DMZ Web Service Based on Virtual Server Using VPC
Overview
In the existing legacy environment, complex solution installations were required to build a web hosting infrastructure that provides high availability and scalability. Additionally, to ensure reliability, estimating capacity for peak times was also unavoidable, and this increased lead time and operating costs, negatively affecting the service and expenses.
Samsung Cloud Platform quickly provides the required web service infrastructure based on a computing product web service with excellent scalability and reliability, together with a customer-dedicated network configuration that enables internet communication immediately upon setup.
This document provides a detailed explanation of the DMZ web service architecture based on Virtual Server using VPC on the Samsung Cloud Platform.
Architecture Diagram
- In the DNS service, set the domain name to be opened externally and link it to the Load Balancer’s service IP.
- The Load Balancer's service IP is assigned from a VPC that can be accessed via the Internet.
- Load Balancer can distribute web request traffic to multiple VM Auto Scaling groups, increasing service reliability.
- Relational databases can increase availability by implementing redundancy configurations or by using DBaaS to enable redundancy options.
- In DBaaS, you can choose from various relational database engines.
- You can use a NoSQL database service together as a cache for the relational database to reduce response time for frequent requests.
- You can protect the web server from attack traffic such as XSS or SQL injection by using a WAF service.
- The DDoS Protection service automatically responds to external DDoS attacks.
- You can use Object Storage to store static content such as images or videos, or for database backup purposes.
Use Cases
Providing public web services via VPC
You can set up a public web service that can connect to the Internet by using the Public IP feature provided by the VPC.
- Public IPs can be easily registered as domain names in DNS services for use.
Securing Web Servers through Service-based Security Solutions and Security Group Implementation
To ensure the security of web servers exposed to the Internet, you can configure service-based security solutions such as WAF and DDoS Protection.
- In a WAF service, website traffic is monitored to detect and block attacks.
- The DDoS Protection service detects and blocks DDoS attacks that concentrate traffic on a web server in order to take the service down.
Along with this, you can protect the infrastructure from external attacks by configuring security groups with a minimal set of allow rules, so that each tier accepts only the traffic it actually needs.
Prerequisites
None
Constraints
DDoS Protection - A separate service request is required when applying for the service and requesting a policy.
Considerations
Security
When configuring security policies, distinguish between the Load Balancer, which requires direct external access, and the internal infrastructure security groups, which do not, and apply separate security policies to each.
Configure allow rules per subnet in the Firewall service, or per virtual server in the Security Group service, so that network access from hosts that have no need to connect is denied.
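The minimal-allow security group layering described in the use case above and in this Security consideration, as an added example that is not Samsung Cloud Platform code: a small policy model in which only the Load Balancer group accepts Internet traffic, each internal tier trusts a single upstream group, and an audit flags any internal tier exposed to 0.0.0.0/0. The group names, ports and the rule format are constructed for illustration, not the platform's own API.

```python
# Added example (not Samsung Cloud Platform code): a minimal model of the
# security-group layering from this guide, with a least-privilege audit.
# Group names, ports and the rule format are constructed for illustration.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source: str  # CIDR string, or the name of another security group

INTERNET = ipaddress.ip_network("0.0.0.0/0")

# Constructed policy for the DMZ architecture: only the Load Balancer group
# accepts traffic from the Internet; every other tier trusts one group only.
SECURITY_GROUPS = {
    "sg-lb":    [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 443, "0.0.0.0/0")],
    "sg-web":   [Rule("tcp", 8080, "sg-lb")],    # VM Auto Scaling web tier
    "sg-mysql": [Rule("tcp", 3306, "sg-web")],   # DBaaS MySQL
    "sg-cache": [Rule("tcp", 6379, "sg-web")],   # CacheStore
}

def is_allowed(groups, dest_group, proto, port, src_ip=None, src_group=None):
    """Return True if a flow to dest_group matches one of its inbound allow rules.
    src_ip is matched against CIDR sources; src_group against group references."""
    for rule in groups.get(dest_group, []):
        if rule.proto != proto or rule.port != port:
            continue
        if rule.source in groups:          # rule references another security group
            if src_group == rule.source:
                return True
        elif src_ip is not None and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source):
            return True
    return False                           # default deny: no matching allow rule

def internet_exposed(groups, edge_groups=("sg-lb",)):
    """Least-privilege audit: (group, port) pairs open to 0.0.0.0/0 on any group
    that is not the designated Internet-facing edge (the Load Balancer)."""
    findings = []
    for name, rules in groups.items():
        if name in edge_groups:
            continue
        for rule in rules:
            if rule.source not in groups and ipaddress.ip_network(rule.source) == INTERNET:
                findings.append((name, rule.port))
    return findings
```

Running `internet_exposed` against a policy before applying it catches the common mistake of opening the database or cache port to the Internet while testing.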
Serverless
In the future, you can consider transitioning to a serverless web application by using services such as Cloud Functions and API Gateway.
Related services
This is a list of Samsung Cloud Platform services that are related to the features or configurations described in this guide. Refer to it when selecting and designing services.
| Service Group | Service | Detailed Description |
|---|---|---|
| Compute | Virtual Server | Virtual server optimized for cloud computing |
| Compute | VM Auto-Scaling | A service that automatically scales resources up or down based on demand |
| Database | MySQL | A managed service for MySQL, the small yet powerful open-source relational database, that simplifies creation and management. |
| Database | CacheStore | Key-value in-memory data store with fast data processing capability |
| Networking | Load Balancer | A service that automatically distributes server traffic load. |
| Networking | DNS | A service for easily configuring and managing domains |
| Networking | VPC | A service that provides an isolated virtual network in a cloud environment |
| Networking | Security Group | Virtual firewall that controls VM traffic |
| Networking | Firewall | A service that provides a firewall for traffic between the VPC, the Internet, and the customer’s network. |
| Storage | Object Storage | Object storage that simplifies data storage and retrieval |
