Part 1 - Understanding Enterprise Deployment
Part 1 describes, in more detail, the features and requirements of industry-standard enterprise deployment for which the Tableau Server Enterprise Deployment Guide has been designed.
The following network diagram shows a generic datacenter tiered deployment with Tableau Server reference architecture.
Industry standards and deployment requirements
The following are features of industry standard deployments. These are the requirements that the reference architecture has been designed for:
- A multi-tiered network design: The network is bound by protected subnets to limit access at each layer: web layer, application layer, and data layer. No single connection passes across more than one subnet boundary; every connection is terminated at the next subnet.
- Ports and protocols blocked by default: Each subnet or security group blocks all inbound and outbound ports and protocols by default. Communication is enabled only by opening explicit exceptions in the port or protocol configuration.
- Off-box web authentication: User requests from the internet are authenticated by an authentication module on the reverse proxy in the web tier. Therefore, all requests to the application layer are authenticated at the web tier before passing into the protected application layer.
- Platform-independent: Solution can be deployed with on-premises server applications or in the cloud.
- Technology-agnostic: Solution can be deployed in a virtual machine environment or in containers. May also be deployed on Windows or Linux. However, this initial version of the reference architecture and supporting documentation has been developed for Linux running in AWS.
- Highly available: All components in the system are deployed as a cluster and designed to operate in an active/active or active/passive deployment.
- Siloed roles: Each server performs a discrete role. This design partitions all servers such that access may be minimized to service-specific administrators. For example, DBAs manage PostgreSQL for Tableau, identity administrators manage the authentication module in the web tier, and network and cloud administrators enable traffic and connectivity.
- Linearly scalable: Because roles are discrete, you can scale each tier service independently according to its load profile.
- Client support: The reference architecture supports all Tableau clients: Tableau Desktop (versions 2021.2 or later), Tableau Mobile, and Tableau Web Authoring.
Security measures
As stated, a primary feature of industry standard datacenter design is security.
- Access: Each tier is bound by a subnet that enforces access control at the network layer using port filtering. Communication access between subnets may also be enforced by the application layer with authenticated services between processes.
- Integration: The architecture is designed to plug in to an Identity Provider (IdP) on the reverse proxy in the web tier.
- Privacy: Traffic into the web tier is encrypted from the client with SSL. Traffic into the internal subnets may optionally be encrypted as well.
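The tiering and default-deny requirements above (one subnet boundary per connection, explicit port exceptions only, inner tiers never initiating traffic outward) can be checked mechanically against a security-group rule set. The following is an added example, not code from the Tableau guide; the tier names, the rule format and the ports in the sample rules (443 for TLS, 80 and 8060 as assumed Tableau gateway and repository ports) are assumptions.

```python
# Check a tiered rule set against the EDG tiering principle (added example).
# Assumption: each rule is {"src": tier, "dst": tier, "port": int or "any"},
# describing an allowed inbound flow from src tier into dst tier.
TIERS = ["internet", "web", "app", "data"]  # outer to inner, one subnet each


def rule_violations(rules):
    """Return human-readable findings; an empty list means the rule set
    is consistent with the tiered, default-deny model."""
    findings = []
    for r in rules:
        src, dst, port = r["src"], r["dst"], r["port"]
        label = f"{src}->{dst}:{port}"
        if src not in TIERS or dst not in TIERS:
            findings.append(f"{label}: unknown tier name")
            continue
        hop = TIERS.index(dst) - TIERS.index(src)
        if hop < 0:
            findings.append(f"{label}: inner tier initiating traffic outward")
        elif hop > 1:
            skipped = TIERS[TIERS.index(src) + 1]
            findings.append(f"{label}: skips the {skipped} tier")
        # hop == 0 is intra-tier cluster traffic and is outside this check
        if port == "any":
            findings.append(f"{label}: wildcard port instead of an explicit exception")
        if src == "internet" and dst == "web" and port != 443:
            findings.append(f"{label}: only TLS (443) should reach the web tier")
    return findings


# Constructed sample rule set; port numbers are assumptions, not from the guide.
SAMPLE_RULES = [
    {"src": "internet", "dst": "web", "port": 443},   # client TLS into the DMZ
    {"src": "web", "dst": "app", "port": 80},         # reverse proxy to gateway
    {"src": "app", "dst": "data", "port": 8060},      # app tier to repository
    {"src": "internet", "dst": "app", "port": 80},    # skips the web tier
    {"src": "web", "dst": "data", "port": 8060},      # skips the app tier
    {"src": "data", "dst": "app", "port": "any"},     # outward and wildcard
]

if __name__ == "__main__":
    for finding in rule_violations(SAMPLE_RULES):
        print(finding)
```

The first three sample rules produce no findings; the last three yield four findings in total, since the final rule is flagged both for direction and for its wildcard port.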
Web proxy tier
The web tier is a subnet in the DMZ (also referred to as the perimeter zone) that acts as a security buffer between the internet and the internal subnets where applications are deployed. The web tier hosts reverse proxy servers that do not store any sensitive information. The reverse proxy servers are configured with an AuthN plugin to pre-authenticate client sessions with a trusted IdP, before redirecting the client request to Tableau Server. For more information, see Pre-authentication with an AuthN module.
Load-balancers
The deployment design includes an enterprise load-balancing solution in front of the reverse proxy servers.
Load balancers provide important security and performance enhancements by:
- Virtualizing the front-end URL for the application tier services
- Enforcing SSL encryption
- Offloading SSL
- Enforcing compression between the client and the web tier services
- Protecting against DoS attacks
- Providing high-availability
Note: Tableau Server version 2022.1 includes the Tableau Server Independent Gateway. The Independent Gateway is a standalone instance of the Tableau Gateway process that serves as a Tableau-aware reverse proxy. At the time of release, the Independent Gateway has been validated, but not fully tested in the EDG reference architecture. After full testing is complete the EDG will be updated with Tableau Server Independent Gateway prescriptive guidance.
Application tier
The application tier is in a subnet that runs the core business logic of the server application. The application tier consists of services and processes that are configured across distributed nodes in a cluster. The application tier is only accessible from the web tier and is not directly accessible by users.
Performance and reliability are improved by configuring the application processes such that processes with different resource-use profiles (i.e., CPU intensive vs memory intensive) are co-located.
Data tier
The data tier is a subnet that holds valuable data. All traffic to this tier originates from the application tier and is therefore already authenticated. In addition to access requirements at the network layer with port configuration, this layer should include authenticated access and optionally encrypted traffic with the application tier.