Azure Networking Best Practices: 3-tier Application

Deploying a 3-tier application in Azure involves following networking best practices to ensure scalability, security, and performance. Here’s a detailed guide:

Overview of 3-Tier Architecture

  • Tier 1: Frontend (Presentation Layer):

    • Hosted on Azure App Service, Virtual Machines, or Containers.

    • Exposed to users via a Load Balancer or Azure Front Door.

  • Tier 2: Backend (Application Layer):

    • Hosted on Azure Virtual Machines, AKS, or App Service.

    • Handles business logic.

  • Tier 3: Database (Data Layer):

    • Azure SQL Database, Azure Cosmos DB, or another managed database service (for example Azure Database for PostgreSQL).

    • Stores and retrieves data securely.


Networking Best Practices

1. Isolate Each Tier Using Subnets

  • Purpose: Isolates workloads for better security and traffic control.

  • Create an Azure Virtual Network (VNet) with three subnets:

    1. Frontend Subnet: For the presentation layer (e.g., web servers or app gateways).

    2. Backend Subnet: For the application logic layer.

    3. Database Subnet: For the private endpoints of Azure SQL Database or other PaaS data services (managed databases are not deployed into a subnet themselves; only their private endpoint NICs are), or for database VMs if the data tier is self-managed.

Example:

    VNet Address Space: 10.0.0.0/16
    Frontend Subnet: 10.0.1.0/24
    Backend Subnet: 10.0.2.0/24
    Database Subnet: 10.0.3.0/24

2. Use Network Security Groups (NSGs)

  • Purpose: Enforce access control at the subnet or VM level.

  • Configure NSGs with the least privilege principle:

    • Frontend Subnet: Allow inbound HTTPS (443) from the Internet; accept port 80 only if the gateway redirects it to 443. If Application Gateway v2 is deployed in this subnet, also allow TCP 65200-65535 from the GatewayManager service tag, which the platform requires for its control plane.

    • Backend Subnet: Allow the application port only from the frontend subnet's prefix, plus health probes from the AzureLoadBalancer service tag.

    • Database Subnet: Allow the database port (1433 for Azure SQL) only from the backend subnet's prefix.

    • Caveat: the default AllowVnetInBound rule (priority 65000) permits all traffic inside the VNet, so "allow from the backend subnet" restricts nothing on its own. Add an explicit Deny rule for the VirtualNetwork source at a lower priority number (for example 4000) in the backend and database NSGs, and confirm with Network Watcher IP flow verify that a frontend host cannot reach the database port directly.
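As an added example (not code from the original article), the following Bicep template builds the address plan from section 1 and the NSGs from section 2, including the explicit VirtualNetwork deny that the default rules otherwise leave open. Resource names, the application port 8080, the optional GatewayManager rule and the API versions are assumptions; adjust them for your environment.

```bicep
// Added example, not code from the original article. Builds the VNet/subnets from
// section 1 and least-privilege NSGs from section 2. Names, the app port (8080)
// and the address plan are assumptions for illustration.
param location string = resourceGroup().location

var frontendPrefix = '10.0.1.0/24'
var backendPrefix = '10.0.2.0/24'
var databasePrefix = '10.0.3.0/24'

// Frontend: HTTPS only from the Internet. The GatewayManager rule is required
// when Application Gateway v2 is deployed in this subnet; omit it for plain web VMs.
// No explicit deny here: the default DenyAllInBound (65500) blocks other Internet traffic.
resource nsgFrontend 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-frontend'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowHttpsInbound', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: frontendPrefix, destinationPortRange: '443' } }
      { name: 'AllowGatewayManager', properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'GatewayManager', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '65200-65535' } }
    ]
  }
}

// Backend: app port from the frontend subnet only, plus ILB health probes. The
// DenyVnetInbound rule (4000) overrides the default AllowVnetInBound (65000); without
// it a compromised frontend host could reach any backend port directly. The probe
// allow is needed because the explicit deny also precedes the default rule 65001.
resource nsgBackend 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-backend'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowAppFromFrontend', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: frontendPrefix, sourcePortRange: '*', destinationAddressPrefix: backendPrefix, destinationPortRange: '8080' } }
      { name: 'AllowLoadBalancerProbes', properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: '*', sourceAddressPrefix: 'AzureLoadBalancer', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
      { name: 'DenyVnetInbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

// Database: SQL port from the backend subnet only; everything else in the VNet denied.
resource nsgDatabase 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-database'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowSqlFromBackend', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: backendPrefix, sourcePortRange: '*', destinationAddressPrefix: databasePrefix, destinationPortRange: '1433' } }
      { name: 'DenyVnetInbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-3tier'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'snet-frontend', properties: { addressPrefix: frontendPrefix, networkSecurityGroup: { id: nsgFrontend.id } } }
      { name: 'snet-backend', properties: { addressPrefix: backendPrefix, networkSecurityGroup: { id: nsgBackend.id } } }
      // Private endpoints ignore NSGs unless network policies are enabled on their subnet.
      { name: 'snet-database', properties: { addressPrefix: databasePrefix, networkSecurityGroup: { id: nsgDatabase.id }, privateEndpointNetworkPolicies: 'Enabled' } }
    ]
  }
}
```

Deploy with `az deployment group create -g <resource-group> -f network.bicep`, then run `az network watcher test-ip-flow` from a frontend VM against a database-subnet address on port 1433: the expected result is Deny, matched by the DenyVnetInbound rule rather than the default AllowVnetInBound.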

3. Deploy an Azure Load Balancer

  • Frontend:

    • Use an Application Gateway for HTTP(S) traffic with features like path-based routing and Web Application Firewall (WAF).

    • For global scalability, use Azure Front Door.

  • Backend:

    • Use an Internal Load Balancer (ILB) with a private frontend IP in the backend subnet, so the frontend tier reaches the application VMs through one stable private address and never needs to address them individually.

4. Use Private Endpoints for Database Access

  • Purpose: Prevent direct exposure of the database to the internet.

  • Create a Private Endpoint for the database in the database subnet: it gives the database a private IP from that subnet, which the backend tier reaches over the VNet. Then set the database server's public network access to Disabled, and link the matching privatelink DNS zone (privatelink.database.windows.net for Azure SQL) to the VNet so the server's FQDN resolves to the private IP instead of the public one.
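The following Bicep template is an added example, not code from the original article: it puts an Azure SQL logical server behind a Private Endpoint in the database subnet, disables the server's public access, and wires up the privatelink DNS zone so name resolution inside the VNet returns the private address. The VNet and subnet names, the database SKU and the API versions are assumptions.

```bicep
// Added example, not code from the original article: Azure SQL reachable only
// through a Private Endpoint in the database subnet, with public access disabled
// and the privatelink DNS zone linked to the VNet. Names and SKU are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-3tier'
param databaseSubnetName string = 'snet-database'
param sqlAdminLogin string
@secure()
param sqlAdminPassword string

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

resource dbSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: databaseSubnetName
}

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'sql-3tier-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    administratorLogin: sqlAdminLogin
    administratorLoginPassword: sqlAdminPassword
    minimalTlsVersion: '1.2'
    // The private endpoint becomes the only way in; server-level firewall rules
    // no longer matter for Internet clients.
    publicNetworkAccess: 'Disabled'
  }
}

resource sqlDb 'Microsoft.Sql/servers/databases@2021-11-01' = {
  parent: sqlServer
  name: 'appdb'
  location: location
  sku: { name: 'S0', tier: 'Standard' }
}

// Private endpoint: a NIC in the database subnet with a 10.0.3.x address that
// fronts the logical server's 'sqlServer' sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-sql'
  location: location
  properties: {
    subnet: { id: dbSubnet.id }
    privateLinkServiceConnections: [
      { name: 'sql', properties: { privateLinkServiceId: sqlServer.id, groupIds: [ 'sqlServer' ] } }
    ]
  }
}

// Without this zone, <server>.database.windows.net still resolves to the public
// address, and clients fail once public access is disabled.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink${environment().suffixes.sqlServerHostname}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

// Writes the A record for the endpoint's private IP into the zone automatically.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'sql', properties: { privateDnsZoneId: dnsZone.id } }
    ]
  }
}

output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
```

Two checks after deployment: from a backend VM, resolving the output FQDN must return a 10.0.3.x address (a public address means the DNS zone link is missing), and `az sql server show -g <resource-group> -n <server> --query publicNetworkAccess` must return "Disabled".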

5. Configure Route Tables

  • Purpose: Control traffic flow between subnets.

  • Use custom route tables to:

    • Azure's system routes already connect the three subnets, so custom routes are not needed for tier-to-tier reachability. Use them to force inter-tier traffic through an inspection point: a route for the next tier's prefix with next hop type VirtualAppliance and the firewall's private IP, applied on both subnets so that both directions of a flow pass the stateful firewall.

    • Route Internet-bound traffic (0.0.0.0/0) through an Azure Firewall or, when only source NAT is needed, out through a NAT Gateway attached to the subnet.

6. Secure Ingress and Egress Traffic

  • Use Azure Firewall or a Network Virtual Appliance (NVA) for centralized traffic inspection.

  • For outbound internet traffic:

    • Use a NAT Gateway attached to the subnet for source NAT (SNAT); it removes the need for public IPs on the VMs and avoids SNAT port exhaustion on the load balancer.

    • Restrict traffic to specific destinations with Azure Firewall application rules (FQDN allow-lists) and network rules, keeping deny-by-default for everything unmatched. A user-defined route that sends 0.0.0.0/0 to the firewall takes precedence over a NAT Gateway on the same subnet, so decide per subnet which egress path applies.
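As an added example covering sections 5 and 6 (not code from the original article), the Bicep below defines route tables that send the backend subnet's Internet-bound and database-bound traffic through Azure Firewall, a mirror route on the database subnet so return traffic takes the same path, and a firewall policy that allows only the two named flows. The firewall's private IP (first usable address of an assumed AzureFirewallSubnet 10.0.4.0/26), the prefixes, the allowed FQDN and the API versions are assumptions, and the database route assumes a VM-hosted data tier; a private endpoint's /32 system route is only overridden by a broader UDR when network policies are enabled on the endpoint's subnet.

```bicep
// Added example, not code from the original article: route tables that force
// backend traffic through Azure Firewall, and a policy that allows only the named
// flows. The firewall IP, prefixes and allowed FQDN are assumptions.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.4.4'   // assumed: first usable IP in AzureFirewallSubnet 10.0.4.0/26

var backendPrefix = '10.0.2.0/24'
var databasePrefix = '10.0.3.0/24'

// Attach to the backend subnet via its routeTable property. System routes would
// otherwise deliver both destinations directly and bypass inspection.
// disableBgpRoutePropagation keeps VPN/ExpressRoute-learned routes from overriding these.
resource rtBackend 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-backend'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      { name: 'internet-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
      { name: 'database-via-firewall', properties: { addressPrefix: databasePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

// Mirror route for the database subnet: without it, replies from the database tier
// reach the backend directly, the stateful firewall sees only one direction, and
// the flow is dropped.
resource rtDatabase 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-database'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      { name: 'backend-via-firewall', properties: { addressPrefix: backendPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'fwpol-3tier'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'   // drop traffic to/from known-malicious IPs and domains
  }
}

// Deny is implicit: anything not matched by these collections is dropped and logged.
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: fwPolicy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'backend-to-database'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'NetworkRule', name: 'sql', ipProtocols: [ 'TCP' ], sourceAddresses: [ backendPrefix ], destinationAddresses: [ databasePrefix ], destinationPorts: [ '1433' ] }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'backend-egress'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          // FQDN allow-list for package updates; every other Internet destination is denied.
          { ruleType: 'ApplicationRule', name: 'os-updates', sourceAddresses: [ backendPrefix ], protocols: [ { protocolType: 'Https', port: 443 } ], targetFqdns: [ 'packages.microsoft.com' ] }
        ]
      }
    ]
  }
}
```

Verify the path with `az network watcher show-next-hop` from a backend VM towards a database-subnet address: the next hop type should be VirtualAppliance with the firewall's IP. Then confirm in the firewall's AZFWNetworkRule and AZFWApplicationRule logs that a connection to an FQDN outside the allow-list is denied while the update host is allowed.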

7. Enable DDoS Protection

  • Enable Azure DDoS Network Protection (formerly DDoS Protection Standard) on the VNet to safeguard the public IPs of the gateway and firewall against Distributed Denial of Service attacks; Azure Front Door's edge already carries platform-level DDoS protection.

8. Implement Identity-Based Access

  • Use Managed Identities so the application tier authenticates to the database and Key Vault through Microsoft Entra ID without storing connection-string secrets; for Azure SQL, create a database user for the identity and consider Entra-only authentication so SQL logins cannot be used at all.

  • Store the secrets that remain (third-party API keys, certificates) in Azure Key Vault, expose it through a private endpoint as well, and grant access with Azure RBAC scoped to the application identity.

9. Monitor and Log Network Traffic

  • Enable Azure Network Watcher for network monitoring.

  • Enable VNet flow logs (the successor to NSG flow logs, which Microsoft is retiring) and send them to a Log Analytics workspace; turn on Traffic Analytics to aggregate flows per tier and surface denied connections between subnets.

  • Set up alerts for unusual traffic patterns.

10. Use Redundancy and High Availability

  • Deploy resources across Availability Zones or Availability Sets to ensure high availability.

  • Use Geo-Replication for databases like Azure SQL Database for disaster recovery.


Example Deployment

Application Architecture

  1. Frontend Layer:

    • Hosted on Azure App Service and fronted by Azure Front Door. App Service is a PaaS endpoint with no subnet NSG of its own, so use App Service access restrictions instead: allow only the AzureFrontDoor.Backend service tag and validate the X-Azure-FDID header against your Front Door profile ID, so requests cannot bypass the edge by hitting the app's default hostname directly.

    • Regional VNet integration (a delegated subnet) carries the app's outbound calls to the backend tier inside the VNet.

  2. Backend Layer:

    • Hosted on Virtual Machines behind an Internal Load Balancer.

    • NSG restricts inbound traffic to the backend subnet only from the frontend subnet.

  3. Database Layer:

    • Azure SQL Database accessed through a Private Endpoint.

    • NSG allows inbound traffic only from the backend subnet.


Diagram

Internet
   |
[Azure Front Door / App Gateway] - Public IP
   |
[Frontend Subnet]
   |
[Internal Load Balancer]
   |
[Backend Subnet]
   |
[Database Subnet: Private Endpoint -> Azure SQL Database / Cosmos DB]

Best Practices Checklist

  • Use VNet Subnets to isolate tiers.

  • Apply NSGs to enforce traffic control.

  • Secure database access using Private Link.

  • Inspect traffic with Azure Firewall or a third-party NVA.

  • Enable DDoS Protection for public-facing resources.

  • Use Monitoring and Alerts for proactive traffic management.

Read the Microsoft Guide here