Home
This Azure Blueprint solution automatically deploys a multi-tier web application architecture with pre-configured security controls to help customers achieve compliance with FedRAMP requirements. The solution consists of Azure Resource Manager (ARM) templates and PowerShell scripts that guide resource deployment and configuration. An accompanying Blueprint compliance matrix is provided, showing security control inheritance from Azure and where deployed resources and configurations align with NIST SP 800-53 security controls, thereby enabling organizations to fast-track compliance obligations.
This Azure Blueprint solution is made up of a combination of JSON configuration files (ARM templates) and PowerShell scripts that are handled by the Azure Resource Manager API service to deploy resources within Azure Government Cloud. For more information about template deployment, read the following links:
This solution deploys a notional architecture for a web application with a database backend. The architecture includes a web tier, data tier, Active Directory infrastructure, application gateway and load balancer. Virtual machines deployed to the web and data tiers are configured in an availability set and SQL Servers are configured in an Always On availability group for high availability. A management jumpbox (bastion host) provides a secure connection for administrators to access deployed resources.
The architecture includes the following Azure products:
- Virtual Machines
  - (1) Management/Bastion (Windows Server 2016 Datacenter)
  - (2) Active Directory Domain Controller (Windows Server 2016 Datacenter)
  - (2) SQL Server Cluster Node (Windows Server 2012 R2 on SQL2014SP2)
  - (1) SQL Server Witness (Windows Server 2016 Datacenter)
  - (2) Web/IIS (Windows Server 2016 Datacenter)
- Availability Sets
  - (1) Active Directory Domain Controllers
  - (1) SQL Cluster Nodes and Witness
- Virtual Network
  - (1) /16 VNet
  - (5) /24 Subnets
  - DNS settings point to both Domain Controllers
- Load Balancer
  - (1) SQL Load Balancer
- Application Gateway
  - (1) WAF Application Gateway -- Enabled -- Firewall Mode: Prevention -- Rule set: OWASP 3.0 -- Listener: Port 443
- Storage
- Backup
- Key Vault
  - (1) Key Vault -- (3) Access Policies (user, AADServicePrincipal, BackupFairFax) -- (7) Secrets (aadClientID, aadClientSecret, adminPassword, azurePassword, azureUserName, keyEncryptionKeyURL, sqlServerServiceAccountPassword)
- Azure Active Directory
- Azure Resource Manager
- Application Insights
- Log Analytics
- Automation
  - (1) Automation Account
- Scheduler
- Operations Management Suite
  - (1) OMS Workspace
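As an added example (not part of this blueprint's own templates or scripts), the following Python check reads an ARM template and reports where an Application Gateway drifts from the WAF settings listed above: WAF enabled, Firewall Mode Prevention, OWASP 3.0 rule set, HTTPS listener on port 443. The `SAMPLE_TEMPLATE` resource, the `BASELINE` dictionary and the `weakened` helper are constructed for illustration.

```python
"""Check an ARM Application Gateway against the blueprint's stated WAF baseline: enabled, Prevention, OWASP 3.0, HTTPS on 443."""
import json
# Constructed sample Microsoft.Network/applicationGateways resource; not the blueprint's own template.
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.Network/applicationGateways", "name": "appGateway",
    "properties": {
        "frontendPorts": [{"name": "port443", "properties": {"port": 443}}],
        "httpListeners": [{"name": "httpsListener", "properties": {"protocol": "Https",
            "frontendPort": {"id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', 'appGateway', 'port443')]"}}}],
        "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention",
                                                "ruleSetType": "OWASP", "ruleSetVersion": "3.0"}}}]})
BASELINE = {"firewallMode": "Prevention", "ruleSetType": "OWASP", "ruleSetVersion": "3.0"}

def check_app_gateway(template_json: str) -> list[str]:
    """Return findings for every Application Gateway in the template; [] means it matches the baseline."""
    template, findings = json.loads(template_json), []
    gateways = [r for r in template.get("resources", []) if r.get("type") == "Microsoft.Network/applicationGateways"]
    if not gateways:
        return ["no Microsoft.Network/applicationGateways resource found"]
    for gw in gateways:
        name, props = gw.get("name", "?"), gw.get("properties", {})
        waf = props.get("webApplicationFirewallConfiguration", {})
        if not waf.get("enabled"):
            findings.append(f"{name}: WAF is not enabled")
        for key, expected in BASELINE.items():
            if waf.get(key) != expected:
                findings.append(f"{name}: {key} is {waf.get(key)!r}, expected {expected!r}")
        # Resolve each listener to a port number through the frontendPorts entry it references.
        ports = {p["name"]: p["properties"]["port"] for p in props.get("frontendPorts", [])}
        https_443 = False
        for listener in props.get("httpListeners", []):
            lp = listener.get("properties", {})
            # frontendPort.id is a resourceId(...) expression; its last quoted token is the port name.
            port_name = lp.get("frontendPort", {}).get("id", "''").split("'")[-2]
            if lp.get("protocol") == "Https" and ports.get(port_name) == 443:
                https_443 = True
            elif lp.get("protocol") == "Http":
                findings.append(f"{name}: plaintext HTTP listener {listener.get('name')}")
        if not https_443:
            findings.append(f"{name}: no HTTPS listener on port 443")
    return findings

def weakened(template_json: str, **waf_overrides) -> str:
    """Copy of the template with WAF settings overridden, to show the check catching a drift."""
    template = json.loads(template_json)
    for r in template["resources"]:
        r["properties"]["webApplicationFirewallConfiguration"].update(waf_overrides)
    return json.dumps(template)
```

Running `check_app_gateway` over an exported template before deployment (or over `Export-AzureRmResourceGroup` output afterwards) gives a quick drift check against the listed settings.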
NIST SP 800-53 controls mapped in the Blueprint compliance matrix (one row per deployed resource or configuration):

- IA-5.h, IA-5.i, IA-5 (7), SC-12, SC-12 (1), SC-12 (2)
- IA-5.b, IA-5.e, IA-5 (1).a, IA-5 (1).b, IA-5 (1).c, IA-5 (1).d, IA-5 (1).e, IA-5 (1).f, IA-5 (4), IA-5 (7)
- IA-2, IA-4.d
- AC-2 (3), AC-7.a, AC-7.b, AC-8.a, AC-8.b, AC-10, AC-11.a, AC-11.b, AC-11 (1), AC-12, AC-12 (1).a, AC-12 (1).b, IA-4.e
- AC-2.a
- AC-2 (7).a, AC-3, AC-6, AC-6 (8), AC-6 (10), AU-6 (7), AU-9, AU-9 (4), AU-12 (3), CM-5
- SI-2.a, SI-2.c, SI-2 (1), SI-2 (2)
- CM-6.b, CM-7.a, CM-7.b, SC-28 (1)
- SI-3.a, SI-3.b, SI-3.c, SI-3 (1), SI-3 (2), SI-3 (7)
- CM-5 (3), CM-6.a, CM-6.b, CM-6.d, CM-6 (1), CM-6 (2), CM-7.a, CM-7.b, SC-7 (12), SI-2.c
- AC-17 (2), SC-8, SC-8 (1), SC-23, SC-23 (1), SC-23 (3)
- AC-17 (3), SC-7 (3)
- AU-9, AU-9 (3)
- AU-5.a, AU-5.b, AU-5 (2)
- AC-2.g, AC-2 (1), AC-2 (4), AC-2 (7).b, AC-2 (12).a, AC-2 (12).b, AC-6 (9), AC-17 (1), AU-2.a, AU-2.d, AU-3, AU-12.a, AU-12.b, AU-12.c, CM-5 (1)
- AU-4, AU-4 (1), AU-5 (1), AU-11
- AU-9, AU-9 (3)
- AU-6 (3), AU-6 (4), AU-7.a, AU-7.b, AU-7 (1), AU-9 (2), AU-11, AU-12 (1), SC-7.a
- AU-8.a, AU-8.b, AU-8 (1).a, AU-8 (1).b
- SC-28, SC-28 (1)
- CP-7.a, CP-7.b, CP-7.c, CP-7 (1), CP-7 (3)
- CP-9.a, CP-9.b, CP-9.d, CP-9 (5)
- CP-6.a, CP-6.b, CP-6 (1), CP-6 (2)
- CP-10 (2)
- AC-17 (3), SC-5, SC-7.a, SC-7.b, SC-7.c, SC-7 (3), SC-7 (5), SC-7 (11), SC-7 (12)
- AC-4
- SC-2, SC-3, SC-7 (13), SC-7 (21)