Develop a Secure Distributed System in the Azure Cloud

SENG 41283 — Distributed and Cloud Computing

Nuwan Alawatta
9 min read · Aug 16, 2020

This article is part of the individual academic assignment on cloud services discussed in SENG 41283 Distributed and Cloud Computing, a course offered by the University of Kelaniya Software Engineering Teaching Unit. 🎓

Sample System Architecture for the Assignment

You can find more requirements and guidelines for the assignment here. As suggested in the assignment, and since Microsoft provides free Azure credits for students, I chose Microsoft Azure as the cloud service provider for this project. 😃

📁 The System

According to the assignment guidelines, we have to either use open-source systems that can be easily adapted to the above architecture or develop our own system. As always, I chose the hard path to gain more experience and practical knowledge. 😉

So I decided to develop a simple yet highly useful system that helps our university manage the internship details of its students. 🏫

☁️ Cloud Architecture

I modified the given architecture slightly without changing the key components. The proposed architecture for the basic Internship Management System is shown below.

Proposed Intern Management System for SETU — UoK

PS: Some resources are not included in the Azure Student Subscription, so I had to find alternative solutions.

  • Azure CDN — ✅ Static Web App
  • Active Directory Roles — ❌ No alternative found

🚧 Development Guide

Basic Setup

The initial step in creating a solution in the Azure cloud is creating a resource group that binds the related resources together so they are easy to organize. I created a resource group named setu and added all the solution-related resources to this group.

Resource Group of setu — Overview

User Management & Security

Azure Active Directory is an enterprise-level identity management and permission handling system that can easily be integrated with any application in the Azure cloud. Several types of AD solutions are available in Azure. In the default Azure AD solution, the directory admin is the person who adds new users or removes existing ones. When users need to create accounts for themselves, Active Directory B2C is the preferred solution. So I created an Azure AD B2C resource to allow users to sign up and sign in to this sample application and perform tasks. My initial idea was to control user permissions with specific roles, but this feature is not included without a premium subscription plan.

Azure AD B2C — Overview

Active Directory Applications — an application registration lets a client application use Azure Active Directory for user authentication. After creating an application we can set up the application type (web, single-page application, mobile, etc.), redirect URLs, authentication flow (implicit or explicit), and other authentication configurations.

AD B2C Application — Configurations

Databases and Storage

I used three different storage resources, MySQL database, Redis Cache, and Azure Storage, as suggested in the sample architecture.

Azure Database for MySQL Server — an enterprise-level managed MySQL database offering. This creates a virtual machine with MySQL installed. At creation time we define the database user and password fields. After the deployment finishes, we can get the hostname, username, and port of this MySQL database, which we use to connect remotely (highlighted in the red square).

Azure Database for MySQL server — Overview

I used this MySQL instance with the Database Access Service. Since it is a simple Node.js application that uses the Sequelize ORM, I configured the MySQL instance details as environment variables when I developed the application. So after creating the web app, I can set the environment variables from the dashboard.

Azure Cache for Redis — Redis is the most widely used database for caching, and Azure provides this resource as a service so that Redis can be used in the Azure cloud.

Azure Cache for Redis — Overview

Azure Storage Account — the file storage solution of the Azure cloud is called a storage account, and it provides several storage services such as containers, file shares, tables, and queues.

Storage Account — Overview

App Service for Backend

Web App is an Azure resource that provides a scalable web application hosting service usable for most kinds of web applications. It currently supports web applications written in most of the popular programming languages (Java, Python, Node.js, .NET). I used two instances of this App Service to host the Service 01 and Service 03 implementations. The source code of these applications is based on nodejs-sql-boilerplate and nodejs-redis-boilerplate.

These applications were deployed directly from GitHub to Azure using GitHub Actions. This setup lets us add a CI/CD pipeline to our application.

Example of CI/CD with GitHub Actions + Azure

Database Access Service

In this service, we need to add the environment variables used in the source code. For that, we go to the configuration screen, click on “New application string”, and add the specific keys and values for the environment variables.

  • MYSQL_HOST / MYSQL_USER / MYSQL_PASSWORD — Details from the above-mentioned Azure Database for MySQL server instance.

