
Design 4: Modern PaaS Web App (The Standard)

Summary

This design uses Azure App Service (PaaS).

Topology: The App Service uses VNet Integration to connect to the Spoke VNet, allowing it to reach private resources in the Hub or other Spokes.

1. Key Design Decisions (ADR)

ADR-01: Compute

  • Decision: Azure App Service (Premium V3).
  • Rationale: Fully managed. Auto-patching. Built-in scaling.

ADR-02: Network

  • Decision: VNet Integration.
  • Rationale: Allows PaaS app to access private IPs in the VNet (e.g., SQL, Redis).

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  User        |           |        HUB VNet          |           |  SPOKE VNet  |
|  (Internet)  |           |      (Firewall)          |           |  (App Svc)   |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  App Service |           +------------+-------------+           +------+-------+
|  (Public)    |---------->| Azure Firewall           |<--------->|  VNet        |
+--------------+           | (Egress Control)         |           |  Integration |
                           +--------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Azure Firewall        |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-paas-spoke (10.1.0.0/16)                             |
|   +-----------------------+                                           |
|   | Subnet: Integration   |                                           |
|   | (Delegated)           |                                           |
|   | [App Service Plan]    |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR STRATEGY                                                           |
|   +-----------------------+                                           |
|   | App Service (DR)      |                                           |
|   | (Stopped/Cold)        |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • App Service Plan: The underlying compute (Server Farm).

5. Strategy: High Availability (HA)

  • SLA: 99.95%.
  • Scaling: Autoscale based on CPU.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Backup & Restore or Active-Passive.
  • Process: Restore App to West US.

7. Strategy: Backup

  • Implementation: App Service Backup.
  • Policy: Daily backup to Storage Account.

8. Strategy: Security

  • Identity: Managed Identity.
  • Network: Access Restrictions (Allow only Front Door).

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High.
  • Cost Optimization: High.
  • Operational Excellence: High. Slots for Blue/Green deployment.
  • Performance Efficiency: High.

10. Detailed Traffic Flow

1. User: Hits app.azurewebsites.net.

2. App: Processes request.

3. Outbound: App needs to call SQL.

4. Route: Traffic flows through VNet Integration subnet -> Spoke -> Hub (if SQL is there).

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Resource Group

1. Search: "Resource groups" -> + Create.

2. Resource group: rg-design04-paas.

3. Region: East US.

4. Create.

Phase 2: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource group: rg-design04-paas.

3. Name: vnet-paas-spoke.

4. Region: East US.

5. IP Addresses:

* Space: 10.1.0.0/16.

* Subnet: snet-integration (10.1.1.0/24).

* Note: This subnet will be delegated to App Service later.

6. Create.

7. Peering:

* Go to vnet-paas-spoke -> Peerings -> + Add.

* Remote VNet: vnet-hub.

* Name: Spoke-to-Hub.

* Add.

Phase 3: Create App Service Plan & Web App

1. Search: "App Services" -> + Create -> Web App.

2. Resource Group: rg-design04-paas.

3. Name: app-corp-web-[uniqueid].

4. Publish: Code.

5. Runtime stack: .NET 6 (LTS) or Node 18 LTS.

6. Region: East US.

7. App Service Plan:

* Click Create new. Name: asp-corp.

* Pricing Plan: Premium V3 P1v3 (Required for VNet Integration).

8. Create.

Phase 4: Configure VNet Integration

1. Go to the new Web App.

2. Networking (left menu) -> VNet integration.

3. Add VNet.

4. Virtual Network: Select vnet-paas-spoke.

5. Subnet: Select snet-integration.

6. Connect.

7. Note: The subnet will now show as "Delegated to Microsoft.Web/serverFarms".

Phase 5: Verify Connectivity

1. Go to Development Tools -> SSH (or Console).

2. Type tcpping 10.0.0.4:3389 (assuming 10.0.0.4 is a VM in the Hub or Spoke).

3. If connected, it shows "Connected". This proves the App Service is routing traffic into the VNet.

Phase 6: Configure DR (Backup)

1. Go to Backups.

2. Configure custom backups.

3. Storage account: Select a storage account (create one if needed in rg-design04-paas).

4. Container: backups.

5. Schedule: Daily.

6. Save.
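As an added post-deployment check (example code, not part of the original runbook), the script below validates two of this design's controls against constructed JSON shaped like Azure CLI output: that snet-integration sits inside vnet-paas-spoke, does not overlap vnet-hub and is delegated to Microsoft.Web/serverFarms (Phases 2 and 4), and that the Access Restrictions from section 8 deny everything except the AzureFrontDoor.Backend service tag, pinned to one Front Door profile through the X-Azure-FDID header. The sample records and the Front Door ID placeholder are constructed; the service tag and header names are Azure's own and are not stated on this page.

```python
import ipaddress

# Constructed sample shaped like `az network vnet subnet show` output (not real data)
SPOKE_SUBNET = {
    "name": "snet-integration",
    "addressPrefix": "10.1.1.0/24",
    "delegations": [{"serviceName": "Microsoft.Web/serverFarms"}],
}
SPOKE_SPACE, HUB_SPACE = "10.1.0.0/16", "10.0.0.0/16"

# Constructed sample shaped like `az webapp config access-restriction show` output
ACCESS_RULES = [
    {"name": "AllowFrontDoor", "action": "Allow", "priority": 100,
     "ipAddress": "AzureFrontDoor.Backend", "tag": "ServiceTag",
     "headers": {"x-azure-fdid": ["<front-door-profile-id placeholder>"]}},
    {"name": "Deny all", "action": "Deny", "priority": 2147483647, "ipAddress": "Any"},
]

def check_integration_subnet(subnet, spoke_space, hub_space):
    """Return findings for the VNet Integration subnet (empty list means OK)."""
    findings = []
    prefix = ipaddress.ip_network(subnet["addressPrefix"])
    if not prefix.subnet_of(ipaddress.ip_network(spoke_space)):
        findings.append("integration subnet is outside the spoke address space")
    if prefix.overlaps(ipaddress.ip_network(hub_space)):
        findings.append("integration subnet overlaps the hub address space (peering breaks)")
    delegations = {d.get("serviceName") for d in subnet.get("delegations", [])}
    if "Microsoft.Web/serverFarms" not in delegations:
        findings.append("subnet is not delegated to Microsoft.Web/serverFarms")
    return findings

def check_access_restrictions(rules):
    """Return findings for an 'allow only Front Door' access-restriction set."""
    findings = []
    if not any(r["action"] == "Deny" and r.get("ipAddress") == "Any" for r in rules):
        findings.append("no catch-all Deny rule; the app stays reachable from any source")
    for r in (r for r in rules if r["action"] == "Allow"):
        if r.get("tag") != "ServiceTag" or r.get("ipAddress") != "AzureFrontDoor.Backend":
            findings.append(f"allow rule '{r['name']}' is not the Front Door service tag")
            continue
        headers = {k.lower(): v for k, v in (r.get("headers") or {}).items()}
        if not headers.get("x-azure-fdid"):
            # The service tag admits every Front Door profile; the header pins it to ours.
            findings.append(f"allow rule '{r['name']}' lacks an X-Azure-FDID header filter")
    return findings

if __name__ == "__main__":
    print("subnet:", check_integration_subnet(SPOKE_SUBNET, SPOKE_SPACE, HUB_SPACE) or "OK")
    print("access restrictions:", check_access_restrictions(ACCESS_RULES) or "OK")
```

Feed it the real `az` output with `json.load` to run the same checks against the deployed rg-design04-paas resources.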