Today, we are going to solution ABC Technology network problems. ABC Technology is one of the world's manufacturing technology leaders. It is a global company with more than 250,000 employees, among which 150,000 remote employees access the company data centers via a Virtual Private Network (VPN).
- The company has a data center in Research Triangle Park, North Carolina, USA, privately connected to 50 offices within 100 miles. San Jose, California, USA, has a data center privately connected to 100 offices within 200 miles. A data center in London, UK, privately connected to 100 offices within 150 miles. And a data center in Bangalore, privately connected to 300 offices in South India.
- ABC runs its supply chain software on 100 AMD Apex 128 cores, 4TB of RAM servers in Raid 5 in Triangle Park at 80% capacity and does not want to refactor the software. It also runs its website, apps, and database on 1500 AMD Apex 128 cores, 4TB of RAM servers, running 24 hours at 80% capacity split among its 2 data centers of London and Triangle Park.
- The company cannot tolerate a breach of its system. ABC technology is a $50 billion business, with a 13% year growth, which can grow up to 18% with an optimized supply chain, improved website performance, and new customer intimacy initiatives. The company wants an architecture that will improve its business performance. They are considering a multi-cloud migration to avoid single cloud provider dependency in case of price rise or political affiliations conflicts.
Company Present Architecture
Each data center has a connection to the three other ones via a 10 gigabits direct connection. The routing protocol used between these data centers is the open shortest path first (OSPF) of Area type 0, which operates within a single autonomous system (AS).
ABC technology leverages the top ten internet providers on its internet-facing routers to better the performance of its website and lowers its latency. Border Gateway Protocol (BGP) is an external gateway protocol. It loads share traffic and could be considered the GPRS of IP routing because it dynamically scales the routing protocol. The Interior Border Gateway Protocol (IBGP) runs internally to allow internet service providers traffic through routers. The Exterior Border Gateway Protocol (EBGP) handles the external connection like connecting to a cloud provider or the internet.
Behind the routers, firewalls protect the company network. The VPN concentrator seats in a demilitarized zone to handle all IPsec connections from remote employees and put them behind the firewalls to access the company internal system.
In terms of security, the company uses a CISCO firewall as its first layer of defense to keep all the bad guys out. Behind it, there is an IDS/IPS CISCO for intrusion detection and intrusion prevention system. Cloudflare for DDoS protection, access control list on the routers, 802.1Q VLAN tagging for MAC address authentication, a host-based firewall on the servers, some anti-malware, and has disabled all the unnecessary services to reduce the area of possible attacks. Microsoft Active Directory to store information about objects on the network. And finally, encryption with AES-256 to ensure data security.
Regarding their 3-tier application architecture, the company uses network load balancers to distribute the traffic to its web servers. That allows high availability of the web since NLB has health checks. There is a second group of NLB to load share traffic to the app servers and the Apache Cassandra database behind them. All mounted in raid 5 to provide fast reads because of striping.
The supply chain software runs in the Research Triangle Park data center is fronted with network load balancers that can support millions of requests.
Let's now implement the new architecture to better ABC Technology network.
Company New Architecture
After evaluating the ABC Technology system, I've found that the best way to solve their network architecture is to implement a hybrid cloud, which refers to a mixed computing, storage, and services environment of on-premises infrastructure, private and public cloud services. I will use AWS cloud as the primary cloud to leverage the quality of the infrastructure, Microsoft Azure as the safety cloud with a "Warm Standby" disaster recovery model, which gives us a recovery time objective (RTO) of less than 45 minutes. I will also leverage Google Cloud Platform for machine learning, artificial intelligence, and data science.
The internet connectivity from the present architecture is perfect and doesn't need any modification.
I understand ABC Technology's problem with single cloud provider dependency. I will keep the data centers connectivity of the present architecture and connect three data centers to the cloud. I will connect them to Azure and create backup copies of their critical application to avoid that. If anything goes wrong with AWS, Microsoft Azure will become the central cloud within 45 minutes.
I will leverage GCP for machine learning, artificial intelligence, and data science to increase business growth. Since the data that will go to GCP are not latency-sensitive, I will set up two encrypted VPN connections mentioned by the company.
I will move the supply chain to the cloud because it is the most elegant and straightforward solution. By doing this, I will free 100 big severs and continue to host the website in both data centers (Research Triangle Park and London) without purchasing any additional servers. That will buy ABC Technology that 18% growth for at least three years. They won't have to worry about services for their website and will still benefit from all the infrastructure already in place at no additional charges. Migrating the supply chain to the cloud will allow it to scale as needed and eliminate that server capacity issues.
The security architecture in the cloud will be as follows: AWS Advanced Shield for DDoS protection. I will go to the marketplace to get a performant firewall and IDS/IPS system. Leverage the network access control list as a layer of security for my subnets. Add the HBF, anti-malware, and disabled any unnecessary services on top of AWS's security group to protect my virtual machines (EC2). AWS key management service (KMS) will manage data encryption, and IAM enables authentication, authorization, and keep track of users' activities. AWS Managed Microsoft AD will manage users both on the cloud and on-premises and give them that extra layer of protection on top of user name and password through Multi-Factor Authentication (MFA).
With the cloud 3-tier application architecture, I will switch to the elastic load balancers and use the network to handle millions of requests. To come close to the database read performance that ABC Technology has in their datacenters, I will set up four elastic block storage (EBS) volumes in Raid 0 backup by another four EBS volumes in Raid 0. That will give a relatively good performance and availability. I will use Dynamo DB because of the similarity to Apache Cassandra, which will ease the migration and auto-scaling feature.
The new architecture will allow ABC Technology to grow by 4% and reach its 18% forecast year-to-year growth.
NB: This architecture is a high-level representation as the full one will be more detailed and much more complex. The intended audience is the general public.
Thank you for your time, and I hope you enjoyed this architecture study case.
Yvan, the Architect.