Cloud is middle tier in 3-tier Infrastructure

In my previous blog, take-incharge-of-your-public-cloud, I compared building a house in the wild with building an application in the cloud.

You might ask why anyone would put all that effort into building a house in the middle of the jungle, unless they wanted to manage wild animals, enjoy wild nature and enjoy managing abundant wild land. Yes, you are right, we don’t have to move into the wild for the sake of moving into the wild. Hang on, am I saying you don’t have to move into the cloud for the sake of moving into the cloud?

Based on your lifestyle, you may invite wild visitors or visitors from the city, and based on who you invite most, you may choose to live in the wild or in the city. If the cloud is like the wild and the internet is like wild visitors, are we saying that unless we have internet visitors we should choose to deploy our applications on-premise?

Let’s get the real facts into the cloud journey and be upfront about the challenges. If you have many visitors to your application from the internet, then the cloud could be a better place, as it is close to the internet and you don’t have to deal with all of the internet security yourself in your on-premise data centre. But if most of your visitors come from your internal network and you still choose to deploy your internal applications to the cloud, then you have to protect your cloud environment from the wild internet, as I mentioned in take-incharge-of-your-public-cloud.

Public cloud providers have improved internet security so much that these days a large-scale DDoS attack is business as usual for them. Other companies protecting their own internal network from the internet have a long way to go to get protection from modern, sophisticated cyberattacks, and most of them are never able to catch up with modern-day cyberattacks. So it’s worth asking yourself: do you really want to expose your internal network to the public internet and then put all your effort into building protection for it?

These days, building private circuits from on-premise to the cloud or to another on-premise environment has become a standard pattern even for small businesses, so if you have a private network in the cloud you don’t have to traverse the wild internet to connect from your on-premise network.

We have spoken about 3-tier applications for more than two decades now. It helped us to scale from hundreds to thousands, but not much further; going beyond that requires a modern decoupled architecture.

But have you ever heard of 3-tier infrastructure, unless someone else introduced it to you before you read this blog? If all of your users are on the internet and they have to access valuable assets in your on-premise infrastructure, your cloud infrastructure becomes your middle-tier infrastructure!

In this architecture, wild internet traffic comes into your public cloud environment, you apply all cloud-native edge protection as it arrives, route the traffic to your internal cloud network in the same public cloud provider, and finally connect via private circuits to your on-premise network without ever traversing the wild internet.
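To make the intended traffic path concrete, here is a small model of the three tiers as an added example (not code from the original post). It encodes the only allowed hops, finds the route an internet request must take to reach on-premise assets, and audits a link map for the two design-rule violations that matter most: a direct internet-to-on-premise link, or any internet-originated path that bypasses the cloud edge. Zone names and links are constructed for illustration.

```python
"""Model of 3-tier infrastructure: internet -> public cloud edge ->
internal cloud network -> (private circuit) -> on-premise."""
from collections import deque

INTERNET, EDGE, CLOUD_INTERNAL, ON_PREM = "internet", "cloud-edge", "cloud-internal", "on-prem"

# Allowed adjacency in the intended design (constructed illustration).
INTENDED_LINKS = {
    INTERNET: {EDGE},                 # wild traffic lands only on the cloud edge
    EDGE: {CLOUD_INTERNAL},           # after edge protection, into the internal cloud network
    CLOUD_INTERNAL: {EDGE, ON_PREM},  # private circuit to on-prem, no internet hop
    ON_PREM: {CLOUD_INTERNAL},        # on-prem talks back only over the private circuit
}


def find_path(links, src, dst):
    """Breadth-first search over the link map; returns the shortest hop list
    from src to dst, or None when dst is unreachable."""
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(links.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(links):
    """Return a list of design-rule violations for a link map. The rules are
    the two the architecture relies on: on-prem is never one hop from the
    internet, and every internet-originated path passes through the edge."""
    findings = []
    if ON_PREM in links.get(INTERNET, ()):
        findings.append("direct internet->on-prem link")
    path = find_path(links, INTERNET, ON_PREM)
    if path is not None and EDGE not in path:
        findings.append("internet reaches on-prem bypassing cloud edge")
    return findings


if __name__ == "__main__":
    print(find_path(INTENDED_LINKS, INTERNET, ON_PREM))
    print(audit(INTENDED_LINKS))
```

Running `audit` against a link map that someone has "helpfully" extended with a direct internet route to on-premise produces findings, which is the kind of drift check worth wiring into a review of firewall or routing changes.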

Yes, I hear you: this sounds like a solution, but what is the actual problem we are trying to solve? I’ll ask it the other way around: what problem can we not solve this way?

  • Do we really want to protect our on-premise network from the internet?
  • Do we really need to find a solution for staff to access applications from anywhere they want, if they can access all of them via the internet using strong identity protection?
  • Do we really want to manage complex network connectivity and network controls to allow applications across the on-premise and cloud internal networks, just because we wanted to allow internet access via on-premise while part of the applications are being migrated to the cloud?
  • Do we really want to slow down cloud migration, just because we are busy protecting the on-premise network from the internet?

In other words, it will change your entire cloud migration strategy and create a single focus across your IT department. When you have a mix of internal-facing and external-facing applications that all need to be accessed by a single user, your IT landscape becomes so large that, in fact, most of your IT department will be busy supporting your on-premise internal applications and have no time to focus on cloud migration.

All public cloud providers have SaaS and PaaS offerings that use the cloud provider’s own internet edge and backbone without any traversal to on-premise or to your internal cloud network. If that’s not possible, you can still have a public network in the cloud, use the cloud provider’s native internet edge protection capabilities and finally route to your internal cloud network, without managing any infrastructure for edge protection.

In the modern world, the network boundary of the user cannot be defined, so the entire world is moving towards strong identity and multi-factor authentication instead of relying on network controls. This is a key criterion for exposing your application to the internet in your preferred cloud environment.

If you are using Active Directory with Windows 10 (latest release), you can directly join your devices to Azure AD without choosing hybrid domain join, which comes with its own complexity!

This is easier said than done, and it needs commitment from your leadership team, especially for opening up all your applications to the internet so that all of you can focus on moving the applications to the cloud, provide access to your applications only via the internet, and use the cloud as middle-tier infrastructure wherever you need to apply edge protection or other network controls or inspections.

We have had lockdowns, and some are still in one, so whether we like it or not we are accessing all of our applications remotely and some via the internet. This trend is going to continue to grow as working from home becomes the new norm!

In summary, let the public cloud providers deal with the threats from the internet. That reduces your network boundary significantly, so you can focus on your own applications and their cloud migration journey, which is more aligned to your and the world’s strategic position. Yes, more than anything, focus on what you can do best and let others do their best in the areas where they are already experts! If you ever succeed in fully migrating everything to the cloud, then you can say, "now I have 2-tier infrastructure!" In other words, we stay aligned and do not accumulate technical debt by investing in on-premise infrastructure that is later supposed to disappear!

Disclaimer

This article was produced in my own capacity and from my own experience so that it could be beneficial for others; no association should be assumed with the organisation I am working for now or the organisations I have worked for in the past.

Published by Bala

Being passionate about research on the latest technologies, trends and business directions enables me to promote continuous improvement and innovation using leading technologies, motivating people in the leadership team, business and IT towards achieving visionary outcomes.
