Develop a Secure Distributed System in the Azure Cloud
SENG 41283 — Distributed and Cloud Computing
This article is part of the academic individual assignment, which helps to learn about cloud services, discussed in the SENG 41283 — Distributed and Cloud Computing course offered by the University of Kelaniya Software Engineering Teaching Unit. 🎓
You can find more requirements and guidelines for the assignment here. As suggested in the assignment, and since Microsoft provides free Azure credits for students, I chose the Microsoft Azure cloud platform as the cloud service provider for this project. 😃
📁 The System
According to the assignment guidelines we have to use open-source systems that can be easily adapted to the above architecture, or we could develop our own system. As always, I chose the hard path to gain more experience and practical knowledge. 😉
So I decided to develop a simple yet highly useful system that will help our university manage the internship details of its students. 🏫
☁️ Cloud Architecture
I modified the given architecture a little while keeping the key components unchanged. The proposed architecture for the basic Internship Management System can be found below.
PS: Some of the resources in the given architecture are not included in the Azure Student Subscription, so I had to find alternative solutions.
- Azure CDN — ✅ Static Web App
- Active Directory Roles — ❌ No alternative found
🚧 Development Guide
The initial step in creating a solution in the Azure cloud is creating a resource group that binds the related resources together so they are easy to organize. I created a resource group named setu and added all the resources related to this solution to that group.
User Management & Security
Azure Active Directory is an enterprise-level identity management and permission handling system that can easily be integrated with any application in the Azure cloud. There are several types of AD solutions available in Azure. In the default Azure AD solution, the admin of the directory is the one who adds new users or removes existing users. When users need to create accounts for themselves, Active Directory B2C is the preferred solution. So I created an Azure AD B2C resource to allow users to sign up and sign in to this sample application and perform tasks. The initial idea was to control user permissions with specific roles, but this feature is not included without a premium subscription plan.
Active Directory Applications — An application registration is required to use Azure Active Directory for user authentication in a client application. After creating the application we can set up the application type (web, single-page application, mobile, etc.), redirect URLs, the authentication flow (implicit or explicit) and other authentication configurations.
Databases and Storage
I have used three different storage resources, MySQL database, Redis Cache and Azure Storage, as suggested in the sample architecture.
Azure Database for MySQL Server — This is an enterprise-level MySQL database solution. It will create a virtual machine with MySQL installed. At creation time we define the database user and password. After the deployment finishes we can get the hostname, username and port of this MySQL database, which we can use to connect remotely. (Highlighted in the red square)
I used this MySQL instance with the Database Access Service. Since it is a simple Node.js application that uses the Sequelize ORM, I configured the MySQL instance details as environment variables when developing the application. So after creating the Web App I can set those environment variables from the dashboard.
Azure Cache for Redis — Redis is the most widely used database for caching. Azure provides this resource as a service so that Redis can be used in the Azure cloud.
Azure Storage Account — The file storage solution of the Azure cloud is called a storage account, and it provides several storage services such as containers, file shares, tables and queues.
App Service for Backend
Web App is an Azure resource that provides a scalable web application hosting service that can be used for most kinds of web applications. It currently supports web applications based on most popular programming languages (Java, Python, Node.js, .NET). I have used two instances of this App Service to host the Service 01 and Service 03 implementations. The source code of these applications is based on nodejs-sql-boilerplate and nodejs-redis-boilerplate.
These applications were deployed directly from GitHub to Azure using GitHub Actions. This setup allows us to add a CI/CD pipeline to our application.
Database Access Service
In this service we need to add the environment variables used in the source code. For that, we go to the Configuration screen, click on “New application string” and add the specific key and value for each environment variable.
- MYSQL_HOST / MYSQL_USER / MYSQL_PASSWORD — Details from the Azure Database for MySQL server instance mentioned above.
This API has only one endpoint named “/students” (apart from the root endpoint), which gets the list of students from the MySQL database.
API Service with Caches
- REDIS_HOST / REDIS_PORT / REDIS_PASSWORD — Details from the Azure Cache for Redis instance
- DB_ACCESS_API — URL of the service 03 API
- FUNCTION_URL — URL of the function app HTTP trigger
Azure Function for Backend
An Azure Function is a serverless function that is triggered by certain events and performs a task. I use it as an HTTP-triggered function to save a file to Azure Storage.
This function has an HTTP trigger endpoint, and when we send a POST request with a file attached, it stores that file inside the storage account container named
Static Web App for Frontend
Hosting a single-page application is easy with the Azure Static Web App resource: we simply select the GitHub repository and the app will be automatically built and deployed using GitHub Actions.
This app uses the react-azure-adb2c library to enable authentication. When the user goes to the Static Web App URL, the user is redirected to the login page. After signing in, the app gets data from Service 01 through Front Door and provides the functionality to upload reports to Azure Storage. The ribbon on the right shows whether the data came from the cache or not. After deploying the frontend, this is how it looks.
A custom domain is a unique branded label that is connected to the IP address of a website instead of the Azure-generated random domain name. To set up a custom domain all we need to do is add a CNAME record pointing to the Azure servers from the domain name provider's dashboard.
This is the final view of the frontend, which contains data that came from the Front Door endpoint. It shows the data and its source, and supports file upload to Azure Storage.
Front Door and WAF for Security
In the Azure cloud platform, Front Door is the resource that provides proxy-like behaviour to secure the internal APIs from external networks: it intercepts requests coming from outside and detects security threats.
Using the Front Door designer tool we can add the backends that need to be exposed via the Front Door URL and set the routes to the relevant backend. Since Front Door also works as a load balancer, we can configure the backend pool size and other load-balancing settings as well.
Usually, Front Door is associated with a WAF (Web Application Firewall) that provides a highly recommended set of rules to prevent or detect attacks like cross-site scripting (XSS), SQL injection (SQLi), etc. We can also provide custom rules to block users based on our own criteria.
The custom rule I created to test this resource is a rate-limit-based block. This rule denies users from Sri Lanka who request the Front Door more than once per minute.
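The rule described above, expressed as an ARM resource fragment for the Front Door WAF policy. This is an added example for this article and not the policy exported from the author's subscription; the policy name `setuWafPolicy`, the rule name and the priority are assumptions. The rate-limit rule counts requests per client over a one-minute window and blocks once the threshold of 1 is exceeded, while the `GeoMatch` condition on `RemoteAddr` scopes it to traffic from `LK`; the managed `DefaultRuleSet` supplies the XSS and SQLi detections mentioned in the text.

```json
{
  "name": "setuWafPolicy",
  "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
  "apiVersion": "2020-11-01",
  "location": "Global",
  "properties": {
    "policySettings": {
      "enabledState": "Enabled",
      "mode": "Prevention"
    },
    "customRules": {
      "rules": [
        {
          "name": "RateLimitLK",
          "priority": 100,
          "enabledState": "Enabled",
          "ruleType": "RateLimitRule",
          "rateLimitDurationInMinutes": 1,
          "rateLimitThreshold": 1,
          "matchConditions": [
            {
              "matchVariable": "RemoteAddr",
              "operator": "GeoMatch",
              "matchValue": ["LK"]
            }
          ],
          "action": "Block"
        }
      ]
    },
    "managedRules": {
      "managedRuleSets": [
        {
          "ruleSetType": "DefaultRuleSet",
          "ruleSetVersion": "1.0"
        }
      ]
    }
  }
}
```

A threshold of one request per minute is only useful for confirming the rule fires; a production value would be derived from the request rates visible in Application Insights, and switching `mode` to `Detection` first logs matches without blocking so the rule can be checked against real traffic.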
Monitoring and Insights
After configuring all the resources, finally we need to monitor them. Azure has a resource called Application Insights that can be connected to monitorable resources and lets us create customizable dashboards.
As you can see, basic overall insights can be viewed on this overview page. If we need live insights, Live Metrics shows live charts of the analysis.
It also provides telemetry with a live-updating log stream, which helps a lot in tracking the requests coming to our web services.
As you can see above, we can also get a map-like structure to identify the behaviour of the monitored application over time.
🔮 Future Development
- As initially planned, role-based access control needs to be implemented to show different views to students and lecturers.
- Extend the database to add periodic reports based on the start date of internships.
- Develop the frontend to show more statistics about the reports and submissions.
Azure is a user-friendly, fast, reliable and secure cloud service that can be used to easily set up any kind of infrastructure in the cloud. It has several resources that can be used to do the same task in different ways, so we can select the resource that best suits our product and use it. In monetary terms, the subscription plans are very flexible, and billing for the resources can be managed and audited easily as needed.
As Software Engineering students we must have experience with cloud computing and its use cases. This assignment gave us a chance to get deep hands-on experience in cloud environments. 😇
- API Service with Cache — https://github.com/nuwan94/setu-api
- Database Access Service — https://github.com/nuwan94/setu-db-api
- Storage Access Service — https://github.com/nuwan94/setu-func
- Frontend — https://github.com/nuwan94/setu-frontend
- HOW TO — Secure your ReactJS frontend with Azure AD B2C
- Azure Samples Github Repos
- Microsoft Learn (Azure)
See you again with a new cloud architecture guide in the near future. Stay safe! 🏠❤️