Today, we are going to address a manufacturing company's network problems. This organization is one of the world's largest computer hardware manufacturers. It is a global company with more than 275,000 employees, 75,000 of whom are remote employees who access the company's data centers via a Virtual Private Network (VPN).
The organization has a data center in Houston, Texas, USA, privately connected to 200 offices within 100 miles; a data center in San Francisco, California, USA, privately connected to 500 offices within 250 miles; a data center in Manchester, UK, privately connected to 150 offices within 200 miles; and a data center in Beijing, China, privately connected to 250 offices within 150 miles.
This organization runs its supply chain software on 100 servers (AMD Apex, 128 cores and 4 TB of RAM each) in RAID 5 in Manchester at 80% capacity, and does not want to refactor the software. It also runs its website, apps, and database on 5,000 servers of the same specification (AMD Apex, 128 cores, 4 TB of RAM), running 24 hours a day at 85% capacity, split between its two data centers in Houston and San Francisco.
The company cannot tolerate a breach of its systems. This organization is a $250 billion business with 11% annual growth, which could reach 17% with an optimized supply chain, improved website performance, and new customer intimacy initiatives. The company wants an architecture that will improve its business performance. It is considering a multi-cloud migration to avoid depending on a single cloud provider in case of price changes or conflicts over political affiliation.
Company Present Architecture
Each data center has a connection to the other data centers via a 10 Gbit/s private link. The routing protocol used between these data centers is Open Shortest Path First (OSPF) with a single Area 0 (the backbone area), which operates within a single autonomous system (AS).
This organization currently uses the top ten internet providers on its internet-facing routers to improve its website's performance and lower its latency. Border Gateway Protocol (BGP) is an exterior gateway protocol. It load-shares traffic and is the GPS of IP routing, because it scales dynamically by learning new routes. Interior Border Gateway Protocol (iBGP) runs internally to carry the routes learned from the internet service providers between the company's internal routers. Exterior Border Gateway Protocol (eBGP) handles connections to external entities such as a cloud provider or the internet.
Behind the routers, firewalls protect the company network. The VPN concentrator sits in a demilitarized zone (DMZ) to terminate all IPsec connections from remote employees and place them behind the firewalls before they access the company's internal systems.
In terms of security, the company uses a Cisco firewall as its first layer of defense to keep attackers out. Behind it, there is a Cisco IDS/IPS for intrusion detection and intrusion prevention. The company uses Cloudflare for DDoS protection, access control lists on the routers, and 802.1Q VLAN tagging with MAC address authentication. It also has a host-based firewall on its servers and anti-virus and anti-malware software, and has disabled all unnecessary services to reduce the attack surface. Microsoft Active Directory is used to store information about objects on the network. Finally, encryption is done with AES-256 to ensure data security.
Regarding its 3-tier application architecture, the company uses network load balancers to distribute traffic to its web servers. This provides high availability for the web servers, since the network load balancers perform health checks. A second group of network load balancers load-shares traffic to the app servers and to the Apache Cassandra database behind them. All of these servers are mounted in RAID 5 to provide fast reads and parity data.
The supply chain software that runs in the Manchester, UK data center is fronted by network load balancers that can support millions of requests.
Now, let's implement the new architecture to improve the organization's network!
Company New Architecture
After evaluating the organization's system, I've found that the best way to solve its network architecture problems is to implement a multi-cloud solution, which means using multiple public or private cloud providers for computing, storage, analytics, and other cloud-based services. I will use Amazon Web Services (AWS) as the primary cloud to leverage the quality of its infrastructure, and Microsoft Azure as the safer alternative cloud provider. I will also leverage Google Cloud Platform (GCP) for machine learning, artificial intelligence, and data science.
The internet connectivity of the present architecture is perfect and doesn't need any modification.
I understand the organization's concern about depending on a single cloud provider. For this, I will keep the data center connectivity of the present architecture and connect three data centers to three different cloud providers. I will also connect them to Azure and create backup copies of their critical applications to mitigate that risk. If anything goes wrong with AWS, Azure will become the central cloud within 15 minutes.
I will leverage Google Cloud Platform for machine learning, artificial intelligence, and data science to increase business growth. Since the data that will go to Google Cloud Platform is not latency-sensitive, I will set up the two encrypted VPN connections mentioned by the company.
I will move the supply chain application to the cloud because it is the most elegant and straightforward solution. By doing this, I will free up the 100 large servers and continue to host the website in both data centers (Houston and San Francisco) without purchasing any additional servers. That will buy the organization the 17% growth for at least three years. It no longer needs to worry about its website being unavailable and will still benefit from the infrastructure already in place at no additional charge. Migrating the supply chain to the cloud will allow it to scale via auto-scaling and eliminate the server capacity issues.
The security architecture in the cloud will be as follows: AWS Shield Advanced for cloud-level DDoS protection. I will go to the marketplace to get industry-leading firewalls and IDS/IPS systems. I will leverage the network access control list (NACL) as a layer of security for my subnets, then enable cloud-level security groups, followed by adding host-based firewalls and anti-virus/anti-malware software, and disabling any unnecessary services on every system to protect my virtual machines (EC2 instances). I will leverage each cloud provider's equivalent of AWS Key Management Service (KMS) to manage data encryption, and IAM to provision authentication and authorization and keep track of users' activities. Finally, I will use AWS Managed Microsoft Active Directory to manage users both in the cloud and on-premises, and give them an extra layer of protection on top of user name and password through Multi-Factor Authentication (MFA).
With the cloud 3-tier application architecture, I will leverage each cloud provider's equivalent of elastic load balancers, using network load balancers to handle millions of requests. I will also provision four Elastic Block Store (EBS) volumes in RAID 1+0 as backup for critical applications, and another four EBS volumes in RAID 0 for all other applications. That will give the highest performance and availability. I will use DynamoDB because of its similarity to Apache Cassandra, which will ease the migration, and for its auto-scaling features.
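The subnet and instance layers of the security design above, written out as an added Terraform example for AWS (not the company's or AWS's own configuration). It assumes an existing VPC, its CIDR and the web-tier subnet are passed in as variables; the tier names and ports are illustrative.

```hcl
variable "vpc_id"        { type = string }  # existing VPC (assumed)
variable "vpc_cidr"      { type = string }  # e.g. "10.0.0.0/16" (assumed)
variable "web_subnet_id" { type = string }  # existing web-tier subnet (assumed)
# Layer 1 (subnet): stateless network ACL on the web subnet. Only HTTPS comes in from
# the internet; the two ephemeral-port rules carry replies. Unlisted traffic is denied.
resource "aws_network_acl" "web" {
  vpc_id     = var.vpc_id
  subnet_ids = [var.web_subnet_id]
}
locals {
  web_nacl = {
    "100" = { egress = false, cidr = "0.0.0.0/0",  from = 443,  to = 443 }
    "110" = { egress = false, cidr = var.vpc_cidr, from = 1024, to = 65535 }
    "120" = { egress = true,  cidr = "0.0.0.0/0",  from = 1024, to = 65535 }
  }
  # Layer 2 (instance): each tier accepts traffic only from the security group
  # of the tier in front of it, never from a CIDR block (ports are illustrative).
  sg_chain = { web = { from = "alb", port = 443 }, app = { from = "web", port = 8080 } }
}
resource "aws_network_acl_rule" "web" {
  for_each       = local.web_nacl
  network_acl_id = aws_network_acl.web.id
  rule_number    = tonumber(each.key)
  egress         = each.value.egress
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = each.value.cidr
  from_port      = each.value.from
  to_port        = each.value.to
}
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "web", "app"])
  name     = "${each.key}-tier"
  vpc_id   = var.vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "edge" { # internet -> load balancer only
  security_group_id = aws_security_group.tier["alb"].id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
resource "aws_vpc_security_group_ingress_rule" "chain" {
  for_each                     = local.sg_chain
  security_group_id            = aws_security_group.tier[each.key].id
  referenced_security_group_id = aws_security_group.tier[each.value.from].id
  ip_protocol                  = "tcp"
  from_port                    = each.value.port
  to_port                      = each.value.port
}
```

Terraform removes the default allow-all egress from aws_security_group, so each tier also needs an aws_vpc_security_group_egress_rule toward the tier behind it (the mirror of the chain rule above); with nothing else defined, no instance can initiate outbound connections, which is the intended default.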
NB: this architecture is multi-cloud, so any service used with Amazon Web Services will have its respective counterpart used with Microsoft Azure and Google Cloud Platform.
This architecture is a high-level representation; the full one will be much more detailed and much more complex. The intended audience is the general public.
Thank you for your time, and I hope you enjoyed this architecture study case!
Dan, the Architect.
- May the cloud be with you