Network Requirements

This section summarizes the main requirements and principles for the configuration of networks within your Azure cloud infrastructure, to which you will deploy CloudBlue Commerce.

To follow security standards, your Azure infrastructure must have several isolated network zones:

  • Frontnet zone
  • Backnet-IAAS zone
  • Backnet-AKS-nodes zone
  • DBnet zone
  • Adminnet zone

Basic communications matrix

Each row is the source zone (From) and each column is the destination zone (To).

From \ To           Frontnet   Backnet-IAAS   Backnet-AKS-nodes   DBnet   Adminnet
Frontnet            Yes        Yes            No                  No      No
Backnet-IAAS        Yes        Yes            Yes                 Yes     No
Backnet-AKS-nodes   No         Yes            Yes                 Yes     No
DBnet               No*        Yes            No                  Yes     No
Adminnet            Yes        Yes            Yes                 Yes     Yes

* However, DBnet can connect to the PrivacyProxy in the Frontnet zone.

The Frontnet zone is accessible from the Internet and should contain all nodes that need direct (proxy-less) communication with the Internet to send and receive requests. The Frontnet zone contains two HTTP(S) proxies: the PrivacyProxy, which handles outgoing connections, and the Federation proxy, which handles all incoming requests. Azure uses the Network Address Translation (NAT) mechanism to allow Azure virtual machines to communicate with the Internet through a public IP address. For more information, see IP Address Requirements.

The Backnet-IAAS zone contains the services that are not databases and do not require direct access to the Internet. The Backnet-IAAS zone can communicate with the Internet only via the PrivacyProxy in the Frontnet zone. Optionally, the Backnet-IAAS zone can communicate with an on-premises network via a site-to-site VPN using a dedicated Azure VPN Gateway.

The Backnet-AKS-nodes zone is for the nodes of the AKS cluster. Certain services from the AKS cluster are reachable from the Internet, but only via the Azure Load Balancer (Layer 4). The AKS cluster has its own VNet (AKS VNet). To reach AKS nodes from the IAAS VNet, VNet peering must be configured. Then, to reach Kubernetes services and pods, a VPN connection must be configured between the Operations Management Node and the OpenVPN service in the AKS cluster. Since an internal AKS load balancer is used, the IP address of the OpenVPN service is taken from the address range of the AKS nodes.

The DBnet zone contains nodes with databases. It is the most isolated zone. The DBnet zone can communicate with the Internet only via the PrivacyProxy in the Frontnet zone.

The Adminnet zone contains jump boxes and, possibly, some monitoring services. The main purpose of virtual machines in this zone is to perform monitoring and management. All the other zones, Frontnet, Backnet, and DBnet, are accessible from the jump boxes in the Adminnet zone. Virtual machines in the Adminnet zone are accessible only via a point-to-site VPN using a dedicated Azure VPN Gateway.
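The communications matrix above is easy to misread when it is turned into firewall rules by hand, so here is an added example (not CloudBlue's or Azure's own tooling) that encodes the matrix as data, checks proposed flows against it including the DBnet-to-PrivacyProxy footnote exception, and derives a default-deny inbound rule list per zone. The rule field names only mirror the shape of an Azure NSG security rule; the zone subnet prefixes you would need for real rules are assumed to be filled in separately.

```python
# Zone names exactly as in the matrix; column order of every MATRIX row.
ZONES = ["Frontnet", "Backnet-IAAS", "Backnet-AKS-nodes", "DBnet", "Adminnet"]

# Rows are the source zone (From); entries follow ZONES order (To).
MATRIX = {
    "Frontnet":          ["Yes", "Yes", "No",  "No",  "No"],
    "Backnet-IAAS":      ["Yes", "Yes", "Yes", "Yes", "No"],
    "Backnet-AKS-nodes": ["No",  "Yes", "Yes", "Yes", "No"],
    "DBnet":             ["No",  "Yes", "No",  "Yes", "No"],
    "Adminnet":          ["Yes", "Yes", "Yes", "Yes", "Yes"],
}

# Footnote exception: DBnet may reach the PrivacyProxy living in Frontnet.
EXCEPTIONS = {("DBnet", "Frontnet"): {"PrivacyProxy"}}


def is_allowed(src, dst, service=None):
    """True if the matrix (plus footnote exceptions) permits src -> dst.
    `service` names the destination service, e.g. "PrivacyProxy"."""
    if src not in MATRIX or dst not in ZONES:
        raise ValueError(f"unknown zone in flow {src!r} -> {dst!r}")
    if MATRIX[src][ZONES.index(dst)] == "Yes":
        return True
    return service is not None and service in EXCEPTIONS.get((src, dst), set())


def nsg_rules_for(zone, base_priority=100):
    """Default-deny inbound rule list for an NSG attached to `zone`: one Allow
    per source zone the matrix permits, then a catch-all Deny at priority 4096
    (lowest-precedence user rule). Field names are an assumed NSG-like shape."""
    rules, prio = [], base_priority
    for src in ZONES:
        if MATRIX[src][ZONES.index(zone)] == "Yes":
            rules.append({"name": f"allow-from-{src.lower()}", "priority": prio,
                          "direction": "Inbound", "access": "Allow",
                          "sourceZone": src, "destinationZone": zone})
            prio += 10
    rules.append({"name": "deny-all-inbound", "priority": 4096,
                  "direction": "Inbound", "access": "Deny",
                  "sourceZone": "*", "destinationZone": zone})
    return rules


def audit_flows(flows):
    """Return the (src, dst, service) flows that the matrix forbids."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample of flows a design review might propose.
SAMPLE_FLOWS = [
    ("Frontnet", "DBnet", None),                  # forbidden: web tier straight to DB
    ("DBnet", "Frontnet", "PrivacyProxy"),        # allowed by the footnote
    ("DBnet", "Frontnet", "FederationProxy"),     # forbidden: exception is proxy-specific
    ("Adminnet", "DBnet", None),                  # allowed: jump box management path
]
```

`audit_flows(SAMPLE_FLOWS)` flags the first and third flows; `nsg_rules_for("Adminnet")` yields only an allow from Adminnet itself plus the deny, matching the point-to-site-VPN-only access described above.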
