Designing a Bank Web Application on Azure with PCI-DSS Compliance

Introduction

In today’s fintech landscape, ensuring that your banking application adheres to compliance standards like PCI-DSS (Payment Card Industry Data Security Standard) is critical. This guide walks you through designing a secure, three-tier bank web application on Microsoft Azure using PCI-DSS compliance principles.

We’ll set up a three-tier architecture:

1. Frontend VM (Node.js and NPM)
2. Backend VM (Java JDK)
3. Database VM (MySQL Database)

The architecture will include a single VNet with three subnets, three NSGs for network security, and a strong firewall strategy.

---

Overview of Architecture

Key Components:

• Virtual Network (VNet):
  • 3 Subnets: Frontend Subnet, Backend Subnet, and Database Subnet.
• Virtual Machines (VMs):
  • VM1: Hosts Node.js and NPM (Frontend)
  • VM2: Hosts Java JDK (Backend)
  • VM3: Hosts MySQL (Database)
• Network Security Groups (NSGs):
  • Frontend NSG: Protects the frontend.
  • Backend NSG: Protects the backend.
  • Database NSG: Secures database access.
• PCI-DSS Compliance:
  • Secure transmission of sensitive data.
  • Strong firewall configuration.
  • Segmented architecture to limit lateral movement.

---

Step 1: Create the Virtual Network (VNet)

1. Log into Azure Portal.
2. Create a Virtual Network:
   • Navigate to Networking > Virtual Networks > Create.
   • Name: BankApp-VNet.
   • Address Space: 192.168.0.0/16.
   • Subnets:
     • Frontend Subnet: 192.168.2.0/24.
     • Backend Subnet: 192.168.1.0/24.
     • Database Subnet: 192.168.0.0/24.
   • Click Review + Create.

---

Step 2: Create Virtual Machines

VM1: Frontend (Node.js and NPM)

1. Navigate to Compute > Virtual Machines > Create.
2. Configuration:
   • Name: Frontend-VM.
   • Size: Standard_B2s (or equivalent).
   • Image: Ubuntu Server 22.04.
   • Subnet: Frontend Subnet.
3. Install Node.js and NPM:

   sudo apt update && sudo apt upgrade -y
   sudo apt install -y nodejs npm
   node -v
   npm -v

VM2: Backend (Java JDK)

1. Repeat the steps above for Backend-VM:
   • Subnet: Backend Subnet.
2. Install Java JDK:

   sudo apt update && sudo apt upgrade -y
   sudo apt install -y openjdk-17-jdk
   java -version

VM3: Database (MySQL)

1. Create Database-VM:
   • Subnet: Database Subnet.
2. Install MySQL:

   sudo apt update && sudo apt upgrade -y
   sudo apt install -y mysql-server
   sudo mysql_secure_installation

---

Step 3: Configure Network Security Groups (NSGs)

Frontend NSG

1. Navigate to Networking > Network Security Groups > Create.
2. Configure rules:
   • Allow HTTP (80) and HTTPS (443) inbound.
   • Deny all other inbound traffic.
   • Outbound: Allow only to backend subnet.

Backend NSG

1. Create another NSG for Backend-VM:
   • Allow TCP port 8080 from frontend subnet.
   • Deny all other inbound traffic.
   • Outbound: Allow only to database subnet.

Database NSG

1. Create the final NSG for Database-VM:
   • Allow MySQL (port 3306) inbound from backend subnet.
   • Deny all other inbound traffic.
   • Outbound: Deny all (or allow restricted outbound).

---

Step 4: Application Deployment

Frontend Deployment

1. Set up your Node.js app on Frontend-VM:

   mkdir bank-frontend
   cd bank-frontend
   npm init -y
   npm install express

1. Create a sample index.js file:

   const express = require('express');
   const app = express();
   const PORT = 80;

   app.get('/', (req, res) => res.send('Bank Frontend Running!'));
   app.listen(PORT, () => console.log(`Server running on port ${PORT}`));

1. Run the application:

   node index.js

Backend Deployment

1. Create a sample Java REST API on Backend-VM:
   • Write and compile your REST API (e.g., using Spring Boot or JAX-RS).

Database Configuration

1. Connect the Backend API to the MySQL Database:

   • Create a database for your bank application:

    CREATE DATABASE bank_app;
    CREATE USER 'bank_user'@'%' IDENTIFIED BY 'secure_password';
    GRANT ALL PRIVILEGES ON bank_app.* TO 'bank_user'@'%';
    FLUSH PRIVILEGES;
   

---

Step 5: Implement PCI-DSS Controls

1. Data Encryption

• Enable SSL/TLS for communication between components:
  • Install Let's Encrypt SSL certificates for the frontend server.
  • Configure MySQL to use SSL for secure database connections.

2. Secure Authentication

• Use strong passwords for all VMs and database users.
• Configure Azure Key Vault to store sensitive secrets like database credentials.

3. Logging and Monitoring

• Enable Azure Monitor to log network traffic and application activity.
• Set up alerts for unusual behavior or unauthorized access attempts.

4. Segmentation

• Subnets are already segmented; ensure NSG rules strictly enforce this segmentation.

---

Step 6: Test and Validate

Test Connectivity

1. Verify that:
   • Frontend can communicate with the backend via the Backend NSG rules.
   • Backend can connect to the database securely using Database NSG.

Run PCI-DSS Tests

• Use tools like AlienVault OSSIM or OpenVAS to validate compliance.

---

Step 7: Secure the Environment

• Regularly update VMs and software.
• Enable Azure Backup to back up critical data.
• Conduct periodic penetration tests to identify vulnerabilities.

---

Conclusion

This architecture ensures a secure, scalable, and PCI-DSS-compliant bank web application. By using Azure’s robust infrastructure and best practices, you can focus on delivering value to your users while safeguarding sensitive financial data.