RFP 17PSX0222 Page 1 of 15
State of Connecticut Department of Administrative Services
Bureau of Enterprise Systems and Technology Enterprise Architecture
Platform and Application Hosting Application Architecture Patterns
Pattern Name: Application Hosting Architectures
Version Date: 03/20/2015 Version: 1.00
ABOUT DAS/BEST SERVICES
The Enterprise Services offered by the Department of Administrative Services’ (DAS) Bureau of
Enterprise Systems and Technology (DAS/BEST) are designed to provide Executive Branch agencies with
access to high quality and cost-effective technology services.
CONFIDENTIALITY AND DISCLOSURE NOTICE
Information in this document is unrestricted.
AUDIENCE
The audience for this document includes agency Information Technology (IT) Managers, Supervisors and
Subject Matter Experts who may be responsible for IT planning and/or the design and development of
software applications intended to be deployed in the State Data Center. This document’s audience also
includes contractors or vendors doing business with the state that includes the design and development
of software applications on behalf of the state and which are intended for deployment at the state data
center.
PURPOSE OF THIS DOCUMENT
This document was designed and developed by the Department of Administrative Services’ Bureau of
Enterprise Systems and Technology (DAS/BEST) to provide state agencies with information on the
preferred application architecture patterns used to host software applications at the state data center.
The information provided herein should be considered best practices with respect to the use of
information technology in the state.
Should you have any questions or comments regarding this planning template, or desire to check to see
if a more current version is available, please contact the DAS/BEST Enterprise Architecture by dialing
(860) 622-2300, option 9 or by electronic mail at [email protected].
DOCUMENT TEMPLATE HISTORY
Version Date Published By Version Notes
1.00 03/20/2015 Enterprise Architecture Initial Publication
Table of Contents
I. Why Patterns Matter 2
II. Overview of our Application Hosting Network Layers 3
III. Overview of Tiered Application Architectures 4
IV. DAS/BEST Basic Application Architecture Patterns 5
V. Platform Instances 6
A. Virtual Platform Instances 6
B. Physical Platform Instances 6
C. Standard Operating System Options 6
D. Storage Solutions 7
E. Application Software Options 7
F. Platform Monitoring, Recovery and Support Tools 8
G. Application Security Options 8
H. Application Delivery Services (F5) 9
VI. DAS/BEST Enterprise Services 10
VII. Conditions of Use 11
VIII. Enterprise Patterns – Two Tier Applications (Internal/External) 12
IX. Enterprise Patterns – Three Tier Applications (Internal/External) 13
I. Why Patterns Matter
A pattern is any type of theme related to a recurring event or object. We encounter and rely on
patterns in everyday life. Patterns make it possible to repeatedly produce goods or services that are
cost-effective and consistently high in quality. A few examples of patterns are:
A cookie cutter that’s used to create Gingerbread Men cookies,
A dressmaker’s pattern used to reproduce a certain style of dress,
A documented procedure that guarantees a consistent outcome,
A reusable approach used to solve a common software design challenge, and
An architectural blueprint that ensures consistency in complex systems.
The use of DAS/BEST patterns can offer your organization a number of benefits. Some key
benefits of the use of patterns are:
They are pre-approved by DAS/BEST technology staff,
They rely on mature and proven designs, which help your agency minimize the risk of a new
application implementation,
Use of our patterns will help your agency save time during application architecture design,
They can be used by your vendors to better understand the state’s hosting environments, and
They are environments that DAS/BEST can implement much more quickly than a custom or non-
standard architecture.
To help our customer agencies make a more informed decision about the types of application
hosting environments available in the State Data Center, DAS/BEST has created a series of
Application Hosting Patterns, designed to help guide agencies and/or vendors in the
development of application architecture designs. Your use of patterns will reduce the cost,
risk and time it takes to implement a custom solution. Therefore, agencies should consider
these patterns as best practices and are encouraged to adopt the use of patterns during
application design.
II. Overview of our Application Hosting Network Layers
Application architectures are implemented in the context of, and under the protection provided
by the layering of networks that help insulate the state from harmful or unauthorized traffic. The State
Data Center has different Network Layers depending on the security needs of your application.
