Dev.to #architecture · March 16, 2026

Deploying a Three-Tier Book Review App on Azure: Architecture and Network Security

This article details the deployment of a secure, scalable three-tier book review application on Microsoft Azure, focusing on the architectural components and network configuration. It highlights a critical lesson learned regarding Network Security Group (NSG) misconfiguration and the importance of explicit trust definitions in cloud networking for private subnet communication.


Three-Tier Architecture Overview

The article presents a classic three-tier architecture implemented on Azure for a book review application. This layered approach separates concerns, enhancing security, scalability, and maintainability. Each tier operates within specific network configurations, demonstrating a practical application of cloud infrastructure design principles.

  • Frontend (Web Tier): Next.js application served by Nginx on Ubuntu, exposed via a Public Azure Load Balancer within public subnets.
  • Backend (App Tier): Node.js/Express API running on port 3001, deployed in private subnets and accessible only through an Internal Load Balancer.
  • Database (Data Tier): Azure Database for MySQL Flexible Server with zone-redundant high availability and a read replica for read scaling; its network security group (NSG) rules allow inbound traffic on port 3306 only from the App Tier subnets.

Networking and Security Configuration

A custom Azure Virtual Network (VNet) with a /16 address space is segmented into six subnets across two availability zones. The core of the security lies in strict Network Security Groups (NSGs) applied per tier, so that neither the backend nor the database layer is reachable from the public internet. This isolation keeps each component's attack surface limited to the tier directly in front of it.


The NSG Misconfiguration Lesson

A key learning point was a Network Security Group (NSG) misconfiguration in which the App Tier NSG initially blocked inbound traffic from the Web Tier on port 3001. Even with a correctly configured Internal Load Balancer, an explicit NSG allow rule was required to permit this internal communication. NSG rules are evaluated in ascending priority order and the first match wins, so a deny rule with a lower priority number shadows the default intra-VNet allow; trust between private subnets must therefore be stated explicitly rather than assumed.

Addressing the Connectivity Issue

  • Updated App Tier NSG: Added an inbound allow rule with a priority number lower than any deny rule, so that it is evaluated first.
  • Source Restriction: Limited the source to the Web Tier. An NSG rule cannot name another NSG as its source, so the Web Tier is identified by its subnet address ranges (or an application security group); the Internal Load Balancer preserves the client source IP, so the rule must match the Web Tier addresses, not the load balancer frontend.
  • Port Specificity: Opened TCP port 3001 only, for the internal backend API. Health probes from the AzureLoadBalancer service tag must remain allowed on that port too, otherwise the Internal Load Balancer marks the backends unhealthy.
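The following Python script is an added example, not code from the original article or its author. It models how Azure evaluates inbound NSG rules (ascending priority, first match wins, the three built-in default rules last) and replays both the misconfiguration described above and the corrected rule set from the three steps. The address plan, rule names, priorities and the assumed cause of the block (a custom deny-all rule at priority 4096 shadowing the default AllowVnetInBound rule) are hypothetical values chosen to reproduce the lesson; the article does not state them.

```python
"""Model of Azure NSG inbound rule evaluation (added example, not the article's code).

Azure walks an NSG's rules in ascending priority order (100-4096 for custom rules,
65000-65500 for the three built-in defaults) and applies the first rule whose
source, destination port and protocol match the flow; later rules are never
consulted. All address ranges, rule names and priorities below are hypothetical
values chosen to reproduce the App Tier lesson from the article.
"""
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Tuple

# Hypothetical address plan for the /16 VNet (assumption, not from the article).
VNET = ipaddress.ip_network("10.0.0.0/16")
WEB_SUBNETS = ("10.0.1.0/24", "10.0.2.0/24")    # public web subnets, one per zone
APP_SUBNETS = ("10.0.11.0/24", "10.0.12.0/24")  # private app subnets
LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # source of Azure LB health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str              # "Allow" or "Deny"
    source: Tuple[str, ...]  # CIDRs or service tags: VirtualNetwork, AzureLoadBalancer, Internet, *
    dest_port: str           # "3001", "1024-65535" or "*"


# The three default inbound rules present in every NSG.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", ("VirtualNetwork",), "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", ("AzureLoadBalancer",), "*"),
    Rule("DenyAllInBound", 65500, "Deny", ("*",), "*"),
)


def _source_matches(source: Tuple[str, ...], ip: ipaddress.IPv4Address) -> bool:
    for spec in source:
        if spec == "*":
            return True
        if spec == "VirtualNetwork":
            if ip in VNET:
                return True
        elif spec == "AzureLoadBalancer":
            if ip == LB_PROBE_IP:
                return True
        elif spec == "Internet":
            # Simplification: anything outside the VNet other than the probe address.
            if ip not in VNET and ip != LB_PROBE_IP:
                return True
        elif ip in ipaddress.ip_network(spec):
            return True
    return False


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(custom_rules: Sequence[Rule], src_ip: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule for an inbound TCP flow."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(tuple(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(rule.source, ip) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# "Before": a single hardening rule that denies everything. Because 4096 sorts ahead
# of the default AllowVnetInBound (65000), it also cuts the Web Tier off from port
# 3001, even though the internal load balancer in front of the App Tier is correct.
APP_NSG_BEFORE = (Rule("Deny-All-Inbound", 4096, "Deny", ("*",), "*"),)

# "After": explicit allows that sort ahead of the deny. The internal load balancer
# preserves the client source IP, so the source is the Web Tier subnet range, not
# the load balancer frontend. The health-probe allow is needed because the custom
# deny also shadows the default AllowAzureLoadBalancerInBound rule.
APP_NSG_AFTER = (
    Rule("Allow-Web-To-App-3001", 100, "Allow", WEB_SUBNETS, "3001"),
    Rule("Allow-LB-Health-Probe-3001", 110, "Allow", ("AzureLoadBalancer",), "3001"),
    Rule("Deny-All-Inbound", 4096, "Deny", ("*",), "*"),
)

# Common mistake: the allow exists but its priority number is higher than the deny's.
APP_NSG_WRONG_ORDER = (
    Rule("Deny-All-Inbound", 200, "Deny", ("*",), "*"),
    Rule("Allow-Web-To-App-3001", 300, "Allow", WEB_SUBNETS, "3001"),
)

# Data Tier: MySQL reachable only from the App Tier subnets on 3306.
DB_NSG = (
    Rule("Allow-App-To-MySQL-3306", 100, "Allow", APP_SUBNETS, "3306"),
    Rule("Deny-All-Inbound", 4096, "Deny", ("*",), "*"),
)

if __name__ == "__main__":
    web_vm, app_vm, outsider = "10.0.1.10", "10.0.11.20", "203.0.113.5"
    for label, rules, src, port in [
        ("defaults only, web->app:3001", (), web_vm, 3001),
        ("before, web->app:3001", APP_NSG_BEFORE, web_vm, 3001),
        ("after, web->app:3001", APP_NSG_AFTER, web_vm, 3001),
        ("after, probe->app:3001", APP_NSG_AFTER, str(LB_PROBE_IP), 3001),
        ("after, internet->app:3001", APP_NSG_AFTER, outsider, 3001),
        ("wrong order, web->app:3001", APP_NSG_WRONG_ORDER, web_vm, 3001),
        ("db, app->mysql:3306", DB_NSG, app_vm, 3306),
        ("db, web->mysql:3306", DB_NSG, web_vm, 3306),
    ]:
        print(f"{label:32} -> {evaluate(rules, src, port)}")
```

Running it shows that with only the default rules the Web Tier reaches port 3001 through AllowVnetInBound, that a custom deny-all at 4096 is what breaks it, and that the fix is an allow rule for the Web Tier subnets that sorts ahead of the deny, plus a matching allow for the AzureLoadBalancer tag so health probes keep the backend pool healthy. The wrong-order set shows the same allow rule doing nothing when its priority number is higher than the deny's.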

This hands-on experience reinforces the importance of meticulous network security configuration in cloud environments. Understanding how virtual networks, subnets, load balancers, and especially NSGs interact is fundamental to designing robust and secure distributed systems.

Tags: Azure, Networking, Network Security Groups, Three-Tier Architecture, Load Balancing, Node.js, Next.js, MySQL
