Private Cloud's Deployment

Software architecture to perform automated IAAS, PAAS, and SAAS deployments to private cloud with compliance, data privacy, and security.

By Joel Lopes · Jan. 22, 24 · Review

Public clouds are designed for everyone, but many customers need a private version of the cloud. Sometimes they need physically isolated data centers and networks located in their own country. These private clouds offer the same Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), and Software-as-a-Service (SaaS) service models as other data centers. Some features available in public cloud offerings may be released later in a private cloud, because compliance and security requirements complicate deployment there.

As the race for private government clouds heats up, governments are becoming stricter about their citizens' data, and more and more private clouds are appearing. Some of the popular offerings in this area include Azure China, Azure Germany, Azure for US Government, AWS Germany, AWS China, Google for Government, and the list goes on. Compliance, data privacy, and security restrictions for these clouds apply not only to cloud customers but also to cloud providers. For instance, Azure developers have to satisfy compliance requirements before their change is deployed to a private cloud.

Typically, to manage the compliance, data privacy, and security restrictions of a restricted cloud, a third-party provider is required to manage deployments and maintenance for that cloud. Usually, ingress to these private clouds is allowed while egress is limited. Users of public clouds have many deployment options, but for private clouds there is no readily available solution. Service providers either have in-house custom solutions or have cleared personnel who can log in and perform deployments to the private cloud manually. For a large service provider, hundreds of teams need to perform thousands of releases into these private clouds every day, so having cloud operators execute deployment scripts and return the result to the developer does not scale. Imagine every deployment of an AWS service going through a cloud operator. Nor can you simply point a CI/CD pipeline at these clouds, because the private cloud's operator needs to control releases into their cloud at any point: they must be able to stop a release, and they need to audit every deployment that happens, since data must not leave their cloud. In this article, we discuss a possible architecture for these private cloud deployments.

Architecture

Figure 1: High-level architecture

At a high level (Figure 1), developers on the public cloud create a release request with all the release metadata and parameters and pass it to the private cloud deployment service, which takes care of the deployment to the private cloud.

Private Cloud Deployment Service

Let's look at the different components in this system as shown in Figure 2:

  • Public Deployment Service (PDS): Receives the release metadata and release parameters and orchestrates execution of the release compliance requirements.
  • Public Compliance Manager (PCM): Requests permission from the private cloud and, with the help of the RCV, ensures all public-cloud compliance requirements are met. It signs the release request and asks the PCCM for private cloud-specific compliance approval.
  • Release Compliance Validator (RCV): Validates that compliance requirements are adhered to, such as the Federal Risk and Authorization Management Program (FedRAMP), International Traffic in Arms Regulations (ITAR), and Criminal Justice Information Services (CJIS) guidelines for the US government.
  • Private Cloud Compliance Manager (PCCM): Receives requests from the PCM, validates and approves them, creates release audit records with the help of the PRCV, and sends a response back to the PCM.
  • Private Release Compliance Validator (PRCV): Similar to the RCV, but validates the compliance rules specific to the private cloud.
  • Private Cloud Deployer (PCD): Manages the deployment inside the private cloud and returns only a success/failure message to the Public Deployment Service (PDS).
  • Cloud Resource Deploy (CRD): The cloud resource that is actually being deployed.

The private cloud deployment service consists of the above microservices deployed across both clouds. The Public Deployment Service (PDS) receives requests in the form of release metadata and release parameters. Before we kick off the release in the private cloud, we need to ask the private cloud for permission. For this purpose, the Public Compliance Manager (PCM) establishes a bidirectional connection with its counterpart component, the Private Cloud Compliance Manager (PCCM).

The PCM creates a release request, signs it with its own private key, and sends it to the PCCM. The PCCM verifies the PCM's signature, asks the Private Release Compliance Validator (PRCV) to validate the release request, and then requests approval from the private cloud admins.

Once the release is approved, the PCCM creates a record signed with its own key and sends it to the PCM. The PCM and PCCM each maintain their own audit record carrying the signatures of both parties.

The PDS then sends all the release configuration and release metadata to the Private Cloud Deployer (PCD). Before triggering the release, the PCD confirms with the PCCM that this particular release has been approved for their private cloud and receives the deployment credentials for it. Once confirmed, deployment starts in the private cloud, and only a success/failure message is sent back to the public cloud, so that the private cloud's data privacy rules are respected.

The PRCV and RCV can be the same code deployed with different configurations; the same applies to the PCM and PCCM, as they are fundamentally similar microservices with different configurations. The private cloud deployment service thus eliminates the need for private cloud operators to deploy services by hand: it establishes a secure connection with the public cloud while the private cloud still retains control of its deployments and its data.

Conclusion

In this article, we have presented one possible architecture for deployments to private clouds, at a very high-level view of the system. Details such as IPC, hosting platform, storage systems, and database systems are intentionally omitted, because depending on your cloud provider you will have different options, and the choice of one over another does not affect the overall operation of the system. This architecture can help with deployments to trusted private clouds for different IaaS, PaaS, and SaaS providers. It provides strong security, compliance checks, hooks, and auditing with the signatures of both parties. The architecture can be applied to several classes of problems where the software producer and the software consumer are two different organizations with only partial trust between them.
