Test 5

Part 1: The Problem

1. CAF Strategy & Plan (Business Stakeholder Persona)
Business Motivation: “Our organization is launching a proprietary, high-performance CRM to support our expansion into the European market. Due to strict data sovereignty laws and legacy application dependencies, we cannot use PaaS; we require full control over the operating system and networking stack.”
Business Outcomes: The solution must support 10,000 concurrent users with a target Service Level Agreement (SLA) of 99.99% availability.
Workload Profile: A distributed, 3-tier monolithic application consisting of a Web Front-end, an Application Logic layer, and a heavy SQL-based Database backend.
2. CAF Ready & Adopt (Landing Zone)
Requirement: The infrastructure must be deployed into a Hub-and-Spoke landing zone. You are responsible for the “Spoke” design, assuming the “Hub” already provides centralized firewalling and ExpressRoute connectivity.
3. Discovery Report: Required Business Logic (Technical Architect Persona)
Because this is a new deployment, this report defines the High-Level Design (HLD) and Low-Level Design (LLD) requirements of the application software provided by the dev team:
Component Description:
Web Tier: 4x Windows Server 2022 instances (IIS).
App Tier: 4x Ubuntu 22.04 LTS instances running Java-based middleware.
Database Tier: A 2-node SQL Server 2022 Failover Cluster Instance (FCI) on Windows Server, requiring Shared Storage and high IOPS.
Application HLD: The app uses a synchronous communication model. The Web tier calls the App tier via a REST API, and the App tier communicates with the DB via a dedicated service account.
Application LLD (Requirements):
Web/App VMs require at least 8 vCPUs and 32GB RAM.
The Database requires 16 vCPUs, 128GB RAM, and sub-millisecond disk latency.
4. Source Workflow Diagram (Logic Flow)
User Access: External users hit a public-facing entry point via HTTPS (Port 443).
Web-to-App: The Web servers forward requests to the Application servers on Port 8080.
App-to-DB: The Application servers query the SQL Database cluster on Port 1433.
Admin Access: Developers require secure RDP/SSH access for monthly patching.
5. WAF Pillars (Constraints)
WAF Security:
Identity: All VM login access must be governed by Microsoft Entra ID.
Traffic: Implement a Zero-Trust model using Network Security Groups (NSGs) and Application Security Groups (ASGs). No direct internet access is allowed for App or DB tiers.
Secrets: Disk encryption keys and SQL credentials must be stored in Azure Key Vault.
WAF Reliability: The design must survive a Zone failure. You must use Availability Zones (AZs) for all tiers.
WAF Cost Optimization: The monthly budget for this spoke is $8,000 USD. You must use Azure Reserved Instances and Azure Hybrid Benefit calculations where applicable.
WAF Operational Excellence: The infrastructure must be monitored via Azure Monitor, with automated alerts for VM heartbeats and Disk space.
6. Technical Boundary
Strictly IaaS: You are forbidden from using Azure SQL Database (PaaS) or Azure App Service. Everything must run on Virtual Machines.
Networking: You must define the VNet CIDR, Subnetting (Web, App, DB, and Management), and Load Balancing (Internal vs. External).
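A worked example for the Networking and Traffic requirements above, added here and not part of the exercise text or any reference solution: it carves the spoke subnets out of a VNet CIDR and models the NSG/ASG rule set that implements the documented flow (443 from the Internet to Web, 8080 Web to App, 1433 App to DB, RDP/SSH from Management), then checks it the way Azure evaluates an NSG: rules in ascending priority order, first match wins, with the platform's default rules at priorities 65000 to 65500. The 10.50.0.0/22 address space, the /24 subnet sizes, every ASG and rule name, the "hub-admin" label standing in for the on-premises admin range that arrives over the hub's ExpressRoute, and the any-port rule between the two SQL FCI nodes are all assumptions made for the example.

```python
"""Subnet plan and NSG/ASG rule model for the CRM spoke.  Added worked example,
not part of the exercise.  Assumed: the 10.50.0.0/22 address space, /24 subnets,
all ASG/rule names, the 'hub-admin' label for the on-prem admin range reached via
the hub, and the any-port rule between SQL FCI nodes (real WSFC ports come later)."""
import ipaddress
from dataclasses import dataclass

TIERS = ("web", "app", "db", "mgmt")  # one subnet and one ASG per tier


def plan_subnets(vnet="10.50.0.0/22", tiers=TIERS, prefix=24):
    """Carve one /prefix subnet per tier, in order, out of the spoke VNet.
    Azure reserves 5 addresses per subnet, so a /24 leaves 251 usable."""
    nets = list(ipaddress.ip_network(vnet).subnets(new_prefix=prefix))
    if len(nets) < len(tiers):
        raise ValueError(f"{vnet} holds only {len(nets)} /{prefix} subnets")
    return dict(zip(tiers, nets))


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str  # "Inbound" | "Outbound"
    access: str     # "Allow" | "Deny"
    protocol: str   # "Tcp" | "*"
    src: str        # ASG name, service tag or "*"
    dst: str
    dst_port: str   # "443", "22,3389" or "*"

# Rules Azure adds to every NSG; anything not explicitly matched falls through to these.
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# An endpoint is the set of selectors it satisfies: a VM NIC matches its ASG and the
# VirtualNetwork tag; the load-balancer health probe (168.63.129.16) matches neither.
def vm(tier):
    return frozenset({f"asg-{tier}", "VirtualNetwork"})

INTERNET = frozenset({"Internet"})
AZURE_LB = frozenset({"AzureLoadBalancer"})
HUB_ADMIN = frozenset({"hub-admin", "VirtualNetwork"})  # assumed on-prem admin range via the hub


def _matches(rule, src, dst, proto, port):
    def hit(selector, labels):
        return selector == "*" or selector in labels
    ports = rule.dst_port.split(",")
    return (hit(rule.src, src) and hit(rule.dst, dst)
            and rule.protocol in ("*", proto)
            and ("*" in ports or str(port) in ports))


def evaluate(rules, direction, src, dst, port, proto="Tcp"):
    """Azure semantics: ascending priority number, first matching rule decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == direction and _matches(r, src, dst, proto, port):
            return r.access, r.name
    raise AssertionError("the default rules guarantee a match")


def build_nsgs(zero_trust=True):
    """One NSG per subnet implementing the documented flow.  zero_trust=False omits
    the explicit intra-VNet deny, the common mistake that leaves AllowVnetInBound
    (65000) letting every VM reach every other VM on any port."""
    def allow(name, pri, src, dst, port):
        return Rule(name, pri, "Inbound", "Allow", "Tcp", src, dst, port)
    nsg = {
        "web":  [allow("AllowHttpsFromInternet", 100, "Internet", "asg-web", "443"),
                 allow("AllowRdpFromMgmt", 110, "asg-mgmt", "asg-web", "3389")],
        "app":  [allow("AllowApiFromWeb", 100, "asg-web", "asg-app", "8080"),
                 allow("AllowSshFromMgmt", 110, "asg-mgmt", "asg-app", "22")],
        "db":   [allow("AllowSqlFromApp", 100, "asg-app", "asg-db", "1433"),
                 allow("AllowRdpFromMgmt", 110, "asg-mgmt", "asg-db", "3389"),
                 Rule("AllowFciNodeToNode", 120, "Inbound", "Allow", "*", "asg-db", "asg-db", "*")],
        "mgmt": [allow("AllowAdminFromHub", 100, "hub-admin", "asg-mgmt", "22,3389")],
    }
    for tier, rules in nsg.items():
        if zero_trust:
            rules.append(Rule("DenyVnetInBound", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "VirtualNetwork", "*"))
            if tier in ("app", "db"):  # requirement: no direct internet egress for App or DB
                rules.append(Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "Internet", "*"))
        rules.extend(DEFAULTS)
    return nsg


def check_flows(nsg):
    """Required flows (expect Allow) and forbidden ones (expect Deny).  Inbound is
    judged by the destination subnet's NSG, outbound by the source subnet's."""
    cases = {
        "internet->web:443":  ("web",  "Inbound",  INTERNET,   vm("web"),  443),
        "lb-probe->web:443":  ("web",  "Inbound",  AZURE_LB,   vm("web"),  443),
        "web->app:8080":      ("app",  "Inbound",  vm("web"),  vm("app"),  8080),
        "app->db:1433":       ("db",   "Inbound",  vm("app"),  vm("db"),   1433),
        "db->db:3343":        ("db",   "Inbound",  vm("db"),   vm("db"),   3343),
        "hub->mgmt:22":       ("mgmt", "Inbound",  HUB_ADMIN,  vm("mgmt"), 22),
        "mgmt->app:22":       ("app",  "Inbound",  vm("mgmt"), vm("app"),  22),
        "web->db:1433":       ("db",   "Inbound",  vm("web"),  vm("db"),   1433),
        "internet->app:8080": ("app",  "Inbound",  INTERNET,   vm("app"),  8080),
        "app->internet:443":  ("app",  "Outbound", vm("app"),  INTERNET,   443),
        "db->internet:443":   ("db",   "Outbound", vm("db"),   INTERNET,   443),
    }
    return {k: evaluate(nsg[sub], d, s, t, p)[0] for k, (sub, d, s, t, p) in cases.items()}
```

Running `check_flows(build_nsgs())` returns Allow for the seven documented flows and Deny for the four that must not exist; `check_flows(build_nsgs(zero_trust=False))` shows why the explicit `DenyVnetInBound` at priority 4000 matters: without it Web reaches the SQL listener on 1433 through the default `AllowVnetInBound`, and App and DB reach the Internet through `AllowInternetOutBound`. The load-balancer health probe still passes because the `AzureLoadBalancer` tag is not part of `VirtualNetwork`, and the FCI node-to-node rule is there because the same deny would otherwise break cluster heartbeat between the two SQL nodes. Egress from the Web tier is left to a user-defined route towards the hub firewall, which this NSG model does not represent.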

Part 2: Components

Part 3: Architecture

HLD
LLD

Part 4: Implementation
