Multitier Environment

AppAgiles PaaS comes in two flavours: a Singletier and a Multitier environment. In a Singletier environment all applications reside in the same subnet. In a Multitier environment applications can be deployed into different tiers, i.e. into different subnets. This architecture increases security by separating systems into tiers:

  • a web-tier,
  • an app-tier,
  • and a db-tier.

There are some design rules that have to be kept in mind when using such an environment.

  • Communication from pod to pod within the same tier works as in a Singletier environment, i.e. a service is
    reachable directly as long as the pods behind this service are located in the same tier as the caller.
  • Communication from a pod to a pod in a different tier is not possible via services directly. It is only possible via routes, and only for HTTP and HTTPS. That is why a router is installed in every tier. Services that cannot be exposed via routes because of their protocol (only HTTP and HTTPS can be routed) have to be exposed via so-called Node Ports instead (see below).
    Only the services that group pods in the Web-Tier are accessible from the internet.
  • Communication is only possible in the direction from left to right (Web-Tier -> App-Tier -> DB-Tier), i.e.
    • services that group pods located in the Web-Tier are the only ones accessible from external networks, e.g. from the internet,
    • services that group pods located in the App-Tier are only accessible from pods located in the Web-Tier,
    • and services that group pods located in the DB-Tier are only accessible from pods located in the App-Tier.
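The three design rules above, encoded as a small reachability check that a team can run against its own service-to-service dependency list before requesting firewall changes. This is an added example, not code from AppAgiles: the PaaS enforces the rules in the SDN, the firewall and iptables, not with this function. It assumes that traffic from the internet reaches the Web-Tier only through the router on ports 80 and 443, and that the set of Node Ports the operations team has already opened is known to the caller.

```python
# Tier-to-tier reachability rules of the Multitier environment as a checkable
# function. Added example: the PaaS enforces these rules in the SDN, firewall
# and iptables; this code only encodes them so a team can reason about its
# own service-to-service dependencies.

TIERS = ("web", "app", "db")      # left to right
EXTERNAL = "internet"
ROUTED_PORTS = {80, 443}          # the only ports that cross a tier boundary by default


def is_reachable(src, dst, port, enabled_node_ports=frozenset()):
    """Return (allowed, reason) for a connection from `src` to a service in `dst`.

    src: "internet" or one of the tiers; dst: one of the tiers.
    port: the port the caller connects to (80/443 mean "via the router").
    enabled_node_ports: node ports that operations has explicitly opened
    between tiers (assumed to be known to the caller).
    """
    if dst not in TIERS or src not in TIERS + (EXTERNAL,):
        raise ValueError(f"unknown tier: {src!r} -> {dst!r}")

    if src == EXTERNAL:
        if dst != "web":
            return False, "only Web-Tier services are accessible from the internet"
        if port in ROUTED_PORTS:
            return True, "internet -> Web-Tier via the router (assumed: 80/443 only)"
        return False, "internet reaches the Web-Tier only through the router"

    if src == dst:
        return True, "same tier: services are reachable directly, any protocol"

    if TIERS.index(dst) != TIERS.index(src) + 1:
        return False, f"{src} -> {dst}: only the next tier to the right is reachable"

    if port in ROUTED_PORTS:
        return True, "HTTP/HTTPS through the router of the target tier (expose a Route)"
    if port in enabled_node_ports:
        return True, "explicitly enabled Node Port"
    return False, ("ports other than 80/443 are blocked between tiers; "
                   "expose a Node Port and have operations enable it")


def path(src, dst):
    """Tiers a request must traverse to reach `dst` from `src`, hop by hop."""
    chain = (EXTERNAL,) + TIERS
    i, j = chain.index(src), chain.index(dst)
    if j < i:
        return []                 # right-to-left traffic is never allowed
    return list(chain[i:j + 1])


def check_matrix(flows, enabled_node_ports=frozenset()):
    """Return the (src, dst, port, reason) entries of a flow list that the environment blocks."""
    blocked = []
    for src, dst, port in flows:
        allowed, reason = is_reachable(src, dst, port, enabled_node_ports)
        if not allowed:
            blocked.append((src, dst, port, reason))
    return blocked


if __name__ == "__main__":
    # Constructed sample communication matrix of a three-tier application.
    flows = [("internet", "web", 443), ("web", "app", 443),
             ("web", "db", 5432), ("app", "db", 5432), ("app", "web", 8080)]
    for entry in check_matrix(flows, enabled_node_ports={31432}):
        print("BLOCKED", *entry)
```

The check deliberately refuses a Web-Tier pod talking to the DB-Tier, even on 443: the rules allow only the next tier to the right, so a web front end that needs database data has to go through an App-Tier service.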

(Figure: MultiTier architecture diagram)

Deployment

To deploy a pod to a specific tier, set the nodeSelector in the pod template of the deployment configuration; the region label selects the nodes of the tier.

Example: deploy to web-tier.

.....
template:
  metadata:
    .....
  spec:
    containers:
    ...
    nodeSelector:
      region: web        # schedule the pod onto nodes of the web-tier
    restartPolicy: Always
    securityContext: {}
    terminationGracePeriodSeconds: 30
    .....

Routes

Due to the separation of a system into tiers, applications are not allowed to connect directly to services in another tier. Technically this is enforced by blocking the SDN between tiers. To access a service in another tier via HTTP or HTTPS, that service has to be exposed via a route.

Use the following host name pattern when exposing services that group pods in a given tier (the domain of the example cluster is appa12.tsi-af.de, <N> is the cluster number):

Pod in tier   Pattern                       Example route
web           *.ext.appa<N>.tsi-af.de       myWebApp.ext.appa12.tsi-af.de
app           *.app.int.appa<N>.tsi-af.de   myBusinessApp.app.int.appa12.tsi-af.de
db            *.db.int.appa<N>.tsi-af.de    myDb.db.int.appa12.tsi-af.de

Node Port

Sometimes it is necessary to access services that use protocols other than HTTP or HTTPS, e.g. the binary protocols of database services. Within one tier even those services are reachable directly. Since services based on protocols other than HTTP and HTTPS cannot be exposed as routes, such a service has to be bound to a host port directly, a so-called Node Port. A Node Port is opened on every machine in the cluster, so the service can then be addressed as <hostname>:<node-port>, where <hostname> is any node of the cluster.

Note: Since the multitier environment blocks all ports other than 80 and 443 between tiers, Node Ports have to be enabled explicitly by the operations team: not only the firewall rules, but also the iptables rules on the host machines have to be modified. Please contact the operations team to enable this functionality if needed. Because a Node Port is opened on every machine in the cluster, request it only for the source tier and port you actually need, so that the tier separation is not weakened more than necessary.