As illustrated in Figure II.1 below, there are four basic network layers that provide “defense in
depth” for your agency’s application. Traffic cannot get to your application unless it’s authorized to do
so. This networking infrastructure is provided by DAS/BEST Network Services as part of the state data
center’s platform and application hosting service delivery infrastructure.
FIGURE II.1 – Application Hosting Network Layers
Traffic coming from the Internet is considered untrusted and “dirty,” and is screened before it’s
allowed to continue. This “clean traffic” then passes through a layer of security that protects the
enterprise, where it’s then considered “authorized traffic.” Your agency’s intra-state network traffic lives
in this network segment. Finally, there are several “application network segments” that provide an
additional layer of security for your application.
Figure II.1 labels: The Internet; Application Network Segment (Internet); Application Network Segment
(Intranet); traffic flow: Dirty Traffic, Clean Traffic, Authorized Traffic, Agency Traffic.
III. Overview of Tiered Application Architectures
The foundation of our Application Hosting Service is our tiered application architecture pattern.
All other application architecture patterns are derived from and extend these basic patterns.
Depending on your agency’s needs, these patterns can be augmented to include DAS/BEST Enterprise
Services, such as application authentication or load balancing to meet your application’s requirements.
Applications that utilize Presentation, Logic and Data Tiers are known as three-tier applications.
Those that rely on only Logic and Data Tiers, wherein the Logic Tier also provides presentation features,
are known as two-tier applications. While there are other variations in tiered architectures, these two
are the ones that agencies are most likely to encounter.
A. Presentation (Web) Tier
The Presentation Tier delivers and displays business information to the user, most often through
a web browser. The primary objective of this tier is to present data in a meaningful business context. In
addition, this tier may receive and validate business data input from the user for use by the
application. Business data can include text, images, video, audio, or other content such as documents.
The Presentation Tier communicates to the Logic Tier and may include certain security features.
B. Logic (Application) Tier
The Logic Tier is responsible for the execution of the application’s business rules, security
functions, integration with other application environments or components, and other application
functionality. This tier will typically include a data access component that allows the application to
communicate to one or more database(s). This tier communicates, typically asynchronously, between
the Data Tier and the Presentation Tier, as necessary, based on the application’s business logic. Finally,
this tier may also be responsible for communicating with other applications or services, as necessary,
using protocols, such as SMTP or SOAP.
In addition to supporting an application’s business logic, the Application Tier is also used to
support other types of application components, such as Report Servers, Messaging Servers, and/or Data
Integration Servers.
C. Data Tier
The Data Tier provides information storage and retrieval services for structured or unstructured
data. This tier keeps data independent from application servers or business logic. Giving data its own
tier improves application data security, scalability and performance. The pattern assumes the use of
existing DAS/BEST Enterprise Database Services, such as our Shared SQL Server Cluster. The data tier
can consist of one or more databases that support the application’s transactional (OLTP) and/or
analytical (OLAP) processing requirements.
IV. DAS/BEST Basic Application Architecture Patterns
The basic application architecture patterns described below are designed to support multi-tier
application architectures. Figures IV.1 and IV.2, below, depict the architecture patterns supporting two-
and three-tier applications. These patterns form the foundation of most application architectures.
A. Two-Tier Application Architecture Pattern
Two-tier applications are those where the Presentation Layer and the Logic Layer are combined
and are designed to coexist on the same physical server. The database server remains a physically
separate server and may be protected by a firewall or other access control mechanisms. The two-tier
application architecture style is common to many COTS applications and it’s a style often used by
agencies when developing custom software solutions.
Application Network Segment(s)
FIGURE IV.1 – Basic Two Tier (B2T) Architecture Pattern
B. Three-Tier Application Architecture Pattern
Three-tier applications are applications that rely on Presentation, Logic and Data Layers that
exist on physically separate servers and where each server is protected by a firewall or other access
control mechanism. The three-tier application architecture style is often used by applications where
application performance and reliability are important.
