Skip to main content

Azure Infrastructure

The BigHammer platform can be deployed on Microsoft Azure using various provisioning methods, including:

  • Azure Portal
  • Azure CLI (az)
  • Terraform / Bicep
  • Infrastructure-as-Code (IaC) tools approved by the customer

Regardless of the provisioning method used, the following reference architecture, resource requirements, and configuration values should be used as the baseline for setting up the infrastructure required for the BigHammer platform.

note

The exact implementation may vary based on customer-specific security, networking, compliance, and operational requirements. The reference values below are the minimum recommended configuration for deploying and operating the BigHammer platform on Azure.

Deploy readiness

After foundation is provisioned, use Prerequisites for the Helm deploy checklist (add-ons, networking, tools).

Azure serviceDescription
AKSPrivate or public AKS cluster with Workload Identity
PostgreSQL Flexible ServerApplication DB, Keycloak DB, users, SSL — passwords in Key Vault
Key VaultBootstrap secrets; RBAC mode recommended
Azure DNS / private DNSApplication hostname resolution
Azure Blob / ADLS Gen2Schemas, artifacts, optional Airflow DAG storage
Azure Container Registry (ACR)Mirrored container images and Helm OCI charts
Managed identitiesESO + application pod access to Key Vault and storage
Azure Bastion (optional)Operator access without public jumpbox SSH

Subscription & networking (reference)

SettingReference value
SubscriptionCustomer-specific
RegionCustomer-specific (example: <your-azure-region>)
Resource groupCustomer-specific naming convention
VNet CIDRCustomer-specific (example: 10.0.0.0/16)
AKS subnetDedicated subnet with sufficient IP space
Private endpoints subnetKey Vault, storage, PostgreSQL PEs
DNSPrivate DNS zones for PaaS endpoints and app hostnames

AKS

SettingReference value
Cluster nameCustomer-specific
Kubernetes versionBigHammer tested: 1.34.x (other supported AKS versions typically work)
Workload IdentityEnabled
OIDC issuerEnabled
Network pluginAzure CNI or kubenet per customer policy
Node pool SKUStandard_D2ads_v5 (scale per workload; HPA enabled in chart)
Node count≥ 3 for production-style dev; autoscale per policy

Node pool — platform / AI Agent (required)

SettingReference value
Pool nameCustomer-specific
VM sizeStandard_D8as_v5 or larger for multi-service dev
OS disk≥ 128 GB managed disk
Max podsPer subnet IP planning
Azure Policy / DefenderPer customer security baseline

PostgreSQL Flexible Server

SettingReference value
Server nameCustomer-specific
PostgreSQL version16 (tested)
SKUStandard_D2ads_v5 General Purpose
Storage≥ 32 GB with auto-grow
Public accessDisabled (private access recommended)
Backup retentionPer customer policy (minimum 7 days for dev)
Entra authOptional; password auth + Entra supported

Databases

Provision on the PostgreSQL server. Names must match Helm values (POSTGRES_DB, KC_DB_URL).

DatabasePurposeHelm / chart
bighammer_db_<env>Application data (APIs, workers, keycloakapi_db schema)POSTGRES_DB on app services
keycloak_db_<env>Keycloak server database (SSO runtime tables)KC_DB_URL on bhkeycloak
Two databases — do not confuse
ApplicationKeycloak server
Databasebighammer_db_<env>keycloak_db_<env>
Provisioned byBootstrap script + automationAutomation / create-dbs-azure.sh
Chart serviceAPIs, workers, bhkeycloakapibhkeycloak only
Env varsPOSTGRES_DB, dual-role usersKC_DB_URL, KC_DB_USERNAME, KC_DB_PASSWORD
DB userbh_dev_user / bh_app_userkeycloak_db_user
Key Vault passwordazure-postgres-master-password, bh-app-user-passwordbh-kcdbpwd

bhkeycloakapi uses the application database (schema keycloakapi_db), not the Keycloak server database.

Database users

UserPurposeKey Vault secret
Admin loginBootstrap / automationNot used by Helm at runtime
bh_dev_userMigrations / Alembic — DDLazure-postgres-master-password
bh_app_userRuntime — DML (BH_APP_USER)bh-app-user-password
keycloak_db_userKeycloak JDBCbh-kcdbpwd

After provisioning:

  1. Application DB — run schema/grant SQL via create-dbs-azure.sh (see Scripts Reference).
  2. Keycloak DB — database and user created by automation; password in Key Vault as bh-kcdbpwd.
  3. One-time secrets — push remaining Key Vault secrets before Helm install — Key Vault Secrets.

DNS

SettingReference value
ZoneCustomer-specific private or public zone
DomainCustomer-specific (example: dataplatform.example.com)
RecordsA/CNAME for each global.ingress.*HostName → ingress load balancer IP

Record examples: ui.<env>.<domain>, catalog.<env>.<domain>, kc.<env>.<domain>.

Key Vault

SettingReference value
Vault nameCustomer-specific
AuthorizationRBAC (recommended)
NetworkPrivate endpoint recommended
Soft deleteEnabled per customer policy

Secret names and chart mapping: Key Vault Secrets.

Storage (Blob / ADLS Gen2)

ResourcePurpose
Storage accountSchema artifacts, utilities, optional Loki/Airflow blobs
ContainersPer-service paths (schemas, DAGs, logs)
AccessPrivate endpoint + managed identity or account key in Key Vault

Azure Container Registry (reference)

SettingReference value
RegistryCustomer ACR after mirror
Login server<registry>.azurecr.io
Image path prefix<registry>.azurecr.io/<repository>/
Helm OCIoci://<registry>.azurecr.io/bh-helm-release/bighammer

Customer mirror workflow: Release Manifest & Distribution.

Workload Identity (managed identities)

Managed identityKubernetes service account(s)Azure RBAC
ESO identityexternal-secrets-operator in platform namespaceKey Vault Secrets User
Platform identityApp KSAs / kubelet identityKey Vault Secrets User, AcrPull, Storage Blob Data Contributor

Full bindings and chart config: Workload Identity.

Optional platform services

ServicePurpose
Azure DatabricksAnalytics / lakehouse (VNet-injected)
Airflow on AKSWorkflow orchestration — Airflow Deployment
Azure AI FoundryLLM / embeddings for bhaiagent

Helm chart inputs (after provisioning)

Map provisioned resources into your environment values file (for example values-<env>.yaml):

Helm pathSource
global.secretStore.vaultUrlKey Vault URI
global.secretStore.tenantIdMicrosoft Entra tenant ID
global.secretStore.managedIdentityClientIdESO managed identity client ID
global.image.repositoryACR login server + repository prefix
POSTGRES_HOSTPostgreSQL FQDN or private endpoint
POSTGRES_USER / POSTGRES_DBbh_dev_user / application database name
BH_APP_USERbh_app_user
global.bhkeycloak.env.KC_DB_USERNAMEkeycloak_db_user
global.bhkeycloak.env.KC_DB_URLJDBC URL with Keycloak database name
Key Vault secret keysSee Key Vault Secrets

Renaming databases or users

If provisioning uses different database or user names than the reference defaults, update every consumer in your values-<env>.yaml overlay — chart templates read runtime values from Helm values, not hardcoded names.

ObjectChart env varTypical services
Application DBPOSTGRES_DBAPIs, workers, bhkeycloakapi
Keycloak DBKC_DB_URLbhkeycloak only
Keycloak userKC_DB_USERNAMEbhkeycloak

Also update bootstrap scripts and Key Vault secret values to match.

Customer artifact mirror workflow: Release Manifest & Distribution.