High-Performance Azure IaaS CRM Architecture

Mission: Deploy a high-performance, IaaS-only CRM for 10,000 concurrent users in the European market while adhering to strict data sovereignty. Technical Constraints:

• Strict IaaS: Full OS-level control is required; all PaaS services (Azure SQL/App Service) are forbidden.
• Availability: Target 99.99% SLA achieved via Zonal Redundancy across all tiers.
• Networking: Deployment within a Spoke VNet (10.1.0.0/16) peered to a central Hub providing firewalling and connectivity.

Detailed problem statement

1. CAF Strategy & Plan (Business Stakeholder Persona)
Business Motivation: “Our organization is launching a proprietary, high-performance CRM to support our expansion into the European market. Due to strict data sovereignty laws and legacy application dependencies, we cannot use PaaS; we require full control over the operating system and networking stack.”
Business Outcomes: The solution must support 10,000 concurrent users with a target Service Level Agreement (SLA) of 99.99% availability.
Workload Profile: A distributed, 3-tier monolithic application consisting of a Web Front-end, an Application Logic layer, and a heavy SQL-based Database backend.
2. CAF Ready & Adopt (Landing Zone)
Requirement: The infrastructure must be deployed into a Hub-and-Spoke landing zone. You are responsible for the “Spoke” design, assuming the “Hub” already provides centralized firewalling and ExpressRoute connectivity.
3. Discovery Report: Required Business Logic (Technical Architect Persona)
Because this is a new deployment, this report defines the High-Level Design (HLD) and Low-Level Design (LLD) requirements of the application software provided by the dev team:
Component Description:
Web Tier: 4x Windows Server 2022 instances (IIS).
App Tier: 4x Ubuntu 22.04 LTS instances running Java-based middleware.
Database Tier: A 2-node SQL Server 2022 Failover Cluster Instance (FCI) on Windows Server, requiring Shared Storage and high IOPS.
Application HLD: The app uses a synchronous communication model. The Web tier calls the App tier via a REST API, and the App tier communicates with the DB via a dedicated service account.
Application LLD (Requirements):
Web/App VMs require at least 8 vCPUs and 32GB RAM.
The Database requires 16 vCPUs, 128GB RAM, and sub-millisecond disk latency.
4. Source Workflow Diagram (Logic Flow)
User Access: External users hit a public-facing entry point via HTTPS (Port 443).
Web-to-App: The Web servers forward requests to the Application servers on Port 8080.
App-to-DB: The Application servers query the SQL Database cluster on Port 1433.
Admin Access: Developers require secure RDP/SSH access for monthly patching.
5. WAF Pillars (Constraints)
WAF Security:
Identity: All VM login access must be governed by Azure Entra ID.
Traffic: Implement a Zero-Trust model using Network Security Groups (NSGs) and Application Security Groups (ASGs). No direct internet access is allowed for App or DB tiers.
Secrets: Disk encryption keys and SQL credentials must be stored in Azure Key Vault.
WAF Reliability: The design must survive a Zone failure. You must use Availability Zones (AZs) for all tiers.
WAF Cost Optimization: The monthly budget for this spoke is $8,000 USD. You must use Azure Reserved Instances and Azure Hybrid Benefit calculations where applicable.
WAF Operational Excellence: The infrastructure must be monitored via Azure Monitor, with automated alerts for VM heartbeats and Disk space.
6. Technical Boundary
Strictly IaaS: You are forbidden from using Azure SQL Database (PaaS) or Azure App Service. Everything must run on Virtual Machines.
Networking: You must define the VNet CIDR, Subnetting (Web, App, DB, and Management), and Load Balancing (Internal vs. External).

1. Detailed Firewall & NSG Policies:

• Azure Firewall (Hub): Centralized egress control using Application Rules for *.microsoft.com and archive.ubuntu.com.
• NSG Inbound Rules: Strictly mapped to Application Security Groups (ASGs) to prevent lateral movement. No direct internet access is permitted for App or DB subnets.

2. Storage & Latency Specs:

• SQL FCI Performance: Premium SSD v2 is configured for all data and log LUNs to guarantee the sub-millisecond latency required for 10,000 concurrent users.
• Clustering: 2-node Failover Cluster Instance using Azure Shared Disks with ZRS to ensure the database can survive a complete Availability Zone failure.

3. Governance & “Small” Components:

• Azure Key Vault: Configured with Soft-Delete and Purge Protection. All SQL credentials and Disk Encryption Keys (CMK) are stored here.
• Monitoring: Custom Azure Monitor alerts are set for VM Heartbeat failure (>60s) and Disk utilization (>85%). VM Insights is enabled for all 10 nodes to track performance counters.

4. WAF Operational Excellence:

• Application Gateway: WAF v2 with OWASP 3.2 core rule sets. All diagnostic logs are streamed to the Log Analytics Workspace (LAW) for KQL-based threat hunting.