Application Network Segment(s)
FIGURE IV.2 – Basic Three Tier (B3T) Architecture Pattern
Figure IV.1 labels: Logic Tier (Web/Application Server VM Instance); Data Tier (Database Server VM Instance).
Figure IV.2 labels: Presentation Tier (Web Server VM Instance); Logic Tier (Application Server VM Instance);
Data Tier (Database Server VM Instance).
V. Platform Instances
DAS/BEST patterns are implemented in the context of “Platform Instances,” which provide the
infrastructure upon which your application will be deployed and operate. These instances provide
Platform as a Service (PaaS) to support Presentation, Logic and Data Tiers using DAS/BEST Virtualization
Services. When implemented at the state data center to support an agency application, our practice is
to implement two application environments, Production and Staging. Upon request, DAS/BEST can also
support lower environments.
A. Virtual Platform Instances
DAS/BEST Platform Instances provide customers with a balanced set of resources that can easily
meet the demands of most agency business systems. DAS/BEST relies on multi-node VM host clusters
running VMware’s vSphere Hypervisor (ESXi) to create a highly resilient virtualization platform. The
“Standard Instance (SI)” identified below is the foundation upon which all VM servers are built.
Standard Instance (SI)
64 Bit Architecture
4 GB VCPU
4 GB VRAM
20 GB System (OS)
20 GB Data (Application)
7 GB Swap
B. Physical Platform Instances
If an agency requires the use of dedicated physical platform instances, we ask that your agency
schedule time with DAS/BEST Platform Services, prior to making plans to purchase any hardware,
software and related services. Hardware housed at the state data center must conform to certain
standards and cannot be installed in the state data center without the prior approval of DAS/BEST.
C. Standard Operating System Options
Within these patterns, DAS/BEST supports two standard operating systems. The use of
other operating systems will require the prior review and approval of DAS/BEST Platform Services, who
can help your agency make an informed decision when evaluating your OS options.
Windows Server: Windows Enterprise Server
Linux Server: Redhat Enterprise Server; IBM Enterprise zLinux; CentOS (RHEL Branch)
From time to time, agencies may encounter commercial solutions that may require the use of an
operating system that is not part of our standard portfolio. We ask that agencies schedule time with
DAS/BEST Platform Services, prior to making a commitment to a solution that uses a non-standard OS.
The use of a non-standard OS may limit DAS/BEST’s ability to provide your agency with the level of
support you desire.
D. Storage Solutions
DAS/BEST Platform Services provides enterprise storage solutions, leveraging our IBM V7000
storage infrastructure. This storage solution provides storage services supporting the entire application
ecosystem, from servers to databases to specialty storage, such as network attached storage (NAS).
Agencies whose combined application storage requirements may or will exceed 4 Tb (4,000 Gb)
are asked to consult with our Platform Services team to discuss your options.
Windows Server: Basic VM Storage (Included); Dedicated SAN (Optional) [1]; Dedicated NAS (Optional) [1]
Linux Server: Basic VM Storage (Included); Dedicated SAN (Optional) [1]; Dedicated NAS (Optional) [1]
Applications can leverage Basic VM Storage for the application’s operational processing needs,
for example when temporary space is needed to accommodate a business process, such as the conversion
of a file to PDF, storing application log files and so on. Basic VM Storage should not be used as a means to
store business data or information. Applications that handle regulated, restricted or otherwise
protected information are expected to ensure that any such data that may reside on a VM Instance is
encrypted at rest.
For security reasons, applications hosted within the state data center are not permitted to use
Windows File Shares as an application storage or integration end-point.
E. Application Software Options
Our tiered application patterns include a number of server-based software products, to support
your application’s requirements across each tier.
Web Servers: Microsoft Windows IIS; IBM HTTP Server; Apache HTTP Server; Apache Tomcat
Application Servers: Microsoft .NET Framework; JBoss Enterprise Server; IBM WebSphere Server
Database Servers: Microsoft SQL Server; IBM DB2 LUW; IBM PureData for Transactions [2]; Oracle Exadata;
Microsoft SSRS and SSAS [3]
If your agency requires the use of other software products not listed in this document, we ask
that agencies schedule time with DAS/BEST Platform Services, prior to making a commitment to a
solution that uses non-standard software.
