Use this page to choose and configure an Azure deployment path for Corridor.

| Path | Use when | Primary docs |
| --- | --- | --- |
| AKS | You already operate Kubernetes or need Kubernetes-native scaling and operations | Kubernetes |
| Azure Container Apps | You want Azure-managed containers without managing a Kubernetes cluster | Terraform |
| Azure VMs | You want a traditional VM-based install and direct OS control | Manual |

AKS uses the shared corridor/kubernetes-ggx manifests. Start with the Kubernetes page, then apply the Azure-specific requirements below.

  • Azure Kubernetes Service for the managed Kubernetes cluster.
  • Azure Database for PostgreSQL for Corridor metadata.
  • Azure Files Premium or another approved read-write-many storage provider.
  • Azure Virtual Network for private networking.
  • Azure DNS or another DNS provider.

Optional but common services:

  • Azure Key Vault for secrets.
  • Azure Monitor for logs and metrics.
  • Azure Front Door or Web Application Firewall for edge protection.
  • Application Gateway Ingress Controller when your platform standardizes on Application Gateway.

The deploying identity needs permission to manage:

  • AKS clusters and node pools.
  • Virtual networks, subnets, route tables, private DNS zones, and network security groups.
  • Managed identities and role assignments.
  • Azure Files storage accounts and file shares.
  • PostgreSQL servers, firewall rules, and private endpoints when used.
  • DNS records and TLS certificate resources when managed in Azure.
  • Key Vault secrets when application secrets are stored there.

Install or enable these before applying the Corridor overlay:

  • Azure Files CSI Driver.
  • NGINX Ingress Controller or Application Gateway Ingress Controller.
  • cert-manager if TLS is issued from the cluster.
  • Azure Monitor Container Insights or another approved observability stack.
  • Network Policy if your environment requires pod-to-pod controls.

Production AKS deployments should normally use controlled ingress and private connectivity to PostgreSQL and storage. Network security groups and database firewall rules must allow:

  • Ingress controller to reach corridor-app and corridor-jupyter.
  • Corridor pods to reach Azure Database for PostgreSQL.
  • Corridor pods to mount Azure Files.
  • Pods to pull Corridor images from the configured registry.

The corridor/terraform-azurerm-ggx module deploys Corridor on Azure Container Apps. This is the main non-Kubernetes Azure container path.

The module provisions or configures:

  • Container Apps for the Corridor app, worker, Jupyter, PostgreSQL-facing configuration, and Nginx routing.
  • Azure Files for shared state.
  • Optional dedicated workload profiles when higher memory or predictable capacity is required.
  • Outputs for the app URL, Jupyter URL, Container App Environment, storage account, and database details.

Important inputs include the Azure region, ACR login server, ACR service principal credentials, image name, image version, Corridor license key, database admin password, and optional workload profile.

terraform init
terraform plan
terraform apply

An Azure VM deployment follows the Manual path. The Azure VM installation pattern is:

  1. Create a resource group and Azure VM, commonly Standard_D8s_v3 or larger for an all-in-one deployment.
  2. Attach and mount a data disk for /opt/corridor and application state.
  3. Create Azure Database for PostgreSQL.
  4. Install Python 3.11, Java 8 for Spark, Nginx, and unzip.
  5. Extract the Corridor installation bundle.
  6. Install the app, api, worker-api, worker-spark, and jupyter components.
  7. Configure database and application settings.
  8. Run database migrations.
  9. Create systemd services and start the components.

Use Azure VMs when you need direct host access or your organization standardizes on VM operations. Use AKS or Azure Container Apps when you want managed container operations.

  • Use managed identities where possible.
  • Store secrets in Key Vault or an approved secret store.
  • Use private networking for PostgreSQL and storage.
  • Enable encryption at rest for database and file storage.
  • Restrict SSH access and use just-in-time access where available.
  • Enable Azure Monitor and alerting before production rollout.
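
One way to check the SSH and private-networking recommendations above against network security group rules. This is an added example, not part of the Corridor documentation or tooling. It assumes rules exported in the JSON shape produced by `az network nsg rule list -o json`; the sample rules and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `az network nsg rule list -o json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "direction": "Inbound", "access": "Allow", "priority": 100,
  "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
  "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "allow-ssh-any", "direction": "Inbound", "access": "Allow", "priority": 200,
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "22", "destinationPortRanges": []},
 {"name": "allow-mgmt-range", "direction": "Inbound", "access": "Allow", "priority": 300,
  "sourceAddressPrefix": null, "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"],
  "destinationPortRange": null, "destinationPortRanges": ["20-25", "5432"]},
 {"name": "allow-ssh-bastion", "direction": "Inbound", "access": "Allow", "priority": 400,
  "sourceAddressPrefix": "10.1.2.0/24", "sourceAddressPrefixes": [],
  "destinationPortRange": "22", "destinationPortRanges": []}
]""")

OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}
SENSITIVE_PORTS = {22: "SSH", 5432: "PostgreSQL"}

def _values(rule, single, plural):
    """Merge the singular and plural forms Azure uses for prefixes and ports."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers(port_spec, port):
    """True if a port spec such as '22', '20-25' or '*' includes the port."""
    if port_spec == "*":
        return True
    low, _, high = port_spec.partition("-")
    return int(low) <= port <= int(high or low)

def find_exposed(rules):
    """Return (rule name, service) pairs for inbound allow rules open to the internet."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not OPEN_SOURCES & set(sources):
            continue
        specs = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port, service in SENSITIVE_PORTS.items():
            if any(_covers(s, port) for s in specs):
                findings.append((rule["name"], service))
    return findings

if __name__ == "__main__":
    for name, service in find_exposed(SAMPLE_RULES):
        print(f"{name}: {service} reachable from the internet")
```

The check looks at each rule in isolation and ignores priority, so a higher-priority Deny rule that already blocks the traffic is not taken into account.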