Resource Group: i2-redcap-qa-rg

Overview

The resource group i2-redcap-qa-rg holds the quality assurance (QA) environment for the REDCap application. It groups the Azure services that make up that environment: an Application Gateway, compute (a virtual machine and a scale set), MySQL Flexible Servers, storage accounts, a Key Vault and the supporting network configuration, sized for testing and development workloads.

Resources

1. Application Gateway

  • Type: Microsoft.Network/applicationGateways
  • Name: i2-redcap-qa-gateway
  • Purpose: Acts as the single entry point for web traffic. It forwards requests to the backend according to its configured listeners and routing rules, so backend instances never need to be exposed directly.
  • Backend Address Pools: Configured with address pools pointing to the Virtual Machine Scale Set (VMSS) containing the application.
  • Frontend IP Configuration: Allocated a public IP (52.154.250.247) allowing external access.

2. Virtual Machine

  • Type: Microsoft.Compute/virtualMachines
  • Name: i2-redcap-qa-web-vm-01
  • Purpose: Serves as a compute resource to host the web application.
  • Network Interface: Connects to the main subnet of the Virtual Network i2-redcap-main-vnet (10.0.0.0/16). The internal IP address recorded for it is 10.24.96.148; note that this address lies outside the 10.0.0.0/16 address space documented under Networking, so one of the two values should be verified against the deployed resources.
  • OS: Runs on AlmaLinux and is configured for SSH access (public key authentication).

3. Virtual Machine Scale Set (VMSS)

  • Name: Not explicitly stated but referenced as i2-redcap-qa-vmss.
  • Purpose: Automates scaling based on demand for application workloads.
  • Auto Scaling Settings: Configured to increase/decrease instances based on CPU usage thresholds.

4. MySQL Flexible Servers

  • Type: Microsoft.DBforMySQL/flexibleServers
  • Names: i2-redcap-qa-v8-flex, redcap-qa-mysql-flex, and redcap-qa-replication.
  • Purpose: Provides the relational database engine for the application. The three servers are placed in separate availability zones and differ in configuration.
  • Network: Private access only, reached through the mysql-flex subnet; the servers have no public endpoint.

5. Storage Accounts

  • Type: Microsoft.Storage/storageAccounts
  • Names: i2redcapqargperfdiag750, i2redcapqastorage
  • Purpose: Blob, file and queue storage. Several containers hold logs and other application data.
  • Location: Central US. Both accounts allow public access and carry CORS rules that limit which web origins may use them. CORS is enforced by the browser only and does not restrict direct clients such as curl or the Azure SDK, so it must not be counted as an access control (see Security Overview).

6. Action Groups

  • Type: microsoft.insights/actionGroups
  • Name: Application Insights Smart Detection
  • Purpose: The notification targets used by Application Insights alerts, including the Smart Detection rules that flag performance anomalies. It gives visibility over application health and routes alerts to the people who need them.

7. Key Vaults

  • Type: Microsoft.KeyVault/vaults
  • Name: i2-redcap-keys
  • Purpose: Stores sensitive material such as TLS certificates and database connection strings.
  • Integration: The Application Gateway reads its certificate from the vault for TLS termination (this requires the gateway's managed identity to have get access to the certificate's secret); other Azure resources read their connection secrets from the same vault.

Data Storage

The resource group incorporates several types of data storage:

  • MySQL Flexible Servers: Three servers host the application's relational databases; each holds its own schema and is configured independently.
  • Storage Accounts: Two storage accounts hold blobs and files, with dedicated containers for the different log types so that logs can be located and retained separately from application data.
  • Backup and Recovery: A Recovery Services Vault provides scheduled backups for durability and compliance.

Networking

The network configuration includes:

  • Virtual Network:

    • Name: i2-redcap-main-vnet
    • Address Space: 10.0.0.0/16
    • Subnets: main (address prefix 10.0.0.0/24), which holds the application endpoints, and mysql-flex, which is used for MySQL Flexible Server access (its address prefix is not recorded in this summary).
  • Public IP Address: Static IP 52.154.250.247 assigned to the Application Gateway for external access.

  • Network Interface: Each VM attaches a network interface in the relevant subnet, so routing and isolation follow the subnet layout.

Security Overview

Potential Security Risks

  • Public Access to Storage: Both storage accounts allow public access. Their CORS rules restrict which web origins a browser may use to read them, but CORS is enforced by the browser and does nothing against a direct client (curl, a script, the Azure SDK), so it is not an access control. Confirm that anonymous blob access is disabled (allowBlobPublicAccess set to false), that the account network ACLs default to Deny with an exception for the VNet subnets, and that only data that genuinely must be public sits in any public container.
  • Firewall and NSG: The Network Security Group (NSG) is defined but contains no custom security rules, so only the default rules apply: all traffic inside the VNet is allowed in both directions, inbound from the Internet is denied and outbound to the Internet is allowed. Nothing therefore limits traffic between the web tier and the mysql-flex subnet. Add explicit inbound and outbound rules that admit only trusted networks, and confirm the NSG is actually associated with a subnet or network interface; an unassociated NSG has no effect. If it is attached to the Application Gateway's subnet and the gateway is a v2 SKU, the rules must still allow the GatewayManager service tag on ports 65200-65535 or the gateway becomes unhealthy.
  • Sensitive Data: Key Vault holds the certificates and connection strings. Prefer the Azure RBAC permission model over vault access policies, grant access to managed identities rather than to users, enable soft delete and purge protection, and keep the vault's own network ACLs closed to the public internet.
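The three risks above are all settings that can be read straight out of an exported ARM template. The script below is an added example, not part of the i2-redcap-qa-rg template or of REDCap: it walks a template's resources and flags a storage account that permits anonymous blob access or has open network ACLs, an NSG with no custom rules, a Key Vault still on the access-policy model or without purge protection, and a MySQL Flexible Server whose public network access is not disabled. The embedded SAMPLE_TEMPLATE is constructed for illustration; the NSG name and the access-policy objectId in it are placeholders, since the page does not record them.

```python
"""Static audit of an exported ARM template for the settings discussed under
Security Overview. Added example; SAMPLE_TEMPLATE is constructed, and the NSG
name and the objectId in it are placeholders."""
import json
from typing import Callable, Dict, List, Tuple

SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {   # storage account: anonymous blob access on, network ACL wide open
            "type": "Microsoft.Storage/storageAccounts",
            "name": "i2redcapqastorage",
            "properties": {
                "allowBlobPublicAccess": True,
                "networkAcls": {"defaultAction": "Allow"},
                "supportsHttpsTrafficOnly": True,
                "minimumTlsVersion": "TLS1_2",
            },
        },
        {   # NSG defined but without any custom rule (placeholder name)
            "type": "Microsoft.Network/networkSecurityGroups",
            "name": "i2-redcap-qa-nsg",
            "properties": {"securityRules": []},
        },
        {   # Key Vault on the access-policy model, no purge protection
            "type": "Microsoft.KeyVault/vaults",
            "name": "i2-redcap-keys",
            "properties": {
                "enableRbacAuthorization": False,
                "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000000"}],
            },
        },
        {   # MySQL Flexible Server with private access only: passes
            "type": "Microsoft.DBforMySQL/flexibleServers",
            "name": "redcap-qa-mysql-flex",
            "properties": {"network": {"publicNetworkAccess": "Disabled"}},
        },
    ],
})

Finding = Tuple[str, str]  # (resource name, message)


def check_storage(p: dict) -> List[str]:
    out = []
    # older API versions defaulted allowBlobPublicAccess to true, so a missing value counts as on
    if p.get("allowBlobPublicAccess", True):
        out.append("anonymous blob access allowed; CORS does not restrict non-browser clients")
    if p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        out.append("networkAcls.defaultAction is not Deny; restrict to the VNet subnets")
    if not p.get("supportsHttpsTrafficOnly", False):
        out.append("plain HTTP allowed; set supportsHttpsTrafficOnly")
    if p.get("minimumTlsVersion", "TLS1_0") in ("TLS1_0", "TLS1_1"):
        out.append("minimumTlsVersion below TLS1_2")
    return out


def check_nsg(p: dict) -> List[str]:
    if not p.get("securityRules"):
        return ["no custom rules: default rules allow all VNet traffic, "
                "so nothing separates the web tier from the MySQL subnet"]
    return []


def check_keyvault(p: dict) -> List[str]:
    out = []
    if not p.get("enableRbacAuthorization", False):
        out.append("uses vault access policies; prefer Azure RBAC")
    if not p.get("enablePurgeProtection", False):
        out.append("purge protection disabled; a soft-deleted vault or secret can be purged")
    return out


def check_mysql(p: dict) -> List[str]:
    if p.get("network", {}).get("publicNetworkAccess", "Enabled") != "Disabled":
        return ["publicNetworkAccess is not Disabled"]
    return []


# ARM resource types are case-insensitive, so the lookup key is lowercased
CHECKS: Dict[str, Callable[[dict], List[str]]] = {
    "microsoft.storage/storageaccounts": check_storage,
    "microsoft.network/networksecuritygroups": check_nsg,
    "microsoft.keyvault/vaults": check_keyvault,
    "microsoft.dbformysql/flexibleservers": check_mysql,
}


def audit_template(template_json: str) -> List[Finding]:
    """Return (resource name, finding) pairs for every resource type with a check."""
    findings: List[Finding] = []
    for res in json.loads(template_json).get("resources", []):
        check = CHECKS.get(res.get("type", "").lower())
        if check is None:
            continue
        for msg in check(res.get("properties", {})):
            findings.append((res.get("name", "<unnamed>"), msg))
    return findings


if __name__ == "__main__":
    for name, msg in audit_template(SAMPLE_TEMPLATE):
        print(f"{name}: {msg}")
```

Run it against a template exported from the resource group (Export template in the portal, or `az group export`) instead of the sample. Two caveats: exported templates often give resource names as parameter expressions such as `[parameters('storageAccounts_name')]`, which the script reports verbatim, and the NSG check only inspects the rule list; whether the NSG is associated with a subnet or NIC is recorded on the subnet and NIC resources, not on the NSG, and is not checked here.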

Recommendations

  • Configure explicit NSG rules on the least-privilege principle: allow only the ports each tier needs, restrict the mysql-flex subnet to traffic from the web tier, and avoid public access wherever possible.
  • Use the recommendations from Azure Security Center (now Microsoft Defender for Cloud) for continuous monitoring of the security posture.
  • Review and rotate the secrets and certificates in Key Vault on a schedule, rotating MySQL credentials and storage account keys together with the connection strings that embed them, and audit which identities hold access to the vault.

Other Information

  • Cost Management: Watch resource scaling. Use the VMSS auto-scaling rules so that the instance count follows load rather than staying at peak, which keeps costs from growing through idle capacity.
  • Scalability: The Application Gateway and the VMSS scale with demand, so the application stays responsive during peaks.
  • Monitoring: Use Application Insights together with the Action Group so that health issues and outages produce immediate notifications.

This document summarizes the ARM template configuration of the i2-redcap-qa-rg resource group and describes how its components integrate, scale and are secured.


Updated on October 23, 2024