Segmenting Your Application Tiers for Security and Scalability
When hosting an application, two of the most critical aspects to consider for any system administrator are the security and scalability of their application. By segmenting your logical application tiers into physical infrastructure tiers you are able to provide greater security through the use of ACLs. In addition, a multi-tiered environment will allow for ease of scalability when compared to vertical or single host architectures.
Securing your Environment
When segmenting your application tiers, one of the most critical components to take into consideration is what traffic you allow into each tier and from where. To determine this, you will need to think about how your application fundamentally works and what services rely on each other to provide the end user with their requested content. For example with a two tiered application that relies on a web front and database back end, you would need to ensure that port 80 and 443 (if using SSL) are open to the internet on your web servers. Other than those two ports, you would probably want to lock all ports down to the internet and manage your server over VPN utilizing the SoftLayer private network. In this scenario, you would probably want to unbind the public IP address on your database server, and pass all traffic to it across port 1433 (for MSSQL) or 3306 (for MySQL) from your web server. Your database server could be managed over the private network just like your web server, and you could setup a software firewall on the database server to lock down all traffic from the web server to the specific database ports.
By setting up your environment as described above, you will increase security by keeping people from accessing SSH or RDP from the internet and disabling all internet traffic to your database. Creating ACL’s between your web layer and database layer will make it more difficult to compromise your database in the event that your web server gets compromised.
Scaling your Environment
By setting up a multi-tiered environment, you also make scaling out your application easier by allowing scaling for the services that need additional resources. For instance, in the scenario above, if your web server is being over taxed, you can simply deploy another web server, replicate site or application data, and setup load balancing or round robin DNS to give you two web servers to split your web load. Round robin DNS or load balancing will introduce a level of high availability to your environment as well by enabling you to have multiple web servers to respond to incoming requests. In the event that a single server goes down, you will have another node available to handle end user requests.
The scaling out approach is something you can also look at from a database perspective if needed. For instance, with a MySQL database, one option is to setup another physical server and use it as a ‘slave’ in a MySQL Master/Slave replication setup. This would allow you to segment all your database writes to the ‘master’ and all reads to one or more ‘slaves’, and thus scale the database out to support more load. This type of setup will also add a level of high availability by enabling you change the status of a ‘slave’ to ‘master’ and route both read and write traffic to it in the event that your MySQL ‘master’ node goes down.
The ideas above are just a few of many ways to secure and scale your environment. If you have any questions or concerns related to the best way to architect your environment from a security or scalability perspective, SoftLayer has a Sales Engineering team that can certainly help.