Service Deployment in the Multi-Zone Architecture
The CMS TRA Foundation, Multi Zone Architecture section provides definitions of the Zones. It places restrictions on the location and type of Web Services deployed within CMS Processing Environments. Both the CMS TRA Multi-Zone Architecture and the Virtual Data Center concept encourage communications within like zones, regardless of data center. While communication may be possible to the cloud environments from CMS data centers, the cloud boundaries for ‘like’ zones are not always clear. Zones in the cloud may be a mixture of CMS and cloud service provider services; therefore, the implementor must verify the security posture when communicating between zones. For the specifics of multi-data center access, please refer to CMS TRA - Network Services, Wide Area Network Services, which provides additional business rules regarding security and networking.
Please note that the multi-zone architecture, most notably in the cloud environment, may not necessarily specify the number of zones. The zones defined in the multi-zone architecture are built upon the services framework and the functions these services perform. The presentation zone supports edge services, while the application and data zones support application and data services, respectively.
Allowable Zones
The Presentation Zones may host Web Services only if:
- The services provide access to static data via HTTP GET requests where the HTTP server performs no processing (such as template expansion or reference data) other than delivering the requested data.
All requests originating outside the Presentation Zone must be validated and inspected at the Presentation Zone.
The Application Zone is the recommended zone for most Web Services, and in particular, for hosting such services as:
- Business Rules Services
- Portlet Services
- Business Logic Services
- Business Process Automation Services
- Enterprise Application Integration Services
- Email Routing Services
- Aggregation Services
- Orchestration Services
The Data Zone is recommended for hosting such services as:
- Data Access Services
- Data Transformation Services
- Data Replication Services
- Job Control Services
- Mainframe-based Services
Management Zone services are strictly restricted to support for operations and information security. Ordinary applications may not host their services in the Management Zone.
The following services should be hosted in the Management Zone:
- Logging Services
- Control Services
- Other Security or Infrastructure Support Services
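The zone rules above can be checked mechanically against a deployment manifest. The following is an added example, not part of the CMS TRA: the manifest fields (name, zone, kind, methods, server_side_processing) and the short "kind" labels are hypothetical, and the sample manifest is constructed. Hard restrictions are reported as violations; departures from a recommended zone are reported as warnings.

```python
# Added example: zone rules from this section as a manifest check.
# Manifest fields and "kind" labels are hypothetical; sample data is constructed.
RECOMMENDED = {
    "application": {"Business Rules", "Portlet", "Business Logic",
                    "Business Process Automation", "Email Routing",
                    "Enterprise Application Integration",
                    "Aggregation", "Orchestration"},
    "data": {"Data Access", "Data Transformation", "Data Replication",
             "Job Control", "Mainframe-based"},
    "management": {"Logging", "Control", "Security Support",
                   "Infrastructure Support"},
}

def check_service(svc):
    """Return (severity, message) findings for one manifest entry."""
    zone, kind, out = svc.get("zone"), svc.get("kind"), []
    if zone == "presentation":
        # Fail closed: missing fields count as non-compliant.
        if set(svc.get("methods", [])) != {"GET"}:
            out.append(("violation", "presentation zone: HTTP GET only"))
        if svc.get("server_side_processing", True):
            out.append(("violation", "presentation zone: no server-side processing"))
    elif zone == "management":
        if kind not in RECOMMENDED["management"]:
            out.append(("violation", "management zone: operations/security support only"))
    elif zone in RECOMMENDED:
        if kind not in RECOMMENDED[zone]:
            home = [z for z, kinds in RECOMMENDED.items() if kind in kinds]
            hint = home[0] if home else "unlisted kind, review manually"
            out.append(("warning", f"recommended zone: {hint}"))
    else:
        out.append(("violation", f"unknown zone: {zone!r}"))
    return out

def check_manifest(manifest):
    return {svc["name"]: check_service(svc) for svc in manifest}

SAMPLE = [  # constructed
    {"name": "static-assets", "zone": "presentation", "kind": "Static Content",
     "methods": ["GET"], "server_side_processing": False},
    {"name": "page-templating", "zone": "presentation", "kind": "Portlet",
     "methods": ["GET", "POST"], "server_side_processing": True},
    {"name": "claims-rules", "zone": "management", "kind": "Business Rules"},
    {"name": "audit-log", "zone": "management", "kind": "Logging"},
    {"name": "eligibility-dao", "zone": "application", "kind": "Data Access"},
]

if __name__ == "__main__":
    for name, findings in check_manifest(SAMPLE).items():
        print(name, findings or "ok")
```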
Data Access Services
In accord with the CMS TRA Multi-Zone Architecture, any applications that require information from CMS data sources must not communicate directly with the data sources (e.g., databases or external web services) themselves. Instead, they must use Data Access Services and mediation principles to access data in databases. By decoupling applications from the database implementations, CMS can deploy new technologies and upgrade old ones without undue effect on service consumers.
Data Access Services store, access, and update data from CMS internal and external data sources. They are a layer of data access logic between the distributed data stores and the service consumers who access them. Data is accessible through data services as an abstraction, which helps to hide the details of the raw data. A Data Web Service delivers data using a Message Model that includes the metadata and content. Service consumers leverage this Message Model to access the required data, and the Data Web Service handles the collection and distribution of the data to the shared data consumer.
Data Access Services provide loose coupling between the service consumer and the underlying physical data stores (e.g., databases). These services offer the capability to improve data quality, integrate data, apply business / data rules, and transform data from varied sources. They help integrate, aggregate, and manage data sources. Data Access Services also provide authoritative interfaces to enterprise information.
To best ensure the integrity and authority of CMS enterprise data, Data Access Services should be the sole mechanism by which an application web service or business application can interact with the CMS enterprise data. The orchestrated use of Data Access Services can better ensure effective database interaction in business application performance while also avoiding data contention issues. As shown in Data Access Services in the Data Zone, these services are deployed into the Data Zone.

Data Web Services must maintain the integrity of data sources by managing transactions autonomously. These services must not rely on or expect service consumers to maintain databases or other data sources in a consistent state on behalf of the consumed web service (e.g., passing in data sources as parameters). It may also be necessary for Data Web Services to orchestrate data transactions across multiple database tables to ensure data source consistency. Data transactions must avoid deadlock by design and ensure performance levels remain within service levels.
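A sketch of the transaction rule above, as an added example that is not part of the CMS TRA: a Data Web Service that owns its data source, writes two tables as one unit, and rolls both back on failure. SQLite stands in for the real data store, and the class, table and method names are hypothetical.

```python
import sqlite3

class EnrollmentDataService:
    """Hypothetical Data Web Service; SQLite stands in for the data store."""

    def __init__(self, db_path=":memory:"):
        # The data source is fixed at deployment; consumers never pass one in.
        # isolation_level=None: the service issues BEGIN/COMMIT itself.
        self._db = sqlite3.connect(db_path, isolation_level=None, timeout=5.0)
        self._db.executescript("""
            CREATE TABLE IF NOT EXISTS beneficiary(
                id INTEGER PRIMARY KEY, name TEXT NOT NULL);
            CREATE TABLE IF NOT EXISTS enrollment(
                beneficiary_id INTEGER NOT NULL REFERENCES beneficiary(id),
                plan TEXT NOT NULL CHECK (plan IN ('A', 'B')));
        """)

    def enroll(self, name, plan):
        """Insert into both tables as one unit; undo both on any failure."""
        # BEGIN IMMEDIATE takes the write lock up front, so two writers cannot
        # each hold a read lock while waiting to upgrade. A second writer
        # waits up to `timeout` seconds and then gets an error.
        self._db.execute("BEGIN IMMEDIATE")
        try:
            cur = self._db.execute(
                "INSERT INTO beneficiary(name) VALUES (?)", (name,))
            self._db.execute(
                "INSERT INTO enrollment(beneficiary_id, plan) VALUES (?, ?)",
                (cur.lastrowid, plan))
            self._db.execute("COMMIT")
            return cur.lastrowid
        except Exception:
            # The consumer never sees a half-written state.
            self._db.execute("ROLLBACK")
            raise

    def counts(self):
        """Row counts as (beneficiary, enrollment), for consistency checks."""
        b = self._db.execute("SELECT COUNT(*) FROM beneficiary").fetchone()[0]
        e = self._db.execute("SELECT COUNT(*) FROM enrollment").fetchone()[0]
        return b, e

if __name__ == "__main__":
    svc = EnrollmentDataService()
    svc.enroll("Ada", "A")
    print(svc.counts())
```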