[1] A cost may be incurred for the use of these options.
[2] Designed for applications with stringent requirements for online transaction processing (OLTP).
[3] Enterprise Microsoft SQL Server Reporting and Analysis Services.
RFP 15PSX0122 RFP Exhibit 7 Page 10 of 15
F. Platform Monitoring, Recovery and Support Tools
The data center also offers other software and services to support your applications. DAS/BEST
provides basic server monitoring “out of the box” using VM Center and Up.time Enterprise. Additional
monitoring solutions, such as IBM Security’s QRadar SIEM or Tripwire’s File Integrity Manager, are also
available to meet your application’s requirements.
Agencies should be aware that DAS/BEST does not offer or provide health and activity
monitoring for your application’s internal functionality, nor is DAS/BEST responsible for monitoring
your application’s operational status. Examples of operational monitoring are transactional
performance and integrity, application event alerting and logging, application uptime status and so on.
DAS/BEST strongly recommends that agencies ensure that the design of the application provides the
necessary capabilities to support your agency’s operational monitoring requirements.
Server Monitoring: VM Center [1]; Up.time Server Monitoring; QRadar SIEM Events [2]; Tripwire Integrity
Manager [2]; McAfee Anti-Virus
Server Recovery: Symantec LiveState; Tivoli Storage Manager
Support Tools: KVM Integration; Virtual Private Network [2]; Smart PDU Devices [1]
G. Application Security Options
Our three-tier application patterns offer a number of security options, across the range of
application tiers. Some, such as our firewall-based tier security or any native RDBMS security features,
come standard. Other security services, such as our Single Sign-on environment, are optional.
Applications that require authentication (users) and authorization (permissions) are required to use the
state’s Enterprise Identity Access Management solution [2]. DAS/BEST also provides advanced application
security through our F5 BIG-IP solution. Please see Section V.H – Application Delivery Services for
additional information.
User Security / Application Security / Data Security
IBM WebSeal (SSO) [3] / Application Firewalls / Application Firewalls
IBM Tivoli Directory Services [4] / Digital Certificates [2]
Native RDBMS Security
F5 (See Section V.H) / See Section H.
IBM DataPower [2]
[1] Access to these monitoring tools is limited to DAS/BEST staff only.
[2] A cost is associated with the use of these services.
[3] The application must be able to use the iNetOrgPerson schema.
[4] Provides LDAP services to applications that are LDAP V3 compliant and cannot use or don’t require SSO.
H. Application Delivery Services (F5)
DAS/BEST currently employs the use of F5 Networks’ BIG-IP solutions to provide application
delivery services to support your agency’s requirements. The F5 BIG-IP solution(s) consist of purpose-
built hardware, modularized software, and virtualized solutions that run under a specialized operating
system. The table below provides a list of current and planned F5 features and capabilities available
through the F5.
The capabilities listed under Current F5 Services are available today. The capabilities listed
under Planned F5 Services are those that DAS/BEST believe will add value to our overall service portfolio,
but for which there is no definitive implementation date.
Current F5 Services Planned F5 Services
Reverse Proxy
Global Load Balancing (GTM)
Local Load Balancing (LTM)
Access Policy Management (APM)
Application Security Manager (ASM)
Web Accelerator
Link Controller (ISP Load Balancing)
Advanced Firewall Manager (AFM)
Edge Gateway (SSL VPN)
WAN Optimization Module
Secure Web Gateway (SWG)
IP Intelligence (IPI)
WebSafe
Because the features and capabilities of the F5 environment are so diverse, DAS/BEST strongly
recommends that agencies schedule a consultation with DAS/BEST Data Services to review your
application’s requirements and determine how best to make the most of our F5 services.
VI. DAS/BEST Enterprise Services
The Basic Three Tier Patterns provided by DAS/BEST can be augmented by using one or more of DAS/BEST’s Enterprise Services. Your agency can leverage these services to help you achieve your business requirements. The matrix below provides a cross-walk of what services are available as optional or standard.
