Instead of hosting demilitarized zone workloads in on-premises VMs, Platform as a Service offerings can provide simpler, more flexible management.
With Platform as a Service (PaaS), you get access to a shared development platform. Demilitarized zone (DMZ) workloads tend to be Web-based, and so is PaaS, so it can be a good idea to offload that DMZ traffic elsewhere with Platform as a Service. Plus, you can account for bursts in DMZ workloads by simply adding more processing power with PaaS.
A DMZ setup benefits from Platform as a Service because there’s less infrastructure for you to manage. Instead of being responsible for the entire virtual machine (VM) in a DMZ setup, you can simply manage the single, hosted application.
We already take this lightweight approach with other services. You probably don’t task a VM with grabbing anti-malware signatures, for example; you point that anti-malware server toward its vendor’s services. Services that someone else provides may be more difficult to see and feel than a VM, but they’re no less useful for the day-to-day activities of your business.
Why use PaaS for your DMZ setup?
Platform as a Service offerings such as Microsoft’s Windows Azure abstract the resources a VM needs in a DMZ setup at a slightly higher level. Here’s how PaaS makes DMZ workload management simpler:
Consider a Web server that exists in your DMZ setup today. Keeping that Web server operational requires all the typical management tasks an entire VM requires, even tasks that exist outside the scope of the server itself, such as configuration management. With VMs hosting your DMZ setup, you end up managing a whole lot more than you’d need to with Platform as a Service.
Platform as a Service makes sense for DMZs because, if a VM is really an abstraction of processing, memory, storage, and networking, it stands to reason that layers of abstraction could exist elsewhere as well. Platform as a Service can deliver what the Web server needs without all those extra surrounding bits and the effort of managing extraneous tasks. Its abstraction can potentially deliver everything a VM provides, as an abstracted equivalent of the four core resources your DMZ setup requires.
Pros and cons of Platform as a Service for DMZ setup
Cloud computing benefits -- such as fully automated scaling and the ability to add CPU power when website traffic spikes -- are great, but they’re also not simple to achieve with most VMs. You usually can’t just increase the size of a physical server when you need additional capacity.
Once it fits in the platform’s framework and is coded to support its capabilities, your DMZ application can automatically provide additional resources when necessary. It can also spawn additional instances of itself to scale horizontally when user load increases. Platform as a Service brings all these cloud computing benefits while sitting atop an infrastructure someone else owns -- and it’s also priced to enjoy the benefits of economies of scale.
You must still keep that DMZ setup secure. Access to internal resources must be made available, and you should secure that access. Your DMZ application’s code must be free of exploitable vulnerabilities, as must the platform itself. Segregating data from processing can add further protection.
Platform as a Service indeed delivers a lightweight abstraction, but it does so at a cost. Offerings such as Windows Azure usually require DMZ applications to be specially coded to fit within the platform’s framework. If an application isn’t already coded to operate on the PaaS, then you have to recode it to work, which can get pretty complex.
This kind of DMZ setup is one of your best starting points for evolving past simple virtualization to reap the benefits of cloud computing. Your VMs are indeed something you can see and feel, but adding your DMZ setup to a Platform as a Service brings less complexity and more flexibility.
This was first published in July 2011