With this project we will deploy with 3-tier web application composed of a Frond-end, Backend and Database infrastructure.
The enduser will access the Frontend of the application via an application gateway with WAF. For application availability the frontend servers are configured in an auto-scaling group accross 2 Availabilty zone. WAF policies will be configured to inspect all incoming traffic to the application to detect and block any malicious traffic toward the application.
The Backend servers will be in a dedicated subnet with Network security group configured to allow only the Front end to interact with the backend server on specific ports. For application high-availabily the backend servers are hosted behind a Azure load balancer with auto-scaling configured accross 2 Availability zones.
The application data will be stored on a Posgrel database configured accross 2 availability zone in a primary-standby design with synchronous replication. For security purposes we use VNET integration feature to host the PAAS postgrel database on the application VNET avoiding the need to traverse internet for database connectivity.
Azure storage container will be used to host multimedia files used by the application. The azure storage container will only be available from the Frontend subnet and prvate link will be used to interconnect the storage account and the Frontend subnet.
Private DNS zone will be used to connect to PAAS services privately without going through the internet. A private DNS zone will be configured for accessing the Postgrel database through it's private IP and another zone will be configured for accessing Azure storage container blob.
A managed identity will be used to allow the Front-end VM to be able to connect to Azure storage account.
Azure Bastion will be used to allow administrators to be able to connect securely to Azure VM without the need to exposed VM ports on the Internet.
Azure Firewall will be deployed in each Availability zone to filter outbound traffic towards the internet.