DEV Community

Moses Daniel

Designing a Bank Web Application on Azure with PCI-DSS Compliance

Introduction

In today’s fintech landscape, ensuring that your banking application adheres to compliance standards like PCI-DSS (Payment Card Industry Data Security Standard) is critical. This guide walks you through designing a secure, three-tier bank web application on Microsoft Azure using PCI-DSS compliance principles.

We’ll set up a three-tier architecture:

  1. Frontend VM (Node.js and NPM)
  2. Backend VM (Java JDK)
  3. Database VM (MySQL Database)

The architecture uses a single VNet with three subnets, one Network Security Group (NSG) per subnet acting as a stateful firewall, and explicit deny rules so that each tier can talk only to the next one.


Overview of Architecture

Key Components:

  • Virtual Network (VNet):
    • 3 Subnets: Frontend Subnet, Backend Subnet, and Database Subnet.
  • Virtual Machines (VMs):
    • VM1: Hosts Node.js and NPM (Frontend)
    • VM2: Hosts Java JDK (Backend)
    • VM3: Hosts MySQL (Database)
  • Network Security Groups (NSGs):
    • Frontend NSG: Protects the frontend.
    • Backend NSG: Protects the backend.
    • Database NSG: Secures database access.
  • PCI-DSS Compliance:
    • Secure transmission of sensitive data.
    • Strong firewall configuration.
    • Segmented architecture to limit lateral movement.

Step 1: Create the Virtual Network (VNet)

  1. Log into Azure Portal.
  2. Create a Virtual Network:
    • Navigate to Networking > Virtual Networks > Create.
    • Name: BankApp-VNet.
    • Address Space: 192.168.0.0/16.
    • Subnets:
      • Frontend Subnet: 192.168.2.0/24.
      • Backend Subnet: 192.168.1.0/24.
      • Database Subnet: 192.168.0.0/24.
    • Click Review + Create.

Step 2: Create Virtual Machines

VM1: Frontend (Node.js and NPM)

  1. Navigate to Compute > Virtual Machines > Create.
  2. Configuration:
    • Name: Frontend-VM.
    • Size: Standard_B2s (or equivalent).
    • Image: Ubuntu Server 22.04.
    • Authentication: SSH public key (no password).
    • Inbound port rules: None. Do not let the portal create per-NIC rules; the subnet NSGs from Step 3 are the single place where access is decided.
    • Subnet: Frontend Subnet.
  3. Install Node.js and NPM (the Ubuntu 22.04 repository ships an old Node.js release; for a currently supported version install from the NodeSource repository or with nvm instead of apt's nodejs package):
   sudo apt update && sudo apt upgrade -y
   sudo apt install -y nodejs npm
   node -v
   npm -v

VM2: Backend (Java JDK)

  1. Repeat the steps above for Backend-VM:
    • Subnet: Backend Subnet.
    • Public IP: None. The backend must be reachable only from the frontend subnet, so it gets no public address at all.
  2. Install Java JDK:
   sudo apt update && sudo apt upgrade -y
   sudo apt install -y openjdk-17-jdk
   java -version

VM3: Database (MySQL)

  1. Create Database-VM:
    • Subnet: Database Subnet.
    • Public IP: None.
  2. Install MySQL and run the hardening script (it removes anonymous users and the test database and disables remote root login):
   sudo apt update && sudo apt upgrade -y
   sudo apt install -y mysql-server
   sudo mysql_secure_installation
  3. Ubuntu's package binds MySQL to 127.0.0.1 by default (bind-address in /etc/mysql/mysql.conf.d/mysqld.cnf). Set it to the VM's private IP address rather than 0.0.0.0 so the backend can connect, then restart the service. The NSG and the listener address together decide who can reach port 3306.

Step 3: Configure Network Security Groups (NSGs)

Frontend NSG

  1. Navigate to Networking > Network Security Groups > Create, then associate the NSG with the Frontend Subnet (Subnets tab) rather than with a NIC, so any VM added to the subnet later inherits the rules.
  2. Configure rules (custom rules take priorities 100 to 4096; the lowest number is evaluated first and the first match wins):
    • Allow HTTPS (443) inbound from the Internet, and HTTP (80) only if you need it for redirects or certificate issuance.
    • Deny all other inbound traffic with an explicit rule at a high priority number such as 4096. Every NSG also carries the built-in AllowVnetInBound rule at priority 65000, which allows all traffic between the subnets of the VNet; it is outranked only by a custom rule, so without this explicit deny a compromised frontend can still reach the database subnet.
    • Outbound: allow only the backend subnet on TCP 8080 (plus whatever egress OS updates need) and add an explicit deny rule, since the default AllowInternetOutBound rule otherwise permits all Internet egress.

Backend NSG

  1. Create another NSG for Backend-VM and associate it with the Backend Subnet:
    • Allow TCP port 8080 inbound from the frontend subnet only.
    • Deny all other inbound traffic with an explicit rule, for the same reason as above.
    • Outbound: allow only the database subnet on TCP 3306 and deny the rest.

Database NSG

  1. Create the final NSG for Database-VM and associate it with the Database Subnet:
    • Allow MySQL (port 3306) inbound from the backend subnet only.
    • Deny all other inbound traffic with an explicit rule.
    • Outbound: deny all with an explicit rule (the default AllowInternetOutBound rule would otherwise permit egress) and add a tightly scoped exception only if the VM needs updates or backups.
  2. Management access: do not open SSH (22) in any of these NSGs. Reach the VMs through Azure Bastion, which lives in its own AzureBastionSubnet, or through just-in-time VM access, so that administrative sessions are logged and never exposed to the Internet.
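To see why the explicit deny rule matters, here is an added Python model of how Azure evaluates NSG rules, written for this post (it is not the author's code nor anything from Azure). It uses the post's subnet ranges; the rule names, priorities, the sample VM addresses (.4 is the first usable address in an Azure subnet, since the first four are reserved) and the simplification of the VirtualNetwork service tag to the VNet's own address space are this example's assumptions.

```python
"""Model of Azure NSG rule evaluation for the three-tier design (added example).

Azure evaluates rules in ascending priority number and the first match wins. Every
NSG also carries non-deletable default rules at 65000+, including AllowVnetInBound,
which permits all traffic between subnets of the VNet unless a custom rule ranked
above it denies it. Subnet ranges are from the post; everything else is assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

FRONTEND = ip_network("192.168.2.0/24")
BACKEND = ip_network("192.168.1.0/24")
DATABASE = ip_network("192.168.0.0/24")
# Simplification: the real VirtualNetwork tag also covers peered VNets and on-prem ranges.
VIRTUAL_NETWORK = ip_network("192.168.0.0/16")
INTERNET = ip_network("0.0.0.0/0")
AZURE_LOAD_BALANCER = ip_network("168.63.129.16/32")  # the AzureLoadBalancer tag's probe address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # custom rules 100-4096; Azure's defaults sit at 65000+
    source: IPv4Network
    dest: IPv4Network
    port: Optional[int]     # destination TCP port, None = any
    action: str             # "Allow" or "Deny"


# Azure's built-in inbound default rules, present in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, VIRTUAL_NETWORK, VIRTUAL_NETWORK, None, "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, AZURE_LOAD_BALANCER, INTERNET, None, "Allow"),
    Rule("DenyAllInBound", 65500, INTERNET, INTERNET, None, "Deny"),
]


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return (action, rule_name) of the first rule that matches, lowest priority number first."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if src in rule.source and dst in rule.dest and rule.port in (None, dst_port):
            return rule.action, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def inbound_nsg(tier, explicit_deny=True):
    """Custom inbound rules for one tier plus the defaults Azure always appends.

    explicit_deny=False reproduces the common mistake of relying on the default
    DenyAllInBound rule, which AllowVnetInBound outranks for intra-VNet traffic.
    """
    custom = {
        "frontend": [Rule("AllowHTTP", 100, INTERNET, FRONTEND, 80, "Allow"),
                     Rule("AllowHTTPS", 110, INTERNET, FRONTEND, 443, "Allow")],
        "backend": [Rule("AllowAppFromFrontend", 100, FRONTEND, BACKEND, 8080, "Allow")],
        "database": [Rule("AllowMySQLFromBackend", 100, BACKEND, DATABASE, 3306, "Allow")],
    }[tier]
    if explicit_deny:
        # 4096 is the largest priority number a custom rule may use; it still beats
        # every default rule, so this is what actually blocks lateral movement.
        custom.append(Rule("DenyAllOtherInbound", 4096, INTERNET, INTERNET, None, "Deny"))
    return custom + DEFAULT_INBOUND


def segmentation_report(explicit_deny=True):
    """Evaluate the paths the design must allow and the ones it must block."""
    probes = {  # name: (source IP, destination IP, destination port, NSG of the destination tier)
        "internet->frontend:443": ("203.0.113.10", "192.168.2.4", 443, "frontend"),
        "internet->frontend:22": ("203.0.113.10", "192.168.2.4", 22, "frontend"),
        "frontend->backend:8080": ("192.168.2.4", "192.168.1.4", 8080, "backend"),
        "frontend->database:3306": ("192.168.2.4", "192.168.0.4", 3306, "database"),
        "backend->database:3306": ("192.168.1.4", "192.168.0.4", 3306, "database"),
        "backend->database:22": ("192.168.1.4", "192.168.0.4", 22, "database"),
    }
    return {name: evaluate(inbound_nsg(tier, explicit_deny), s, d, p)
            for name, (s, d, p, tier) in probes.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"\nexplicit deny rule present: {mode}")
        for path, (action, rule) in segmentation_report(mode).items():
            print(f"  {path:26s} {action:5s} via {rule}")
```

Run it and compare the two reports: without the custom deny, frontend->database:3306 and backend->database:22 are both allowed by AllowVnetInBound, which is exactly the lateral movement the design is supposed to stop. The same probe table doubles as the checklist for the connectivity tests in Step 6.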

Step 4: Application Deployment

Frontend Deployment

  1. Set up your Node.js app on Frontend-VM:
   mkdir bank-frontend
   cd bank-frontend
   npm init -y
   npm install express
  2. Create a sample index.js file:
   const express = require('express');
   const app = express();
   // Binding to port 80 needs root (or CAP_NET_BIND_SERVICE). Do not run Node as
   // root on a banking frontend: put nginx in front to terminate TLS on 443 and
   // run this process unprivileged on a high port, e.g. PORT=8080.
   const PORT = process.env.PORT || 80;

   // Do not advertise the framework version in the X-Powered-By header.
   app.disable('x-powered-by');

   app.get('/', (req, res) => res.send('Bank Frontend Running!'));
   app.listen(PORT, () => console.log(`Server running on port ${PORT}`));
  3. Run the application:
   node index.js

Backend Deployment

  1. Create a sample Java REST API on Backend-VM:
    • Write and compile your REST API (e.g., using Spring Boot or JAX-RS), bind it to TCP 8080 on the VM's private address, and run it as a dedicated unprivileged service account.

Database Configuration

  1. Connect the Backend API to the MySQL Database:

    • Create a database and a least-privilege account for the application. The original grant used 'bank_user'@'%' with ALL PRIVILEGES, which accepts logins from any host and hands the API DROP and ALTER rights it never needs:
     CREATE DATABASE bank_app;
     -- Restrict the account to the backend subnet and require TLS (configured in Step 5).
     CREATE USER 'bank_user'@'192.168.1.%' IDENTIFIED BY '<generated password, placeholder>' REQUIRE SSL;
     -- Grant only the statements the API actually issues.
     GRANT SELECT, INSERT, UPDATE, DELETE ON bank_app.* TO 'bank_user'@'192.168.1.%';
     FLUSH PRIVILEGES;
    

Step 5: Implement PCI-DSS Controls

1. Data Encryption

  • Enable TLS for communication between components:
    • Install a Let's Encrypt TLS certificate on the frontend (certbot needs a public DNS name for the VM; enable automatic renewal) and redirect HTTP to HTTPS.
    • Configure MySQL for TLS: set require_secure_transport = ON under [mysqld] so plaintext connections are refused, create the application user with REQUIRE SSL, and have the backend verify the server certificate (Connector/J: sslMode=VERIFY_CA or VERIFY_IDENTITY) rather than merely encrypting.
    • Encrypt the frontend-to-backend hop on 8080 as well. The VNet is not an open public network in PCI-DSS terms, but a plaintext hop inside the cardholder data environment is still an exposure if a subnet is breached.

2. Secure Authentication

  • Authenticate to the VMs with SSH keys only (PasswordAuthentication no in sshd_config) and require MFA on every administrative path; PCI-DSS mandates MFA for access into the cardholder data environment.
  • Store database credentials and TLS private keys in Azure Key Vault and let the backend fetch them at start-up through a system-assigned managed identity, so no secret sits in a config file or environment variable on disk.

3. Logging and Monitoring

  • Enable Network Watcher flow logs on the three NSGs and send them, together with OS, SSH and MySQL audit logs collected by the Azure Monitor Agent, to a Log Analytics workspace. PCI-DSS requires at least twelve months of audit-log retention, with the most recent three months immediately available.
  • Set up alerts (Azure Monitor or Microsoft Sentinel) for denied flows between tiers that should never talk, repeated failed logins, outbound connections from the database VM, and changes to NSG rules.
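As an added example of the alerting this section calls for (not code from the post), the following Python runs three detections over a constructed record laid out like an NSG flow log version 2 entry: a non-backend source reaching for the database tier, one external address denied on many ports in a short window, and the database VM making an allowed connection out of the VNet. The sample addresses, rule names and thresholds are assumptions made for the example; in a real pipeline the records would come from the Log Analytics workspace.

```python
"""Detections over NSG flow log records for the three-tier design (added example)."""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Subnet ranges from the post.
FRONTEND = ip_network("192.168.2.0/24")
BACKEND = ip_network("192.168.1.0/24")
DATABASE = ip_network("192.168.0.0/24")
VNET = ip_network("192.168.0.0/16")
SCAN_PORTS = 4      # distinct denied ports from one source ...
SCAN_WINDOW = 60    # ... within this many seconds counts as a scan (assumed thresholds)

# Constructed sample shaped like one flow log (v2) record: each flow names the NSG
# rule that matched and lists tuples of
# "time,srcIP,dstIP,srcPort,dstPort,proto,dir,decision,state,pktsS2D,bytesS2D,pktsD2S,bytesD2S".
SAMPLE_RECORD = json.dumps({"flows": [
    {"rule": "AllowMySQLFromBackend", "flowTuples": [
        "1700000000,192.168.1.4,192.168.0.4,51234,3306,T,I,A,B,12,2048,10,4096"]},
    {"rule": "DenyAllOtherInbound", "flowTuples": [
        "1700000005,192.168.2.4,192.168.0.4,40001,3306,T,I,D,B,1,64,0,0",
        "1700000006,192.168.2.4,192.168.0.4,40002,22,T,I,D,B,1,64,0,0"]},
    {"rule": "DenyAllInBound", "flowTuples": [
        f"17000000{10 + i},198.51.100.7,192.168.2.4,{55000 + i},{p},T,I,D,B,1,64,0,0"
        for i, p in enumerate((22, 3389, 8080, 3306, 445))]},
    {"rule": "AllowInternetOutBound", "flowTuples": [
        "1700000020,192.168.0.4,198.51.100.9,43210,443,T,O,A,B,5,900,4,1200"]},
    {"rule": "AllowHTTPS", "flowTuples": [
        "1700000030,203.0.113.10,192.168.2.4,50010,443,T,I,A,B,9,1500,7,6000"]},
]})


def parse_flows(record_json: str) -> List[dict]:
    """Flatten a record into one dict per flow tuple, keeping the fields the detections use."""
    flows = []
    for flow in json.loads(record_json)["flows"]:
        for tup in flow["flowTuples"]:
            f = tup.split(",")
            flows.append({"time": int(f[0]), "src": ip_address(f[1]), "dst": ip_address(f[2]),
                          "dport": int(f[4]), "dir": f[6], "decision": f[7], "rule": flow["rule"]})
    return flows


def detect(flows: List[dict]) -> List[dict]:
    alerts = []
    # 1. Anything reaching for the database tier that is not the backend subnet. An
    #    Allow means an NSG is misconfigured (critical); a Deny still means something
    #    in another tier is probing the database (high). Aggregated per source/destination.
    db_probes: Dict[tuple, dict] = {}
    for f in flows:
        if f["dir"] == "I" and f["dst"] in DATABASE and f["src"] not in BACKEND:
            a = db_probes.setdefault((f["src"], f["dst"]), {"ports": set(), "allowed": False})
            a["ports"].add(f["dport"])
            a["allowed"] |= f["decision"] == "A"
    for (src, dst), a in db_probes.items():
        alerts.append({"type": "db_access_from_unexpected_source",
                       "severity": "critical" if a["allowed"] else "high",
                       "src": str(src), "dst": str(dst), "ports": sorted(a["ports"])})
    # 2. One external source denied on many distinct ports in a short window: a scan.
    denied = defaultdict(list)
    for f in flows:
        if f["dir"] == "I" and f["decision"] == "D" and f["src"] not in VNET:
            denied[f["src"]].append(f)
    for src, fs in denied.items():
        ports = {f["dport"] for f in fs}
        span = max(f["time"] for f in fs) - min(f["time"] for f in fs)
        if len(ports) >= SCAN_PORTS and span <= SCAN_WINDOW:
            alerts.append({"type": "port_scan", "severity": "medium",
                           "src": str(src), "ports": sorted(ports)})
    # 3. The database VM talking to anything outside the VNet. The NSG should have
    #    blocked it, so an allowed flow is both a misconfiguration and an exfiltration indicator.
    for f in flows:
        if f["dir"] == "O" and f["src"] in DATABASE and f["dst"] not in VNET and f["decision"] == "A":
            alerts.append({"type": "database_egress", "severity": "critical",
                           "src": str(f["src"]), "dst": str(f["dst"]),
                           "port": f["dport"], "rule": f["rule"]})
    return alerts


def run_sample() -> List[dict]:
    return detect(parse_flows(SAMPLE_RECORD))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The third detection is the one to watch most closely: a flow matched by AllowInternetOutBound from the database subnet means the explicit outbound deny from Step 3 is missing or was removed, and the alert names the rule so the responder can see which NSG to check.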

4. Segmentation

  • Subnets alone segment nothing: traffic between them is allowed by default. The segmentation exists only because of the explicit NSG deny rules from Step 3, so review those rules after every change and verify them with the tests in Step 6.

Step 6: Test and Validate

Test Connectivity

  1. Verify both the allowed and the blocked paths; a segmentation test that checks only the allowed ones proves nothing:
    • From Frontend-VM: the backend answers on TCP 8080, and a connection to the database on 3306 times out (blocked by the Database NSG).
    • From Backend-VM: MySQL accepts a TLS connection on 3306 and rejects a plaintext one, and SSH (22) to the database VM is blocked.
    • From the Internet: only 443 (and 80, if kept) on the frontend's public IP responds; 22 and 8080 do not.

Run PCI-DSS Tests

  • AlienVault OSSIM is a SIEM and OpenVAS is a vulnerability scanner; neither validates PCI-DSS compliance by itself. Use OpenVAS (or a similar scanner) for the internal vulnerability scans PCI-DSS requires, have the quarterly external scans run by a PCI-approved scanning vendor (ASV), and use OSSIM or Microsoft Sentinel to meet the logging requirements. Compliance itself is established through the applicable self-assessment questionnaire or a Qualified Security Assessor, not by a scan report.

Step 7: Secure the Environment

  • Patch the VMs and their software on a schedule; PCI-DSS expects critical security patches to be applied within one month of release, which Azure Update Manager can enforce.
  • Enable Azure Backup for the database VM and test a restore, not just the backup job.
  • Conduct internal and external penetration tests at least annually and after significant changes, including a test that the tier segmentation actually holds.



Conclusion

This architecture gives a bank web application a secure, segmented foundation on Azure and covers the network, encryption, access-control and logging controls that PCI-DSS asks for. Compliance itself is assessed against the whole cardholder data environment, so treat these controls as a baseline to build on rather than as proof of compliance, and keep the focus on safeguarding sensitive financial data while delivering value to your users.
