Now that we know the concept of application and database servers, it's time we look at how these are architected logically in the datacenter environment.
Before we proceed, let me start by explaining the concept of a 3-tier application. It sounds like something very advanced, but let me make it very simple for you: 3-tier means that the application is divided into 3 layers:
• Web Layer
• Application / Middleware Layer
• Database Layer
Web Layer: This is the layer where you would be placing your front end Web servers. It is also called the presentation layer, because this is where users actually connect and where you would find the front end landing webpage with all the logos, styles and branding of your organization. Since these are front end servers to which users are allowed to connect from the internet, they are placed in a secure zone called a DMZ (De-Militarized Zone) behind your internet firewall.
These servers are responsible for accepting the connection requests from the users and forwarding / proxying them to the backend application servers, which are again protected by a firewall.
Middleware Layer / Application layer: In this layer you would have all your application servers hosted; this is where all the business logic processing is done. All the requests coming from the Web servers pass through a firewall and reach the Application servers. The application servers process the request and accordingly connect to the database server (again via a firewall) and manipulate data as per the request. The servers in this zone are also called Middleware servers, as they sit in the middle: accepting the requests from the web servers, processing them, interacting with the database layer and providing the response back to the Web servers. There should be no architecture where your web servers connect directly to your database, except where the users connecting to the application are internal and the application is not exposed on the internet.
Database Layer or Core layer: This is the most protected layer, where all your database servers reside, so obviously it must be the most protected. The application servers connect to the database servers via a firewall and manipulate (read/insert/update/delete) data. Usually the application server uses a connection string, a username and a password to connect to the database. To reach this zone from the internet you have to pass through at least 2 firewalls.
I guess I have explained the zones over here, but the important point to note is that all these zones are network security zones and are all created on the firewalls. The advantage of having zones is that when a connection passes through a firewall, the firewall only allows the particular source server (identified by its IP address) to reach the particular destination server for a particular service (identified by the destination IP and port number). This kind of architecture helps to keep your environment secure: for example, we only allow users direct connections to a web server, and if it gets compromised by a hacker, they still won't be able to do much, as they have to pass through a firewall to reach the application servers and 2 firewalls to reach the database server.
Please refer to the diagram from left to right. If you are reading these topics in sequence, you may notice there are a lot of iterations, which will actually cement your knowledge of the technology. OK, coming back to the diagram, follow it from left to right: the first firewall from the left is your Internet firewall, which has an interface connecting to the DMZ zone and an interface connecting to the Core firewall, our second firewall. The core firewall has at least 2 interfaces: one connects to the Application Zone and the other connects to the Database Zone. The core firewall will never allow traffic coming from the DMZ firewall to the database zone; it will only allow traffic from the DMZ firewall to the application zone and traffic from the application Zone to the Database Zone.
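To make the zone logic concrete, here is a small model of the two firewalls described above as default-deny allow-lists, written as an added example (it is not code from the original post). The address ranges, port numbers and firewall names are constructed for illustration; the point is that a flow is only allowed if every firewall on its path has an explicit rule for that source zone, destination zone and port.

```python
import ipaddress

# Constructed address plan for the three zones (not from the page); anything else is the internet.
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),  # web / presentation servers
    "app": ipaddress.ip_network("10.2.0.0/24"),  # application / middleware servers
    "db": ipaddress.ip_network("10.3.0.0/24"),   # database servers
}

def zone_of(ip):
    """Map an address to its security zone; addresses outside the plan count as 'internet'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

# A firewall is a default-deny allow-list of (src_zone, dst_zone, dst_port); "*" is a wildcard.
# Constructed ports: 443 for the web front end, 8443 for the app servers, 5432 for the database.
INTERNET_FW = [("internet", "dmz", 443), ("dmz", "*", "*")]  # DMZ traffic is handed on to the core firewall
CORE_FW = [("dmz", "app", 8443), ("app", "db", 5432)]        # no rule at all for dmz -> db

# Firewalls a new connection crosses from its source zone to its destination zone
# (left to right in the diagram). Pairs not listed here, e.g. db -> app, have no allowed path.
PATH = {
    ("internet", "dmz"): ["internet_fw"],
    ("internet", "app"): ["internet_fw", "core_fw"],
    ("internet", "db"): ["internet_fw", "core_fw"],
    ("dmz", "app"): ["internet_fw", "core_fw"],
    ("dmz", "db"): ["internet_fw", "core_fw"],
    ("app", "db"): ["core_fw"],
}
FIREWALLS = {"internet_fw": INTERNET_FW, "core_fw": CORE_FW}

def permits(rules, src, dst, port):
    """True if any allow rule matches the flow; no match means the default deny applies."""
    return any(s == src and d in (dst, "*") and p in (port, "*") for s, d, p in rules)

def check(src_ip, dst_ip, dst_port):
    """Return 'allow', or 'deny at <firewall>' naming the first firewall on the path that drops the flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if (src, dst) not in PATH:
        return "deny (no path)"
    for name in PATH[(src, dst)]:
        if not permits(FIREWALLS[name], src, dst, dst_port):
            return f"deny at {name}"
    return "allow"
```

Running `check("10.1.0.10", "10.3.0.10", 5432)` shows the page's key point: a compromised web server in the DMZ gets past the internet firewall but is dropped at the core firewall, because no rule there allows dmz to db.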