Implementation of 3-tier architecture using MVC 5 and WCF RRS feed

  • Question

  • User-497719095 posted

    Forgive me if this question has been asked already, I really did not want to ask this if it had already been addressed but I have not been successful in finding it.

    Needless to say, I have an existing web application in ASP.NET MVC 5. The client I built it for needs the application to be in a 3-tier architecture so that the View, Business Logic and Model are deployed on separate servers for security reasons. I have never developed a three-tier architecture and have been led to believe that the use of WCF (windows communication foundation) would aid in this implementation.

    As I am not used to using WCF or familiar with the actual implementation of a 3-tier architecture I have come seeking help on how I would go about converting my existing application to meet this requirement. I do understand the concept of how a three-tier architecture works, so there is no need to elaborate on the topic itself. My concern lies more with best practices for implementing it using my existing entity framework and LINQ queries as well as how to implement WCF for API interactions with the separate tiers.

    I have found 1 tutorial for MVC 3, but it does not make use of WCF and does not discuss deployment of the application or even seem compatible with MVC 5.

    Any links to a good tutorial or book on how to implement this architecture using MVC 5 and WCF would be welcome.

    Thanks in advance.

    Tuesday, December 2, 2014 1:57 PM

All replies

  • User-1611549905 posted

    Unfortunately, the best practice for implementing a 3-tier architecture is don't. (Martin Fowler's First Law of Distributed Object Design: don't distribute your objects. You can read his article here -- it's a must-read for anyone considering a three-tier architecture.) It just over-complicates things while destroying performance and offering very few if any benefits. I'm sceptical about claims that it offers anything in terms of security -- it does't do anything to mitigate most of the common vulnerabilities on the OWASP Top Ten list for instance (e.g. SQL injection, cross site request forgery, weak password management, session fixation, cross-site scripting etc), while poor performance makes you more vulnerable to denial of service attacks.

    Since your client has asked for it, however, the best you can do is just make the best of a bad job, though I'd also recommend increasing your quotes to account for the extra work involved. You'll need to pay more attention to reducing the number of requests made by the individual tiers -- your program might have a very "chatty" interface between your controllers and your business layer, for instance, whereas with a distributed architecture you need to have a "chunky" interface which gets everything you need in as few requests as possible. Depending on your application this may require significant changes and it may introduce a lot of additional complexity.

    Finally, I'd personally recommend using WebAPI rather than WCF for this unless you have specific requirements that WCF can offer (e.g. WS-*). WCF is more powerful and flexible than WebAPI but this power and flexibility comes at a price -- it gives you a lot of rope with which to hang yourself if you're not careful.

    Wednesday, December 3, 2014 6:24 AM
  • User-497719095 posted

    Thank you for your thoughts on this.  I think what you have hit on may be the reason it is hard to find examples of this implementation.  As you pointed out, the client has required that the application conform to this architecture, and I'm sure you know better than I, that the client is always right...

    Wednesday, December 3, 2014 9:13 PM
  • User-1611549905 posted

    Why not suggest to them an alternative approach? You could put a caching proxy server/load balancer such as HAProxy or nginx in the DMZ and have it access your application servers from there.

    This would give them the security benefits that they're looking for but at the same time you would retain all the advantages of having your application logic on a single tier.

    Monday, December 8, 2014 11:05 AM
  • User-1877113880 posted

    Take a look a this,


    Should give you some ideas if you still heading down the three tier application.

    Thursday, January 8, 2015 4:58 PM
  • User1080785583 posted

    this is my goto example for architecture concerns. http://www.codeproject.com/Articles/474212/Zombie-Explorer-An-n-tier-application-from-top-to

    not sure if its the best, but everything is in a single .dll and if I take advantage of azure worker process load balancing, it will scale itself out to local processes

    Wednesday, January 21, 2015 1:09 PM