N-tier deployment

Now we know all the basics and it is time to make a complex architecture (N-tier architecture) out of this.

Let's take a look at the following diagram:

What is different here? The architecture is again based on the pattern for multiple VMs, but this time, the design is repeated several times because the architecture is divided into at least the following three levels:

• Web tier or frontend application
• Business tier or business logic
• Data tier

Not required, but nevertheless often present, are the following levels:

• Management tier
• Active Directory

All actually existing levels within this architecture are also single subnets of the VNet.

The entry point for this architecture is again the Azure Load Balancer, which is only used to distribute incoming internet traffic to the web tier, the Azure Internal Load Balancer (ILB) is then used for all other levels.

Let's go back to distribution from incoming internet traffic. Not visible, but still present, are the numerous network security groups (NSGs) that are respectively associated with the subnet. An NSG is used to regulate network traffic by allowing or denying network traffic. For our architecture, this means, for example, that you can use the help of an NSG to decide that the data from the web tier can only be passed on to the business tier.

Now, I have some additional information about the optional architectural layers:

• Management tier (also known as jumpbox or bastion host): The Management tier includes a secure VM on the network that administrators (or DevOps) use to connect to the other VMs. Note that the most of the time the management tier has an NSG that allows remote traffic only from public IP addresses on a safe list. The NSG should also permit the use of the RDP. The management tier is also a good place to install a monitoring solution such as Nagios or Zabbix that can give you an insight into response time, VM uptime, and the overall health of your system.
• Active Directory Tier: The Active Directory tier includes a VM with installed Active Directory Domain Service (AD DS). An Active Directory tier is only required if you use an SQL Server Always-On Availability Group as Data tier. Prior to Windows Server 2016, SQL Server Always-On Availability Groups must be joined to a domain. This is because availability groups depend on the Windows Server Failover Cluster (WSFC) technology. Windows Server 2016 provides the ability to create a failover cluster without Active Directory. If your architecture is based on Windows Server 2016, the AD DS server is not required.