Azure Components for PaaS
All components required to run SmartIQ as PaaS in Azure are deployed in an Azure Resource Group, which groups the different components logically. Consider carefully the geographical location where your application will be deployed, to minimize latency. It is also recommended that the App Service and the SQL Database are deployed in the same Azure datacentre.
Here is an overview of the components required to host SmartIQ as PaaS in Azure.
App Service Plan
Represents the collection of physical resources used to host your apps, where Region, Scale Count, Instance Size and SKU are defined.
SmartIQ has two main applications (Produce and Manage) that are deployed as Virtual Applications in Azure PaaS.
A Web Job is used to deploy the SmartIQ Scheduler, which runs as a service triggering the tasks scheduled within Manage.
App Service
PaaS offering of Microsoft Azure that allows creating web and mobile apps for any platform or device. Azure runs deployed apps on Microsoft-managed virtual machines (VMs).
This is the Azure component used to deploy Produce and Manage, where SSL is configured to secure data in transit (HTTPS).
Azure SQL Server and Database
Relational database as a service using the Microsoft SQL Server Engine. SQL Database is a high-performance, reliable, and secure database, without needing to manage infrastructure.
Transparent Data Encryption is always enabled to secure data at rest.
The firewall is configured to only accept requests from the Produce and Manage applications.
Azure Key Vault
Azure Key Vault can be used as the wrapper/unwrapper for SmartIQ's Data Encryption Key (DEK). The application will call into the vault any time a new DEK is created and stored in the database, as well as when a previous DEK is needed by the application.
Key Vault is not used to encrypt any data at this time. It is only used for DEK wrapping/unwrapping.
If Key Vault is not configured for the site, SmartIQ will use its static KEK as before. Once Key Vault has been configured and a DEK has been wrapped by it, Key Vault will always be required to unwrap that DEK. If Key Vault is later disabled, new DEKs will be wrapped by the SmartIQ static KEK, but DEKs already wrapped by Key Vault still depend on it. If SmartIQ is no longer able to contact Key Vault there is no way to unwrap those DEKs, and therefore no way to decrypt the data that was encrypted with them.
If the key ID is ever deleted from Azure then the data in SmartIQ can be considered lost.
There is one Key Vault configuration per site - Manage, Produce, and the Scheduler require the same settings.
Only one Key Vault key ID is supported at a time, but it can be changed at any time. Each DEK records which key ID was used to wrap it and will always use that ID and version to unwrap it. The key ID in configuration is only used when wrapping newly created DEKs.
The web server requires access to call out to Azure APIs, which it should already have if the site is running on Azure.
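The DEK lifecycle described above (static KEK fallback, the wrapping key ID recorded per DEK, and unwrap always using the recorded ID rather than the current configuration), as an added illustration that is not SmartIQ's own code. Key Vault is replaced by an in-memory stand-in using a toy HMAC-keystream XOR wrap instead of Key Vault's RSA key wrapping; the key ID format, the static marker and the function names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

STATIC_KEK_ID = "static"  # assumed marker for DEKs wrapped by the built-in static KEK


@dataclass(frozen=True)
class DekRecord:
    """What the database keeps per DEK: the wrapped bytes and the ID that wrapped it."""
    wrapped_dek: bytes
    kek_id: str  # Key Vault key ID including version, or STATIC_KEK_ID


def _toy_wrap(secret, dek):
    # Toy stand-in for Key Vault wrapKey/unwrapKey: XOR with an HMAC keystream.
    # XOR is its own inverse, so the same call wraps and unwraps a 32-byte DEK.
    stream = hmac.new(secret, b"dek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(dek, stream))


class FakeKeyVault:
    """In-memory stand-in for Key Vault: versioned key IDs that can go offline or be deleted."""
    def __init__(self):
        self.keys = {}        # key ID (with version) -> wrapping secret
        self.reachable = True

    def new_key_version(self, name):
        kid = f"https://vault.example/keys/{name}/{os.urandom(4).hex()}"  # constructed ID
        self.keys[kid] = os.urandom(32)
        return kid

    def wrap(self, kid, dek):
        if not self.reachable:
            raise ConnectionError("Key Vault unreachable: DEK cannot be unwrapped")
        if kid not in self.keys:
            raise KeyError(f"key ID {kid} was deleted: data is unrecoverable")
        return _toy_wrap(self.keys[kid], dek)

    unwrap = wrap


def create_dek(vault, static_kek, configured_kid):
    """Mint a DEK and wrap it with the configured key ID, or the static KEK if none is set."""
    dek = os.urandom(32)
    if configured_kid is None:
        return dek, DekRecord(_toy_wrap(static_kek, dek), STATIC_KEK_ID)
    return dek, DekRecord(vault.wrap(configured_kid, dek), configured_kid)


def unwrap_dek(vault, static_kek, record):
    """Unwrap with the key ID recorded on the DEK, ignoring the current configuration."""
    if record.kek_id == STATIC_KEK_ID:
        return _toy_wrap(static_kek, record.wrapped_dek)
    return vault.unwrap(record.kek_id, record.wrapped_dek)
```

Walking the states in order shows why rotating the configured key ID is safe (old DEKs keep their own ID) while losing the vault or the key ID is not.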