Infrastructure Architecture
Vulcan runs on Azure, deployed to Azure Kubernetes Service (AKS) in Sweden Central for GDPR compliance.
Resource Names
Actual Production Resources
Some resources have non-standard names due to Azure global uniqueness requirements:
- Key Vault: vulcan-kv-se-prod (not vulcan-kv-prod)
- Storage: vulcanstprod (not vulcanstorageprod)
Azure Resources
Compute
| Resource | Name | SKU | Purpose |
|---|---|---|---|
| AKS Cluster | vulcan-aks-prod | Standard_D4s_v3 (3-10 nodes) | Kubernetes 1.32 with Cilium CNI |
| Container Registry | vulcanacrprod | Standard | Docker images |
Data
| Resource | Name | SKU | Purpose |
|---|---|---|---|
| PostgreSQL Flexible (core) | vulcan-pg-core-prod | Standard_D4s_v3 | Core databases (coresetup, contracts, documents) |
| PostgreSQL Flexible (ops) | vulcan-pg-ops-prod | Standard_D8s_v3 | Ops databases with pgvector (leads, quotation, projects, invoicing, planning, ai) |
| Redis Cache | vulcan-redis-prod | Premium P1 | Caching, sessions |
| Storage Account | vulcanstprod | Standard_LRS | Blob storage |
AI
| Resource | Name | Model | Purpose |
|---|---|---|---|
| Azure OpenAI | vulcan-openai-prod | GPT-4o | Quote evaluation, contract analysis |
| Azure OpenAI | vulcan-openai-prod | text-embedding-3-large | Document embeddings (1536 dim) |
| Azure OpenAI | vulcan-openai-prod | whisper | Voice transcription |
| Content Safety | vulcan-content-safety-prod | - | AI guardrails (jailbreak, PII, moderation) |
Messaging
| Resource | Name | SKU | Purpose |
|---|---|---|---|
| Service Bus | vulcan-sb-prod | Premium | MassTransit async messaging |
Security
| Resource | Name | Purpose |
|---|---|---|
| Key Vault | vulcan-kv-se-prod | Secrets management (RBAC enabled) |
| Application Insights | - | Monitoring |
| Log Analytics | - | Centralized logging |
Database Distribution
```
PostgreSQL Flexible Servers
├── vulcan-pg-core-prod (Standard_D4s_v3, 64GB)
│   ├── coresetup → vulcan-be-coresetup
│   ├── contracts → vulcan-be-contracts
│   └── documents → vulcan-be-documents
│
└── vulcan-pg-ops-prod (Standard_D8s_v3, 128GB, pgvector)
    ├── leads → vulcan-be-leads
    ├── quotation → vulcan-be-quotation
    ├── projects → vulcan-be-projects
    ├── invoicing → vulcan-be-invoicing
    ├── planning → vulcan-be-planning
    └── ai → vulcan-be-ai (vector embeddings)
```
Architecture Diagram
```
┌─────────────────────────────────────────────────────────────────┐
│ Azure Region: Sweden Central │
│ │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ Azure Kubernetes Service (K8s 1.32) │ │
│ │ Cilium CNI │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ vulcan-be- │ │ vulcan-be- │ │ vulcan-be- │ │ │
│ │ │ coresetup │ │ leads │ │ quotation │ ... │ │
│ │ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │ │
│ │ │ │ │ │ │
│ └─────────┼───────────────┼───────────────┼──────────────────┘ │
│ │ │ │ │
│ ┌─────────▼───────────────▼───────────────▼──────────────────┐ │
│ │ PostgreSQL Flexible Servers │ │
│ │ ┌─────────────────────┐ ┌─────────────────────┐ │ │
│ │ │ vulcan-pg-core │ │ vulcan-pg-ops │ │ │
│ │ │ (D4s_v3, 64GB) │ │ (D8s_v3, 128GB) │ │ │
│ │ │ coresetup │ │ leads, quotation │ │ │
│ │ │ contracts │ │ projects, invoicing│ │ │
│ │ │ documents │ │ planning, ai │ │ │
│ │ └─────────────────────┘ └─────────────────────┘ │ │
│ └────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Redis Cache │ │ Service Bus │ │ Key Vault │ │
│ │ (Premium P1) │ │ (Premium) │ │ (RBAC) │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ Azure OpenAI ││
│ │ GPT-4o │ text-embedding-3-large │ whisper ││
│ └─────────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────────┘
```
Kubernetes Architecture
```yaml
# Cluster configuration
cluster:
  name: vulcan-aks-prod
  version: "1.32"
  network_plugin: azure
  network_dataplane: cilium

# Namespace structure
namespaces:
  - vulcan-staging   # Staging environment
  - vulcan-prod      # Production environment

# Per-namespace deployments
deployments:
  - vulcan-web
  - vulcan-be-coresetup
  - vulcan-be-leads
  - vulcan-be-quotation
  - vulcan-be-contracts
  - vulcan-be-projects
  - vulcan-be-invoicing
  - vulcan-be-documents
  - vulcan-be-ai
  - vulcan-be-planning

services:
  - ClusterIP for internal communication
  - LoadBalancer for public endpoints

ingress:
  - Nginx Ingress Controller
  - TLS termination
  - Path-based routing
```
Key Vault Secrets
| Secret | Purpose |
|---|---|
| pg-admin-password | PostgreSQL admin password |
| servicebus-connection | Service Bus connection string |
| redis-connection | Redis connection string |
| storage-connection | Storage account connection string |
| openai-api-key | Azure OpenAI API key |
| openai-endpoint | Azure OpenAI endpoint URL |
Deployment Pipeline
```
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│     Push     │     │  GitLab CI   │     │     AKS      │
│  to Branch   │  →  │   Pipeline   │  →  │  Deployment  │
└──────────────┘     └──────────────┘     └──────────────┘
```
Pipeline Stages:
1. Build - Compile code, run tests
2. Docker - Build and push image to ACR
3. Deploy - Update Kubernetes deployment
4. Verify - Health check

Environment Configuration
Staging
- URL: https://staging.vulcan.hantverksdata.se
- Branch: develop
- Deployment: Automatic after tests pass
- Approval: None required

Production
- URL: https://vulcan.hantverksdata.se
- Branch: main
- Deployment: Manual trigger
- Approval: Required

Infrastructure as Code
```
vulcan-infrastructure/
├── terraform/
│   ├── modules/
│   │   ├── aks/
│   │   ├── postgresql/
│   │   ├── redis/
│   │   ├── keyvault/
│   │   └── openai/
│   ├── environments/
│   │   ├── staging/
│   │   └── production/
│   └── main.tf
├── kubernetes/
│   ├── base/
│   │   ├── deployments/
│   │   ├── services/
│   │   └── ingress/
│   └── overlays/
│       ├── staging/
│       └── production/
└── scripts/
    ├── deploy.sh
    └── rollback.sh
```
Monitoring
Application Insights
- Request tracing
- Dependency tracking
- Exception logging
- Performance metrics
Log Analytics
- Centralized log aggregation
- KQL queries
- Alerting rules
Dashboards
- Azure Portal dashboards
- Grafana (optional)
- Datadog (pending - requires API keys)
Security
Network
- AKS with Cilium CNI
- Network policies
- Private endpoints for PaaS (planned)
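Because vulcan-staging and vulcan-prod share one AKS cluster, the network policies Cilium enforces are what keep staging workloads away from production pods. The following is an added example, not a manifest from vulcan-infrastructure; it assumes the Nginx Ingress Controller lives in a namespace named ingress-nginx and that the web pods carry the label app: vulcan-web.

```yaml
# Added example (not from the Vulcan repository): isolate vulcan-prod so that
# only its own pods and the ingress controller can reach it. Cilium enforces
# standard NetworkPolicy objects, so no CRD is required.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: vulcan-prod
spec:
  podSelector: {}            # every pod in the namespace
  policyTypes: ["Ingress"]   # with no rules, all inbound traffic is dropped
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: vulcan-prod
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}  # any pod in vulcan-prod; vulcan-staging pods do not match
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller-to-web
  namespace: vulcan-prod
spec:
  podSelector:
    matchLabels:
      app: vulcan-web        # assumed label on the vulcan-web deployment
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # label Kubernetes sets on every namespace; value is assumed
              kubernetes.io/metadata.name: ingress-nginx
```

The backend services (vulcan-be-*) stay reachable only from inside vulcan-prod, which is what the ClusterIP services above already imply.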
Identity
- Azure AD integration
- Managed Identity for services
- RBAC for resources
Secrets
- Key Vault for all secrets
- No secrets in code or config
- Automatic rotation where supported
Disaster Recovery
| Component | RPO | RTO | Strategy |
|---|---|---|---|
| Database | 5 min | 1 hour | Point-in-time restore (35-day retention) |
| Storage | 0 | 0 | GRS replication |
| AKS | N/A | 30 min | Multi-replica deployments |
Cost Estimation
| Resource | Monthly Cost |
|---|---|
| AKS (3 nodes) | ~$600 |
| PostgreSQL (2 servers) | ~$1,000 |
| Azure OpenAI | ~$300-800 |
| Service Bus Premium | ~$400 |
| Redis Premium | ~$500 |
| Storage | ~$100 |
| Other (KV, ACR, etc.) | ~$100 |
| Total | ~$3,000-3,500 |