Moses Daniel
**Designing a Bank Web Application on Azure with PCI-DSS Compliance**

Introduction

In today’s fintech landscape, ensuring that your banking application adheres to compliance standards like PCI-DSS (Payment Card Industry Data Security Standard) is critical. This guide walks you through designing a secure, three-tier bank web application on Microsoft Azure using PCI-DSS compliance principles.

We’ll set up a three-tier architecture:

  1. Frontend VM (Node.js and NPM)
  2. Backend VM (Java JDK)
  3. Database VM (MySQL Database)

The architecture will include a single VNet with three subnets, three NSGs for network security, and a strong firewall strategy.


Overview of Architecture

Key Components:

  • Virtual Network (VNet):
    • 3 Subnets: Frontend Subnet, Backend Subnet, and Database Subnet.
  • Virtual Machines (VMs):
    • VM1: Hosts Node.js and NPM (Frontend)
    • VM2: Hosts Java JDK (Backend)
    • VM3: Hosts MySQL (Database)
  • Network Security Groups (NSGs):
    • Frontend NSG: Protects the frontend.
    • Backend NSG: Protects the backend.
    • Database NSG: Secures database access.
  • PCI-DSS Compliance:
    • Secure transmission of sensitive data.
    • Strong firewall configuration.
    • Segmented architecture to limit lateral movement.

Step 1: Create the Virtual Network (VNet)

  1. Log in to the Azure Portal.
  2. Create a Virtual Network:
    • Navigate to Networking > Virtual Networks > Create.
    • Name: BankApp-VNet.
    • Address Space: 192.168.0.0/16.
    • Subnets:
      • Frontend Subnet: 192.168.2.0/24.
      • Backend Subnet: 192.168.1.0/24.
      • Database Subnet: 192.168.0.0/24.
    • Click Review + Create.

Step 2: Create Virtual Machines

VM1: Frontend (Node.js and NPM)

  1. Navigate to Compute > Virtual Machines > Create.
  2. Configuration:
    • Name: Frontend-VM.
    • Size: Standard_B2s (or equivalent).
    • Image: Ubuntu Server 22.04.
    • Subnet: Frontend Subnet.
  3. Install Node.js and NPM:
   sudo apt update && sudo apt upgrade -y
   sudo apt install -y nodejs npm
   node -v
   npm -v

VM2: Backend (Java JDK)

  1. Repeat the steps above for Backend-VM:
    • Subnet: Backend Subnet.
  2. Install Java JDK:
   sudo apt update && sudo apt upgrade -y
   sudo apt install -y openjdk-17-jdk
   java -version

VM3: Database (MySQL)

  1. Create Database-VM:
    • Subnet: Database Subnet.
  2. Install MySQL:
   sudo apt update && sudo apt upgrade -y
   sudo apt install -y mysql-server
   sudo mysql_secure_installation

Step 3: Configure Network Security Groups (NSGs)

Frontend NSG

  1. Navigate to Networking > Network Security Groups > Create.
  2. Configure rules:
    • Allow HTTP (80) and HTTPS (443) inbound.
    • Deny all other inbound traffic.
    • Outbound: Allow only to backend subnet.

Backend NSG

  1. Create another NSG for Backend-VM:
    • Allow TCP port 8080 from frontend subnet.
    • Deny all other inbound traffic.
    • Outbound: Allow only to database subnet.

Database NSG

  1. Create the final NSG for Database-VM:
    • Allow MySQL (port 3306) inbound from backend subnet.
    • Deny all other inbound traffic.
    • Outbound: Deny all (or allow restricted outbound).

Step 4: Application Deployment

Frontend Deployment

  1. Set up your Node.js app on Frontend-VM:
   mkdir bank-frontend
   cd bank-frontend
   npm init -y
   npm install express
  2. Create a sample index.js file:
   // Minimal Express server for the frontend tier.
   const express = require('express');
   const app = express();
   const PORT = 80; // binding to port 80 on Linux requires root or CAP_NET_BIND_SERVICE

   app.get('/', (req, res) => res.send('Bank Frontend Running!'));
   app.listen(PORT, () => console.log(`Server running on port ${PORT}`));
  3. Run the application:
   node index.js

Backend Deployment

  1. Create a sample Java REST API on Backend-VM:
    • Write and compile your REST API (e.g., using Spring Boot or JAX-RS).

Database Configuration

  1. Connect the Backend API to the MySQL Database:

    • Create a database and an application user for your bank application:
     CREATE DATABASE bank_app;
     -- '%' lets bank_user connect from any host; reachability is limited to the
     -- backend subnet by the Database NSG rule (3306 inbound from backend only).
     CREATE USER 'bank_user'@'%' IDENTIFIED BY 'secure_password';
     GRANT ALL PRIVILEGES ON bank_app.* TO 'bank_user'@'%';
     FLUSH PRIVILEGES;

Step 5: Implement PCI-DSS Controls

1. Data Encryption

  • Enable SSL/TLS for communication between components:
    • Install Let's Encrypt SSL certificates for the frontend server.
    • Configure MySQL to use SSL for secure database connections.

2. Secure Authentication

  • Use strong passwords for all VMs and database users.
  • Configure Azure Key Vault to store sensitive secrets like database credentials.

3. Logging and Monitoring

  • Enable Azure Monitor to log network traffic and application activity.
  • Set up alerts for unusual behavior or unauthorized access attempts.

4. Segmentation

  • Subnets are already segmented; ensure NSG rules strictly enforce this segmentation.

Step 6: Test and Validate

Test Connectivity

  1. Verify that:
    • Frontend can communicate with the backend via the Backend NSG rules.
    • Backend can connect to the database securely using Database NSG.
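An offline check of the Step 3 rules against the Step 1 address ranges, added here as an example that is not part of the original post. It models Azure's inbound NSG evaluation (lowest priority number first, first match wins, plus the platform's default AllowVnetInBound 65000 and DenyAllInBound 65500 rules) and shows why the "Deny all other inbound traffic" rule must be created explicitly: without it, the default VNet rule lets the frontend reach the database. The rule priorities, sample IP addresses, and treating the VirtualNetwork tag as the VNet address space are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address ranges from Step 1 of the post.
VNET = ipaddress.ip_network("192.168.0.0/16")
FRONTEND = ipaddress.ip_network("192.168.2.0/24")
BACKEND = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    priority: int                  # lower number is evaluated first; first match wins
    source: ipaddress.IPv4Network  # source prefix the rule applies to
    port: Optional[int]            # destination port; None matches any port
    allow: bool

# Inbound allow rules from Step 3 (priority numbers are constructed for this example).
CUSTOM_RULES = {
    "frontend": [Rule(100, ANY, 80, True), Rule(110, ANY, 443, True)],
    "backend": [Rule(100, FRONTEND, 8080, True)],
    "database": [Rule(100, BACKEND, 3306, True)],
}

# Default rules Azure attaches to every NSG; the VirtualNetwork tag is modelled
# here as the VNet address space (a simplification).
DEFAULT_RULES = [Rule(65000, VNET, None, True),   # AllowVnetInBound
                 Rule(65500, ANY, None, False)]   # DenyAllInBound

def inbound_allowed(nsg: str, src_ip: str, dst_port: int, explicit_deny: bool = True) -> bool:
    rules = list(CUSTOM_RULES[nsg])
    if explicit_deny:  # the post's "Deny all other inbound traffic" rule
        rules.append(Rule(4000, ANY, None, False))
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if src in rule.source and rule.port in (None, dst_port):
            return rule.allow
    return False  # unreachable: DenyAllInBound matches every flow

def segmentation_report(explicit_deny: bool = True) -> dict:
    # First three flows are the intended paths; the rest must be blocked.
    flows = {
        "internet->frontend:443": ("frontend", "203.0.113.7", 443),
        "frontend->backend:8080": ("backend", "192.168.2.10", 8080),
        "backend->database:3306": ("database", "192.168.1.10", 3306),
        "internet->backend:8080": ("backend", "203.0.113.7", 8080),
        "frontend->database:3306": ("database", "192.168.2.10", 3306),
        "backend->database:22": ("database", "192.168.1.10", 22),
    }
    return {name: inbound_allowed(nsg, ip, port, explicit_deny)
            for name, (nsg, ip, port) in flows.items()}
```

Run `segmentation_report(explicit_deny=False)` to see the frontend-to-database flow pass through the default VNet rule, then compare with the default `explicit_deny=True`.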

Run PCI-DSS Tests

  • Use tools like AlienVault OSSIM (security monitoring) or OpenVAS (vulnerability scanning) to support your compliance validation.

Step 7: Secure the Environment

  • Regularly update VMs and software.
  • Enable Azure Backup to back up critical data.
  • Conduct periodic penetration tests to identify vulnerabilities.


Conclusion

This architecture ensures a secure, scalable, and PCI-DSS-compliant bank web application. By using Azure’s robust infrastructure and best practices, you can focus on delivering value to your users while safeguarding sensitive financial data.