DAS/BEST Service Features Availability
Application Access Model Extranet/Intranet
Network Services
Server Virtualization
Server Image Recovery
Basic Server Failover1 -
Performance Monitoring
Basic Enterprise Storage
High Volume Storage2
Backup / Recovery – Basic
Application Mail Services (SMTP, ListServ)
Application Delivery Services (F5)
Web Tier Load Balancing
Application Tier Load Balancing
Enterprise Single Sign-on (SSO)2
Enterprise Application Security2
Enterprise Content Management
Enterprise Data Integration (PilotFish, SFT)
Enterprise ePayment Services
Enterprise SQL Server Reporting Services
Enterprise SQL Server Analysis Services
COOP & Disaster Recovery Services
= Standard, = Optional
[1] Basic server failover capabilities as a standard service offering will become available in the Spring of 2016.
[2] There is or may be a cost associated with this service.
VII. Conditions of Use
DAS/BEST provides a variety of agency services within the context of the state data center. These
services are provided within available resources and funding. Agencies seeking application hosting
support from DAS/BEST are asked to be aware of the following conditions of use.
Agencies are expected to leverage the state’s existing enterprise solutions before
committing to the implementation of stand-alone services.
Agencies are asked to use the Work Intake process when requesting hosting services for
new applications at the state data center. This facilitated process will help your agency
ensure that you are prepared for the activities involved in hosting your application.
DAS/BEST is not able to provide direct support to an agency or vendor for activities related
to testing or debugging of applications, beyond that which is associated with the data
center. Applications deemed ready for deployment are those that have already passed the
necessary quality assurance reviews.
DAS/BEST reserves the right to decline to host any application at the data center that poses
a risk to the safety and security of other applications or the data center ecosystem.
DAS/BEST will work with agencies to help them understand any such risks and to explore
options.
VIII. Enterprise Patterns – Two Tier Applications (Internal/External)
Below is a logical view of the two-tier application architecture pattern. This pattern includes
access paths from internal and external end-points as well as the use of the DAS/BEST Single Sign-on or
LDAP environments (as needed) service for application authentication.
Figure labels (two-tier logical view): Internet (Anonymous Users, External Applications, Authenticated
Users); State DMZ; State Firewall(s); F5 (for SSO, for LDAP); Application Firewall; Application Tier;
Database Firewall; Database Tier; External Data Center Service Stack (SecureTransport, SecureMail
(MailGate), IBM WebSeal); Internal Applications; Internal Users; Internal Data Center Service Stack (IBM
LDAP, IBM SIM, ePayment (PayPal), Novell eDirectory, SMTP Gateway, EXEC Active Directory, SYS Active
Directory, Enterprise QRadar, Enterprise Tripwire, Enterprise FileNet, Tivoli Storage Manager, Enterprise
SAN); Application Service Stack (External Network Layer); State Data Center – Network Backbone.
IX. Enterprise Patterns – Three Tier Applications (Internal/External)
Below is a logical view of the three-tier application architecture pattern. This pattern includes
access paths from internal and external end-points as well as the use of the DAS/BEST Single Sign-on or
LDAP environments (as needed) service for application authentication.
Figure labels (three-tier logical view): Internet (Anonymous Users, External Applications, Authenticated
Users); State DMZ; State Firewall(s); F5 (for SSO, for LDAP); Presentation Tier; Application Firewall;
Application Tier; Database Firewall; Database Tier; External Data Center Service Stack (SecureTransport,
SecureMail (MailGate), IBM WebSeal); Internal Applications; Internal Users; Internal Data Center Service
Stack (IBM LDAP, IBM SIM, ePayment (PayPal), Novell eDirectory, SMTP Gateway, EXEC Active Directory,
SYS Active Directory, Enterprise QRadar, Enterprise Tripwire, Enterprise FileNet, Tivoli Storage Manager,
Enterprise SAN); Application Service Stack (External Network Layer); State Data Center – Network Backbone.