Service 02 Configurations

This API has only one endpoint, /students (apart from the root endpoint), which returns the list of students from the MySQL database.

API Service with Caches

API Service with Caches — Overview

  • REDIS_HOST / REDIS_PORT / REDIS_PASSWORD — Details from the Azure Cache for Redis instance
  • DB_ACCESS_API — URL of the Service 03 API
  • FUNCTION_URL — URL of the function app HTTP trigger

Service 01 Configurations

Azure Function for Backend

An Azure Function is a serverless function that is triggered by certain events and performs a task. I use it with an HTTP trigger to save a file to Azure Storage.

Azure Function — Overview

Azure Function — Integrate with Blob Storage

This function has an HTTP trigger endpoint; when we send a POST request with a file attached, it stores that file in the storage account container named reports.

Static Web App for Frontend

Azure Static Web App resources make single-page application hosting easy: we simply select the GitHub repository, and the app is automatically built and deployed using GitHub Actions.

Static Web App — Overview

This app uses the react-azure-adb2c library to enable authentication. When a user goes to the static web app URL, they are redirected to the login page. After signing in, the app fetches data from Service 01 through the Front Door and provides the functionality to upload reports to Azure Storage. The ribbon on the right shows whether the data came from the cache or not. After deploying the front end, this is what it looks like.

A custom domain is a unique branded label connected to the IP address of a website, used instead of an Azure-generated random domain name. To set up a custom domain, all we need to do is add a CNAME record pointing to the Azure servers from the domain name provider's dashboard.

Add DNS records in the NameCheap.com dashboard

This is the final view of the front end, showing data that came through the Front Door endpoint. It displays the data and its source and supports file upload to Azure Storage.

Hosted Frontend

Front Door and WAF for Security

In the Azure cloud platform, Front Door is the resource that provides proxy-like behavior: it shields the internal APIs from external networks, intercepts requests coming from outside, and detects security threats.

Azure Front Door — Overview

Using the Front Door designer tool, we can add the backends that need to be exposed via the Front Door URL and set up routes to the relevant backend. Since Front Door also works as a load balancer, we can configure the backend pool size and other load-balancing settings as well.

Front Door Designer

Usually, Front Door is associated with a WAF (Web Application Firewall) that provides a highly recommended managed rule set to prevent or detect attacks such as cross-site scripting (XSS) and SQL injection (SQLi). We can also add custom rules to block requests based on our own criteria.

Web Application Firewall (WAF) — Overview

The custom rule I created to test this resource is rate-limit-based blocking. This rule denies requests to the Front Door from Sri Lanka that exceed one per minute.

Monitoring and Insights

After configuring all the resources, we finally need to monitor them. Azure has a resource called Application Insights that connects to the resources to be monitored and lets us create customizable dashboards.

Application Insights — Overview

As you can see, the basic overall insights can be viewed on this overview page. If we need live insights, Live Metrics shows live charts of the analysis.

Application Insights: Live Metrics

It also provides telemetry with a live-updating log stream, which helps a lot in tracking the requests coming to our web services.

As you can see above, we also get a map-like view that helps identify the behavior of the monitored application over time.

Dashboard created with Application Insights data

🔮 Future Development

  • As initially planned, role-based access control needs to be implemented to show different views to students and lecturers.
  • Extend the database to add periodic reports based on the start date of each internship.
  • Develop the front end to show more statistics about the reports and submissions.

☝️ Conclusion

Azure is a user-friendly, fast, reliable, and secure cloud service that can be used to easily set up any kind of infrastructure in the cloud. It offers several resources that can be used to do the same task in different ways, so we can select the resource best suited to our product and use it. In terms of cost, subscription plans are very flexible, and billing for the resources can be managed and audited easily as needed.

As Software Engineering students we must have experience with cloud computing and its use cases. This assignment gave us a chance to get deep hands-on experience in cloud environments. 😇

Nuwan Alawatta

Senior Software Engineer | SyscoLABS SL | BSc. (Hons.) in Software Engineering | University of Kelaniya ::: https://nuwan.dev