
I am using XACML 3.0. I just want to know what the best practice is for separating the PEP and PDP instances. I have three scenarios here; which one is best as per the cloud way of implementation?

  1. I have one instance of PEP which will communicate to multiple PDP instances.
  2. I have multiple PEP and multiple PDP instances which will communicate to each other.
  3. I have multiple PEP instances which will communicate to one PDP instance.
Utsav

1 Answer


The typical deployment I see is one or more enforcement points (PEP) talking to a load balancer that sits in front of multiple PDPs that are all equally configured.

That's true of any version of XACML.

PDPs rarely communicate with one another, though you could imagine having a PDP talk to another via a PIP connector.

--- EDIT --- Here's an architecture diagram:

[Image: Load balancing the PDP]

David Brossard
  • Thanks David, so this means the best practice as per the cloud architecture is that I can have multiple PEP points that will communicate with load balancers, and the load balancers will communicate with multiple PDP points. – Utsav Jan 07 '14 at 14:14
  • Yes. I forgot to add that PDPs are stateless which is why you can load balance them so easily – David Brossard Jan 08 '14 at 06:50
  • Hi David, if I don't want to introduce load balancers between the PEP and PDP, then how can we manage the communication between PEP and PDP? – Utsav Jan 09 '14 at 06:31
  • If you do not want to use server-side load balancing, you could always use client-side load balancing and configure PEPs with multiple PDP endpoints. – David Brossard Jan 09 '14 at 13:24
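As an added example (not code from the question, the answer, or any XACML product), here is a minimal PEP in Python that does the client-side load balancing the last comment describes: it round-robins over a list of equally configured, stateless PDP endpoints, retries the next endpoint when one is unreachable, and fails closed (Deny) if none answers or a response is malformed. The request and response bodies follow the JSON Profile of XACML 3.0 layout. The endpoint URLs, the `_fake_pdp` rule set and the `make_transport` stand-in for the HTTPS client are constructed for this offline demo and are assumptions, not part of the original thread.

```python
"""Client-side load balancing of XACML 3.0 PDP calls from a PEP (added example)."""
import itertools
import json
from typing import Callable, List, Set

# Standard XACML attribute identifiers.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# A transport takes (endpoint_url, request_json) and returns response_json,
# or raises OSError when the endpoint cannot be reached. In production this
# would be an HTTPS POST, ideally over mutual TLS so only real PEPs can ask
# and only real PDPs can answer.
Transport = Callable[[str, str], str]


def build_request(subject: str, resource: str, action: str) -> str:
    """Build a XACML 3.0 request in the JSON Profile layout."""
    req = {"Request": {
        "AccessSubject": [{"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject}]}],
        "Resource": [{"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]}],
        "Action": [{"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]}],
    }}
    return json.dumps(req)


def parse_decision(raw: str) -> str:
    """Extract the first Result's Decision; reject anything that is not a valid XACML decision."""
    results = json.loads(raw).get("Response")
    if not results:
        raise ValueError("malformed PDP response: no Result")
    decision = results[0].get("Decision")
    if decision not in ("Permit", "Deny", "NotApplicable", "Indeterminate"):
        raise ValueError(f"malformed PDP response: decision {decision!r}")
    return decision


class PdpUnavailable(Exception):
    """No PDP in the pool could answer the request."""


class Pep:
    """Enforcement point that round-robins over equally configured PDPs.

    PDPs are stateless, so any endpoint can answer any request: on a transport
    failure the PEP just moves to the next endpoint. If every endpoint fails it
    raises, and is_permitted() turns that into Deny (fail closed), never Permit.
    """

    def __init__(self, endpoints: List[str], transport: Transport):
        if not endpoints:
            raise ValueError("at least one PDP endpoint is required")
        self.endpoints = list(endpoints)
        self._next_start = itertools.cycle(range(len(self.endpoints)))
        self.transport = transport

    def decide(self, subject: str, resource: str, action: str) -> str:
        body = build_request(subject, resource, action)
        start = next(self._next_start)
        last_err = None
        for i in range(len(self.endpoints)):
            url = self.endpoints[(start + i) % len(self.endpoints)]
            try:
                raw = self.transport(url, body)
            except OSError as exc:  # connection refused, timeout, TLS failure ...
                last_err = exc
                continue
            return parse_decision(raw)
        raise PdpUnavailable(f"all {len(self.endpoints)} PDPs failed: {last_err!r}")

    def is_permitted(self, subject: str, resource: str, action: str) -> bool:
        try:
            return self.decide(subject, resource, action) == "Permit"
        except (PdpUnavailable, ValueError):
            return False  # fail closed: NotApplicable, Indeterminate and errors all deny


# --- constructed stand-ins for an offline demo (assumptions, not real PDPs) ---
ENDPOINTS = ["https://pdp-1.example/authorize",
             "https://pdp-2.example/authorize",
             "https://pdp-3.example/authorize"]
_POLICY = {("doctor", "patient-record", "read"): "Permit"}  # everything else: Deny


def _fake_pdp(raw: str) -> str:
    req = json.loads(raw)["Request"]
    key = tuple(req[c][0]["Attribute"][0]["Value"] for c in ("AccessSubject", "Resource", "Action"))
    return json.dumps({"Response": [{"Decision": _POLICY.get(key, "Deny")}]})


def make_transport(down: Set[str]) -> Transport:
    """Route to the fake PDP; endpoints listed in `down` behave like a refused connection."""
    calls: List[str] = []

    def transport(url: str, body: str) -> str:
        calls.append(url)
        if url in down:
            raise ConnectionRefusedError(url)
        return _fake_pdp(body)

    transport.calls = calls  # type: ignore[attr-defined]
    return transport


def demo():
    """pdp-2 is down: the PEP skips it, and with every PDP down it denies."""
    transport = make_transport(down={ENDPOINTS[1]})
    pep = Pep(ENDPOINTS, transport)
    r1 = pep.is_permitted("doctor", "patient-record", "read")    # served by pdp-1
    r2 = pep.is_permitted("doctor", "patient-record", "delete")  # pdp-2 refused, pdp-3 answers Deny
    r3 = pep.is_permitted("doctor", "patient-record", "read")    # served by pdp-3
    dark = Pep(ENDPOINTS, make_transport(down=set(ENDPOINTS)))
    r4 = dark.is_permitted("doctor", "patient-record", "read")   # no PDP reachable: Deny
    return r1, r2, r3, transport.calls, r4


if __name__ == "__main__":
    print(demo())
```

The point the stub makes visible is the failure mode: with client-side balancing the PEP itself owns retry and fail-closed behaviour, whereas a server-side load balancer hides the dead PDP from it. Either way the PEP must never interpret "no answer" or a response it cannot parse as Permit.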