WLPP Cloud
Architecture Overview
The AZURE Resource Group "KMG-WLPP-InBetween" supports the infrastructure for the White Label Puzzle Platform (WLPP) tailored for our B2B and B2C clients. Below you will find detailed descriptions and a comprehensive table of the various virtual machines, web servers, SQL databases, virtual networks, and other tools deployed within this AZURE resource group.
Currently Deployed at: WLPP-Cloud
Network Diagram
Components
Component List
| NAME | TYPE |
|---|---|
| RecommendedAlertRules-AG-1 | Action group |
| RecommendedAlertRules-AG-2 | Action group |
| KMG-WLPP-AGW01 | Application gateway |
| KMG-WLPP-VN01-bastion | Bastion |
| KMG-WLPP-BUILD01_OsDisk_1_586e44565e29471c9e712b9cdcea82f5 | Disk |
| KMG-WLPP-SQL01_DataDisk_0 | Disk |
| KMG-WLPP-SQL01_DataDisk_1 | Disk |
| KMG-WLPP-SQL01_DataDisk_2 | Disk |
| KMG-WLPP-SQL01_OsDisk_1_b88960241eaa427e887e76b4204ac5f6 | Disk |
| KMG-WLPP-WEB01-1_OsDisk_1_f1be2df96ba349b2b3d4fec433f35dbd | Disk |
| KMG-WLPP-WEB01-2_OsDisk_1_a10e807331194925ae706962dfa4c39d | Disk |
| KMG-WLPP-LB01 | Load balancer |
| AMSFW | Local network gateway |
| Available Memory Bytes - KMG-WLPP-SQL01 | Metric alert rule |
| Data Disk IOPS Consumed Percentage - KMG-WLPP-SQL01 | Metric alert rule |
| KMG-WLPP-WEB01-1 CPUAbove80 | Metric alert rule |
| KMG-WLPP-WEB01-1 Data Disk IOPS Consumed Percentage | Metric alert rule |
| KMG-WLPP-WEB01-1 Network In Total | Metric alert rule |
| KMG-WLPP-WEB01-1 Network Out Total | Metric alert rule |
| KMG-WLPP-WEB01-1 OS Disk IOPS Consumed Percentage | Metric alert rule |
| KMG-WLPP-WEB01-1 RAMBelow1 | Metric alert rule |
| KMG-WLPP-WEB01-1 VM Availability | Metric alert rule |
| Network In Total - KMG-WLPP-SQL01 | Metric alert rule |
| Network Out Total - KMG-WLPP-SQL01 | Metric alert rule |
| OS Disk IOPS Consumed Percentage - KMG-WLPP-SQL01 | Metric alert rule |
| Percentage CPU - KMG-WLPP-SQL01 | Metric alert rule |
| VM Availability - KMG-WLPP-SQL01 | Metric alert rule |
| KMG-WLPP-NATGW01 | NAT gateway |
| kmg-wlpp-build01913 | Network Interface |
| kmg-wlpp-sql01888_z1 | Network Interface |
| kmg-wlpp-web01-1106_z1 | Network Interface |
| kmg-wlpp-web01-1456_z2 | Network Interface |
| KMG-WLPP-BUILD01-nsg | Network security group |
| KMG-WLPP-SQL01-nsg | Network security group |
| KMG-WLPP-WEB01-1-NetworkSecurityGroup | Network security group |
| KMG-WLPP-AGWPUBIP01 | Public IP address |
| KMG-WLPP-NATGW01-PUBIP01 | Public IP address |
| kmg-wlpp-vn01-bastion | Public IP address |
| KMG-WLPP-VN01-ip | Public IP address |
| KMG-WLPP-BV01 | Recovery Services vault |
| 24-12-17BeforeAnything | Snapshot |
| 24-12-17BeforeAnything-WEB01 | Snapshot |
| 24-12-17BeforeAnythingWEB01-2 | Snapshot |
| 24-12-31_KMG-WLPP-WEB01-2_Before-PHP-Install | Snapshot |
| 24-12-31SQLVMBasicSetup | Snapshot |
| KMG-WLPP-SQL01 | SQL virtual machine |
| wlppstor01 | Storage account |
| KMG-WLPP-BUILD01 | Virtual machine |
| KMG-WLPP-SQL01 | Virtual machine |
| KMG-WLPP-WEB01-1 | Virtual machine |
| KMG-WLPP-WEB01-2 | Virtual machine |
| KMG-WLPP-VN01 | Virtual network |
Cloudflare
Domain Information
The domain used in this example is *braintainment.com*.
DNS
Currently only public DNS is configured in Cloudflare: it routes and proxies requests for https://web.braintainment.com to the public IP of the Azure Application Gateway.
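A quick check that the proxy is actually in front of the gateway, added here as an example and not part of the original page: it compares what public DNS returns for the hostname with the address Azure reports for the Application Gateway's public IP (KMG-WLPP-AGWPUBIP01 in KMG-WLPP-InBetween). It assumes the Az.Network module is installed and Connect-AzAccount has already been run against the subscription.

```powershell
# Added example: verify that public DNS for the Cloudflare-proxied hostname does not
# reveal the Application Gateway's public IP (the resource names come from this page).
# Assumes Az.Network is installed and Connect-AzAccount has been run.

function Test-OriginNotExposed {
    param(
        [string]$HostName      = 'web.braintainment.com',
        [string]$ResourceGroup = 'KMG-WLPP-InBetween',
        [string]$PublicIpName  = 'KMG-WLPP-AGWPUBIP01'
    )

    # The gateway's public IP as Azure itself reports it.
    $originIp = (Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name $PublicIpName).IpAddress

    # What the public resolvers return. With the Cloudflare proxy enabled these are
    # Cloudflare edge addresses, never the origin.
    $answers = Resolve-DnsName -Name $HostName -Type A -DnsOnly |
               Where-Object { $_.QueryType -eq 'A' } |
               Select-Object -ExpandProperty IPAddress

    [pscustomobject]@{
        HostName  = $HostName
        OriginIp  = $originIp
        PublicDns = ($answers -join ', ')
        Proxied   = -not ($answers -contains $originIp)
    }
}

$result = Test-OriginNotExposed
$result | Format-List
if (-not $result.Proxied) {
    Write-Warning "Public DNS for $($result.HostName) points straight at the Application Gateway; the Cloudflare proxy is off for this record."
}
```

Proxying only keeps the origin address out of DNS; it does not stop a client that already knows the address from connecting to the gateway directly and skipping the WAF. Limiting inbound rules on the gateway's subnet to Cloudflare's published IP ranges closes that path.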
SSL
Additionally, "Full Strict Opportunistic End-to-End SSL Encryption" is being enforced.
WAF
Cloudflare's automated DDoS protection and Bot Fight Mode are enabled. Bot Fight Mode challenges "known bots" and traffic patterns that match bots, and can block JavaScript injection techniques.
Load Balancing
There are two load balancers in place. More Details
Web Servers - Backend Pool
The frontend servers below are load balanced and belong to separate Availability Zones (datacenters) within the same region. They are part of a "Backend Pool", which allows web servers to be added and removed without customers losing access to the frontend.
- KMG-WLPP-WEB01: Zone-redundant web server that handles user requests and ensures high availability (EU West - Availability Zone 1)
- KMG-WLPP-WEB02: Zone-redundant web server that handles user requests and ensures high availability (EU West - Availability Zone 2)
SQL Database Servers
- KMG-WLPP-SQL01: Stores transactional data and is the main database for the application. (EU West - Availability Zone 1)
- KMG-WLPP-SQL02: Replicated instance of the primary SQL database to allow for manual failover in case of disaster. (EU West - Availability Zone 2). Also serves as the point of contact for the BI team.
Disaster Recovery, Replication and LogShipping
The SQL database is replicated to the KMG-WLPP-SQL02 instance to allow for manual failover in case of a disaster. This transactional replication setup ensures that data is always available and the application can continue to function without significant downtime. Regular backups and automated failover testing are conducted to ensure the reliability of the disaster recovery plan. The replicated database is already accessible and can be used immediately as soon as issues arise with SQL01. Failover procedures are still TBD, but there is potential to switch SQL traffic with DNS rewrites or redirects.
Storage Accounts
There are three SMB file shares (ictsetup, dd-files and ips-data) created for ICT and DD. They can be mounted on any Windows-based PC so that the necessary tools and files can be uploaded and used on the AZURE VMs. The PowerShell snippets below mount each share.
Mount ictsetup as drive Z:
```powershell
$connectTestResult = Test-NetConnection -ComputerName wlppstor01.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    # (the value passed to /pass is the storage account key; it grants full access to the whole account)
    cmd.exe /C "cmdkey /add:`"wlppstor01.file.core.windows.net`" /user:`"localhost\wlppstor01`" /pass:`"V7IVxmH8jA22dTi0cvh4y0dtF5ARRq+SUkygtVAO305EY67k44u6oBu9WLb+EKYx3Dq0rusBjyDc+AStO5Ylrw==`""
    # Mount the drive
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\wlppstor01.file.core.windows.net\ictsetup" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
```
Mount dd-files as drive W:
```powershell
$connectTestResult = Test-NetConnection -ComputerName wlppstor01.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"wlppstor01.file.core.windows.net`" /user:`"localhost\wlppstor01`" /pass:`"V7IVxmH8jA22dTi0cvh4y0dtF5ARRq+SUkygtVAO305EY67k44u6oBu9WLb+EKYx3Dq0rusBjyDc+AStO5Ylrw==`""
    # Mount the drive
    New-PSDrive -Name W -PSProvider FileSystem -Root "\\wlppstor01.file.core.windows.net\dd-files" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
```
Mount ips-data as drive I:
```powershell
$connectTestResult = Test-NetConnection -ComputerName wlppstor01.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"wlppstor01.file.core.windows.net`" /user:`"localhost\wlppstor01`" /pass:`"V7IVxmH8jA22dTi0cvh4y0dtF5ARRq+SUkygtVAO305EY67k44u6oBu9WLb+EKYx3Dq0rusBjyDc+AStO5Ylrw==`""
    # Mount the drive
    New-PSDrive -Name I -PSProvider FileSystem -Root "\\wlppstor01.file.core.windows.net\ips-data" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
```
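The same mounts done without the account key sitting in the documentation, added as an example rather than the page's own snippet: the key is read from Azure Key Vault at run time and the port-445 check is performed once for all three shares. The vault name `KMG-WLPP-KV01` and secret name `wlppstor01-key` are assumptions; the storage account and share names are the ones above. It requires the Az.KeyVault module and a prior Connect-AzAccount.

```powershell
# Added example (not the page's own snippet): mount the three wlppstor01 shares with
# the storage key fetched from Key Vault instead of pasted into the script.
# Vault name and secret name below are assumed; share names come from this page.

function Mount-WlppShares {
    param(
        [string]$StorageAccount = 'wlppstor01',
        [string]$VaultName      = 'KMG-WLPP-KV01',    # assumed vault name
        [string]$SecretName     = 'wlppstor01-key',   # assumed secret name
        [hashtable]$Shares      = @{ Z = 'ictsetup'; W = 'dd-files'; I = 'ips-data' }
    )

    $fqdn = "$StorageAccount.file.core.windows.net"

    # One reachability check covers all shares; SMB to Azure Files only uses 445.
    $probe = Test-NetConnection -ComputerName $fqdn -Port 445
    if (-not $probe.TcpTestSucceeded) {
        Write-Error "Port 445 to $fqdn is blocked; use a P2S/S2S VPN or ExpressRoute path."
        return
    }

    # The key is retrieved at run time and never written to the script or the wiki.
    $key = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText

    # Store the credential once; Windows reuses it for every share on this host.
    cmdkey "/add:$fqdn" "/user:localhost\$StorageAccount" "/pass:$key" | Out-Null

    foreach ($letter in $Shares.Keys) {
        $root = "\\$fqdn\$($Shares[$letter])"
        if (-not (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue)) {
            # Global scope so the persistent drive outlives this function's scope.
            New-PSDrive -Name $letter -PSProvider FileSystem -Root $root -Persist -Scope Global | Out-Null
        }
        Write-Host ("{0}: -> {1}" -f $letter, $root)
    }
}

Mount-WlppShares
```

Because the key is an account-wide credential, keeping it only in Key Vault also means a rotation (Azure Portal, "Rotate key") needs a single secret update rather than edits to every copy of the snippet; cmdkey entries on machines that already mounted the shares must be refreshed after a rotation.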
Backup Process and Policies
Explanation
The backup process is designed to ensure that data is consistently and reliably backed up, providing multiple recovery points in case of data loss or corruption. The web servers are backed up daily, with additional weekly backups to provide longer-term recovery options. The SQL databases have an enhanced backup policy with more frequent backups every 4 hours, ensuring that data changes are captured more frequently and reducing the potential data loss window.
Instant restore capabilities allow for quick recovery from recent snapshots, minimizing downtime in case of an issue. The retention policies ensure that there are sufficient backup points available for both short-term and long-term recovery needs.
By maintaining application or file-system consistent backups, we ensure that the data is in a stable state, reducing the risk of data corruption during the backup process.
Web Servers
Policy Details
- Full Backup: A complete backup of the web servers is performed.
- Backup Frequency: The backup is taken daily at 4:00 AM W. Europe Standard Time.
- Instant Restore: Instant recovery snapshots are retained for 2 days, allowing for quick restoration if needed.
- Retention of Daily Backup Point: The daily backup taken at 4:00 AM is retained for 14 days.
- Retention of Weekly Backup Point: The backup taken every week on Sunday at 4:00 AM is retained for 4 weeks.
- Consistency Type: The backups are either application-consistent or file-system consistent, ensuring that the data is in a consistent state during the backup process.
SQL Databases (Enhanced Policy)
Policy Details
- Full Backup: A complete backup of the SQL databases is performed.
- Backup Frequency: The backup is taken every 4 hours, starting at 8:00 AM UTC, for a duration of 12 hours.
- Instant Restore: Instant recovery snapshots are retained for 2 days, allowing for quick restoration if needed.
- Retention of Daily Backup Point: The daily backup is retained for 30 days.
- Consistency Type: The backups are either application-consistent or file-system consistent, ensuring that the data is in a consistent state during the backup process.
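To see what the two schedules above mean in recovery-point terms, here is an added example (not from the page and not Azure's own API) that lists the backup times each policy produces in a day and computes the longest gap between consecutive points, which is the worst-case data-loss window. It assumes the hourly schedule takes a backup at the start time and then every interval while the offset is within the stated duration (inclusive); check this against the recovery points the vault actually shows.

```powershell
# Added example: model the two backup schedules from this page and compute the
# worst-case data-loss window (largest gap between recovery points in a day).
# Assumption: a point at the start time plus one every Interval hours while the
# offset <= Duration. Pure computation, no Azure calls.

function Get-RecoveryPointTimes {
    param(
        [Parameter(Mandatory)][int]$StartHour,  # first backup, hour of day (24h clock)
        [int]$IntervalHours = 24,               # 24 = once a day
        [int]$DurationHours = 0                 # window in which repeats occur
    )
    $times = @()
    for ($offset = 0; $offset -le $DurationHours; $offset += $IntervalHours) {
        $times += ($StartHour + $offset) % 24
    }
    return @($times | Sort-Object -Unique)
}

function Get-WorstCaseDataLossHours {
    param([int[]]$BackupHours)
    $sorted = @($BackupHours | Sort-Object -Unique)
    $gaps = for ($i = 0; $i -lt $sorted.Count; $i++) {
        # The last point of the day wraps round to the first point of the next day.
        $next = $sorted[($i + 1) % $sorted.Count]
        $gap  = (($next - $sorted[$i]) + 24) % 24
        if ($gap -eq 0) { 24 } else { $gap }
    }
    return ($gaps | Measure-Object -Maximum).Maximum
}

# Web servers: daily at 04:00 (W. Europe Standard Time).
$web = Get-RecoveryPointTimes -StartHour 4
# SQL enhanced policy: every 4 hours from 08:00 UTC for 12 hours -> 08,12,16,20.
$sql = Get-RecoveryPointTimes -StartHour 8 -IntervalHours 4 -DurationHours 12

[pscustomobject]@{ Policy = 'Web (daily)';    Points = ($web -join ','); WorstCaseHours = Get-WorstCaseDataLossHours $web }
[pscustomobject]@{ Policy = 'SQL (enhanced)'; Points = ($sql -join ','); WorstCaseHours = Get-WorstCaseDataLossHours $sql }
```

Under that model the web policy gives a 24-hour window and the SQL policy gives 4 hours between 08:00 and 20:00 UTC but 12 hours overnight (20:00 to 08:00), so 12 hours is the figure to plan around; extending the duration of the enhanced policy to 24 hours is what brings the whole day down to the 4-hour interval the text describes.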
Useful Links - AZURE
- Application Gateway - Settings ⚙️
- KMG-WLPP-WEB01-1 - Settings ⚙️
- KMG-WLPP-WEB01-2 - Settings ⚙️
- KMG-WLPP-SQL01 - VM Settings ⚙️
- KMG-WLPP-BUILD01 - Settings ⚙️
Active Subscriptions and Costs
| Name | Cost |
|---|---|
| Pro Plan | 25 USD p.m. |
| Load Balancing | 30 USD p.m. |
Conclusion
The Azure Resource Group "KMG-WLPP-InBetween" is meticulously designed to provide a robust and scalable infrastructure for the White Label Puzzle Platform. It ensures high availability, efficient traffic management, and comprehensive disaster recovery capabilities, making it a reliable foundation for our clients' needs.