Blueprints

Standardizing the architecture in the landscape brings many benefits.

Some of them are:

  • Reuse of the same products and components is easier.
  • Configuration templates can be created and maintained.
  • Policies can be created and maintained.
  • Education of project teams can be standardized too.
  • Faster deployment because of standardization (same interfaces/agreements between the components).
  • A clear scope of what must be implemented in the web application and what can be expected from upfront components.

This is why we recommend a blueprint architecture that addresses organizational security requirements. Therefore, the security team should be involved in these discussions and decisions.

Blueprint architecture

The following questions should guide you on which components and surrounding requirements directly influence how Microgateway is being used and where it must be integrated. After going through these points, a blueprint could be created which clearly defines the duties of each component.

What components are generally deployed?

  • Secure Entry Server in front of the Kubernetes cluster (e.g. Airlock Gateway).
  • Ingress Controller.
  • Service Mesh (e.g. Istio).
  • Airlock Microgateway.
  • Web application.
  • Identity and Access Management solution (e.g. Airlock IAM).
  • Other sidecars in the web application Pods that should be protected.

What is the responsibility of each component?

  • Load balancing between Kubernetes nodes.
  • Distribute traffic to the corresponding service.
  • mTLS between services.
  • Filtering traffic.
  • Enforce authentication.
  • Authenticate users and provide functions such as password forget, self-registration, ...
  • Propagate users' identity to the upstream service.
  • Observability.
  • ...

Are tenants or projects deployed in the same Kubernetes cluster?

  • Own Kubernetes cluster.
  • Own Kubernetes namespace.
  • ...

Which applications should be protected by Airlock Microgateway and which not?

  • Exclude or include any Kubernetes clusters.
  • Exclude or include any Kubernetes namespaces.
  • Exclude or include any applications.

What does the CI/CD pipeline look like? How are applications deployed and would the Microgateway be deployed too?

  • Manual deployment.
  • GitOps approach.
  • ...

What Telemetry requirements do exist?

  • Logs, metrics and tracing.

Which Telemetry stack is used?

  • Grafana, Loki, Promtail, Prometheus, Tempo.
  • Kibana, Elasticsearch, Logstash, Prometheus.
  • ...
 
Notice

A good blueprint should work for most projects and help the teams to speed up. Nevertheless, there might be circumstances where it makes sense to adjust the blueprint according to project needs. It is important to clarify whether it is mandatory or facultative to follow the blueprint and how to proceed if adjustments are required.

Usage

After developing or updating a blueprint it is important to incorporate it into the affected areas.

Possible sections which are affected:

  • Inform teams about the new blueprint.
  • Update the guidelines.
  • Update configuration templates.
  • Update policies.
  • Update scripts to assess the active configuration.
  • ...