RFP 17PSX0222 Page 1 of 15

State of Connecticut Department of Administrative Services

Bureau of Enterprise Systems and Technology Enterprise Architecture

Platform and Application Hosting Application Architecture Patterns

Pattern Name: Application Hosting Architectures

Version Date: 03/20/2015 Version: 1.00

ABOUT DAS/BEST SERVICES

The Enterprise Services offered by the Department of Administrative Services’ (DAS) Bureau of Enterprise Systems and Technology (DAS/BEST) are designed to provide Executive Branch agencies with access to high quality and cost-effective technology services.

CONFIDENTIALITY AND DISCLOSURE NOTICE

Information in this document is unrestricted.

AUDIENCE

The audience for this document includes agency Information Technology (IT) Managers, Supervisors and Subject Matter Experts who may be responsible for IT planning and/or the design and development of software applications intended to be deployed in the State Data Center. This document’s audience also includes contractors or vendors doing business with the state whose work includes the design and development of software applications on behalf of the state and which are intended for deployment at the state data center.

PURPOSE OF THIS DOCUMENT

This document was designed and developed by the Department of Administrative Services’ Bureau of Enterprise Systems and Technology (DAS/BEST) to provide state agencies with information on the preferred application architecture patterns used to host software applications at the state data center. The information provided herein should be considered best practices with respect to the use of information technology in the state.

Should you have any questions or comments regarding this planning template, or desire to check to see if a more current version is available, please contact DAS/BEST Enterprise Architecture by dialing (860) 622-2300, option 9 or by electronic mail at [email protected].

DOCUMENT TEMPLATE HISTORY

Version: 1.00
Date: 03/20/2015
Published By: Enterprise Architecture
Version Notes: Initial Publication

Table of Contents

I. Why Patterns Matter ... 2
II. Overview of our Application Hosting Network Layers ... 3
III. Overview of Tiered Application Architectures ... 4
IV. DAS/BEST Basic Application Architecture Patterns ... 5
V. Platform Instances ... 6
  A. Virtual Platform Instances ... 6
  B. Physical Platform Instances ... 6
  C. Standard Operating System Options ... 6
  D. Storage Solutions ... 7
  E. Application Software Options ... 7
  F. Platform Monitoring, Recovery and Support Tools ... 8
  G. Application Security Options ... 8
  H. Application Delivery Services (F5) ... 9
VI. DAS/BEST Enterprise Services ... 10
VII. Conditions of Use ... 11
VIII. Enterprise Patterns – Two Tier Applications (Internal/External) ... 12
IX. Enterprise Patterns – Three Tier Applications (Internal/External) ... 13

I. Why Patterns Matter

A pattern is any type of theme related to a recurring event or object. We encounter and rely on patterns in everyday life. Patterns facilitate the repeatable creation of goods or services that are cost-effective and consistently high in quality. A few examples of patterns are:

- A cookie cutter that’s used to create Gingerbread Men cookies,
- A dressmaker’s pattern used to reproduce a certain style of dress,
- A documented procedure that guarantees a consistent outcome,
- A reusable approach used to solve a common software design challenge, and
- An architectural blueprint that ensures consistency in complex systems.

The use of DAS/BEST patterns can offer your organization a number of benefits. Some key benefits of the use of patterns are:

- They are pre-approved by DAS/BEST technology staff,
- They rely on mature and proven designs, which help your agency minimize the risk of a new application implementation,
- Use of our patterns will help your agency save time during application architecture design,
- They can be used by your vendors to better understand the state’s hosting environments, and
- They are environments that DAS/BEST can implement much more quickly than a custom or non-standard architecture.

To help our customer agencies make a more informed decision about the types of application hosting environments available in the State Data Center, DAS/BEST has created a series of Application Hosting Patterns, designed to help guide agencies and/or vendors in the development of application architecture designs. Your use of patterns will reduce the cost, risk and time it takes to implement a custom solution. Therefore, agencies should consider these patterns as best practices and are encouraged to adopt the use of patterns during application design.

II. Overview of our Application Hosting Network Layers

Application architectures are implemented in the context of, and under the protection provided by, the layering of networks that helps insulate the state from harmful or unauthorized traffic. The State Data Center has different Network Layers depending on the security needs of your application.

As illustrated in Figure II.1 below, there are four basic network layers that provide “defense in depth” for your agency’s application. Traffic cannot get to your application unless it’s authorized to do so. This networking infrastructure is provided by DAS/BEST Network Services as part of the state data center’s platform and application hosting service delivery infrastructure.

FIGURE II.1 – Application Hosting Network Layers

Traffic coming from the Internet is considered untrusted and “dirty,” and is screened before it’s allowed to continue. This “clean traffic” then passes through a layer of security that protects the enterprise, where it’s then considered “authorized traffic.” Your agency’s intra-state network traffic lives in this network segment. Finally, there are several “application network segments” that provide an additional layer of security for your application.

[Figure II.1 labels recovered from the diagram: The Internet; Application Network Segment (Internet); Application Network Segment (Intranet); Dirty Traffic; Clean Traffic; Authorized Traffic; Agency Traffic.]

III. Overview of Tiered Application Architectures

The foundation of our Application Hosting Service is our tiered application architecture pattern. All other application architecture patterns are derived from and extend these basic patterns. Depending on your agency’s needs, these patterns can be augmented to include DAS/BEST Enterprise Services, such as application authentication or load balancing, to meet your application’s requirements.

Applications that utilize Presentation, Logic and Data Tiers are known as three-tier applications. Those that rely on only Logic and Data Tiers, wherein the Logic Tier also provides presentation features, are known as two-tier applications. While there are other variations in tiered architectures, these two are the ones that agencies are most likely to encounter.

A. Presentation (Web) Tier

The Presentation Tier delivers and displays business information to the user, most often through a web browser. The primary objective of this tier is to present data in a meaningful business context. In addition, this tier may receive and validate business data input from the user for use by the application. Business data can include text, images, video, audio, or other content such as documents. The Presentation Tier communicates to the Logic Tier and may include certain security features.

B. Logic (Application) Tier

The Logic Tier is responsible for the execution of the application’s business rules, security functions, integration with other application environments or components, and other application functionality. This tier will typically include a data access component that allows the application to communicate to one or more database(s). This tier communicates, typically asynchronously, between the Data Tier and the Presentation Tier, as necessary, based on the application’s business logic. Finally, this tier may also be responsible for communicating with other applications or services, as necessary, using protocols such as SMTP or SOAP.

In addition to supporting an application’s business logic, the Application Tier is also used to support other types of application components, such as Report Servers, Messaging Servers, and/or Data Integration Servers.

C. Data Tier

The Data Tier provides information storage and retrieval services for structured or unstructured data. This tier keeps data independent from application servers or business logic. Giving data its own tier improves application data security, scalability and performance. The pattern assumes the use of existing DAS/BEST Enterprise Database Services, such as our Shared SQL Server Cluster. The data tier can consist of one or more databases that support the application’s transactional (OLTP) and/or analytical (OLAP) processing requirements.

IV. DAS/BEST Basic Application Architecture Patterns

The basic application architecture patterns described below are designed to support multi-tier application architectures. Figures IV.1 and IV.2, below, depict the architecture patterns supporting two- and three-tier applications. These patterns form the foundation of most application architectures.

A. Two-Tier Application Architecture Pattern

Two-tier applications are those where the Presentation Layer and the Logic Layer are combined and are designed to coexist on the same physical server. The database server remains a physically separate server and may be protected by a firewall or other access control mechanisms. The two-tier application architecture style is common to many COTS applications and it’s a style often used by agencies when developing custom software solutions.

Application Network Segment(s)

FIGURE IV.1 – Basic Two Tier (B2T) Architecture Pattern

B. Three-Tier Application Architecture Pattern

Three-tier applications are applications that rely on Presentation, Logic and Data Layers that exist on physically separate servers, where each server is protected by a firewall or other access control mechanism. The three-tier application architecture style is often used by applications where application performance and reliability are important.

Application Network Segment(s)

FIGURE IV.2 – Basic Three Tier (B3T) Architecture Pattern

[Figure IV.1 labels recovered from the diagram: Logic Tier (Web/Application Server); Data Tier (Database Server). Figure IV.2 labels: Presentation Tier (Web Server); Logic Tier (Application Server); Data Tier (Database Server). Servers in both figures carry the label VM INSTANCE.]
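To make the tier-separation rule behind Figures IV.1 and IV.2 concrete, here is an added Python example (not code from the DAS/BEST document): it models each pattern as an ordered chain of hops and reviews a constructed set of candidate firewall rules, flagging any that would let traffic skip a tier. The pattern keys, server names and rule format are assumptions made for illustration.

```python
"""Tier-separation check for the DAS/BEST B2T and B3T hosting patterns.

Added example, not part of the DAS/BEST document. It encodes the hop
structure the patterns describe (each tier on its own server behind a
firewall, traffic moving only between adjacent tiers) and reviews a
candidate rule set against it. Pattern names, server names and the rule
format are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordered chain of hops for each pattern. Traffic enters from the
# Internet and each tier may only talk to the next tier in its chain.
PATTERNS: dict[str, list[str]] = {
    "B2T": ["Internet", "Web/Application Server", "Database Server"],
    "B3T": ["Internet", "Web Server", "Application Server",
            "Database Server"],
}


@dataclass(frozen=True)
class Rule:
    """A candidate firewall rule permitting traffic from src to dst."""
    src: str
    dst: str


def allowed_hops(pattern: str) -> set[tuple[str, str]]:
    """Return the forward (src, dst) hops a pattern permits.

    Only adjacent tiers communicate. Replies ride on stateful firewall
    sessions, so only the initiating direction is listed.
    """
    chain = PATTERNS[pattern]
    return {(chain[i], chain[i + 1]) for i in range(len(chain) - 1)}


def check_rules(pattern: str, rules: list[Rule]) -> dict[str, list[str]]:
    """Classify candidate rules against the pattern.

    allowed : an adjacent, forward hop the pattern already provides
    bypass  : skips one or more tiers, so traffic reaches a deeper tier
              without crossing the firewall in front of the skipped tier
    reverse : a deeper tier initiating toward a shallower one
    unknown : names a host that is not part of the pattern
    The 'bypass' list is what a reviewer should reject first, since it
    defeats the defense-in-depth layering the patterns rely on.
    """
    chain = PATTERNS[pattern]
    permitted = allowed_hops(pattern)
    result: dict[str, list[str]] = {
        "allowed": [], "bypass": [], "reverse": [], "unknown": []
    }
    for rule in rules:
        label = f"{rule.src} -> {rule.dst}"
        if rule.src not in chain or rule.dst not in chain:
            result["unknown"].append(label)
        elif (rule.src, rule.dst) in permitted:
            result["allowed"].append(label)
        elif chain.index(rule.dst) < chain.index(rule.src):
            result["reverse"].append(label)
        else:
            result["bypass"].append(label)
    return result


# Constructed sample rule set for a three-tier deployment. The first
# three rules match the B3T chain; the rest are the kinds of shortcuts
# that appear when a two-tier habit is carried into a three-tier design.
SAMPLE_B3T_RULES = [
    Rule("Internet", "Web Server"),
    Rule("Web Server", "Application Server"),
    Rule("Application Server", "Database Server"),
    Rule("Web Server", "Database Server"),        # skips the Logic Tier
    Rule("Internet", "Database Server"),          # skips two tiers
    Rule("Application Server", "Web Server"),     # wrong direction
    Rule("Internet", "Report Server"),            # host not in pattern
]

if __name__ == "__main__":
    for category, labels in check_rules("B3T", SAMPLE_B3T_RULES).items():
        print(f"{category:8s}: {labels}")
```

The same "Web/Application Server -> Database Server" hop that is a bypass in B3T is the normal path in B2T, which is why the check is run per pattern.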

V. Platform Instances

DAS/BEST patterns are implemented in the context of “Platform Instances,” which provide the infrastructure upon which your application will be deployed and operate. These instances provide Platform as a Service (PaaS) to support Presentation, Logic and Data Tiers using DAS/BEST Virtualization Services. When implemented at the state data center to support an agency application, our practice is to implement two application environments, Production and Staging. Upon request, DAS/BEST can also support lower environments.

A. Virtual Platform Instances

DAS/BEST Platform Instances provide customers with a balanced set of resources that can easily meet the demands of most agency business systems. DAS/BEST relies on multi-node VM host clusters running VMware’s vSphere Hypervisor (ESXi) to create a highly-resilient virtualization platform. The “Standard Instance (SI)” identified below is the foundation upon which all VM servers are built.

Standard Instance (SI):
- 64 Bit Architecture
- 4 GB VCPU
- 4 GB VRAM
- 20 GB System (OS)
- 20 GB Data (Application)
- 7 GB Swap

B. Physical Platform Instances

If an agency requires the use of dedicated physical platform instances, we ask that your agency schedule time with DAS/BEST Platform Services prior to making plans to purchase any hardware, software and related services. Hardware housed at the state data center must conform to certain standards and cannot be installed in the state data center without the prior approval of DAS/BEST.

C. Standard Operating System Options

Within these patterns, DAS/BEST supports two standard operating systems. The use of other operating systems will require the prior review and approval of DAS/BEST Platform Services, who can help your agency make an informed decision when evaluating your OS options.

Windows Server:
- Windows Enterprise Server

Linux Server:
- Redhat Enterprise Server
- IBM Enterprise zLinux
- CentOS (RHEL Branch)

From time to time, agencies may encounter commercial solutions that may require the use of an operating system that is not part of our standard portfolio. We ask that agencies schedule time with DAS/BEST Platform Services prior to making a commitment to a solution that uses a non-standard OS. The use of a non-standard OS may limit DAS/BEST’s ability to provide your agency with the level of support you desire.

D. Storage Solutions

DAS/BEST Platform Services provides enterprise storage solutions, leveraging our IBM V7000 storage infrastructure. This storage solution provides storage services supporting the entire application ecosystem, from servers to databases to specialty storage, such as network attached storage (NAS).

Agencies whose combined application storage requirements may or will exceed 4 TB (4,000 GB) are asked to consult with our Platform Services team to discuss your options.

Storage options (Windows Server and Linux Server):
- Basic VM Storage (Included)
- Dedicated SAN (Optional) [1]
- Dedicated NAS (Optional) [1]

Applications can leverage Basic VM Storage for the application’s operational processing needs, such as when temporary space is needed to accommodate a business process (for example, the conversion of a file to PDF, storing application log files and so on). Basic VM Storage should not be used as a means to store business data or information. Applications that handle regulated, restricted or otherwise protected information are expected to ensure that any such data that may reside on a VM Instance is encrypted at rest.

For security reasons, applications hosted within the state data center are not permitted to use Windows File Shares as an application storage or integration end-point.

E. Application Software Options

Our tiered application patterns include a number of server-based software products to support your application’s requirements across each tier.

Web Servers:
- Microsoft Windows IIS
- IBM HTTP Server
- Apache HTTP Server

Application Servers:
- Microsoft .NET Framework
- JBoss Enterprise Server
- IBM WebSphere Server
- Apache Tomcat

Database Servers:
- Microsoft SQL Server
- IBM DB2 LUW
- IBM PureData for Transactions [2]
- Oracle Exadata
- Microsoft SSRS and SSAS [3]

If your agency requires the use of other software products not listed in this document, we ask that agencies schedule time with DAS/BEST Platform Services prior to making a commitment to a solution that uses non-standard software.

[1] A cost may be incurred for the use of these options.
[2] Designed for applications with stringent requirements for online transaction processing (OLTP).
[3] Enterprise Microsoft SQL Server Reporting and Analysis Services.

RFP 15PSX0122 RFP Exhibit 7 Page 10 of 15

F. Platform Monitoring, Recovery and Support Tools

The data center also offers other software and services to support your applications. DAS/BEST provides basic server monitoring “out of the box” using VM Center and Up.time Enterprise. Additional monitoring solutions, such as IBM Security’s QRadar SIEM or Tripwire’s File Integrity Manager, are also available to meet your application’s requirements.

Agencies should be aware that DAS/BEST does not offer or provide health and activity monitoring for your application’s internal functionality, nor is DAS/BEST responsible for monitoring your application’s operational status. Examples of operational monitoring are transactional performance and integrity, application event alerting and logging, application uptime status and so on. DAS/BEST strongly recommends that agencies ensure that the design of the application provides the necessary capabilities to support your agency’s operational monitoring requirements.

Server Monitoring:
- VM Center [1]
- Up.time Server Monitoring
- QRadar SIEM Events [2]
- Tripwire Integrity Manager [2]
- McAfee Anti-Virus

Server Recovery:
- Symantec LiveState
- Tivoli Storage Manager

Support Tools:
- KVM Integration
- Virtual Private Network [2]
- Smart PDU Devices [1]

G. Application Security Options

Our three-tier application patterns offer a number of security options across the range of application tiers. Some, such as our firewall-based tier security or any native RDBMS security features, come standard. Other security services, such as our Single Sign-on environment, are optional. Applications that require authentication (users) and authorization (permissions) are required to use the state’s Enterprise Identity Access Management solution [2]. DAS/BEST also provides advanced application security through our F5 BIG-IP solution. Please see Section V.H – Application Delivery Services for additional information.

User Security:
- IBM WebSeal (SSO) [3]
- IBM Tivoli Directory Services [4]
- F5 (see Section V.H)

Application Security:
- Application Firewalls
- Digital Certificates [2]
- F5 (see Section V.H)
- IBM Data Power [2]

Data Security:
- Application Firewalls
- Native RDBMS Security

[1] Access to these monitoring tools is limited to DAS/BEST staff only.
[2] A cost is associated with the use of these services.
[3] The application must be able to use the iNetOrgPerson schema.
[4] Provides LDAP services to applications that are LDAP V3 compliant and cannot use or don’t require SSO.

H. Application Delivery Services (F5)

DAS/BEST currently employs F5 Networks’ BIG-IP solutions to provide application delivery services in support of your agency’s requirements. The F5 BIG-IP solution(s) consist of purpose-built hardware, modularized software, and virtualized solutions that run under a specialized operating system. The table below provides a list of current and planned F5 features and capabilities available through the F5.

The capabilities listed under Current F5 Services are available today. The capabilities listed under Planned F5 Services are those that DAS/BEST believes will add value to our overall service portfolio, but for which there is no definitive implementation date.

Current F5 Services Planned F5 Services

Reverse Proxy

Global Load Balancing (GTM)

Local Load Balancing (LTM)

Access Policy Management (APM)

Application Security Manager (ASM)

Web Accelerator

Link Controller (ISP Load Balancing)

Advanced Firewall Manager (AFM)

Edge Gateway (SSL VPN)

WAN Optimization Module

Secure Web Gateway (SWG)

IP Intelligence (IPI)

WebSafe

Because the features and capabilities of the F5 environment are so diverse, DAS/BEST strongly recommends that agencies schedule a consultation with DAS/BEST Data Services to review your application’s requirements and determine how best to make the most of our F5 services.

VI. DAS/BEST Enterprise Services

The Basic Three Tier Patterns provided by DAS/BEST can be augmented by using one or more of DAS/BEST’s Enterprise Services. Your agency can leverage these services to help you achieve your business requirements. The matrix below provides a cross-walk of what services are available as optional or standard.

DAS/BEST Service Features Availability

Application Access Model Extranet/Intranet

Network Services

Server Virtualization

Server Image Recovery

Basic Server Failover1 -

Performance Monitoring

Basic Enterprise Storage

High Volume Storage2

Backup / Recovery – Basic

Application Mail Services (SMTP, ListServ)

Application Delivery Services (F5)

Web Tier Load Balancing

Application Tier Load Balancing

Enterprise Single Sign-on (SSO)2

Enterprise Application Security2

Enterprise Content Management

Enterprise Data Integration (PilotFish, SFT)

Enterprise ePayment Services

Enterprise SQL Server Reporting Services

Enterprise SQL Server Analysis Services

COOP & Disaster Recovery Services

= Standard, = Optional

[1] Basic server failover capabilities as a standard service offering will become available in the Spring of 2016.
[2] There is or may be a cost associated with this service.

VII. Conditions of Use

DAS/BEST provides a variety of agency services within the context of the state data center. These services are provided within available resources and funding. Agencies seeking application hosting support from DAS/BEST are asked to be aware of the following conditions of use.

- Agencies are expected to leverage the state’s existing enterprise solutions before committing to the implementation of stand-alone services.
- Agencies are asked to use the Work Intake process when requesting hosting services for new applications at the state data center. This facilitated process will help your agency ensure that you are prepared for the activities involved in hosting your application.
- DAS/BEST is not able to provide direct support to an agency or vendor for activities related to testing or debugging of applications, beyond that which is associated with the data center. Applications deemed ready for deployment are those that have already passed the necessary quality assurance reviews.
- DAS/BEST reserves the right to decline to host any application at the data center that poses a risk to the safety and security of other applications or the data center ecosystem. DAS/BEST will work with agencies to help them understand any such risks and to explore options.

VIII. Enterprise Patterns – Two Tier Applications (Internal/External)

Below is a logical view of the two-tier application architecture pattern. This pattern includes access paths from internal and external end-points as well as the use of the DAS/BEST Single Sign-on or LDAP service (as needed) for application authentication.

[Figure: logical view of the two-tier pattern. Labels recovered from the diagram: DATABASE FIREWALL; Database Tier; STATE FIREWALL(S); F5 (FOR SSO, FOR LDAP); APPLICATION FIREWALL; Application Tier; Internet Anonymous Users; External Applications; Authenticated Users; STATE DMZ; External Data Center Service Stack; SecureTransport; SecureMail (MailGate); IBM WebSeal; Internal Applications; Internal Users; IBM LDAP; IBM SIM; ePayment (PayPal); Novell eDirectory; SMTP Gateway; Internal Data Center Service Stack; EXEC Active Directory; SYS Active Directory; Enterprise QRadar; Enterprise Tripwire; Enterprise FileNet; Tivoli Storage Manager; Application Service Stack (External Network Layer); Enterprise SAN; STATE DATA CENTER – NETWORK BACKBONE.]

IX. Enterprise Patterns – Three Tier Applications (Internal/External)

Below is a logical view of the three-tier application architecture pattern. This pattern includes access paths from internal and external end-points as well as the use of the DAS/BEST Single Sign-on or LDAP service (as needed) for application authentication.

[Figure: logical view of the three-tier pattern. Labels recovered from the diagram: DATABASE FIREWALL; Database Tier; STATE FIREWALL(S); F5 (FOR SSO, FOR LDAP); APPLICATION FIREWALL; Application Tier; Presentation Tier; Internet Anonymous Users; External Applications; Authenticated Users; STATE DMZ; External Data Center Service Stack; SecureTransport; SecureMail (MailGate); IBM WebSeal; Internal Applications; Internal Users; IBM LDAP; IBM SIM; ePayment (PayPal); Novell eDirectory; SMTP Gateway; Internal Data Center Service Stack; EXEC Active Directory; SYS Active Directory; Enterprise QRadar; Enterprise Tripwire; Enterprise FileNet; Tivoli Storage Manager; Application Service Stack (External Network Layer); Enterprise SAN; STATE DATA CENTER – NETWORK BACKBONE.]