System Scope and Context

App Suite Proxy is a layer 7 reverse proxy and load balancer. It initially receives and forwards all HTTP traffic that targets the HTTP-based App Suite MW APIs or requests static App Suite UI resources.

Business Context

User

Sends out HTTP requests through a web browser or other clients and receives responses from the App Suite system.

L4 Proxy

Proxies the incoming TCP connections that carry HTTP requests, forwarding them to any available App Suite Proxy instance. Responsibilities like DoS mitigation lie with this component, not with App Suite Proxy.

Identity & Access Management

System that identifies, authenticates and authorizes users who want to interact with App Suite over HTTP. For an authenticated request, App Suite Proxy asks the Identity & Access Management system to determine the corresponding target shard if it cannot be determined by other (cheaper) means like cookies.

App Suite Shards

A number of distinct App Suite deployments, each consisting of all desired subsystems like MW, UI, Mobile API Facade, etc. App Suite Proxy routes each request to the single shard that the user behind the request belongs to.

Technical Context

App Suite Proxy is a pure layer 7 component, accepting and forwarding only HTTP traffic. The underlying network architecture for internet services is usually sophisticated; however, this document considers it only where necessary.

High availability of App Suite Proxy and the need to serve millions of users are considered hard requirements for anyone operating an App Suite deployment. It is therefore assumed that multiple instances of App Suite Proxy run in parallel and are distributed across multiple pieces of underlying hardware. Again, the details of how this can be done are out of scope for this document.

It is required and expected that the L4 Proxy in front of App Suite Proxy routes TCP connections consistently, so that complete HTTP payloads are always transmitted between peers.

App Suite Proxy maintains connections to all available App Suite UI/MW instances as well as to connected infrastructure services like Identity and Access Management systems. Load balancing and request routing are explicitly responsibilities of App Suite Proxy.

Edge Router

An internet edge router that announces the virtual IP(s) of the App Suite deployment to internet routers through the Border Gateway Protocol (BGP). It routes incoming IP packets for such an IP to the L4 Proxy, which handles the encapsulated transport protocol.

L4 Proxy

Terminates or forwards TCP traffic for the App Suite deployment by listening for packets that belong to the corresponding virtual IP. Outgoing packets are sent to App Suite Proxy instances, preserving TCP streams, so that complete HTTP messages arrive at the proxy instances.

Server

A physical computer that runs one or more programs to provide the App Suite service or infrastructure services like Identity & Access Management. The underlying hardware is assumed to be commodity server hardware. However, how software components are spread across and run on top of that hardware is out of scope for this section.