How IBM leads in building web application hosting cloud solutions

Implementing the CSCC Customer Cloud Architecture for Web Application Hosting


At a high level, web application hosting supports server applications, which deliver web pages containing static and dynamic content over HTTP or HTTPS. The static content is typically the "boilerplate text" of a web page and content held in files, such as images, videos, sound clips, and PDF documents. Dynamic content is typically built in response to a specific request from the user, and is based on content in the request or content derived from a database connected to the web application.

With years of experience working in enterprise data centers and helping customers build innovative solutions, IBM is ideally suited to help businesses transform their business for cloud adoption. IBM believes that all organizations will eventually implement some type of hybrid cloud architecture, and its cloud strategy is based on hybrid cloud adoption.

To create the premier hybrid cloud solution and to complement its expertise in building private clouds and maintaining data centers, IBM acquired SoftLayer's off-premises Infrastructure as a Service (IaaS) platform, grew its geographic reach into dozens of countries, and created IBM Bluemix, the largest Platform as a Service (PaaS) in the world. In 2015 and 1Q 2016, IBM established a strong foundation for managing and delivering static and dynamic web content and video streaming through the acquisitions of CleverSafe, ClearLeap, Aspera, and Ustream, which offer cloud and appliance products that support hybrid infrastructures. Additionally, IBM has been rapidly transforming existing assets into Software as a Service (SaaS) and creating integration services to connect all these capabilities and extend the value of its clients' existing software investments.

This article describes the best practices and architectural capabilities needed to develop web application hosting environments using a private, a public, or a hybrid cloud deployment model. Specifically, it shows how IBM supports the Customer Cloud Architecture for Web Application Hosting paper available from the Cloud Standards Customer Council. We'll show you how IBM products support the cloud web application hosting environment as it aligns to the industry standard, and review business drivers and requirements for web application hosting in the cloud.

Business drivers for cloud adoption

To stay competitive in the changing IT landscape, your company needs to consider moving to a cloud-based web application hosting environment. We've highlighted some of the business drivers and motivations for implementing a cloud strategy in your enterprise.

  • Commoditized industries: Savvy users with greater access to the Internet, data, and crowdsourcing are more likely to switch vendors and view products and services as less complex. A cloud-based infrastructure helps you simplify and magnify your services.
  • Scalability: Your company's web presence must be able to scale up and down without impacting your users' experience. Often, surges cannot be anticipated when they are driven by outside forces like weather conditions, social media, or competitor activities.
  • Reduced barriers to entry: Businesses must constantly evolve to stay ahead of their competition. New web applications are often used to support innovation and the quick creation of new capabilities.
  • Stronger partnerships: Successful partnerships demand flexibility and quick time-to-market. Being able to nimbly adjust to and support the standards of a new partner without disturbing their existing business processes strengthens your business and gives you access to more customers and opportunities. Cloud-based web application architectures that support multispeed IT development can enable such innovation without sacrificing dependability.
  • Better performance: Performance is one of the most important factors for web applications running in the cloud. A quick response time allows a business' goods and services to be considered for evaluation.
  • Skill development: Web applications are common and well understood, making them ideal candidates for experimentation with new technologies. However, to be cost effective, evaluations must occur quickly and without a steep learning curve.
  • Strategic decision: Executives recognize cloud adoption as a strategic imperative, much as a web presence was 20 years ago.
  • Increased security: Automated fixes and alerts allow for a faster response to external or internal threats. Web applications that use cloud technologies can benefit from this feature.

Use cases and requirements

Businesses are motivated to create web applications because they want to do one of three things:

  • Create an innovative, disruptive product
  • Respond to a crisis or event
  • Experiment with product creation and crisis response in a low-risk environment

With IBM cloud, you can develop web applications without having to worry about the underlying technical requirements related to containers, security services, integration capabilities, and data services. Those services and capabilities are readily available in the IBM cloud.

The following use cases show common scenarios of how business capabilities are enabled on the cloud. In each example, sample requirements that demonstrate the value of a cloud are provided.

Business needs to innovate

As the marketplace quickly evolves, your business needs to change and grow with the marketplace. Some examples of how a cloud-based web application hosting environment can help you do so include:

  • A business may want to support a new market entrant as a channel without impacting current customers. For example, it may choose to sell through a market aggregator in addition to selling products and services through direct channels. This example is likely a hybrid scenario that requires secure access to on-premises data and services.
  • A business may want to add a new product or a new sales and marketing program quickly. To achieve this, the on-premises systems must be interoperable with the off-premises cloud.
  • A business may want to make their services accessible to new partners or may want to use the partner's services with minimal application impact. Easy-to-use APIs, as well as governance and management systems, will promote use of their new services.

Response to a crisis or event

Sudden and unexpected events occur in every market. From competitor-driven events, to economic and weather-related factors, to politically and socially driven change, businesses that are prepared to respond quickly have the best long-term outcomes. The following examples show events that businesses prepare for:

  • A business manager may need to quickly grow capacity to respond to a sudden influx of customer inquiries due to an unexpected marketing campaign by a competitor. A cloud-based web application needs to be quickly scalable, adding resources to whichever part of the environment is constrained.
  • A business may need to move operations to a different region to comply with changing regulatory and locality laws. They need a cloud platform that is available in many countries and with verifiable compliance records.
  • A security officer may want to quickly respond to a security event in one data center by moving workloads to another data center. An automated and standardized cloud enables flexibility.

Low-risk experimentation

In the past, failure within IT was often costly and highly visible, which deterred experimentation and learning. Cloud environments enable your business and IT groups to try new ideas early and often before a significant investment is made. Use cases for experimentation include:

  • A web development team wants to conduct A/B testing of a new application with minimal effort and risk. They need to be able to create the new site quickly and redirect a small amount of the workload to determine the impact. They require a web application platform in the cloud that provides examples of code and automation to support the easy creation of new environments.
  • An IT manager may want to experiment with a new technology to quickly create a new website and test its performance. A cloud platform with templates and starter packs makes it easy to try out new technologies.

Non-functional requirements

Non-functional requirements often drive a business' technology selections. For web applications, non-functional requirements include performance, capacity, security, legal standards, and compliance. Service-level agreements (SLAs) for availability and reliability are critical and will impact cloud technology selections.

Table 1. Non-functional requirements and examples
NFR# | Category | Requirement example
1 | Performance | Superior user interface and response time. As a guideline, performance should be as good or better than the competition. At a minimum, it should not negatively impact consumer perceptions.
2 | Capacity and elasticity | Elasticity must be supported in order to scale to the highest level of demand to maintain customer satisfaction and to scale back to the lowest level of demand to reduce costs.
3 | User identity and access management | Support for single sign-on such that transactions may traverse hybrid cloud solutions.
4 | Security | Determining the industry-relevant compliance standard and how to apply those standards to the management system. This includes, but is not limited to, support for vulnerability testing, firewalls, applications scanning, and data encryption.
5 | Standards and legal compliance | Must support all relevant industry standards and security compliance guidelines including data privacy, PCI, HIPAA, and ISO 27001.
6 | SLA for reliability and availability | Consumers expect continuous availability (24x7) of web applications. This is typically measured by KPIs such as: 99.99% availability of management environment and 99.99% availability of the workload.
7 | Disaster recovery | Disaster recovery of the cloud management infrastructure and environments must be provided. For example, services must be restored in less than four hours. At a minimum, most enterprises expect data replication or a more robust disaster-recovery solution.
8 | Multitenancy | Each application must have its own secure, unencumbered environment.
9 | Connectivity | Connectivity between on-premises and off-premises environments must be robust, secure, and highly performing to support placement of data and processing as needed.
10 | Availability | Enterprises require unfettered workload mobility. To reduce costs, respond to change, and maximize innovation, workloads should be able to move between platforms with minimal or no application impact.

Understanding adoption

The following examples highlight the web application hosting architecture from the perspective of a new, born-on-the-cloud business or application, as well as from an enterprise that wants to be as innovative and nimble as a start-up while preserving their existing investments.

Greenfield web application deployment

A company's existing technology investments significantly impact what cloud technologies and adoption models the business selects. Greenfield projects have the ability to quickly move to and adopt born-on-the-cloud techniques. Figure 1 shows a common adoption maturity model for cloud-based solutions. It applies equally to web application hosting.

Figure 1. Greenfield web application maturity
A diagram showing the web application maturity

Cloud-enabled enterprise web application deployment

Many enterprises do not have the luxury of creating every new application from scratch. With existing investments in technology and applications, these organizations require new and old technologies to coexist.

Going from simple, disconnected services that leverage the cloud to creating a fully integrated, hybrid cloud-enabled web application takes time. Organizations must carefully consider the needs for integration between their two speeds of development. The following figure shows a maturity model that can be used with cloud and web application hosting.

Figure 2. Cloud-enabling existing applications
A diagram showing a maturity model that can be used with cloud and web application hosting

Web application architecture

The web application architecture discussed in this article defines the core components that must be present in any web application solution—from off-premises cloud solutions to on-premises and hybrid environments.

The following figure shows the high-level architecture of a web application hosting solution.

Figure 3. High-level web application diagram
Diagram of high-level architecture of a web application hosting

The architecture has three tiers, each containing a subset of the components. Security is applied to all layers of the architecture.

  • Public network tier contains the web browser or user interface and edge services that connect external-facing devices with cloud services.
  • Cloud network tier contains the application, data, user services, and connectivity and transformations services which link the application to the system of record.
  • Enterprise network tier contains enterprise data and applications. This data is often maintained on premises in hybrid scenarios.

Public network components


Users can interact with the web application from a variety of devices and systems.

Edge services

Edge services include network services that deliver content to web applications and their users through the Internet. These services include DNS servers, CDNs, firewalls, and load balancers.

Domain Name System (DNS) Server

The DNS Server maps the text URL (domain name) for a particular web resource to the TCP/IP address of the system or service that can deliver that resource to the user.

IBM SoftLayer DNS provides a central location to view and manage domains through its basic DNS management interface and also gives users the option to manage reverse and secondary DNS in the same location, free of charge. Reverse DNS, which maps IP addresses to domain names, is typically used to track the origin of website visitors and email messages. It is not as critical as forward DNS, except when running email servers. Because most email servers reject incoming emails from IP addresses that do not have a reverse DNS record, it is critical to set up reverse DNS records for the IP addresses that send outgoing email.
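As an added example (not IBM's or SoftLayer's code), the following audit checks each outbound mail IP for the reverse DNS record described above, and goes one step further by confirming that the PTR name resolves forward to the same IP, a stricter check that receiving servers commonly apply. The addresses, host names, and records are constructed sample data; `static_resolvers`, `live_resolvers`, and `audit_sender` are names chosen for this illustration.

```python
import ipaddress
import socket


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def static_resolvers(ptr_records, forward_records):
    """Build lookup functions over zone data held in dictionaries (offline)."""
    ptr = {norm(owner): target for owner, target in ptr_records.items()}
    fwd = {norm(host): {ipaddress.ip_address(a) for a in addrs}
           for host, addrs in forward_records.items()}

    def lookup_ptr(ip):
        # reverse_pointer yields the in-addr.arpa / ip6.arpa owner name
        return ptr.get(norm(ip.reverse_pointer))

    def lookup_addrs(host):
        return fwd.get(norm(host), set())

    return lookup_ptr, lookup_addrs


def live_resolvers():
    """Same interface, backed by the system resolver (needs network access)."""
    def lookup_ptr(ip):
        try:
            return socket.gethostbyaddr(str(ip))[0]
        except (socket.herror, socket.gaierror):
            return None

    def lookup_addrs(host):
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return set()
        # Drop any IPv6 scope id ("%eth0") before parsing the address
        return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}

    return lookup_ptr, lookup_addrs


def audit_sender(ip_text, lookup_ptr, lookup_addrs):
    """Return (status, ptr_name) for one IP that sends outgoing email."""
    ip = ipaddress.ip_address(ip_text)
    host = lookup_ptr(ip)
    if host is None:
        return ("missing-ptr", None)            # likely rejected by receivers
    if ip not in lookup_addrs(host):
        return ("not-forward-confirmed", norm(host))
    return ("ok", norm(host))


def audit_all(ips, lookup_ptr, lookup_addrs):
    return {ip: audit_sender(ip, lookup_ptr, lookup_addrs) for ip in ips}


# Constructed sample data (documentation address ranges, example.com names)
SENDING_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "2001:db8::25"]
PTR_RECORDS = {
    "10.113.0.203.in-addr.arpa.": "mail1.example.com.",
    "11.113.0.203.in-addr.arpa.": "mail2.example.com.",
    ipaddress.ip_address("2001:db8::25").reverse_pointer: "MAIL6.example.com.",
}
FORWARD_RECORDS = {
    "mail1.example.com.": ["203.0.113.10"],
    "mail2.example.com.": ["203.0.113.99"],   # A record points elsewhere
    "mail6.example.com.": ["2001:db8::25"],
}

if __name__ == "__main__":
    resolvers = static_resolvers(PTR_RECORDS, FORWARD_RECORDS)
    for ip, (status, host) in audit_all(SENDING_IPS, *resolvers).items():
        print(f"{ip:<15} {status:<22} {host or '-'}")
```

Swapping `static_resolvers(...)` for `live_resolvers()` runs the same audit against real DNS for your own sending addresses.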

SoftLayer also provides secondary DNS to cache primary DNS zones. This prevents downtime and data loss. While maintaining a secondary DNS is not mandatory, it is strongly encouraged for users with multiple domains.

Bluemix works with any DNS hosting service to allow developers to host applications with custom domain names.

Content Delivery Network (CDN)

CDNs are geographically distributed systems of servers that are deployed to minimize the response time for serving resources to geographically distributed users. This wide distribution ensures that content is highly available to all users, regardless of their location.

CDNs are essential for web applications that contain many images, videos, JavaScript, and other rich static content. SoftLayer partnered with EdgeCast to allow users to distribute content in 24 delivery nodes across the world, shortening the distance it has to travel to users. This solution avoids network traffic jams, decreases latency, and optimizes overall cloud performance and availability.

Bluemix supports the use of third-party CDN services, such as Fastly and CloudFlare, letting developers deliver content faster to website users who are outside of Bluemix's server locations in Dallas and London. To set up a CDN service with Bluemix, developers must use a custom domain name and map the domain's DNS to the CDN's DNS service.


Firewall

A firewall is a system (hardware or software) that controls communication access to or from a system.

In addition to providing firewall services at the hardware level, SoftLayer offers software-defined firewalls through the Vyatta Network OS Gateway Appliance, which is a SoftLayer bare metal server with Vyatta Network OS. Users are able to customize and manage virtual firewalls, virtual routers, and virtual VPN devices through user-defined parameters.

SoftLayer also offers FortiGate Platform security appliance for enterprise-class firewall protection and intrusion prevention system (IPS). This offering protects the cloud infrastructure that the web applications run on, optimizes network performance, and prevents malicious activity from reaching users.

Through the Secure Gateway Service on Bluemix, developers are able to go behind a company firewall and connect to applications and data sources running on-premises or in other clouds. A remote client is provided to enable secure connectivity from any application running on Bluemix. By using the Secure Gateway Service to access on-premises data, developers are able to convert their systems of record to systems of engagement in a secure environment.

Load balancer

Load balancers distribute network or application traffic across many resources (such as computers, processors, storage, or network links) locally and globally to maximize throughput, minimize response time, increase capacity, and increase the reliability of applications.

Load balancing is essential in situations where it is difficult to predict the number of requests issued to a server. With load balancing, these requests are distributed to other servers to ease the load and minimize latency and other issues. Load balancers and firewalls are often used together to scale and protect growing websites and applications.

In addition to its firewall offerings, SoftLayer provides local, global, and high-availability load balancing solutions with a variety of balancing methods. These industry-standard techniques include round robin, lowest latency, least connections, shortest response, and IP persistence to balance traffic among two or more servers. Users can also use network appliances to distribute traffic between servers in one or more SoftLayer data centers across the globe.

Bluemix provides built-in load balancing capabilities so developers can easily build and deploy highly scalable applications. The Auto-Scaling for Bluemix service automatically and dynamically adjusts the compute capacity of an application based on user-defined policies that dictate scaling behavior. Depending on what runtime an application uses, developers are able to build scaling rules based on CPU utilization, memory usage, throughput, and Java™ Virtual Machine (JVM) heap usage. Once additional instances of the application are automatically created, the built-in load balancer distributes traffic between the instances.

Cloud provider network components

The cloud provider network components are made up of the web service tier, API management, and transformation and connectivity services.

Web service tier

The web service tier hosts the program logic used to generate dynamic web content. Components include web application servers, caches, file repositories, and user directories.

Web application server

Web application servers offer web server functionality and integrated application server functionality if it's needed. Web servers are systems that return resources (web content and images, for example) in response to an HTTP request. They may be configured to handle requests for multiple IP addresses and/or domains.

IBM WebSphere® Application Server offers server runtime environments, from small to large configurations, for Java-based web applications. WebSphere Application Server can be run directly on SoftLayer, through PureApplication® Service on SoftLayer, and through the Application Server Service on Bluemix.

The WebSphere on SoftLayer offering allows users to extend their web applications to the cloud and bring their own WebSphere license to managed, off-premises infrastructure. The PureApplication Service uses patterns of expertise to quickly deploy applications to dedicated, hybrid-enabled environments. With this service, the operating system (OS), middleware, and runtimes are pre-formulated by portable, reusable patterns, which make moving applications between on-premises and off-premises seamless and easy.

The WebSphere Application Server service in Bluemix allows users to use their own licenses or choose between preconfigured Full and Liberty profiles of WebSphere Application Server. Existing WebSphere users benefit from a familiar administration experience with the ability to move WebSphere Application Server applications to the cloud and use existing scripts, administration skills, and tooling.

For non-Java™ applications, SoftLayer offers virtual servers that can be configured to run as web application servers.


Cache

To reduce the time it takes to respond to a request from a user, caches are used to store information that is temporarily needed to fulfill a request by the web application server.

On SoftLayer bare metal, any web server capable of producing the cache-control header will work with the CDN.

Bluemix provides caching services that allow developers to build and run responsive and resilient applications with less concern about infrastructure, nodes, clusters, and agents. For application resiliency, the Session Cache service stores and persists HTTP session objects to a remote, in-memory data grid and provides seamless session recovery in the event of an application failure. This service offers linear scalability, predictable performance, and fault tolerance of a web application's session data.

To improve application responsiveness and performance, the Data Cache service also remotely leverages an in-memory data grid where users can quickly store and retrieve key-value data. This distributed caching service, powered by WebSphere eXtreme Scale technology, can minimize redundant transactions, improve response time, and increase efficiency in existing application infrastructure. Used together, the Data Cache service and Session Cache service allow developers to build applications in Bluemix that store large amounts of data that can be retrieved in milliseconds.

File repository

File repositories are devices or applications that find, store, retrieve, and delete information or data in the form of files.

Cloud-centric web applications use object storage to store and manage applications' data. Object storage offers superior scalability, durability, and cost compared with block-and-file storage. Object storage is accessed via APIs at the application level, whereas block-and-file storage is accessed by the operating system at the file-system level.

In addition to block-and-file storage, SoftLayer offers a highly scalable object storage solution based on OpenStack Swift that allows users to store, retrieve, and use large amounts of unstructured data. Object storage is offered with pay-as-you-go pricing and is fully integrated with SoftLayer's global content delivery network (see Edge Services).

Bluemix also offers the Object Storage service, where users can drag and drop to quickly manage object store content or use the Swift API and software development kits (SDKs) to access object storage programmatically.

User directory

User directories contain user IDs and credentials (such as passwords and certificates) that validate which users are allowed to access the information or applications being requested in the web servers and application servers. The directory can store common attributes across applications and can be accessed by web servers, applications servers, databases, or any other elements used in the web application.

A user directory can be implemented in SoftLayer using IBM Security Directory Server (ISDS), which uses the LDAP v3 protocol specification. In Bluemix environments, the cloud directory provided by the Bluemix SSO service can be used as a user registry for the cloud environment.

API management

API management capabilities advertise the available service endpoints that the mobile gateway can access. API management provides API discovery, catalogs, connection of offered APIs to service implementations, and management capabilities, such as API versioning. API management includes:

  • API discovery and documentation provides the ability for mobile developers to find and use APIs securely.
  • Management provides a management view into API usage, including use by mobile apps and systems using information from the application server, mobile gateway, back end, etc.

To ensure a solid foundation for a reliable transformation and connectivity strategy, the design and operation of these APIs and services should account for composition, security, deployment, access, governance, analytics, management, and scalability.

IBM's transformation and connectivity suites offer a range of tools, services, software, industry solutions, and guidance to help organizations navigate the complexities of cloud computing, including hybrid cloud computing and the emerging API economy.

Using IBM's connectivity tools, businesses can develop new routes to market and innovation to differentiate themselves in the contemporary API economy and emerging cognitive era. Enterprises can now use open standards to discover APIs, manage and monetize them, and securely transact in an open ecosystem. The API economy is also a key enabler for cognitive business, which will drive the growth of one million public APIs in the next three years. As with any emerging economy, the combination of open access, transparency, and the infrastructure to operate at scale is necessary for success.

Organizations that already use on-premises IBM middleware products—for APIs, messaging, data connectivity, and the like—will find it straightforward to integrate systems, migrate to more robust solutions, and adapt their internal governance to a hybrid model.

IBM API Management software is available both on premises and in the cloud. This software enables organizations to create, assemble, manage, secure, and socialize APIs by providing a portal to attract and engage application developers, as well as foster the use of published APIs. API Management software can be implemented on SoftLayer.

API management is also available as a service on Bluemix. Additionally, Bluemix offers IBM API Harmony and IBM API Economy. The IBM middleware team used advanced cognitive technologies to develop API Harmony, a cloud that acts as a matchmaker of APIs for developers and IT managers to facilitate the process of building new applications. IBM API Economy Foundation includes end-to-end enterprise capabilities to create, manage, and secure APIs, including IBM StrongLoop® for creating APIs, IBM API Management for governance, and IBM DataPower Gateway® for securing access.

Transformation and connectivity services

Transformation and connectivity services enable secure connection to enterprise systems and the ability to filter, aggregate, or modify data as it moves between web components (systems of engagement) and enterprise systems (typically, systems of record).

These services are comprised of:

  • Enterprise security connectivity: Leverages security services to integrate with enterprise data security to authenticate and authorize access to enterprise systems
  • Transformation: Transforms data between cloud-hosted and enterprise systems
  • Enterprise data connectivity: Enables mobile components to connect securely to enterprise data. Examples include VPN and gateway tunnels

Security connectivity must be safe, reliable and easy to use. IBM SoftLayer supports the breadth of the IBM Integration suite, providing an expedient path to a hybrid cloud-computing environment.

IBM DataPower® Gateway is a purpose-built security and integration platform for web applications and other workloads. It is available in a virtual form on SoftLayer, allowing a single entry point that is enforced consistently through security policies. DataPower integrates with IBM Integration Bus and IBM InfoSphere® Information Integration.

The IBM Integration Bus provides a robust and flexible secured integration foundation based on enterprise service bus (ESB) technology. IBM Integration Bus connects requests from the web application to the systems of record and transforms data between the format provided by the web application requests and the format that is required by the systems of record.

IBM InfoSphere for Information Server transforms and delivers data between systems while also allowing you to cleanse and better understand the data. It supports XML schema definition, multiple languages, and extended lineage context, which are necessary to support distributed cloud computing.

These tools can be run directly on SoftLayer or through the PureApplication Service on SoftLayer. The PureApplication Service uses patterns of expertise to quickly deploy applications to dedicated off-premises or on-premises environments. With this service, the OS, middleware, and runtimes are preformulated by reusable patterns, which make moving applications between on-premises and off-premises environments seamless and easy.

IBM WebSphere Cast Iron® Live and Cast Iron Hypervisor Virtual Appliance use a graphical interface to provide near real-time integration. These products can be used to integrate cloud and on-premises applications in days, reduce integration costs, and optimize resources and productivity. The graphical configuration, together with preconfigured templates based on common integration scenarios, simplifies adoption across all skill levels. Cast Iron Live can be consumed as Software as a Service in a multitenant, cloud-based platform or can be deployed to SoftLayer.

Enterprise connectivity and transformation capabilities are also available in Bluemix as consumable services. The Secure Gateway service provides connectivity from Bluemix to other applications and data sources running on premises. Setup is simple, taking about five steps to provision the service and connect it to your application. This service works with other partner and IBM services such as IBM DataWorks and IBM MQ Light. IBM DataWorks is a data transformation tool that finds, visualizes, and prepares data for use. Coupled with MQ Light, which supports asynchronous data delivery, the services create a straightforward, nimble solution for connectivity and transformation.

Enterprise network components

Enterprise network components include the user directory, data, and enterprise applications.

Enterprise user directory

The enterprise user directory provides storage for and access to user information to support authentication, authorization, or profile data. Security services and edge services use this to manage access to the enterprise network, enterprise services, or enterprise-specific cloud provider services.

IBM Directory Server for IBM (also referred to as Directory Services) provides Lightweight Directory Access Protocol (LDAP). LDAP runs over Transmission Control Protocol/Internet Protocol (TCP/IP), and is popular as a directory service for both Internet and non-Internet applications. IBM Directory Server proves and stores users' identification, password, and security policies.

Enterprise data

Enterprise data encompasses the data itself, metadata, and systems of record for enterprise applications. Data can flow directly to data integration systems or to the data repositories, providing a feedback loop in the analytical system. IBM offers a range of enterprise data management products that support private, public, and hybrid cloud adoption models. Because of compliance requirements for localized data storage, the use of distributed database management tools that accommodate hybrid cloud architectures is essential to handling global user bases.

Many types of enterprise data play a role in a web application hosting design.

  • Reference data defines the standards to be used by other data fields. In some instances, reference data and master data are one and the same.

    In hybrid IT environments, defining an overarching reference data standard is necessary and will inform overall automation, compliance, and governance strategies. Data architects are typically responsible for defining reference data.

    Reference data tools are included in the InfoSphere Master Data Management suite. This suite can be run on-premises, on SoftLayer bare metal, or as an IBM Cloud Analytic Service running on SoftLayer. Cloudant provides reference and master data management for NoSQL to support private-, public-, and hybrid-use scenarios.

  • Master data repositories can be updated with the analytics output to assist with subsequent data transformation, enrichment, and correlation. They can host analytics and feed other analytics models when they execute.

    The InfoSphere platform includes tools to simplify management and governance of master data. InfoSphere is available on SoftLayer or on-premises, depending on the workload type. Cloudant, the NoSQL Database as a Service (DBaaS), runs on SoftLayer and is available as a Bluemix or local service. Cloudant is well suited to mobile and cloud-native applications as it is highly scalable and can also support offline use cases. What makes Cloudant unique is its ability to spread data out across data centers and devices, thus pushing data to the network's edge for faster access and greater fault tolerance.

  • Transactional data is data about or from business interactions that adhere to a sequence or to related processes (such as financial, logistical, or other processes). Transactional data can come from reference data, master data repositories, and distributed data storage.

    IBM offers a range of traditional and DBaaS products to support a customer's unique needs and cloud strategy. These products include IBM DB2®, DB2 BLU Acceleration® for Cloud, Informix®, dashDB™, EHaaS, ClearDB, ElephantSQL, and PostgreSQL.

  • Application data is data that is either used by or produced by business solutions. Frequently, the data has been improved or augmented to add value and drive insight. This data can come from applications that are running in an enterprise data center. In application-centric databases, DBaaS presents a consistent configuration, automated scaling, and fault tolerance that support good DevOps practices and reduce the effort placed on the developer.

    IBM offers application data support across private, public, and hybrid cloud scenarios and through PaaS and DBaaS. Object storage, in-memory databases, and embedded and time series databases are typical application-centric database types.

    Informix has management tools to handle the mass of time series sensor data generated by the burgeoning Internet of Things (IoT) and to replicate it efficiently for consumption by other systems or data aggregation suites. Compose IO provides a suite of scalable DBaaS offerings to deliver relational and non-relational cloud database services for web and mobile app developers. These include MongoDB, Elasticsearch, RethinkDB, the Redis in-memory database, and PostgreSQL. Data Cache for Bluemix supports distributed caching scenarios for web and mobile applications.

  • Log data is data that is aggregated from log files from enterprise applications, sensors, infrastructure, security, governance, and service providers.

    The data management tool used to aggregate and manage log data depends on the purpose. Frequently, a tool like InfoSphere BigInsights based on Apache Hadoop is available as a cloud service running on SoftLayer or as a foundation for implementation in a private cloud. BigInsights comes pre-tuned and configured to reduce implementation time.

  • Enterprise content data is data, frequently object files, that supports any enterprise applications or business-to-business (B2B) or business-to-consumer (B2C) content delivery on a large scale.

    IBM Content Manager Enterprise Edition and IBM Filenet® P8 manage all content object types for distributed environments. Filenet management suite is particularly well suited for highly regulated environments with strict compliance and audit needs. FileCloud, offered through the IBM Cloud Marketplace, running on SoftLayer is designed for businesses that would like to create a self-branded storage solution at a reasonable price. Object Storage for Bluemix is a file repository service for storing static files, such as PDFs and content.

  • Historical data is data from past analytics and enterprise applications and systems. Use of cloud-based storage for archived data reduces storage costs. Migrating data from on-premises storage to a secure cloud also expedites the use of analytics as a service, allowing organizations to mine data for new insights.

    IBM PureData® patterns, IBM BigInsights®, and Spark running on SoftLayer—as well as cognitive and analytic services on Bluemix—open possibilities to access and consume historic data.

Enterprise applications

Enterprise applications run business processes and logic within existing enterprise systems and interact with or consume information from web applications. These applications can be updated from enterprise data or web applications, or they can provide input and content for enterprise data or web applications.

Enterprise applications are affected by the cloud in these areas:

  • Customer experience: Customer-facing cloud systems can be a primary system of engagement that drives new business and helps service existing users with lower initial cost.
  • New business models: Alternative business models that focus on low cost, fast response, and great interactions are all examples of opportunities driven by cloud solutions.
  • Financial performance: Applications should become more efficient as data is consolidated and reported faster and easier than in the past.
  • Risk: Having more data available across a wider domain means that risk analytics are more effective. Elastic resource management means more processing power is available in times of heightened threat.
  • IT economics: IT operations are streamlined as capital expenditures are reduced while performance and features are improved by cloud deployments.
  • Operations and fraud: Cloud solutions can provide faster access to more data, allowing for more accurate analytics that flag suspicious activity and offer remediation in a timely manner.

Enterprise applications that IBM supports include applications running on IBM mainframe, IBM commerce, ERP applications (like those from SAP and Oracle), and Java EE business applications built using WebSphere.

Security components

Security for web application hosting addresses fundamental business needs of security, such as:

  • Confidentiality: The right people having access to the cloud web applications and the apps' data
  • Integrity: The data of business users are intact and not tampered with
  • Availability: Cloud web applications must always be available, despite many security threats
  • Compliance: Applications and systems must address industry and regulatory compliance needs

Security components and their capabilities to address business needs include identity and access management, data and application protection, and security intelligence.

Identity and access management

These features identify and authorize the user, providing role-based access to cloud web applications. Identity and access management capabilities enable single sign-on, user lifecycle management, access control, and audit logging. Cloud applications typically have several user types that need varying levels of access. These user types include business users (customer, vendor, third party, staff users) and IT users (administrators, privileged users, application users). Identity and access management leverages the user directory from the service tier to grant access. Identity and access controls can be implemented in SoftLayer and Bluemix using multiple products and technologies to meet business requirements.

For SoftLayer, identity and access management capabilities can be easily deployed into virtual, SoftLayer cloud or traditional environments.

In particular, the following IBM security products integrate with other security products (IBM and non-IBM products) to provide intelligent identity and access assurance.

  • IBM Security Directory Server (for user directory / LDAP) is the user repository that holds credential information (user IDs, passwords, certificates) and other shared user attributes across applications. The edge service and web service tier uses this component.
  • IBM Security Identity Manager enables organizations to enact effective identity management and governance across the enterprise for improved security and compliance. Also available as a virtual appliance, IBM Security Identity Manager automates the creation, modification, recertification, and termination of identities throughout the user lifecycle.
  • Access control is implemented as a two-layer defense. The first layer is IBM Security Access Manager (ISAM) for Web and Mobile, which serves as a reverse proxy. The second layer is WebSphere Application Server container authorization using Java as a Service (JaaS) or Trust Association Interception (TAI) hosted behind ISAM. Federated ID management is enabled through IBM Security Federated Identity Manager (ISFIM), which supports SAML, OAuth, OpenID, and WS-Federation standards, among others. In addition, the SoftLayer portal enables two-factor authentication to increase the security of the administrator login to the portal.
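The two-layer access control described in the last bullet can be sketched as follows. This is an added example, not IBM product code: the header names `X-Auth-User` and `X-Auth-Sig`, the shared key, the directory entries, and the path-to-role map are all hypothetical, constructed values that stand in for the reverse proxy, the user directory, and the container's role check.

```python
import hashlib
import hmac

# Constructed demo secret shared by the reverse proxy and the application server.
PROXY_KEY = b"constructed-demo-key"


def _pw_hash(password, salt):
    """Salted password hash, as a directory would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample user directory: credentials plus role attributes.
DIRECTORY = {
    "alice": {"salt": b"s-alice", "hash": _pw_hash("correct horse", b"s-alice"),
              "roles": {"staff"}},
    "admin1": {"salt": b"s-admin1", "hash": _pw_hash("battery staple", b"s-admin1"),
               "roles": {"staff", "administrator"}},
}

# Hypothetical protected resources and the role each one requires.
REQUIRED_ROLE = {"/app/orders": "staff", "/app/admin": "administrator"}
IDENTITY_HEADERS = {"x-auth-user", "x-auth-sig"}


def _sign(user):
    """Proxy's assertion that it authenticated this user."""
    return hmac.new(PROXY_KEY, user.encode(), hashlib.sha256).hexdigest()


def proxy_layer(user, password, client_headers=None):
    """Layer 1 (reverse proxy): authenticate, then assert the identity downstream."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["hash"], _pw_hash(password, entry["salt"])):
        return None
    # Drop any identity headers the client sent so they cannot be spoofed.
    headers = {k: v for k, v in (client_headers or {}).items()
               if k.lower() not in IDENTITY_HEADERS}
    headers["X-Auth-User"] = user
    headers["X-Auth-Sig"] = _sign(user)
    return headers


def container_layer(headers, path):
    """Layer 2 (application server): trust only the proxy, then check the role."""
    user = headers.get("X-Auth-User", "")
    sig = headers.get("X-Auth-Sig", "")
    if not user or not hmac.compare_digest(sig.encode(), _sign(user).encode()):
        return 401  # identity was not asserted by the trusted proxy
    required = REQUIRED_ROLE.get(path)
    roles = DIRECTORY.get(user, {}).get("roles", set())
    if required is None or required not in roles:
        return 403  # deny by default: unknown path or missing role
    return 200


def handle(user, password, path, client_headers=None):
    """Full request path: proxy first, container second."""
    headers = proxy_layer(user, password, client_headers)
    return 401 if headers is None else container_layer(headers, path)
```

The second layer rejects a request that reaches the application server without a valid proxy assertion, which is why the server should only be reachable through the proxy and should still verify who is asserting the identity.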

Bluemix provides various functional security capabilities, including user authentication, access authorization, auditing of critical operations, and data protection. Bluemix uses the IBM web identity to authenticate application developers. Authentication through LDAP is supported by default in Bluemix Dedicated and Bluemix Local.

Bluemix uses Cloud Foundry mechanisms to provide role-based access to the applications on the Bluemix platform. The Single Sign On service provides federated authentication and single sign-on for applications in Bluemix. Managed IBM Cloud Identity Services and the Single Sign On service on Bluemix also give customers the identity and access capabilities. Identity sources such as SAML, Cloud Directory, or social identity services can be added to the Bluemix Single Sign On service.

Data and application protection

Data and application protection uses a multilevel defense across infrastructure, application, and data layers to protect enterprise data. Security is included as part of the development, delivery, and execution of mobile apps, including libraries and tools to secure and scan mobile apps as part of the application development lifecycle.

Data security capabilities secure and monitor access to data in mobile devices, enterprise databases, file shares, document-sharing solutions, and big data environments that may be accessed through the mobile platform. These security capabilities include encrypting data that is integrated with enterprise key management, creating secure connectivity architectures that protect data in motion, and activity monitoring that provides both real-time data monitoring as well as vulnerability assessment. Firewalls in the public network component tier protect the network-level flows to applications and data.

You can implement data and application protection controls in SoftLayer and Bluemix by using any of the products or technologies that are appropriate for the solution.

Web applications deployed in SoftLayer can be tested with extensive security scans (both black box and white box) by using IBM Security Appscan® Enterprise before being deployed onto production. IBM Security Guardium Data Activity Monitor tracks privileged user access to sensitive data in the cloud, including real-time protection of administrative access to databases (database activity monitoring). IBM Security Guardium Data Activity Monitor ensures the security and integrity of sensitive data in these web applications in SoftLayer (be it in databases, data warehouses, files, or cloud and big data platforms) and detects unauthorized access to sensitive data. Using SoftLayer Networking through VLANs and firewalls provides further isolation between the tiers of web application and traffic to and from the Internet. Commercial SSL certificates can be purchased through the SoftLayer portal for the web applications hosted in it.

Appscan Dynamic Analyzer, Static Analyzer, and Mobile Analyzer services in Bluemix scan web applications on Bluemix. Bluemix also provides the SQL Database service that includes database activity monitoring. As a complete SaaS solution, IBM Cloud Security Enforcer combines cloud discovery, user analytics, identity and access management, and threat prevention.

Security intelligence

Security intelligence capabilities monitor the cloud web applications for security breaches. Event and log analysis that's taken from the corporate incident management systems provides actionable intelligence to detect and defend against threats. Security reports ensure the cloud web application complies with regulatory standards.

The SoftLayer Nessus Scanning Service does vulnerability analysis and penetration testing of web applications hosted on SoftLayer. IBM QRadar SIEM filters, correlates, and analyzes huge volumes of log and network data across various runtimes and extracts real security threats—called "offenses"—from the data. IBM X-Force Threat Analysis service (XFTAS) sends security advisory notifications of the components in the environment for actionable intelligence through software patching.

In Bluemix, CloudFoundry Device Support Module (DSM) integrates security events of the applications hosted in the Bluemix platform across software, devices, and appliances.

Security management applies across the cloud lifecycle: design, development, deployment, and ongoing maintenance. Security governance is an integral part of security management.

IBM component models

The figure below shows the web application component model with its detailed capabilities.

Figure 4. Web application component-level diagram
Diagram showing a public network and some of its components

IBM product and SoftLayer mapping to the capabilities

It is not necessary to choose a single platform to host your entire solution. In fact, IBM anticipates that most enterprises will ultimately implement hybrid cloud architectures. However, the following component mappings are provided to demonstrate the robustness of the IBM platforms and to help enterprises choose the best of breed for them. Please note that these mappings are as of January 2016, so other products may be suitable at the time of your reading.

Figure 5. SoftLayer services mapping
Diagram of a network with SoftLayer services included

Bluemix services mapping to the capabilities

The following figure maps the services provided by Bluemix for enabling the Cloud Standards Customer Council (CSCC) Web Application Hosting reference architecture that was discussed in this article.

Figure 6. Bluemix services mapping
Diagram of a network with its components and the Bluemix services

Component interaction diagrams: Flexibility and scale for an effective architecture

This section shows how to use IBM products to implement common scenarios using the web application hosting architecture. Since this is a general-purpose scenario, there are only two variations depending on data access demands.

  • Restricted-access web applications
  • Open-access web applications

The following figure demonstrates a typical flow of interactions for a web application. The steps that are referenced in the image are described in detail below.

Figure 7. Flow of interactions
Diagram of a network with the services, each component numbered to show the flow

General flow

The following steps demonstrate a general web application flow.

  1. A user sends a request to a specified URL.
  2. Edge services receive the request. Edge services consist of a group of services that handle the request and get it to the right destination. These services include the domain name server, the content delivery network (CDN) server, the firewall, and the load balancers. Often, an API manager is added to find the right application once the request is inside the network. Every request going to or from the network goes through the firewall. Both SoftLayer and Bluemix provide edge services appropriate to their usage within the web application flow.
    1. The domain portion of the URL is resolved into an IP address via the domain name services (DNS). This IP address may actually be the IP address of a CDN server, load balancer, firewall, or proxy service in front of the actual web application server that will satisfy the request.
    2. The CDN server determines if any of the requested content is in the CDN storage network. If the CDN server cannot satisfy the request, the request is sent to the firewall.
    3. If the CDN server is able to satisfy the request, then the CDN responds to the request by returning that content. The user's browser retrieves and displays the returned content.
    4. If the CDN cannot satisfy the request, the message is passed to the firewall and then the load balancers. Both of these will use security services.
    5. The firewall evaluates the packets that form the request and allows only those packets that meet the rules of the firewall to continue forward to the load balancer. Typical rules might only pass incoming HTTP and HTTPS packets destined for ports 80 and 443. Firewalls often have two sets of rules—one for filtering inbound traffic into the firewall and one for filtering outbound traffic going from the firewall. Generally, DNS resolution for internal requests is done using a private DNS server rather than a public DNS server.
    6. The load balancer sends the request to a specific web application server in a pool of web application servers. The decision for where the request goes is made using a random (round robin) algorithm or by some other method. For example, the load balancer might pick the server currently doing the least amount of work (least load). If the packet is associated with a web session, the load balancer may direct the message to the server that most recently handled a request in the same session (stickiness). Load balancers can direct requests by processing sophisticated rules, using systems and business policies, current and historic performance, as well as resource usage and availability in the underlying VMs or systems.
  3. Security is enabled across multiple layers. Cloud web applications have their access provided to the right users and roles through identity and access management such as IBM Security Director running inside the enterprise. The web applications are protected from threats (such as cross-site scripting, SQL injection attacks, and more) starting at the beginning of the development cycle. The application stack is further isolated at the network level into multiple network segments or VLANs. The sensitive data is protected from end users and privileged users. Continuous monitoring of threats and log analysis in the solution provide visibility and actionable intelligence. Logs are used for audit and compliance reports.
  4. The API manager receives the request and determines which services or applications in the applications server should be invoked and determines if that user has the appropriate authority.
  5. The web application server returns a resource (normally some form of web content) based on the user's request. Based on the request, the web server retrieves the static content by accessing the file system or invokes a program or service to dynamically generate the requested content. WebSphere Full or Liberty Profile are frequently used on SoftLayer directly or as a service. Bluemix also offers WebSphere as a service.
  6. Before any processing is done, the web application server may invoke the user directory to authenticate the user and validate permissions to perform the request. Typically, this is done as a part of a log-in process. The user directory may use security services and the enterprise user directory.
  7. The web application server determines if a local cache can satisfy the request. If so, the appropriate content and associated data is returned to the user.
  8. File repositories store and manage data that can be requested by the application server. Caches and file repositories return data through the firewall (Step 2). If application logic must be invoked (by the application server), it may require the retrieval of data from files, databases (Step 10), web services, sensors, and other sources of data or it may require the programmatic generation of new data or information. IBM Content Manager Enterprise Edition and IBM Filenet P8 are frequently used in distributed or hybrid environments. For SoftLayer, File Cloud services are available. Bluemix includes a file repository for static content.
  9. In the transformation and connectivity phase, data that will be stored in the enterprise's database is transformed from web formats to database formats. This phase ensures that secure, reliable messaging is used appropriately. At this tier of the architecture, DataPower, CastIron, InfoSphere, IIB, and MQTT are options depending on the placement and number of integration points in play.
  10. To generate the requested response, the web application server may need to access a database to query data. That data may be accessed directly or may require transformation in order to be used by the application. Logs and databases enable analytics on enterprise data. DBaaS, NoSQL, and traditional, on-premises RDBMS are all possible repositories for enterprise data. Cloud-native applications might be built around Cloudant or MongoDB. B2C apps, wrapped around systems of record, might access IBM DB2 or DB2 BLU Acceleration.
  11. Enterprise applications use data from the web application as well as logs and context data for analytics. If the web application updates the data, then enterprise applications may process those changes.
  12. When the web application server completes its tasks, the resulting content is delivered back through the firewall (Step 2), which passes the content to the user's browser.
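Steps 2.5 and 2.6 of the flow can be made concrete with a small model. This is an added example, not code from the article or from any IBM product: it combines a firewall with separate inbound and outbound rule sets (first match wins, anything unmatched is denied) and a load balancer that honours session stickiness and otherwise picks the least-loaded server, rotating among equally loaded ones. The outbound rules and the server names `web1` to `web3` are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", or "*" for any protocol
    port: Optional[int]   # None matches any destination port

    def matches(self, proto, port):
        return self.proto in ("*", proto) and self.port in (None, port)


class Firewall:
    """Two rule sets, as in step 2.5: one for inbound and one for outbound traffic."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}

    def evaluate(self, direction, proto, port):
        for rule in self.rules[direction]:
            if rule.matches(proto, port):
                return rule.action
        return "deny"  # default deny: no rule matched


def build_firewall():
    # Inbound rules from the text: only HTTP and HTTPS on ports 80 and 443.
    inbound = [Rule("allow", "tcp", 80), Rule("allow", "tcp", 443)]
    # Outbound rules are a constructed example (HTTPS and DNS only).
    outbound = [Rule("allow", "tcp", 443), Rule("allow", "udp", 53)]
    return Firewall(inbound, outbound)


class LoadBalancer:
    """Step 2.6: stickiness first, then least load, round robin among ties."""

    def __init__(self, servers):
        self.load = {s: 0 for s in servers}   # active requests per server
        self.sessions = {}                    # session id -> server
        self._rr = 0                          # rotation start for tie-breaking

    def pick(self, session_id=None):
        server = self.sessions.get(session_id)
        if server not in self.load:           # no sticky mapping, or server removed
            names = list(self.load)
            order = names[self._rr:] + names[:self._rr]
            server = min(order, key=self.load.__getitem__)
            self._rr = (names.index(server) + 1) % len(names)
            if session_id is not None:
                self.sessions[session_id] = server
        self.load[server] += 1
        return server

    def remove(self, server):
        """Take a server out of the pool; its sessions are re-balanced on next use."""
        self.load.pop(server, None)


def handle_request(firewall, balancer, proto, port, session_id=None):
    """Return the chosen server, or None if the firewall drops the packet."""
    if firewall.evaluate("inbound", proto, port) != "allow":
        return None
    return balancer.pick(session_id)
```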

Web application flows may change depending on the openness of the application. For example, some applications require no identity management – meaning that the application is available to any user. In that case, portions of Step 3 can be eliminated.

Table 2. Flow variations
| Scenario | Components |
| --- | --- |
| 1. Restricted-access web application | Uses components 1-6 (for security) and 9-11. Selectively uses 7, 8 for caching. |
| 2. Open-access web application | Uses components 1-5 and 9-11. Eliminates 6 (App is open) for security. Selectively uses 7, 8 for caching. |

Deployment considerations

Deployment of the components for web application hosting depends on the capabilities of the cloud service(s) that are chosen. These architectural decisions are rarely cut and dried, and you need to consider many factors before drawing a conclusion.

Table 3 shows you what to consider when making a selection. Use this as a starting point for your decision, but know that each situation will vary.

| Consideration | Factors | Recommendations |
| --- | --- | --- |
| Cloud service level: Determine ideal service level (PaaS, SaaS, IaaS) | Skill level, technical debt, culture, ability, and willingness to adopt changes | Consider PaaS if you have a new workload with little existing technical investments and an innovative culture. Consider IaaS if you have many existing workloads that are unlikely to change and a conservative, risk-averse culture. SaaS can be an ideal option for both conservative and innovative cultures if the SaaS solution satisfies most requirements. |
| Deployment model: Determine ideal model (on premises, off premises, hybrid) | Data sovereignty and data location, cost, capacity estimates, security, performance, and legal and local regulations | Consider an on-premises model if you have large, diversified workloads that can be supported in a small number of data centers. Consider an off-premises model if you do not own or want to own your own data center, need multiple data centers spread around the world, or do not have enough workload volume to drive efficiencies. Consider hybrid deployments if you have unpredictable capacity and elasticity requirements. Keep in mind the legal, regulatory, and performance requirements that will have a significant impact on workload placement. |
| Connectivity and network: Identify optimal network configuration | Performance, IP, security, and cost | Consider a software-defined network if the enterprise has the skill level to support it. |
| Data: Determine ideal data placement | Data sovereignty, security, industry standards, and performance | The first consideration in data placement is regulatory requirements that may impact data residency or sovereignty. After determining data-residency limitations, decide whether co-locating the data with the application is necessary for performance reasons. Then decide if it's best to push the data to the application or the application to the data based on the amount of data and the application characteristics. |
| Development: Select development tools and automation solutions | Integration with outer services, performance, ease-of-use, and developer productivity. Development methodology and runtime support | Consider a PaaS set of tools if your organizational culture values innovation and time to market. Consider a more traditional development toolset for organizations that are conservative or have a desire to simplify and reduce the total number of tools supported. Automation will help either type of organization and should be encouraged. |
| Determine if the application can and should be moved to the cloud, refactored, or redesigned | Skills, performance, cost, time to market, and integration requirements | Consider a "lift-and-shift" approach if the application is stable, noncritical, and not in need of a revision. Consider a redesign if the application is likely to evolve in the near future. |
| Integration: Determine the best model for integration in hybrid deployments | Security, performance, cost, flexibility, and acceptance of an API economy | Consider an API-based integration approach if the organization wants to coexist with partners as part of a larger ecosystem or make services more accessible internally or externally. Consider enterprise integration when there are complex transformations in the data or the service is not easily simplified into an API. |

Regardless of whether components are deployed in public, private, or hybrid environments, you need to consider and address lifecycle, operations, and governance requirements. Where components are deployed will strongly affect management and governance implementations. Private deployments may be able to use existing internal management and governance tools if they have access to the cloud infrastructure. For public, hybrid, and externally hosted private deployments, lifecycle operations – instantiate, initiate, terminate – for components outside the firewall need to be negotiated with the hosting parties.

Similarly, operational monitoring and management capabilities – for gathering metrics, checking SLAs, status, notifications, and negotiating changes in capacity – require that access to the related cloud service administrative interfaces is obtained. Support for these interfaces should be added appropriately to existing management tools. This may include integrating data, information, tools, and processes from multiple sources into common interfaces, reports, and automation tools for efficient and scalable operations.

Governance and compliance processes will need to accommodate the change in control and risk over any externally hosted components, especially where changes are controlled by the cloud service provider. Optimally, lifecycle management solutions should integrate across deployment models and provide a common, integrated context that enables management of release, change, security, SLAs, and problem diagnosis.

Choosing SoftLayer (IaaS)

SoftLayer provides the highest-performing cloud infrastructure available with data centers located around the world. These data centers offer the widest range of cloud computing options, allow customers to choose what services work for them, and then integrate and automate everything.

SoftLayer gives you:

  • A complete IaaS solution: SoftLayer offers servers, storage, networking, security, and management.
  • Choice: SoftLayer can run on bare metal servers or virtual servers.
    • Bare metal servers provide the raw horsepower required for processor-intensive and disk I/O-intensive workloads. A bare metal server is a single-tenant physical server that is completely dedicated to a single customer.
    • Virtual servers allow you to prioritize flexibility and scalability in your environment.
      • Virtual servers run on a public node, and resources are shared in the multi-tenant environment.
      • Virtual servers can run on a private node in a dedicated environment. A customer can run multiple virtual servers for their environment.
      • Two types of virtual servers
        • Standard images: VMs that can be deployed on virtual servers.
        • Flex images: VMs that can be deployed on virtual servers or bare metal.

Choosing Bluemix (PaaS)

Bluemix is the open cloud platform that gives developers access to IBM software for integration, security, transaction, and other key functions. Customers also have access to software from IBM's business partners. Bluemix consists of applications, services, buildpacks, and other components.

Bluemix is underpinned by three key open-compute technologies: Cloud Foundry, Docker, and OpenStack. It extends each of these with a growing number of services, robust DevOps tooling, integration capabilities, and a seamless developer experience. There are currently three different Bluemix offerings:

  • Bluemix Public is a multitenant cloud, running in a limited set of IBM-owned data centers.
  • Bluemix Dedicated is a single-tenant cloud, running in IBM-owned data centers. Bluemix Dedicated can run in any SoftLayer location and gives users access to Bluemix Public Services through the syndicated catalog.
  • Bluemix Local is a single-tenant cloud that can run in a non-IBM location such as a customer's data center. Bluemix Local needs an underlying OpenStack or VMware infrastructure to support it.


IBM cloud is an enterprise-class solution intended to help organizations of all sizes to grow and innovate. The web application architecture is one of many workloads that can run on the IBM cloud. This paper shows how IBM supports the Customer Cloud Architecture for Web Application Hosting paper available on the Cloud Standards Customer Council. Given the pervasiveness of this general architecture, we expect to see many implementations take advantage of web application clouds in IaaS, PaaS, and hybrid deployments. Cloud computing solutions are well suited for a variety of web application hosting environments due to their support for elasticity and flexibility. IBM's unique value proposition is our ability to support the diverse set of web application workloads regardless of geography, technology drivers, or industry.
