Resource Group: i2-redcap-main-rg
Overview
The i2-redcap-main-rg resource group serves as a central hub for hosting the Azure resources that support the REDCap application development and production environments. This resource group encompasses networking, security, storage, and application services. Its structure separates the environments (development, production, QA) while allowing shared capabilities such as logging and monitoring.
Resources
1. Application Gateways
- Type: Microsoft.Network/applicationGateways
- Names:
i2-redcap-prod-gateway
i2-redcap-dev-gateway
i2-redcap-qa-gateway
The application gateways serve as load balancers and web application firewalls for HTTP-based applications. They handle routing traffic, SSL termination, and application layer security, ensuring secure access to the REDCap services.
2. Network Security Groups (NSGs)
- Type: Microsoft.Network/networkSecurityGroups
- Names:
i2-redcap-main-nsg
i2-redcap-gateway-nsg
NSGs control the inbound and outbound traffic to network interfaces (NICs), VMs, and subnets. Each NSG contains the security rules relevant to the application and gateway functions.
Key Security Rules:
- HTTP and HTTPS traffic are allowed from any source.
- SSH access is restricted to specific IP ranges (10.0.0.0/8).
3. Storage Accounts
- Type: Microsoft.Storage/storageAccounts
- Name:
i2redcapmainstorage
The storage account is configured to manage blobs, files, queues, and tables. Security-relevant settings include:
- Public (anonymous) access to blobs is enabled.
- Infrastructure (double) encryption can be enforced, using Microsoft-managed keys.
- Access control through network ACLs, allowing access only from the designated virtual networks.
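As an added audit example (not part of this resource documentation or of the REDCap deployment), the script below checks constructed JSON in ARM resource shape, mirroring the NSG rules and storage settings described in the two sections above, and flags the patterns the Recommendations section targets: inbound rules open to any source, SSH/RDP reachable from a large range, and public blob access. The rule names, the sample JSON, and the 256-address threshold are assumptions.

```python
import ipaddress
import json

# Constructed sample (assumption) in ARM resource shape, mirroring the page's NSG rules and storage settings.
NSG_RULES = json.loads("""[
 {"name": "allow-web", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "443"]}},
 {"name": "allow-ssh", "properties": {"priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"}}
]""")
STORAGE = json.loads("""{"name": "i2redcapmainstorage", "properties": {
 "allowBlobPublicAccess": true, "minimumTlsVersion": "TLS1_2",
 "networkAcls": {"defaultAction": "Deny", "virtualNetworkRules": [{"id": "/subnets/main"}]}}}""")

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}   # prefixes that mean "the whole Internet"
MGMT_PORTS = {"22", "3389"}                    # SSH and RDP

def ports_of(props):
    """Destination ports of a rule as a set of strings; "*" means every port."""
    return set(props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")])

def prefix_size(prefix):
    """Number of addresses a source prefix covers; wildcard sources count as all of IPv4."""
    if prefix in ANY_SOURCE:
        return 2 ** 32
    return ipaddress.ip_network(prefix, strict=False).num_addresses

def audit_nsg(rules, max_mgmt_addresses=256):
    """Flag inbound Allow rules open to any source, or exposing SSH/RDP to more than a small range."""
    findings = []
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        ports, size = ports_of(p), prefix_size(p["sourceAddressPrefix"])
        if p["sourceAddressPrefix"] in ANY_SOURCE:
            findings.append(f"{rule['name']}: ports {sorted(ports)} open to any source")
        if (ports & MGMT_PORTS or "*" in ports) and size > max_mgmt_addresses:
            findings.append(f"{rule['name']}: management port reachable from {size} addresses")
    return findings

def audit_storage(acct):
    """Flag anonymous blob access and network ACLs whose default action is not Deny."""
    p, findings = acct["properties"], []
    if p.get("allowBlobPublicAccess"):
        findings.append(f"{acct['name']}: allowBlobPublicAccess is true")
    if p.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append(f"{acct['name']}: networkAcls.defaultAction is not Deny")
    return findings

if __name__ == "__main__":
    for f in audit_nsg(NSG_RULES) + audit_storage(STORAGE): print("FINDING:", f)
```

The same functions accept the `properties` shape produced by an ARM template export, so they can be pointed at a real export of the NSGs and storage account once the constructed sample is replaced.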
4. Virtual Networks and Subnets
- Type: Microsoft.Network/virtualNetworks
- Name:
i2-redcap-main-vnet
- Address Space: 10.24.96.128/28, 10.24.96.144/28, 192.168.255.224/27, 192.168.255.192/27
Subnets:
- appgw
  - Address Prefix: 192.168.255.224/27
  - Connected to multiple application gateways.
- main
  - Address Prefix: 10.24.96.144/28
  - Uses network security groups to control traffic and route tables to direct it.
- mysql-flex
  - Address Prefix: 10.24.96.128/28
  - Delegated to Azure Database for MySQL Flexible Server, so the service works with the subnet's access restrictions and routing.
- appsvc
  - Address Prefix: 192.168.255.192/27
  - Delegated to App Service, enabling connections between the application and other Azure services.
This architecture enables efficient traffic management and unified communication between services.
5. Managed Identities
- Type: Microsoft.ManagedIdentity/userAssignedIdentities
- Names:
db-user-creds
i2-redcap-main-ident
These managed identities simplify identity management and allow Azure resources to authenticate to each other without credentials being stored in code.
6. Monitoring Solutions
- Type: Microsoft.OperationalInsights/workspaces
- Name:
i2-redcap-logs
This workspace collects and analyzes logs and performance metrics from the connected resources. Notable configuration includes custom dashboards and queries for performance monitoring and diagnostics.
Data Storage
Data is stored primarily in the Azure Storage Account (i2redcapmainstorage), which provides blob storage for unstructured data, file shares for shared content, queues for messaging, and tables for structured data. The storage account is linked to the monitoring workspace to track usage and performance. Additionally, a strong security posture is maintained by configuring appropriate access roles and policies.
Networking
The networking setup consists of a virtual network (i2-redcap-main-vnet) with multiple subnets (appgw, main, mysql-flex, appsvc), enabling logical separation of resources and efficient routing of traffic. Notable IP configurations and connections:
- Public IP for Application Gateway: 172.170.117.91
- Each subnet is secured with NSGs to manage and limit traffic flow appropriately.
Virtual Network Peering
- Peerings with Other Networks:
  - wuit-erd-hub-prod
  - wuit-VNet-01
  - These peerings allow seamless communication across the virtual networks while keeping address spaces managed effectively.
- Peering with
Security Overview
The resources within the resource group are secured using Azure's built-in features, including:
- Network Security Groups: Prevent unwanted access by controlling ingress and egress traffic.
- Key Vault: Sensitive data and access keys are stored securely, enabling role-based access.
- Storage Account Security: Implemented via network ACLs, allowing only access from defined virtual networks.
Recommendations:
- Restrict NSG rules to limit access from broader address ranges to specific known IPs wherever possible.
- Regularly audit the permissions within the key vault and storage accounts to ensure minimal access is granted.
- Utilize Azure Security Center alerts to monitor for and notify on anomalous activity.
Other Information
This resource group architecture aims to provide scalability and flexibility for application deployments. As load increases, additional instances can be added without significant reconfiguration. It is also advisable to budget for cost, as multiple resources can lead to substantial charges, especially with extensive logging and storage.
To enhance the environment, consider utilizing Azure Cost Management tools to track usage patterns and optimize spending across all resources within this group.