myDRE Highlevel Architecture
Introduction
This article describes the myDRE High-level Architecture.
Note:
- Development, Acceptance, and Production are separated environments.
Description
- Compute Infrastructure. The myDRE.org Portal serves as the frontend for the solution, offering self-service capabilities to administrators and researchers alike. The web infrastructure runs on isolated infrastructure in an App Service Environment.
- The provisioning engine handles resource provisioning, RBAC, App registrations and configuration for the research workloads.
- The Workspace Infrastructure is a Microsoft Azure Subscription under the billing account of the Tenant.
- The Workspace Infrastructure runs under the billing account of the Tenant; it is controlled and managed via the myDRE AAD.
- The Workspace Infrastructure uses the billing agreement of the Tenant for all resources deployed in the Research Infrastructure.
- A Tenant can have one or more Workspace Infrastructures (each one being a Microsoft Azure Subscription).
- For each Workspace Infrastructure it must be decided which Microsoft Azure Region and which On-Premises Infrastructure it will be connected to.
- See also: Multi-Region Implementation
- The Research Infrastructure includes VMs, SMB File Shares, and related network and security infrastructure
- The Research Infrastructure is governed by the policies of the Workspace Infrastructure
- The Shared Services enable provisioning, identity management, governance and security, using Azure Services.
- The Shared Services run under the billing agreement of anDREa
- The Shared Services use the billing agreement of the Tenant.
- The researchers connect to the VMs using RDP; the resource IPs are added to the allow-list just-in-time (JIT) and are cleaned up daily.
- On-Premises Infrastructure. Virtual machines can optionally connect to the Tenant's on-premises infrastructure for specific use cases such as License Servers or Storage services.
- See for more details: License Server Access from anDREa
- The On-Premises Infrastructure is fully managed by the Tenant.
- All ingress of data is authorized, and all egress of data goes through an approval flow enabled by the managed data transfer services.
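The JIT allow-list mentioned above (RDP access granted per source IP and cleaned up daily) can be modelled as follows. This is an added example, not myDRE code: the rule structure, the 24-hour maximum age, the /24 minimum prefix and the sample addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

RDP_PORT = 3389
MAX_AGE = timedelta(hours=24)   # assumption: an entry survives at most one daily cleanup cycle
MIN_PREFIX = 24                 # assumption: refuse sources broader than a /24

@dataclass
class JitRule:
    """One just-in-time allow-list entry: a source IP/CIDR allowed to reach one VM on RDP."""
    source: str
    vm: str
    granted_at: datetime
    port: int = RDP_PORT

def grant_rdp(rules, source, vm, now):
    """Append a JIT entry for source -> vm. Broad ranges are rejected, since they would
    turn a per-researcher allow-list into a standing hole."""
    net = ipaddress.ip_network(source, strict=False)
    if net.prefixlen < MIN_PREFIX:
        raise ValueError(f"source {source} is too broad for a JIT allow-list entry")
    rules.append(JitRule(str(net), vm, now))
    return rules

def is_expired(rule, now):
    """An entry is expired once it has reached MAX_AGE."""
    return now - rule.granted_at >= MAX_AGE

def daily_cleanup(rules, now):
    """The daily job: drop every expired entry and return the entries that are kept."""
    return [r for r in rules if not is_expired(r, now)]

def is_rdp_allowed(rules, source_ip, vm, now, port=RDP_PORT):
    """Fail closed: an expired entry grants nothing, even if the cleanup job has not run yet."""
    ip = ipaddress.ip_address(source_ip)
    return any(
        r.vm == vm and r.port == port and not is_expired(r, now)
        and ip in ipaddress.ip_network(r.source)
        for r in rules
    )

# Constructed sample data (RFC 5737 documentation addresses), not taken from the page.
NOW = datetime(2021, 5, 27, 9, 0, tzinfo=timezone.utc)
RULES = []
grant_rdp(RULES, "203.0.113.10", "ws-vm-01", NOW - timedelta(hours=2))     # fresh entry
grant_rdp(RULES, "198.51.100.0/24", "ws-vm-01", NOW - timedelta(hours=30))  # stale entry
```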
User exposure (examples)
The myDRE High-level Architecture is the design behind user interfaces such as:
Workspace Infrastructure
Users see all the Workspaces they are a member of, including Workspaces belonging to different Organisations.
Research Infrastructure
Depending on their role, users can (re)configure their resources in a friendly and easy way: resizing a Virtual Machine, changing the deallocation time, ingressing and egressing data, adding and removing members, and adding and managing external access (e.g. IP whitelisting).