myDRE Highlevel Architecture
Introduction
This article describes the myDRE High-level Architecture.
Note:
- Development, Acceptance, and Production are separated environments.
Description
- Compute Infrastructure. myDRE.org Portal serves as the frontend for the solution offering self-services capabilities for administrators and researchers alike. The web infrastructure runs on isolated infrastructure in an App Service Environment
- The provisioning engine handles resource provisioning, RBAC, App registrations and configuration for the research workloads.
- The Workspace Infrastructure is a Microsoft Azure Subscription under the billing account of the Tenant.
- The Workspace Infrastructure runs under the billing account of the Tenant, it is controlled and managed via myDRE AAD
- The Workspace Infrastructure uses the billing agreement of the Tenant for all resources deployed in the Research Infrastructure
- A Tenant can have one or more Workspace Infrastructures (=a Microsoft Azure Subscription)
- Per Workspace Infrastructure it must be decided to which Microsoft Azure Region, On-Premise Infrastructure it will be connected
- See also: Multi-Region Implementation
- The Research Infrastructure includes VMs, SMB File Shares, and related network and security infrastructure
- The Research Infrastructure is governed by the policies of the Workspace Infrastructure
- The Shared Services enable provisioning, identity management, governance and security, using Azure Services.
- The Shared Services run under the billing agreement of anDREa
- The Shared Services uses the billing agreement of the Tenant
- The researchers connect to the VMs using RDP, the resource IPs are added to allow-list JIT and are cleaned up daily
- On-Premises Infrastructure. Virtual machines can optionally connect to the tenant's on-premises infrastructure for specific use cases like License Servers or Storage services
- See for more details: License Server Access from anDREa
- The On-Premise Infrastructure is fully managed by the Tenant
- All ingress of data is authorized and all egress of data is through an approval flow enabled by the managed data transfer services
User exposure (examples)
The myDRE High-level Architecture is the design behind the user interfaces like:
Workspace Infrastructure
The users will see all the Workspaces they are member of; including Workspaces belonging to different Organisations.
Research Infrastructure
Depending on the role, users can (re)configure their resources in a friendly and easy way. Like resizing a Virtual Machine, changing the deallocation time, ingress and egress data, add and remove members, add and manage external access (e.g. IP whitelisting).
Related Articles
myDRE - pencilling out the Shared Tenant
First version: 2021-05-27 Last updated: 2021-05-27 Introduction The following short videos give a quick mental picture of myDRE as a Shared Tenant. The view point taken is that how the enrolment takes place; the technical process on how to make myDRE ...myDRE and IAM
Current implementation Every user will get their own @mydre.org username. Security - every user is subject to the same policies No guest-accounts Minimally every 24h Multi-Factor Authentication (MFA) is required Trusted devices cannot be created ...myDRE & Firewalls
Introduction For domain and URL-whitelisting a Firewall is required. anDREa can provide the following options Using your own organization's firewall with Bastion Architecture (preferred) Using your own organization's firewall Deploying an Azure ...Bastion Architecture
Introduction Azure Bastion is a service that allows you to connect to a virtual machine using your browser. Bastion provides secure RDP and SSH connectivity to all of the virtual machines in your workspace without exposing RDP or SSH ports to the ...anDREa & myDRE - an Introduction
Introduction The ultimate proof is in the eating as goes for myDRE. However, you might want to get a taste first. The short videos below give a quick insight. Why myDRE was created Duration: 1:31 (2022-11-15) History of anDREa BV Duration: 4:46 ...