Develop a Secure Distributed System in the Azure Cloud

This article is part of an individual academic assignment for learning about the cloud services discussed in the SENG 41283 Distributed and Cloud Computing course offered by the University of Kelaniya Software Engineering Teaching Unit. 🎓

Sample System Architecture for the Assignment

You can find more requirements and guidelines for the assignment here. As suggested in the assignment, and because Microsoft provides FREE Azure credits for students, I chose the Microsoft Azure Cloud Platform as the cloud service provider for this project. 😃

📁 The System

According to the assignment guidelines, we have to use open-source systems that can be easily adapted to the above architecture, or we could develop our own system. As always, I choose the hard path to gain more experience and practical knowledge. 😉

So I decided to develop a simple yet highly useful system that will help our university to manage internship details of the students. 🏫

☁️ Cloud Architecture

I modified the given architecture a little bit while not changing key components. The proposed architecture for the basic Internship Management System can be found below.

Proposed Intern Management System for SETU — UoK

PS: Some resources are not included in the Azure Student Subscription, so I had to find alternative solutions.

  • Azure CDN — ✅ Static Web App
  • Active Directory Roles — ❌ No alternative found

🚧 Development Guide

Basic Setup

The initial step in creating a solution in the Azure cloud is to create a resource group, which binds the related resources together so they are easy to organize. I created a resource group named setu and added all the solution-related resources to this group.

Resource Group of setu — Overview

User Management & Security

Azure Active Directory is an enterprise-level identity management and permission handling system that can be easily integrated with any application in the Azure cloud. There are several types of AD solutions available in Azure. In the default Azure AD solution, the admin of the AD is the person who can add new users or remove existing users. When users need to create accounts for themselves, Active Directory B2C is the preferred solution. So I created an Azure AD B2C resource to allow users to sign up and sign in to this sample application and perform tasks. The initial idea was to control user permissions with specific roles, but this feature isn't included without a premium subscription plan.

Azure AD B2C — Overview

Active Directory Applications — These are used to set up Azure Active Directory user authentication in a client application. After creating an application, we can set up the application type (web, single-page application, mobile, etc.), redirect URLs, authentication flow (implicit or explicit) and other authentication configurations.

AD B2C Application — Configurations

Databases and Storage

I have used three different storage resources: a MySQL database, Redis Cache and Azure Storage, as suggested in the sample architecture.

Azure Database for MySQL Server — It’s an enterprise-level solution for MySQL databases. This will create a virtual machine with MySQL installed. At creation, we can define the database user and password fields. After the deployment finishes, we can get the hostname, username and port for this MySQL database, which we can use for connecting remotely. (Highlighted in the red square)

Azure Database for MySQL server — Overview

I used this MySQL instance with the Database Access Service. Since it is a simple Node.js application that uses the Sequelize ORM, I configured the MySQL instance-related data as environment variables when developing the application. So after creating the web app, I can set the environment variables from the dashboard.

Azure Cache for Redis — Redis is the most used database for caching. Azure provides this resource as a service for using Redis in the Azure cloud.

Azure Cache for Redis — Overview

Azure Storage Account — The file storage solution of the Azure cloud is called a storage account, and it provides several storage services such as containers, file shares, tables and queues.

Storage Account — Overview

App Service for Backend

Web App is an Azure resource that provides a scalable web application hosting service which can be used for most kinds of web applications. It currently supports web applications based on most of the popular programming languages (Java, Python, Node.js, .NET). I have used two instances of this App Service to host the Service 01 and Service 03 implementations. The source code of these applications is based on nodejs-sql-boilerplate and nodejs-redis-boilerplate.

These applications were deployed directly from GitHub to Azure using GitHub Actions. This setup allows us to add a CI/CD pipeline to our application.

Example of CI/CD with GitHub Actions + Azure

Database Access Service

In this service, we need to add the environment variables that we have used in the source code. For that, we need to go to the configuration screen, click on “New application string” and add the specific key and value for each environment variable.

  • MYSQL_HOST / MYSQL_USER / MYSQL_PASSWORD — Details from the above-mentioned Azure Database for MySQL server instance.

Service 02 Configurations

This API has only one endpoint, named “/students” (besides the root endpoint), which gets the list of students from the MySQL database.

API Service with Caches

API Service with Caches — Overview

  • REDIS_HOST / REDIS_PORT / REDIS_PASSWORD — Details from the Azure Cache for Redis instance
  • DB_ACCESS_API — URL of the service 03 API
  • FUNCTION_URL — URL of the function app HTTP trigger

Service 01 Configurations
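Both services read their connection details from the application settings listed above (the MySQL settings for the Database Access Service, the Redis and URL settings for the API Service with Caches). The following is an added example, not code from the boilerplate repositories, of a startup check that fails closed when a setting is missing or a service URL is not HTTPS, and that produces a copy safe for logging. The names loadConfig, redact, service01 and service03 are hypothetical, and the values used to exercise it are constructed.

```javascript
// Added example, not the project's code. The setting names are the ones listed
// above; loadConfig, redact and the service keys are hypothetical.
const REQUIRED = {
  service01: ['REDIS_HOST', 'REDIS_PORT', 'REDIS_PASSWORD', 'DB_ACCESS_API', 'FUNCTION_URL'],
  service03: ['MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PASSWORD'],
};
const URL_SETTINGS = ['DB_ACCESS_API', 'FUNCTION_URL'];
const SECRET_NAME = /PASSWORD|SECRET|KEY/i;

// Read and validate one service's settings; throw at startup instead of
// running with a partial or downgraded configuration.
function loadConfig(service, env = process.env) {
  const names = Object.hasOwn(REQUIRED, service) && REQUIRED[service];
  if (!names) throw new Error(`unknown service: ${service}`);
  const missing = names.filter((n) => !String(env[n] ?? '').trim());
  // Report setting names only, never values.
  if (missing.length) throw new Error(`missing settings: ${missing.join(', ')}`);
  const cfg = {};
  for (const n of names) cfg[n] = String(env[n]).trim();
  for (const n of URL_SETTINGS) {
    if (!(n in cfg)) continue;
    let url;
    try { url = new URL(cfg[n]); } catch { throw new Error(`${n} is not a valid URL`); }
    if (url.protocol !== 'https:') throw new Error(`${n} must use https`);
    if (url.username || url.password) throw new Error(`${n} must not embed credentials`);
  }
  if ('REDIS_PORT' in cfg) {
    const port = Number(cfg.REDIS_PORT);
    if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error('REDIS_PORT is invalid');
    cfg.REDIS_PORT = port;
  }
  return Object.freeze(cfg);
}

// Copy that is safe to log: secrets masked and URL query strings dropped
// (a function URL can carry an access key in its query string).
function redact(cfg) {
  const out = {};
  for (const [k, v] of Object.entries(cfg)) {
    if (SECRET_NAME.test(k)) out[k] = '***';
    else if (URL_SETTINGS.includes(k)) { const u = new URL(v); u.search = ''; out[k] = u.href; }
    else out[k] = v;
  }
  return out;
}
```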

Azure Function for Backend

An Azure Function is a serverless function that can be triggered by certain events to perform a task. I use an HTTP-triggered function to save a file to Azure Storage.

Azure Function — Overview
Azure Function — Integrate with Blob Storage

This function has an HTTP trigger endpoint, and when we send a POST request with a file attached, it stores that file inside the storage account container named reports.
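An HTTP endpoint that writes whatever it receives into the reports container should check the upload before storing it. The following is an added example, not the function's actual code: it caps the size, allows only listed file types whose leading bytes match the extension, and builds the blob name on the server so that a client-supplied path never reaches storage. The size limit, the allowed types, the owner ID (for instance the signed-in user's ID) and the function names are assumptions.

```javascript
// Added example, not the project's code. MAX_BYTES, ALLOWED, ownerId and the
// function names are assumptions; only the container name comes from the page.
const MAX_BYTES = 5 * 1024 * 1024;
const ALLOWED = {                                   // extension -> required leading bytes
  '.pdf': Buffer.from('%PDF-'),
  '.docx': Buffer.from([0x50, 0x4b, 0x03, 0x04]),   // ZIP container header
};

// Build the blob name server-side: drop any client path, keep a sanitized
// stem, and prefix with the owner ID and a timestamp.
function safeBlobName(clientName, ownerId, now = new Date()) {
  const base = String(clientName).split(/[\\/]/).pop().normalize('NFKC');
  const dot = base.lastIndexOf('.');
  const ext = dot > 0 ? base.slice(dot).toLowerCase() : '';
  const stem = (dot > 0 ? base.slice(0, dot) : base)
    .replace(/[^A-Za-z0-9_-]+/g, '_').replace(/^_+|_+$/g, '').slice(0, 64) || 'report';
  const owner = String(ownerId).replace(/[^A-Za-z0-9-]/g, '');
  if (!owner) throw new Error('owner id required');
  const stamp = now.toISOString().replace(/[:.]/g, '-');
  return { name: `${owner}/${stamp}_${stem}${ext}`, ext };
}

// Decide whether an uploaded body may be written to the reports container.
function validateUpload(clientName, body, ownerId, now) {
  if (!Buffer.isBuffer(body) || body.length === 0) return { ok: false, reason: 'empty body' };
  if (body.length > MAX_BYTES) return { ok: false, reason: 'too large' };
  const { name, ext } = safeBlobName(clientName, ownerId, now);
  const magic = ALLOWED[ext];
  if (!magic) return { ok: false, reason: 'type not allowed' };
  if (!body.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: 'content does not match extension' };
  }
  return { ok: true, container: 'reports', blobName: name };
}
```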

Static Web App for Frontend

Single-page application hosting is made easy with Azure Static Web App resources: we can simply select the GitHub repository, and the app will be automatically built and deployed using GitHub Actions.

Static Web App — Overview

This app uses the react-azure-adb2c library to enable authentication. Once the user goes to the static web app URL, the user is redirected to the login page. After signing in, the app gets data from Service 01 through the Front Door and provides the functionality to upload reports to Azure Storage. The ribbon on the right shows whether the data comes from the cache or not. After deploying the frontend, this is how it looks.

A custom domain is a unique branded label that’s connected to the IP address of a website, used instead of the random domain name generated by Azure. To set up a custom domain, all we need to do is add a CNAME record that points to the Azure servers from the domain name provider’s dashboard.

Add DNS records in the dashboard

This is the final view of the frontend, which contains data that came from the Front Door endpoint. It shows the data and its source, and supports file upload to Azure Storage.

Hosted Frontend

Front Door and WAF for Security

In the Azure cloud platform, Front Door is the resource that provides proxy-like behaviour to secure the internal APIs from external networks, intercept requests coming from outside and detect security threats.

Azure Front Door — Overview

Using the Front Door designer tool, we can add the backends that need to be exposed via the Front Door URL and set the routes to the relevant backend. Since this also works as a load balancer, we can configure the backend pool size and other load-balancing settings as well.

Front Door Designer
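Front Door and its WAF only protect the backends if requests cannot skip them by calling a backend's own hostname. Front Door adds an X-Azure-FDID header carrying its ID to the requests it forwards, so a backend can reject anything that did not come through the expected instance. The following is an added example, not the project's code, of that check; checkOrigin is a hypothetical name and the ID is a placeholder.

```javascript
// Added example, not the project's code. EXPECTED_FDID is a placeholder for the
// Front Door ID shown on the Front Door overview page; checkOrigin is hypothetical.
const EXPECTED_FDID = '00000000-0000-0000-0000-000000000000';
const GUID = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Decide whether a request reached the backend through the expected Front Door.
// headers: request headers; socketIp: address of the TCP peer.
function checkOrigin(headers, socketIp, expectedId = EXPECTED_FDID) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const fdid = h['x-azure-fdid'];
  // A repeated header arrives as an array or a comma-joined string; both fail here.
  if (typeof fdid !== 'string' || !GUID.test(fdid) ||
      fdid.toLowerCase() !== expectedId.toLowerCase()) {
    // Do not trust any forwarded client address on a rejected request.
    return { allow: false, status: 403, clientIp: socketIp };
  }
  // Only after the origin is verified is the forwarded client address meaningful.
  const forwarded = h['x-azure-clientip'];
  return { allow: true, status: 200, clientIp: typeof forwarded === 'string' ? forwarded : socketIp };
}
```

A client can set this header itself, so the check belongs together with an App Service access restriction that admits only the AzureFrontDoor.Backend service tag.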

Usually, Front Door is associated with a WAF (Web Application Firewall) that provides a highly recommended set of rules to prevent or detect attacks like cross-site scripting (XSS), SQL injection (SQLi), etc. We can also provide custom rules to block users based on our own rules.

Web Application Firewall (WAF) — Overview

The custom rule I created to test this resource is rate-limit-based blocking. This rule denies users from Sri Lanka who send more than 1 request per minute to the Front Door.

Monitoring and Insights

After configuring all the resources, we finally need to monitor them. Azure has a resource called Application Insights that can connect to the resources to be monitored and create customizable dashboards.

Application Insights — Overview

As you can see, the basic overall insights can be viewed on this overview page. If we need live insights, Live Metrics shows live charts of the analysis.

Application Insights : Live Metrics

This also provides telemetry with a live-updating log stream, which helps a lot in tracking the requests coming to our web services.

As you can see above, we can also get a map-like structure to identify the behaviour of the monitored application over time.

Dashboard created with Application Insights data

🔮 Future Development

  • As initially planned, role-based access control needs to be implemented to show different views to students and lecturers.
  • Extend the database to add periodic reports based on the start date of internships.
  • Develop the frontend to show more statistics about the reports and submissions.

☝️ Conclusion

Azure cloud is a user-friendly, fast, reliable and secure set of cloud services that can be used to easily set up any kind of infrastructure in the cloud. It has several resources that can be used to do the same task in different ways, so we can select the resource that best suits our product according to our preference. In monetary terms, the subscription plans are very flexible, and billing for the resources can be managed and audited easily as we need.

As Software Engineering students we must have the experience of cloud computing and its use cases. This assignment gave us a chance to get a deep hands-on experience in cloud environments. 😇




Coder | Freelancer | BSc. (Hons.) in Software Engineering | University of Kelaniya, Sri Lanka

Nuwan Alawatta
