Physical Architecture Layers

For the production environment, in order to ensure high availability, redundancy, and security of the solution, Quidgest recommends the creation of several servers distributed across the respective internal networks of the Datacenter, with the respective load balancing, according to the security policy, capacity management, and customer needs.

Recommended DBMS: Microsoft SQL Server 2019 Enterprise or Standard (depending on the load balancing needs)

The recommendation for data storage should be reviewed, based on the volume of data to be hosted, as well as the expected growth rate for the number of years defined in the Datacenter's capacity management policy.

Here are represented 5 layers to better ensure the segregation of information and security for users, which can be adapted according to the client's reality and project requirements.

External connection recommendations (optional)

If the system in question needs to be accessed by people outside the network where the project is integrated, then the client must ensure the Reverse Proxy/Load Balancer (e.g. Nginx - open-source tool) to block attacks and direct traffic to the respective application servers based on the source IP and the URL used, to maintain user sessions. Session persistence must be guaranteed according to the source address of the request.

Internal DMZ

We should always consider that when we have external access by third-party applications, these will be guaranteed based on the use of web services provided and placed in the client's infrastructure. This communication system between third parties and the data component will respond with the necessary security to limit the data they will have access to and guarantee the rules and flows implemented to ensure the final data quality.

This layer serves to show that the service to be provided can also be scaled horizontally to meet various needs. The service provided here will take advantage of the resources of the Internet Information Service (IIS), as well as the other components that will be presented and that make up the final solution.

Web and Integration Servers

In the second layer, we have the representation of servers with Microsoft Windows Server Operating System and the Internet Information Service (IIS), to provide the presentation layer on the data for users. These servers will be in active/active mode for load balancing and to ensure continuous operation in case of failure of any of them.

In terms of communication security, we recommend the use of SSL certificates to ensure the encryption of communication tunnels between clients and application servers for both web services and system portals, as well as communication with the database. It is advisable to use these same certificates to ensure total security and encryption in communication between servers and in the various services used by the application (for example, in the reporting service).

Integration Servers

We will also have Integration servers that can work in active/passive mode, also with the Windows Server Operating System, and will ensure all asynchronous operations and processing of routines that are somehow heavier and/or to run in parallel with other crucial operations within the scope of data coherence between the various modules. For this requirement, it is necessary to install a tool provided by Quidgest called QuidServer, which will function as a service of the operating system.

It is worth remembering that there will be portals designated as WebAdmin, which will serve to perform configuration, modification, and system version maintenance operations and audit data consultation. This should be guaranteed physical and/or virtual isolation in the network so that only system administrators have access to it and some type of authentication, at least, by ad-hoc configuration with a fixed user and password, or even with a domain user group. These WebAdmin portals will be hosted on Integration servers, for maintenance operations, and can be configured, for example, using one of these technologies: Vlan, with VPN/IPSEC, IP filtering.

Report availability

It will also be possible to have servers to support report generation based on Microsoft Reporting Services technology and which will also use the Microsoft Windows Server resource. These servers should work in high availability mode, distributing and balancing the load across the available nodes.

Data and virtual machine hosting

The fifth and last layer will contain the servers that will host the data in the database. The system to be considered here will be the one already indicated earlier. In the Database Network, a cluster should be implemented to support the data, which can take advantage of read-only replicas, to ensure a higher response capacity.

In this way, a scalable solution is guaranteed, also horizontally, and with high availability, according to best practices.

If virtualization of the machines to be provided is necessary, these can be implemented on the technology that exists in the organization as long as the previously identified assumptions are guaranteed (for example, active/passive redundancy on integration machines).

Hosting of audit data and logs (optional)

Audit data, such as Windows and IIS Logs, can be exported to an NFS (Network File System). This need is since the registration of this type of data is required for a period longer than these technologies store.

Licensing for the architecture

Based on the presented architecture and the servers required to host the solution, software acquisition will be necessary for the production and quality environment to be hosted in the contracting party's infrastructure. This type of solution is based on the software provided by Microsoft, corresponding to the following elements:

Software	Description
Windows Server 2019 Standard (or higher)	All identified machines need this software
SQL Server 2019 Standard/Enterprise (or higher)	To be used on machines corresponding to the hosting of database information

For the Quality environment, the quotation and quantity will be lower, because this environment, although representing the same server characteristics and similar hardware capacity, will be for testing, demonstration, and training purposes.

Software	Descrição
Windows Server 2019 Standard (or higher)	All identified machines need this software
SQL Server 2019 Developer (or higher)	To be used on machines corresponding to the hosting of database information

In case it is proposed and/or the client wishes to create a development environment in the infrastructure where the other components are located, then the necessary software to respond to this need will be:

Software	Descrição
Windows Server 2019 Standard (or higher)	All identified machines need this software
SQL Server 2019 Developer (or higher)	To be used on machines corresponding to the hosting of database information
Microsoft Visual Studio 2019 Community (or higher) or higher	(Option) Tool used for the process of tracking potential problems - Choose this option if the server has only the functionality of testing the development and quality environment
Microsoft Visual Studio 2019 Professional (or higher)	(Option) Tool used for the process of tracking potential problems - Choose this option if the server has the functionality of testing in the development, quality, and deployment environment for production solutions

Suggestion for architecture implementation

Information hosting

We suggest the use of the Microsoft SQL Server DBMS because, based on our experience, we can achieve a better response capacity to the needs with demanding software and many concurrent/simultaneous users.

These servers and based on Microsoft SQL Server would be configured with clusters to ensure load sharing and failover of the DBMS, along with the Always On technology in asynchronous mode to ensure that all read requests are balanced and do not remain pending concurrent write (this technology will be implemented according to the number of servers that are made available to host the solution).

In addition to the previously mentioned advantages and in case it is necessary to better guarantee the anonymity of the information of the files physically hosted in the storage, including backups, we can take advantage of the transparent encryption functionality (TDE). When this functionality is considered, the client is obliged to save and maintain the encryption key backup.

User environment

The entire system for the user will be web-based so that the installation of the necessary components for the proper functioning of the application in the various existing user environments can be minimized, and we also guarantee that it will be multiplatform (in relation to which browser will be used) and agnostic regarding the operating system, being possible its installation and operation on any operating system.

The only necessary component and which will require installation will be the component for digital signature of documents and which needs administrative rights for installation (If applicable to the proposed system).

The software to be delivered will be modular, flexible, customizable, and user-friendly, ensuring that there will be user profiles and based on that profile and their "department" will have access or not to some module and even filter the access to information they are entitled to.

Technology to implement

At this moment, all the technology used is based on the implementation of open-source ASP.NET MVC 4 technology. This technology requires the Internet Information Service and the Microsoft Windows operating system.

Regarding all system reports, they will be based on Reporting Services technology, as this allows greater versatility in the characteristics of the reports.