Unit 1.2: The Canonical Layered Architecture
Introduction
There is one architecture shape that recurs across almost every regulated enterprise deployment on IONOS, and it is worth learning as a default before studying any single product. The decision it encodes is where traffic is allowed to enter, how far it is allowed to travel, and what stays unreachable from the internet entirely. Getting that boundary right at the topology level is far cheaper than retrofitting it later, because on IONOS the network tier a resource sits in is the primary thing that determines whether it is exposed. This unit draws the canonical shape and explains the reasoning, so that the per-tier products in Modules 3 through 6 each have an obvious home.
1. The Canonical Shape: Public L7, Stateless Compute, Private L4, Private Data
The shape reads top to bottom as a sequence of narrowing trust.
At the edge sits a public Layer 7 load balancer. The Managed Application Load Balancer (ALB) distributes incoming application-layer traffic to targets based on user-defined policies, routing on content such as host and path. It is the one component intended to face the internet, and it is where TLS is terminated. Because it routes on application content, it is also where request-level concerns (path-based routing, host-based routing) are expressed.
Behind it sits the stateless compute tier: the application servers. These hold no durable state of their own. That is a deliberate property, not an accident, because it lets the tier be scaled, replaced, or failed over freely. Anything that must persist is pushed downward.
Between the application tier and the data it depends on sits a private Layer 4 load balancer. The Managed Network Load Balancer (NLB) operates at TCP/IP Layer 4; it distributes any TCP-based traffic and its rules and health checks are strictly Layer 4. Placed privately, it spreads connections across the data-tier nodes without ever being reachable from the internet, and it does not terminate TLS, so end-to-end encryption can run straight through to the backend.
At the bottom sits the private-only data tier: managed databases, the cache, shared storage. These are reached only over private LANs through the internal balancer. They have no public interface at all.
The composition, public L7 to stateless compute to private L4 to private data, is the platform's idiomatic expression of defence in depth. Each downward step removes reachability: the internet can talk to the ALB, the ALB can talk to the app tier, the app tier can talk to the data tier through the NLB, and the data tier can talk to no one uninvited.
For FinCorp, this is the shell its regulated workload drops into. The public ALB carries customer-facing HTTPS and terminates TLS at the EU edge; the stateless application servers run the business logic and externalise their state; the private NLB fronts the relational cluster and cache; and the database itself is never exposed. The compliance story, which Unit 1.4 develops, is materially easier to make when the data tier is architecturally incapable of accepting an inbound connection from outside the VDC.
2. Why Private-by-Default, and Where Everything Else Attaches
The layout is not chosen for elegance; it falls out of how IONOS networking actually behaves and how its protections bind.
A LAN inside a VDC is private until it is explicitly connected to the internet; exposure is something you add, not something you remove. That single property is what makes private-by-default the path of least resistance: leave a tier on a private LAN and it is already unreachable. The reasoning compounds with where IONOS security controls apply. NIC-level firewalls and Network Security Groups bind to server NICs at the VDC level only; they do not apply to the Managed ALB or NLB, nor to the Managed Kubernetes cluster abstraction. Because you cannot wrap the managed balancers in a security group, you cannot lean on a firewall to compensate for putting a database on a public path. The topology itself, what sits on a private LAN, has to do the isolation. Segmentation is therefore the load-bearing control, and the three-tier split (public edge, private app, private data) is the minimum that expresses it cleanly.
The same shape absorbs the rest of the platform without changing:
- Containers. A Managed Kubernetes node pool attaches to the LANs like any other compute and takes the role of the stateless application tier. A manifest does not auto-provision an IONOS balancer; the public ALB and any private NLB are provisioned separately and pointed at the cluster, so the cluster slots into the existing shape rather than replacing it.
- Dedicated VMware (Private Cloud). A regulated VMware workload runs on the dedicated SDDC and links back to the standard-compute estate over hybrid connectivity, occupying the compute layer for workloads that need single-tenant isolation while the elastic edge stays on standard compute.
- AI services. The managed AI Model Hub is a fully managed, publicly-reachable inference API (its OpenAI-compatible and native endpoints are internet-facing, not private-LAN-only); the application tier calls it over an outbound path in the same way it would call any external SaaS API, while datasets it draws on can still live in Object Storage and a managed database on the private data tier below the application layer.
- Hybrid connectivity. VPN and NAT gateways and private interconnects attach at the edge and the egress path, extending the same private fabric to on-premises sites rather than punching new holes through the tiers.
Every later module fills one band of this diagram: networking builds the edge and the two balancers, compute builds the application tier, data builds the bottom tier, containers and AI attach above and beside it. The shape does not change; the contents do.
Decision Summary
| Tier | IONOS construct | Exposure | Governing rule |
|---|---|---|---|
| Public edge | Managed ALB (Layer 7) | Internet-facing | Only intended public entry point; terminates TLS; routes on content. |
| Application | Stateless compute or Kubernetes node pool | Private LAN, reached via the ALB | Holds no durable state so it can scale or fail over freely. |
| Internal balancing | Managed NLB (Layer 4) | Private only | TCP pass-through, no TLS termination; never internet-facing. |
| Data | Managed databases, cache, shared storage | Private only, no public interface | Reached only through the internal balancer over private LANs. |
Default to this shape and justify any deviation. Segmentation, not a rule set, keeps the data tier safe, so place a tier on a public LAN only when it is meant to face the internet.
Summary
The canonical IONOS enterprise architecture narrows trust in four steps: a public Layer 7 ALB at the edge, a stateless compute tier behind it, a private Layer 4 NLB in front of the data, and a private-only data tier at the bottom. It is private-by-default because LANs are private until connected and because the managed balancers cannot be wrapped in a security group, which makes topology the real isolation control. Containers, dedicated VMware, AI, and hybrid links all attach to this shape without altering it, which is why every later module simply fills in one band of the same diagram.
Key Points:
- The default shape is public L7 ALB to stateless compute to private L4 NLB to private-only data, with each downward step removing reachability.
- Private-by-default holds because a LAN is private until explicitly connected to the internet, so exposure is something you add deliberately.
- NIC firewalls and NSGs bind to server NICs only, not to the managed ALB/NLB or the Kubernetes cluster abstraction, so segmentation by topology is the load-bearing control.
- Containers, dedicated VMware, AI services, and hybrid connectivity attach to the same shape rather than changing it; later modules fill in one tier each.