BusinessConnect support for Microsoft Azure cloud platform


Article ID: KB0081436


Product: TIBCO BusinessConnect
Version: 6.4.0

Description

You can deploy TIBCO BusinessConnect on Azure cloud, taking into account security, load balancing, and fault tolerance. Because broadcasting and multicasting are not supported on Azure, the system uses TIBCO Rendezvous Routing Daemon (RVRD) for communication.

Architecture details

The following image shows one of the architectures to deploy TIBCO BusinessConnect on Azure cloud:

User-added image

The deployment consists of an Azure Virtual Network (Vnet) with public and private subnets, an Azure SQL database, Azure Storage Files, an Azure Application Gateway, and an Azure Load Balancer.

Azure Vnet

TIBCO BusinessConnect can be deployed within a Vnet consisting of public and private subnets. A Vnet enables you to create subnets and configure communication rules within the subnets.

Public Subnet

The public subnet contains components that must be accessible over the internet. In a BusinessConnect deployment, the BusinessConnect Gateway Server is in the public subnet because it must be accessible over the internet.

For the public subnet, an Azure Network security group is configured to open specific ports for communication.

Private Subnets for Interior Server and TIBCO Administrator

A private subnet contains components that do not need direct access to the internet. BusinessConnect Interior Server and TIBCO Administrator are deployed in a private subnet.

For a private subnet, an Azure Network security group is configured to open specific ports for communication.

Private Process communication

To facilitate communication between Private Process and Interior Server instances, a TIBCO Enterprise Message Service (EMS) server is deployed in a private subnet.

Azure SQL Database

For security purposes, the BusinessConnect database must be accessible only within the Vnet. A Network security group is configured to open specific ports for communication with the VMs in the private subnet.

Azure Application Gateway

Application Gateway is required to balance the load between different machines in the public subnet. Application Gateway can direct web traffic to specific resources by assigning listeners to ports.

The IP address of the Application Gateway is used as the endpoint URL that trading partners use to communicate with BusinessConnect.

Azure Load Balancer for Outgoing Connections

Azure Load Balancer enables the machines in a private subnet to connect to the internet. The Load Balancer performs the required IP translations. IP translation lets a trading partner whitelist the IP address of the Load Balancer for security purposes.

IP addresses of the machines in a private subnet are never exposed, but the public IP address of the Load Balancer is seen by the trading partner.

RVRD setup

Azure cloud does not support broadcasting or multicasting on the network.

To enable communication between Interior Server instances and TIBCO Administrator, and between Gateway Server instances and Interior Server instances, you must set up RVRD neighbor interfaces on each of these instances.

Azure Storage Files

Azure Storage is used to create the Shared and Temp folders. These folders should be accessible by all the IS engines and the BW Private Process.

Issue/Introduction

BusinessConnect and its protocols are supported on the Microsoft Azure cloud platform. This article discusses considerations when installing BusinessConnect on this platform.

Environment

Microsoft Azure platforms

Resolution

Creating Azure Vnet with public and private subnets

  1. Log in to your Azure subscription account.
  2. Create a new virtual network, which is required to set up TIBCO BusinessConnect securely.
    a. On the Azure portal, select "Create a resource", then select Virtual network under "Networking" and create it with a default subnet (named Public).
    b. Follow the directions in the portal to create the public and private subnets.
       You must create one public subnet, two private subnets, and an AppGateway subnet for Azure Application Gateway:
         i. First, create one public subnet while creating the Vnet.
        ii. Then, add three more subnets, two private and one for AppGateway, by using the "+Subnet" option on the previously created Vnet.
       For ease of understanding, the following subnet naming convention is recommended:
         • PublicSubnet
         • AppGatewaySubnet
         • PrivateSubnetPP
         • PrivateSubnetIS

Note: Azure does not provide a default VNet, and a VNet has no built-in private or public subnets. By default, resources connected to a VNet have access to the internet. Network Security Group rules associated with subnets control access to the resources within each subnet.

Creating VM instances in private and public subnets

BusinessConnect consists of the following components:

  • Gateway Server
  • Interior Server
  • TIBCO Administrator
  • Database Server

Of these components, only the Gateway Server must be accessible over the internet. In other words, only the Gateway Server directly serves requests over the internet.

Note: Alternatively, if you want to access TIBCO Administrator over the internet, you can deploy TIBCO Administrator in PublicSubnet.

You must create two Gateway Server instances inside PublicSubnet. Next, create two or more Interior Server instances and one TIBCO Administrator server instance in PrivateSubnetIS, depending on the load and requirements.

Make sure that the Interior Server VMs you create are associated with an "Availability set". This is mandatory, because the machines are later associated with the Azure Load Balancer through the availability set.

Setting up RVRD connections

Azure cloud does not support broadcasting or multicasting. By default, TIBCO Rendezvous® works on broadcasting and multicasting. To enable Rendezvous® to work successfully, configure RVRD between different instances.

A BusinessConnect setup needs RVRD communication between each of the following components:

  • TIBCO Administrator and Interior Server
  • Gateway Server and Interior Server

On every VM instance, start RVRD and add neighbor interfaces, depending on the component with which the instance needs to communicate.

Further, the following subjects should be allowed:

    • AX.BC.> (BC installation name)
    • com.tibco.pof.>
    • com.tibco.repo.>
    • _HAWK.>
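Before restricting the RVRD neighbor interfaces to these subjects, it helps to check which subjects seen in your environment the list would forward and which it would drop. The following is an added example, not TIBCO code: it applies the Rendezvous wildcard rules (`*` matches one element, a trailing `>` matches one or more elements) to the list above, and the observed subject names are constructed for illustration.

```python
# Added example: Rendezvous-style subject matching against the allow list above.
# The patterns are copied from the article; OBSERVED is constructed sample data.
ALLOWED_SUBJECTS = ["AX.BC.>", "com.tibco.pof.>", "com.tibco.repo.>", "_HAWK.>"]


def subject_matches(pattern: str, subject: str) -> bool:
    """'*' matches exactly one element; '>' (final element only) matches
    one or more trailing elements. Empty elements are never valid."""
    p_parts, s_parts = pattern.split("."), subject.split(".")
    if "" in p_parts or "" in s_parts:
        return False
    for i, p in enumerate(p_parts):
        if p == ">":
            return i == len(p_parts) - 1 and len(s_parts) > i
        if i >= len(s_parts) or (p != "*" and p != s_parts[i]):
            return False
    return len(s_parts) == len(p_parts)


def audit_subjects(observed, allowed=ALLOWED_SUBJECTS):
    """Return (passed, dropped): subjects the allow list forwards or filters."""
    passed, dropped = [], []
    for subject in observed:
        ok = any(subject_matches(p, subject) for p in allowed)
        (passed if ok else dropped).append(subject)
    return passed, dropped


# Constructed subject names (hypothetical installation name "BC-Acme").
OBSERVED = [
    "AX.BC.BC-Acme.INTERIOR.STATUS",
    "com.tibco.repo.instance_mgmt.acme",
    "_HAWK.acme.agent.heartbeat",
    "AX.BC",                    # dropped: '>' needs at least one more element
    "com.tibco.other.thing",    # dropped: no pattern covers this prefix
    "ORDERS.EU.NEW",            # dropped: application subject outside the list
]

if __name__ == "__main__":
    passed, dropped = audit_subjects(OBSERVED)
    print("forwarded:", passed)
    print("dropped:  ", dropped)
```

Subjects that land in the dropped list and are needed across subnets indicate a gap in the list; subjects that pass unexpectedly indicate a pattern that is broader than intended.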

Adding instances to TIBCO Administrator domain

You must add the instances to the TIBCO Administrator domain so that they can be monitored from the TIBCO Administrator UI. The detailed procedure to add the instances to the domain is available in Chapter 2, “Adding a Machine to a Domain” of the Domain Utility User’s Guide.

To access the guide, open the following URL and navigate to TIBCO Runtime Agent > Domain Utility User’s Guide:

Creating SQL database on Azure cloud

Next, you must create a database. On Azure cloud, you can use the SQL Database service, which comes with the added advantages of high availability (HA) and managed maintenance. For this configuration, create an Azure SQL Database. For more information, see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-get-started-portal

Using the Azure portal, create a SQL Database by selecting Databases under marketplace. Once the SQL database starts running, connect to it.

Setting up Network security groups

Each subnet has an associated network security group created for you. Network security groups ensure security by allowing or disallowing the flow of traffic on particular entities and from IP addresses.

Configure the incoming and outgoing ports for the Network security groups as per deployment requirements. Read more at https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-network-security-groups
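Once the rules are in place, they can be checked against the exposure model this article describes: only PublicSubnet should be reachable from the internet, and only on the ports you intend. The following is an added example, not part of the TIBCO procedure. It uses the field names found in the JSON printed by `az network nsg rule list`; the rules, rule names, probed ports and the allowed public port (443) are constructed assumptions.

```python
# Added example: audit NSG rules against the exposure model in this article.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}
PUBLIC_ALLOWED_PORTS = {443}   # assumption: only HTTPS is meant to be public

def rule(name, priority, access, source, ports):
    """Build one inbound rule using the field names of the az CLI JSON."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "sourceAddressPrefix": source,
            "destinationPortRange": ports}

# Constructed sample rules, keyed by the subnet each NSG is attached to.
NSG_RULES = {
    "PublicSubnet": [rule("allow-https", 100, "Allow", "Internet", "443"),
                     rule("allow-admin", 200, "Allow", "*", "3389")],
    "PrivateSubnetIS": [rule("deny-ssh", 100, "Deny", "Internet", "22"),
                        rule("temp-open", 200, "Allow", "*", "*"),
                        rule("allow-vnet", 300, "Allow", "VirtualNetwork", "*")],
    "PrivateSubnetPP": [rule("allow-vnet", 100, "Allow", "VirtualNetwork", "*")],
}

def covers(port_range, port):
    """True if an NSG port spec ('*', '443' or '8000-8100') includes port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_ports(rules, probe_ports):
    """Map each probed port reachable from the internet to the deciding rule.
    NSGs evaluate rules in ascending priority and stop at the first match."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"
                      and r["sourceAddressPrefix"] in INTERNET_SOURCES),
                     key=lambda r: r["priority"])
    exposed = {}
    for port in probe_ports:
        hit = next((r for r in inbound
                    if covers(r["destinationPortRange"], port)), None)
        if hit and hit["access"] == "Allow":
            exposed[port] = hit["name"]
    return exposed

def audit(nsg_rules, probe_ports=(22, 443, 1433, 3389)):
    """Flag internet exposure on private subnets and unexpected public ports."""
    findings = []
    for subnet, rules in nsg_rules.items():
        for port, name in sorted(exposed_ports(rules, probe_ports).items()):
            if subnet != "PublicSubnet" or port not in PUBLIC_ALLOWED_PORTS:
                findings.append((subnet, port, name))
    return findings
```

The check reads only the single-value `sourceAddressPrefix` and `destinationPortRange` fields; rules that use the plural list fields or other service tags need to be expanded before they are passed in.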

Setting up the Azure Application Gateway

An Application Gateway is required to balance the load between different Gateway Server instances. On the Azure portal, configure the Application Gateway and add the Gateway Server instances to it. The Application Gateway has the endpoint URL, which a trading partner uses to communicate with BusinessConnect.

Application Gateway requires an empty subnet. For more information, see https://docs.microsoft.com/en-us/azure/application-gateway/quick-create-portal

Further, Azure Application Gateway can be configured to terminate SSL connections at the Application Gateway for security and performance.

Creating an Azure Load Balancer for outgoing connections

By default, every resource on a Vnet has internet access, which can be controlled using NSG rules.

To enable connections through a single IP address to a trading partner on a different network, you must create an Azure Load Balancer. This enables the trading partner to whitelist a single IP address for security.

For more information, see https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-create-basic-load-balancer-portal

On the Azure portal, create an Azure Load Balancer and associate the Interior Server VMs on PrivateSubnetIS with it.

Note: The Interior Server machines on PrivateSubnetIS should be associated with an availability set, so that they can be associated with the Azure Load Balancer through the back-end pool settings.

An outgoing internet connection is required for Interior Server plug-ins.

Setting up Azure Storage File system

The Azure Storage File system should be accessible by all the engines on PrivateSubnetIS and is shared among the Interior Server and Private Process machines.

Create a storage account on the Azure portal, associated with the required resource group. For more information, see https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account?tabs=portal

Once the storage account is created, create a folder and mount the path on all the Interior Servers to access Azure storage. These folders are then configured as the Shared and Temp folders using TIBCO Administrator.

Additional Information

We would like to acknowledge the effort provided by the BusinessConnect Engineering and QA departments for creating this article.
