on Virtual Machine (IaaS)
  • AppDynamics for APM

Figure 3: Azure N-tier Reference Architecture with vNET and VMs

Azure Container Instance Solution Components

  • Angular 5 (user interface, HTTPS)
  • ASP.NET MVC and Entity Framework with full dotnet framework (API)
  • API Gateway (HTTPS only) to expose real API
  • SQL Server as Service (PaaS)
  • AppDynamics for APM

Figure 4: Azure Container Instance Reference Architecture with App Service

You can visit the Azure Architecture Center for architectures and design patterns. There is no one size that fits all organizations! You have to discover the application and infrastructure stack dependencies to know the current state, look for opportunities and target solutions, and draw up the migration plan. Wouldn’t it be nice to review some kind of architecture framework like TOGAF 9.2? I don’t want to say follow every step of it! Not to divert attention from Azure Cloud, but you can read about TOGAF here.

Figure 5: TOGAF 9.2 Architecture Framework

Okay, you have too many choices to build your target solution! So, which architecture do you pick? The answer is: it depends, and you have to customize the architecture to fit your environment. Not sure which option is right for you: Azure App Service, Virtual Machines or Windows Containers? Migrate to the Cloud can help you find the right mix.

Figure 6: Migrate to the Cloud

Application Security

Security is important to every organization because organizations are required to comply with regulations. If your system is compromised, you can end up with monetary loss and reputational loss, and you are likely to be investigated by the watchdogs! You should focus on end-to-end security (not just point-to-point security). Security certificates are not too expensive, and you should always secure the transport layer (HTTPS with TLS 1.2). The API or business tier must implement claim-based authentication and authorization, and users/clients are not allowed to access protected resources. There are many choices for securing APIs, but here is how this demo solution is being protected from unauthorized access:

  • Angular5 (User Interface) is browser-based and it is not trusted. So, we have to secure the API at the server side.
  • API Gateway: Stop unauthorized callers at the gateway and don’t allow them to engage your underlying resources. Microsoft provides easy-to-use API keys, but they really do not help much for an Angular5 application because you can’t hide the secret! We are using a JWT bearer token to protect the non-public APIs. You can configure API policies to validate the JWT token in the Azure Portal (this function is no longer available in the Publisher Portal as of the end of May 2018). To keep things simple, we are using a symmetric key to validate the signature, but it’s easy to implement the PKI (certificate-based) alternative. Also, we had to configure CORS to allow cross-domain calls by the browser.
  • ASP.NET API: The client must pass the JWT bearer token in the Authorization header. We are using the same symmetric key to validate the signature. Apart from that, the API hosted on the VM in the private vNET is not accessible from outside. Validation is done with a custom JWT handler in code.
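
An inbound API Management policy along the lines of the gateway bullet above, as an added example (this is not the demo's actual policy). The issuer and audience values, the allowed methods and headers, and the named value `jwt-signing-key` are assumptions; the origin is the demo URL given at the top of the post.

```xml
<!-- Added example: inbound policy for the non-public APIs. Issuer, audience,
     methods, headers and the named value "jwt-signing-key" are assumptions. -->
<policies>
  <inbound>
    <base />
    <!-- CORS goes first so the browser's preflight OPTIONS request, which
         carries no Authorization header, is answered before JWT validation. -->
    <cors allow-credentials="false">
      <allowed-origins>
        <!-- List the Angular origin explicitly; "*" would let any site call the API. -->
        <origin>https://angular5-gdtdemo.azurewebsites.net</origin>
      </allowed-origins>
      <allowed-methods preflight-result-max-age="300">
        <method>GET</method>
        <method>POST</method>
      </allowed-methods>
      <allowed-headers>
        <header>authorization</header>
        <header>content-type</header>
      </allowed-headers>
    </cors>
    <!-- Reject the call at the gateway unless the bearer token is signed with
         the shared key, carries an expiry, and names the expected issuer and audience. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <issuer-signing-keys>
        <!-- Base64-encoded symmetric key, referenced through a secret named
             value (property) rather than pasted into the policy text. -->
        <key>{{jwt-signing-key}}</key>
      </issuer-signing-keys>
      <audiences>
        <audience>https://api.example.invalid</audience>
      </audiences>
      <issuers>
        <issuer>https://issuer.example.invalid</issuer>
      </issuers>
    </validate-jwt>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```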

Figure 7: Unlimited Product Policy at API Gateway

Application Performance Monitoring (APM)

Our solution would be incomplete unless we monitor the performance of the distributed applications. There are many tools in the market, but we are opting for AppDynamics because of its roadmap to support Azure resources, including Azure Containers. Among other APM success criteria, we want to:

  • Identify and solve the production and non-production issues as they occur or before too many users are impacted.
  • Provide end-to-end visibility of events/transactions within applications and correlate them for effective diagnosis.
  • Have a dashboard that shows the health of the enterprise and can be drilled down into details by process or application.

I visited the demo applications from three (3) different browsers on two different devices. At this moment, AppDynamics is not hooked up with Container but it is coming. AppDynamics is integrated with Angular (User Experience) and with API (back-end ASP.NET). Let’s see what AppDynamics discovered!

Sessions from Real-time User Experience

Pages and AJAX Calls from Angular

API Dashboard

API Transaction Snapshots

API- Transaction Snapshots from Docker Container

Error at API- Single Record of Truth!

 

Conclusion

Selection of architecture is very important. You don’t want to make a big mistake when building the foundation! Again, there is no one size fits all! You have to strike a balance and customize the architecture to satisfy your requirements while looking for opportunities to improve. Thank you for reading the post, and let me take this opportunity to do a little bit of selling! GDT can help you with Discovery, Migration Planning, Implementation and Managed Services (Monitoring Cloud Resources and Applications). Contact GDT’s Cloud Experts at cloudteam@gdt.com. They would love to hear from you.

 

 

 

 

 
