Resource Group: wusm-prod-rg-gic
Overview
The wusm-prod-rg-gic resource group hosts the Azure resources that front, run and monitor a production web application: it handles inbound web traffic, monitors database performance and keeps the application tier available. It contains Virtual Machines (VMs), an Application Gateway, Azure Database for MySQL flexible servers, monitoring alerts and a storage account. The group supports applications deployed for Washington University in St. Louis (WUSTL) and is laid out for high availability, restricted access and controlled traffic flow.
Resources
- Azure Database for MySQL Flexible Server
  - Type: Microsoft.DBforMySQL/flexibleServers
  - Names: wusm-prod-mysql-gic01 and wusm-prod-mysql-gic02
  - Purpose: Back-end data stores for the applications. Both servers are VNet-integrated (private access), so they have no public endpoint, and automated backups are taken every 24 hours.
  - Dependencies: Private DNS zones for internal name resolution; each server is injected into the mysql-flex-subnet subnet of the virtual network.
- Public IP Address
  - Type: Microsoft.Network/publicIPAddresses
  - Name: wusm-gic-public-ip
  - IP address: 4.249.200.118
  - Purpose: Static public IP attached to the Application Gateway frontend; it is the only Internet-facing address in the resource group.
- Application Gateway
  - Type: Microsoft.Network/applicationGateways
  - Name: wusm-prod-gic-appgw
  - Purpose: Front door for the applications. It applies request routing rules and health probes and terminates TLS for client connections.
  - Dependencies: Frontend bound to the public IP above; its backend address pool contains the VMs wusm-prod-gic01 and wusm-prod-gic02.
- Network Interfaces
  - Type: Microsoft.Network/networkInterfaces
  - Names: wusm-prod-gic01 and wusm-prod-gic02
  - Purpose: Provide the VMs' connectivity inside the virtual network.
  - Private IPs: wusm-prod-gic01: 10.25.47.138; wusm-prod-gic02: 10.25.47.136
- Virtual Machines
  - Type: Microsoft.Compute/virtualMachines
  - Names: wusm-prod-gic01 and wusm-prod-gic02
  - Purpose: Linux (AlmaLinux) hosts that run the applications. SSH is limited to public-key authentication.
  - Dependencies: Each VM is attached to the network interface of the same name; alerts raised on the VMs are delivered through the action group below.
- Action Groups
  - Type: microsoft.insights/actionGroups
  - Name: gic-monitor-action-group
  - Purpose: Defines who is notified, and by which channel, when an alert rule fires.
- Monitoring and Alerts
  - Types: microsoft.insights/metricAlerts and microsoft.insights/activityLogAlerts
  - Names: Various metric and activity log alert rules that watch the Application Gateway and the MySQL servers.
- Storage Account
  - Type: Microsoft.Storage/storageAccounts
  - Name: wusmprodgic
  - Purpose: General-purpose storage offering blob, file and queue services. Its public network endpoint is enabled, but the account firewall restricts it to the IP ranges 128.252.0.0/16 and 65.254.115.0/24 (see Security Overview).
- Private Endpoints
  - Type: Microsoft.Network/privateEndpoints
  - Name: wusmprodgicfile
  - Purpose: Private endpoint for the storage account (by its name, for the file service), so that clients inside the virtual network reach storage over a private address instead of the public endpoint. The private endpoint adds a private path; it is the account firewall, not the endpoint, that limits who can use the public one.
Data Storage
The primary data store is the pair of Azure Database for MySQL flexible servers. Each hosts the schemas auth, information_schema, mysql, performance_schema, picsure and sys, with character sets and collations chosen per application. Of these only auth and picsure are application schemas; information_schema, mysql, performance_schema and sys are MySQL system schemas present on every server. Data in MySQL is backed up automatically every 24 hours, so it can be restored after data loss.
The storage account wusmprodgic provides blob storage for unstructured data. Its public network endpoint is enabled, but the account firewall limits it to the allowed IP ranges listed under Security Overview. Backups and retention policies on the account add a further layer of data protection.
Networking
The networking setup includes:
- Virtual Network: wusm-prod-vnet-main connects the resources through its subnets.
- Subnets:
  - AuxSubnet: holds the network interfaces of the VMs.
  - mysql-flex-subnet: delegated to the MySQL flexible servers.
- Private and Public IPs:
  - Public IP 4.249.200.118 is bound to the Application Gateway, which handles all incoming traffic.
  - Private IPs of the VMs carry internal traffic: 10.25.47.138 (GIC-01) and 10.25.47.136 (GIC-02).
The remaining services deny public network access (the storage account keeps its public endpoint but restricts it by IP), so the Application Gateway is the only component that accepts traffic from the Internet; everything else stays private.
Security Overview
Several security best practices have been implemented:
- Access Management:
  - SSH access to the VMs uses public keys; password authentication is disabled.
  - Action groups notify stakeholders when important alerts fire.
  - Advanced Threat Protection (now Microsoft Defender for open-source relational databases) is disabled for the MySQL servers but can be enabled.
- Network Security:
  - The storage account firewall allows access only from the IP ranges 128.252.0.0/16 and 65.254.115.0/24. "Public access allowed" for this account refers to the public network endpoint; whether anonymous (unauthenticated) blob access is also permitted is a separate setting that this document does not record.
  - The Application Gateway terminates TLS, protecting data in transit between clients and the gateway. Whether traffic from the gateway to the VMs is also encrypted depends on the backend HTTP settings (end-to-end TLS) and is not stated here.
- Recommendations:
  - Enable Advanced Threat Protection / Defender for the databases so that anomalous queries and logins are flagged.
  - Regularly review the Microsoft Defender for Cloud (formerly Security Center) recommendations on network security.
  - Confirm that the Application Gateway backend settings use HTTPS if the VMs must not receive plaintext traffic, and record the anonymous blob access setting of wusmprodgic.
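The checks above can be applied mechanically to an exported description of the resource group. The following Python is an added example, not part of this document or of any Azure tooling: it walks resource records shaped like the `type`/`name`/`properties` objects that `az resource show` returns and flags the settings the Security Overview and Networking sections call out (storage firewall and anonymous access, MySQL public access and VNet integration, SSH password authentication, TLS between the gateway and the VMs). The SAMPLE_RESOURCES list is constructed by hand from this page; every value the page does not state (backup retention, the gateway SKU tier, the backend protocol, anonymous blob access) is an assumption and is marked as such in the code.

```python
"""Posture checks for the wusm-prod-rg-gic layout (added example; not the
page's own tooling). Records mirror `az resource show` output. Sample data is
constructed from the page; fields marked 'assumption' are not stated on it."""
import ipaddress

SAMPLE_RESOURCES = [  # constructed sample, not a real export
    {"type": "Microsoft.Storage/storageAccounts", "name": "wusmprodgic",
     "properties": {
         "publicNetworkAccess": "Enabled",           # page: public endpoint enabled
         "allowBlobPublicAccess": False,             # assumption: anonymous blob access off
         "networkAcls": {"defaultAction": "Deny",    # page: strict network ACLs
                         "ipRules": [{"value": "128.252.0.0/16", "action": "Allow"},
                                     {"value": "65.254.115.0/24", "action": "Allow"}]}}},
    {"type": "Microsoft.DBforMySQL/flexibleServers", "name": "wusm-prod-mysql-gic01",
     "properties": {"network": {"publicNetworkAccess": "Disabled",
                                "delegatedSubnetResourceId": ".../subnets/mysql-flex-subnet"},
                    "backup": {"backupRetentionDays": 7}}},  # assumption: retention days
    {"type": "Microsoft.Compute/virtualMachines", "name": "wusm-prod-gic01",
     "properties": {"osProfile": {"linuxConfiguration":
                                  {"disablePasswordAuthentication": True}}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "wusm-prod-gic-appgw",
     "sku": {"tier": "Standard_v2"},                  # assumption: page names no SKU
     "properties": {"backendHttpSettingsCollection": [
         {"name": "gic-http", "properties": {"protocol": "Http", "port": 80}}]}},  # assumption
]


def _get(obj, *path, default=None):
    """Walk nested dict keys, returning default when any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _finding(severity, res, message):
    return {"severity": severity, "resource": res["name"], "message": message}


def check_storage(res):
    out = []
    acls = _get(res, "properties", "networkAcls", default={})
    if _get(res, "properties", "allowBlobPublicAccess", default=True):
        out.append(_finding("high", res, "anonymous blob access is allowed"))
    if (_get(res, "properties", "publicNetworkAccess") == "Enabled"
            and acls.get("defaultAction") != "Deny"):
        out.append(_finding("high", res, "public endpoint enabled with no default-deny firewall"))
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)  # bare IPs become /32
        if net.prefixlen < 16:
            out.append(_finding("medium", res, f"firewall rule {net} is broader than a /16"))
    return out


def check_mysql(res):
    out = []
    if _get(res, "properties", "network", "publicNetworkAccess") != "Disabled":
        out.append(_finding("high", res, "public network access is not disabled"))
    if not _get(res, "properties", "network", "delegatedSubnetResourceId"):
        out.append(_finding("medium", res, "server is not VNet-integrated (no delegated subnet)"))
    if _get(res, "properties", "backup", "backupRetentionDays", default=0) < 7:
        out.append(_finding("medium", res, "backup retention shorter than 7 days"))
    return out


def check_vm(res):
    flag = _get(res, "properties", "osProfile", "linuxConfiguration",
                "disablePasswordAuthentication")
    return [] if flag is True else [_finding("high", res, "SSH password authentication is not disabled")]


def check_appgw(res):
    out = []
    if "WAF" not in str(_get(res, "sku", "tier", default="")):
        out.append(_finding("info", res, "SKU tier has no WAF; no L7 filtering at the edge"))
    for setting in _get(res, "properties", "backendHttpSettingsCollection", default=[]):
        if _get(setting, "properties", "protocol") != "Https":
            out.append(_finding("medium", res, f"backend setting {setting.get('name', '?')} "
                                "sends plaintext HTTP to the VMs after TLS termination"))
    return out


CHECKS = {
    "microsoft.storage/storageaccounts": check_storage,
    "microsoft.dbformysql/flexibleservers": check_mysql,
    "microsoft.compute/virtualmachines": check_vm,
    "microsoft.network/applicationgateways": check_appgw,
}


def audit(resources):
    """Run the type-specific check for every record; unknown types are skipped."""
    findings = []
    for res in resources:
        check = CHECKS.get(res["type"].lower())
        if check:
            findings.extend(check(res))
    return findings


def ip_allowed(storage, client_ip):
    """Would this client IP pass the storage account firewall's IP rules?"""
    acls = _get(storage, "properties", "networkAcls", default={})
    if acls.get("defaultAction", "Allow") == "Allow":
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", []) if r.get("action", "Allow") == "Allow")


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOURCES):
        print(f"[{f['severity']}] {f['resource']}: {f['message']}")
    print("128.252.10.5 allowed:", ip_allowed(SAMPLE_RESOURCES[0], "128.252.10.5"))
```

On the constructed sample the MySQL server, VM and storage account pass, and the only findings are the two assumed gateway settings (no WAF tier, HTTP backend); run against a real export, replace SAMPLE_RESOURCES with the parsed output of `az resource list --resource-group wusm-prod-rg-gic` followed by `az resource show` per resource, since the list call alone does not return `properties`.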
Other Information
For cost management, Standard_LRS storage keeps expense low; note that locally redundant storage replicates data only within a single datacenter, with no zone or region redundancy. The Application Gateway supports autoscaling, which gives the front end flexibility under varying load.
Document the policies for handling sensitive data, in particular any stored access keys and any personal information held in the databases or written to application logs.
All components are deployed in the Central US region, close to the users they serve, for lower latency and dependable availability.
Note: This document was generated using the Azure Assistants script and an LLM