This section discusses the importance of building a 3-tier application and the best practices you can follow. Let’s begin!
The 3-tier application is a cornerstone architecture that provides a general framework to ensure decoupled and independently scalable application components that can be separately developed, managed, and maintained (often by distinct teams).
It generally consists of the following components:
Presentation tier: the component that the user directly interacts with (web page, mobile app UI, etc.)
Logic tier: the code required to translate user actions to application functionality (CRUD database operations, data processing, etc.)
Data tier: the storage media (databases, object stores, caches, file systems, etc.) that hold the data relevant to the application
The image below is the recommended architecture that you can follow.
Access control
Control access to infrastructure using Cloud Identity and Access Management (IAM).
Data protection
Data at rest (e.g. Cloud Storage, Persistent Disk) is encrypted by default on GCP. Alternatively, you can choose to encrypt data with your own key using Cloud Key Management Service (KMS).
Encrypt data in transit with TLS using either self-managed or Google-managed certificates (see the SSL certificates overview).
Enhance data encryption protection with a hardware security module using Cloud HSM.
Application protection
Harden OSes following standards (e.g. CIS through Cloud Marketplace). Adopt antivirus and code scanners for vulnerability detection.
Network protection
Mitigate Distributed Denial of Service (DDoS) with Cloud Armor.
Protect outbound communication with Cloud NAT and Cloud VPN.
Limit exposure
Serve inbound communication through Cloud Load Balancing and Proxies placed in the DMZ (Public/private subnets and cloud firewalls).
Place sensitive components (application, database) in the protected layers (private subnets and cloud firewall rules). Configure firewall rules to allow only the required access.
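As an added example (not part of the original article), the Python script below audits firewall rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` against the tier layout described above. The network tags `web`, `app` and `db`, the ports, and the sample rules are assumptions constructed for illustration.

```python
# Added example: flag ingress allow rules that exceed an assumed 3-tier policy.
PUBLIC = {"0.0.0.0/0", "::/0"}
# Assumed policy: who may reach each tier (by network tag) and on which TCP ports.
POLICY = {
    "web": {"public": True,  "from_tags": set(),   "ports": {"443"}},
    "app": {"public": False, "from_tags": {"web"}, "ports": {"8080"}},
    "db":  {"public": False, "from_tags": {"app"}, "ports": {"5432"}},
}

def audit(rules):
    """Return sorted (rule name, tier, problem) tuples for rules broader than POLICY."""
    findings = set()
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled") or not rule.get("allowed"):
            continue
        # A rule without targetTags applies to every instance, so check it against all tiers.
        tiers = rule.get("targetTags") or list(POLICY)
        for tier in tiers:
            policy = POLICY.get(tier)
            if policy is None:
                continue
            if not policy["public"] and PUBLIC & set(rule.get("sourceRanges", [])):
                findings.add((rule["name"], tier, "open to the internet"))
            if set(rule.get("sourceTags", [])) - policy["from_tags"]:
                findings.add((rule["name"], tier, "unexpected source tag"))
            for allow in rule["allowed"]:
                ports = set(allow.get("ports", []))
                # A missing "ports" list means every port of that protocol is allowed.
                if not ports or ports - policy["ports"]:
                    findings.add((rule["name"], tier, "ports beyond policy"))
    return sorted(findings)

# Constructed sample rules: three that match the policy, two that do not.
SAMPLE_RULES = [
    {"name": "allow-https-web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["web"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-web-to-app", "direction": "INGRESS", "sourceTags": ["web"],
     "targetTags": ["app"], "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "allow-app-to-db", "direction": "INGRESS", "sourceTags": ["app"],
     "targetTags": ["db"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "debug-db-access", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["db"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "sourceTags": ["web"],
     "allowed": [{"IPProtocol": "tcp"}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(*finding, sep=" | ")
```

Port ranges such as `8000-9000` are reported as beyond policy because they are compared as literal strings, which keeps the check conservative.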
Logging and auditing
Collect and analyze logs using Cloud Monitoring. Collect and analyze audit records using Cloud Audit Logs.
Compliance
Maintain compliant state of the infrastructure using Security Command Center. Configure notifications to be triggered when the desired state changes.
Fault tolerance and Disaster recovery
Maintain business continuity with a multi-zone setup and autoscaling to recover from faults or disaster events.
Security Information Event Management
Set up security information and event management to have real-time analysis and alerts in case of security risks. Define runbooks and conduct gamedays to maintain resiliency. You can leverage IDS and IPS for this.