myDRE Highlevel Architecture

myDRE Highlevel Architecture


Introduction

This article describes the myDRE High-level Architecture.

Note:
  1. Development, Acceptance, and Production are separated environments.

Description 

  1. Compute Infrastructure. myDRE.org Portal serves as the frontend for the solution offering self-services capabilities for administrators and researchers alike. The web infrastructure runs on isolated infrastructure in an App Service Environment
  2. The provisioning engine handles resource provisioning, RBAC, App registrations and configuration for the research workloads.
  3. The Workspace Infrastructure is a Microsoft Azure Subscription under the billing account of the Tenant.
    1. The Workspace Infrastructure runs under the billing account of the Tenant, it is controlled and managed via myDRE AAD
    2. The Workspace Infrastructure uses the billing agreement of the Tenant for all resources deployed in the Research Infrastructure
    3. A Tenant can have one or more Workspace Infrastructures (=a Microsoft Azure Subscription)
      1. Per Workspace Infrastructure it must be decided to which Microsoft Azure Region, On-Premise Infrastructure it will be connected
      2. See also: Multi-Region Implementation
  4. The Research Infrastructure includes VMs, SMB File Shares, and related network and security infrastructure
    1. The Research Infrastructure is governed by the policies of the Workspace Infrastructure
  5. The Shared Services enable provisioning, identity management, governance and security, using Azure Services.
    1. The Shared Services run under the billing agreement of anDREa
    2. The Shared Services uses the billing agreement of the Tenant 
  6. The researchers connect to the VMs using RDP, the resource IPs are added to allow-list JIT and are cleaned up daily
  7. On-Premises Infrastructure. Virtual machines can optionally connect to the tenant's on-premises infrastructure for specific use cases like License Servers or Storage services
    1. See for more details: License Server Access from anDREa
    2. The On-Premise Infrastructure is fully managed by the Tenant
  8. All ingress of data is authorized and all egress of data is through an approval flow enabled by the managed data transfer services



User exposure (examples)

The myDRE High-level Architecture is the design behind the user interfaces like:

Workspace Infrastructure

The users will see all the Workspaces they are member of; including Workspaces belonging to different Organisations.




Research Infrastructure

Depending on the role, users can (re)configure their resources in a friendly and easy way. Like resizing a Virtual Machine, changing the deallocation time, ingress and egress data, add and remove members, add and manage external access (e.g. IP whitelisting).


    • Related Articles

    • myDRE - pencilling out the Shared Tenant

      First version: 2021-05-27 Last updated: 2021-05-27 Introduction The following short videos give a quick mental picture of myDRE as a Shared Tenant. The view point taken is that how the enrolment takes place; the technical process on how to make myDRE ...
    • myDRE and IAM

      Current implementation Every user will get their own @mydre.org username. Security - every user is subject to the same policies No guest-accounts Minimally every 24h Multi-Factor Authentication (MFA) is required Trusted devices cannot be created ...
    • myDRE & Firewalls

      Introduction For domain and URL-whitelisting a Firewall is required. anDREa can provide the following options Using your own organization's firewall with Bastion Architecture (preferred) Using your own organization's firewall Deploying an Azure ...
    • anDREa & myDRE - an Introduction

      Introduction The ultimate proof is in the eating as goes for myDRE. However, you might want to get a taste first. The short videos below give a quick insight. Why myDRE was created Duration: 1:31  (2022-11-15) History of anDREa BV Duration: 4:46 ...
    • myDRE as a SaaS

      Introduction myDRE is a product developed and maintained by anDREa BV that allows a Service Provider to offer services to Tenants. Each Tenant is able to self-service create Workspaces for storing and processing data. The Service Provider operates ...