BusinessConnect support for Amazon Web Services


Article ID: KB0081437


Products: TIBCO BusinessConnect
Versions: 6.4.0

Description

You can deploy TIBCO BusinessConnect on Amazon Web Services (AWS), taking security, load balancing, and fault tolerance into account. Because broadcasting and multicasting are not supported on AWS, the deployment uses the Rendezvous Routing Daemon (RVRD) for communication between components.

Architecture details

The following image shows one of the architectures to deploy TIBCO BusinessConnect on AWS cloud (a jpeg file is attached for easier readability):

[Architecture diagram: TIBCO BusinessConnect deployment on AWS]

The deployment consists of an Amazon Virtual Private Cloud (VPC) with public and private subnets, a NAT gateway, an Amazon internet gateway, an Amazon RDS database, and an Amazon load balancer.

Amazon VPC

TIBCO BusinessConnect can be deployed within a VPC consisting of public and private subnets. A VPC lets you create subnets and define the communication rules between and within them.

Public Subnet

The public subnet contains the components that must be reachable from the internet. In a BusinessConnect deployment, the BusinessConnect Gateway Server is placed in the public subnet because trading partners reach it over the internet.

For the public subnet, an Amazon EC2 security group is configured to open only the specific ports required for communication.

Private Subnet for Interior Server

A private subnet contains components that do not need to be reachable from the internet. The BusinessConnect Interior Server and TIBCO Administrator are deployed in a private subnet.

The Interior Server might run plug-ins that must make outbound connections over the internet. This is provided by a NAT gateway in the public subnet. For the private subnet, an Amazon EC2 security group is configured to open only the specific ports required for communication.

Private Subnet for Database Server

For security purposes, the BusinessConnect database must be reachable only from within the VPC. This private subnet is not attached to a NAT gateway, so it has no route to the internet in either direction. An Amazon EC2 security group is still configured to open only the specific ports required for database communication.

NAT Gateway

A NAT gateway lets machines in a private subnet initiate connections to the internet; the NAT gateway performs the required IP address translation.

The private IP addresses of the machines in the private subnet are never exposed; only the public IP address of the NAT gateway is visible to the outside.

Internet Gateway

An internet gateway on Amazon cloud enables communication between the VPC and the internet. The internet gateway is associated with the public subnet.

RVRD setup

Amazon cloud does not support broadcasting or multicasting on the network.

To enable communication between the Interior Server instances and TIBCO Administrator, and between the Gateway Server instances and the Interior Server instances, you must set up RVRD neighbor interfaces on each of these instances.

Private Process communication

To enable communication between private processes and the Interior Server instances, a TIBCO Enterprise Message Service (EMS) server is deployed in a private subnet.

Issue/Introduction

BusinessConnect and its plug-ins are supported for use on Amazon Web Services. This article discusses what considerations are needed when installing BusinessConnect (BC) on this platform.

Environment

Amazon Web Services Platforms

Resolution

Creating Amazon VPC with public and private subnets

  1. Log in to your Amazon account.
  2. Create a new virtual private cloud (VPC), which is required to set up TIBCO BusinessConnect securely.
    1. On Amazon cloud, start the VPC wizard and select VPC with Public and Private Subnets.
    2. Follow the directions in the wizard to create the public and private subnets. You must create one public subnet and three private subnets.
      1. First, add one public subnet and one private subnet.
      2. Then, in different zones on Amazon cloud, add two more private subnets by using the Create Subnet option and selecting the previously created VPC.
        For ease of understanding, the following subnet naming convention is recommended:
        • PublicSubnet
        • PrivateSubnetIS
        • PrivatSubnetNoInternet_ZONE1
        • PrivatSubnetNoInternet_ZONE2

Note: Amazon mandates that an RDS database be deployed in a subnet group that has at least two subnets in different zones.

Creating EC2 instances in private and public subnets

BusinessConnect consists of the following components:

  • Gateway Server
  • Interior Server
  • TIBCO Administrator
  • Database Server

Of these components, only the Gateway Server must be reachable over the internet. In other words, only the Gateway Server directly serves requests from the internet.

Note: Alternatively, if you want to access TIBCO Administrator over the internet, you can deploy TIBCO Administrator in PublicSubnet.

You must create two Gateway Server instances inside PublicSubnet. Next, in PrivateSubnetIS, create two or more Interior Server instances and one TIBCO Administrator server instance, depending on the load and requirements.

Adding instances to TIBCO Administrator domain

You must add the instances to the TIBCO Administrator domain so that they can be monitored from the TIBCO Administrator UI. The detailed procedure for adding instances to the domain is available in Chapter 2, “Adding a Machine to a Domain”, of the Domain Utility User’s Guide.

To access the guide, open the following URL and navigate to TIBCO Runtime Agent > Domain Utility User’s Guide.

Creating RDS database in a private subnet

Next, you must create a database server on Amazon cloud. For this configuration, create an Amazon RDS for MySQL instance. Use the MySQL JDBC driver available from the MySQL website.

Using the RDS dashboard on Amazon cloud, create a subnet group containing the two private subnets that you created earlier: PrivatSubnetNoInternet_ZONE1 and PrivatSubnetNoInternet_ZONE2. Then start the MySQL instance and select the subnet group that you just created.

Make a note of the endpoint, user name, and password.

Setting up RVRD connections

Amazon cloud does not support broadcasting or multicasting. By default, TIBCO Rendezvous® relies on broadcasting and multicasting. To enable Rendezvous® to work, configure RVRD between the different instances.

BusinessConnect setup needs RVRD communication between each of the following components:

    • TIBCO Administrator and Interior Server
    • Gateway Server and Interior Server

On every EC2 instance, start RVRD and add neighbor interfaces for each component with which the instance needs to communicate.

Further, the following subjects must be allowed across the RVRD neighbor connections:

    • AX.BC.> (where BC is the BusinessConnect installation name)
    • com.tibco.pof.>
    • com.tibco.repo.>
    • _HAWK.>
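The subject list above is an allow-list: RVRD forwards only subjects that match one of the patterns. The following Python is an added example (not part of the TIBCO article or of TIBCO's tooling) that applies the documented Rendezvous wildcard rules, where `*` matches exactly one subject element and a trailing `>` matches one or more elements, to the four patterns. The installation name `MyBC` and the sample subjects are constructed for the example.

```python
"""Check candidate Rendezvous subjects against the RVRD subject allow-list
given in the article (AX.<installation>.>, com.tibco.pof.>, com.tibco.repo.>, _HAWK.>).

Added example; it is not part of the original article or of TIBCO's tooling.
Wildcard rules implemented: '*' matches exactly one subject element, and a
trailing '>' matches one or more remaining elements.
"""

# Assumed BusinessConnect installation name, substituted for "BC" in AX.BC.>.
INSTALLATION_NAME = "MyBC"

ALLOWED_SUBJECTS = [
    f"AX.{INSTALLATION_NAME}.>",
    "com.tibco.pof.>",
    "com.tibco.repo.>",
    "_HAWK.>",
]


def subject_matches(pattern, subject):
    """Return True if `subject` matches the Rendezvous wildcard `pattern`."""
    p_elems = pattern.split(".")
    s_elems = subject.split(".")
    for i, p in enumerate(p_elems):
        if p == ">":
            # '>' is only meaningful as the last pattern element and needs
            # at least one subject element left to consume.
            return i == len(p_elems) - 1 and len(s_elems) > i
        if i >= len(s_elems):
            return False          # subject is shorter than the pattern
        if p != "*" and p != s_elems[i]:
            return False          # literal element differs
    # No trailing '>': lengths must match exactly.
    return len(s_elems) == len(p_elems)


def is_allowed(subject, allow_list=ALLOWED_SUBJECTS):
    """True if any pattern in the allow-list matches the subject."""
    return any(subject_matches(p, subject) for p in allow_list)


def filter_subjects(subjects, allow_list=ALLOWED_SUBJECTS):
    """Split subjects into those RVRD would forward and those it would drop."""
    forwarded = [s for s in subjects if is_allowed(s, allow_list)]
    dropped = [s for s in subjects if not is_allowed(s, allow_list)]
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample subjects: two from the installation, one Hawk
    # subject, one from a different installation, and one that only
    # names the installation prefix without a trailing element.
    sample = [
        "AX.MyBC.inbound.order",
        "com.tibco.repo.update",
        "_HAWK.ami.host1",
        "AX.OtherBC.inbound.order",
        "AX.MyBC",
    ]
    ok, rejected = filter_subjects(sample)
    print("forwarded:", ok)
    print("dropped:  ", rejected)
```

Subjects from another installation (`AX.OtherBC.…`) and the bare prefix `AX.MyBC` fall outside the allow-list, which is the behaviour you want when checking that an RVRD neighbor does not leak or accept more traffic than the deployment needs.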

Creating an internet gateway and the NAT gateway

To enable internet access, you must create an internet gateway. For more information, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html.

  1. Using the Amazon cloud dashboard, create an internet gateway. This gateway must be associated with PublicSubnet.
  2. To associate the internet gateway with PublicSubnet, select the PublicSubnet route table and add the internet gateway that you created earlier.
  3. To enable only outgoing internet access from PrivateSubnetIS, create a NAT gateway in PublicSubnet and associate it with PrivateSubnetIS: select the PrivateSubnetIS route table and add the NAT gateway. An outgoing internet connection is required for Interior Server plug-ins such as FTP and SFTP, which need to pull files from, and post files to, external servers.

Setting up security groups

Each subnet has an associated security group created for it. Security groups enforce network security by allowing or denying traffic on particular ports and from particular IP address ranges.

Configure the incoming ports of the security groups according to your deployment requirements. Read more at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html.
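The routing and security-group steps above define a small set of invariants: only PublicSubnet has a default route to the internet gateway, PrivateSubnetIS has a default route only through the NAT gateway, the two PrivatSubnetNoInternet subnets have no default route at all, and the database port is reachable only from PrivateSubnetIS. The following Python is an added example (not part of the TIBCO article) that checks those invariants against an in-memory model of the VPC. The CIDRs, the `igw-`/`nat-` identifiers and the subnet-to-route-table mapping are assumptions; 3306 is MySQL's default port. In a real account the same dictionaries would be filled from the route-table and security-group listings of the VPC.

```python
"""Check the routing and security-group invariants of the VPC layout
described in the article (PublicSubnet, PrivateSubnetIS and the two
PrivatSubnetNoInternet_ZONE* subnets).

Added example, not part of the original article. Everything below is a
constructed in-memory model; CIDRs and resource IDs are assumptions.
"""
from ipaddress import ip_network

# Constructed model: subnet name -> CIDR (assumed addressing).
SUBNETS = {
    "PublicSubnet": "10.0.0.0/24",
    "PrivateSubnetIS": "10.0.1.0/24",
    "PrivatSubnetNoInternet_ZONE1": "10.0.2.0/24",
    "PrivatSubnetNoInternet_ZONE2": "10.0.3.0/24",
}

# Route table per subnet as (destination, target). Targets follow the AWS
# naming: "local" for intra-VPC, "igw-..." internet gateway, "nat-..." NAT
# gateway. The IDs are placeholders.
ROUTES = {
    "PublicSubnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "PrivateSubnetIS": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
    "PrivatSubnetNoInternet_ZONE1": [("10.0.0.0/16", "local")],
    "PrivatSubnetNoInternet_ZONE2": [("10.0.0.0/16", "local")],
}

# Database security-group ingress as (protocol, port, source CIDR).
# Only the Interior Server subnet may reach MySQL (default port 3306).
DB_SG_INGRESS = [("tcp", 3306, "10.0.1.0/24")]


def default_target(subnet, routes=ROUTES):
    """Return the target of the 0.0.0.0/0 route for `subnet`, or None."""
    for dest, target in routes[subnet]:
        if dest == "0.0.0.0/0":
            return target
    return None


def check_routes(routes=ROUTES):
    """Return a list of routing violations against the article's design."""
    problems = []
    for name in SUBNETS:
        tgt = default_target(name, routes) or ""
        if name == "PublicSubnet":
            if not tgt.startswith("igw-"):
                problems.append(f"{name}: default route must go to the internet gateway")
        elif name == "PrivateSubnetIS":
            if not tgt.startswith("nat-"):
                problems.append(f"{name}: default route must go to the NAT gateway")
        elif tgt:
            # Database subnets must have no route to the internet at all.
            problems.append(f"{name}: must have no default route (database subnet)")
    return problems


def check_db_ingress(rules=DB_SG_INGRESS):
    """Flag database ingress that is not confined to PrivateSubnetIS on 3306."""
    allowed = ip_network(SUBNETS["PrivateSubnetIS"])
    problems = []
    for proto, port, src in rules:
        if proto != "tcp" or port != 3306:
            problems.append(f"unexpected rule {proto}/{port} from {src}")
        elif not ip_network(src).subnet_of(allowed):
            problems.append(f"3306 open to {src}, outside PrivateSubnetIS")
    return problems


if __name__ == "__main__":
    for issue in check_routes() + check_db_ingress():
        print("VIOLATION:", issue)
    print("checked", len(SUBNETS), "subnets and", len(DB_SG_INGRESS), "DB ingress rules")
```

The same two functions also catch the common drift cases: a NAT route accidentally added to a database subnet, or a database rule widened to `0.0.0.0/0`, both of which silently undo the "accessible only within the VPC" property the article requires.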

Setting up the load balancer

A load balancer is required to distribute load between the Gateway Server instances. Using the EC2 load balancer dashboard, configure the load balancer with the Gateway Server instances as its targets. The load balancer provides the endpoint URL that a trading partner uses to communicate with BusinessConnect.

Further, the EC2 load balancer can be configured to terminate SSL connections at the load balancer. This ensures that the connection between BusinessConnect™ on AWS and the trading partner is secured.

Additional Information

We would like to acknowledge the effort provided by the BusinessConnect Engineering and QA departments for creating this article.

Attachments

BusinessConnect support for Amazon Web Services