
Azure Deployment Architecture

The production deployment — running today at app.brainzbytes.com

Customer identity + BrainzBytes infrastructure, zero API keys, Managed Identity everywhere. Every Azure service is accessed via federated workload identity.

Customer Identity (Your Entra ID)
  Entra ID: Personal Tenant 21343dd5-****
    Users: ajaymgr@… etc.
    MFA via Conditional Access
  App Registration: contextweaver-app
    Client ID: 0ed7c81d-****
    Multi-tenant OIDC
  Redirect URI: https://app.brainzbytes.com/oidc/callback
    Authorization code flow
    JWT with roles + groups
  🔒 OIDC JWT Token — the ONLY thing crossing the boundary
BrainzBytes Platform (Azure Infrastructure)
  Resource Group: aiopm-rg
  AKS: contextweaver-aks (3 nodes, D2s_v3)

  Ingress Layer
    Primary: App Gateway contextweaver-appgw
      IP: 135.222.162.46, WAF enabled
      TLS termination, path-based routing
    Backup: ingress-nginx (nginx controller)
      Namespace: ingress-nginx
      LB: 4.153.112.104

  default namespace (Istio injected)
    cerebro-app 2/2 (app + istio-proxy)
    ServiceAccount: contextweaver-sa
    Workload Identity: aiopm-mi
    PeerAuthentication: PERMISSIVE

  mcp1 namespace (Istio injected)
    mcp1 engine 2/2 (engine + istio-proxy)
    ServiceAccount: contextweaver-sa
    Workload Identity: aiopm-mi
    PeerAuthentication: STRICT
    4 plugins: email (13 tools), github (6), payments (10), travel (4)

  Managed Identity: aiopm-mi
    Object ID: 7ee52e99-****
    Federated credentials for both namespace ServiceAccounts
    X.509 cert, auto-rotated — no MFA needed (machine auth is stronger than password+MFA)
    Roles: Contributor, Key Vault Admin, Cognitive Services User, Search Data Contributor, Cosmos DB Data Contributor, AcrPull, Managed Identity Operator
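The diagram says both namespace ServiceAccounts are bound to aiopm-mi through federated credentials. The manifests below are an added illustration of how that binding is expressed on the AKS side with Workload Identity; they are not the project's own manifests. The Managed Identity client ID is a placeholder (the page shows only a masked Object ID), and the Deployment name, image tag and container name are assumed.

```yaml
# Added example (not from the BrainzBytes deployment): binding the mcp1 namespace's
# ServiceAccount to the user-assigned Managed Identity aiopm-mi via AKS Workload Identity.
# Assumptions: <AIOPM-MI-CLIENT-ID> is a placeholder; Deployment/image names are illustrative.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: contextweaver-sa
  namespace: mcp1
  annotations:
    # Client ID of the user-assigned MI (placeholder; the page lists only a masked Object ID)
    azure.workload.identity/client-id: "<AIOPM-MI-CLIENT-ID>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcp1-engine            # name assumed
  namespace: mcp1
spec:
  replicas: 2                  # matches the "2/2" shown in the diagram
  selector:
    matchLabels:
      app: mcp1-engine
  template:
    metadata:
      labels:
        app: mcp1-engine
        # This label makes the AKS webhook mount a projected ServiceAccount token
        # and set AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_FEDERATED_TOKEN_FILE /
        # AZURE_AUTHORITY_HOST in the container. No secret or key is involved.
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: contextweaver-sa
      containers:
        - name: engine
          image: aiopmacr.azurecr.io/mcp1-engine:latest   # image name assumed
          ports:
            - containerPort: 8080                          # port assumed
```

For this to work, aiopm-mi needs one federated credential per namespace whose issuer is the cluster's OIDC issuer URL, whose subject is `system:serviceaccount:mcp1:contextweaver-sa` (and likewise `system:serviceaccount:default:contextweaver-sa` for the default namespace), and whose audience is `api://AzureADTokenExchange`. A quick check that the binding is active is `kubectl -n mcp1 describe pod <pod>` showing the `AZURE_*` environment variables and the `azure-identity-token` projected volume. Note that aiopm-mi carries Contributor plus several data-plane roles; the per-customer design described further down, with one MI per customer scoped only to that customer's resources, is what narrows this blast radius.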
Azure Services (all via Managed Identity, zero keys)
  ACR: aiopmacr.azurecr.io
    2 container images, pull via Managed Identity
  Azure Key Vault: aiopm-kv
    14 secrets stored, access via MI, RBAC policy
  Azure OpenAI: a4ohackathon2025
    gpt-4o-mini + ada-002, Cognitive Services User role
  Azure AI Search: search-contextweaver
    Vector indexes for RAG, Search Data Contributor role
  Cosmos DB: db-contextweaver
    cerebro database, 8 containers, Cosmos DB Data Contributor role
  External Services (credentials stored in AKV): Stripe API, Gmail / Calendar, GitHub API

Customer Isolation on Azure

Every customer gets dedicated Azure resources on a shared AKS cluster — complete separation at every layer.

Per-Customer Resources
  🔒 Azure Key Vault — dedicated vault per customer
  💾 Cosmos DB — separate database per customer
  🔍 AI Search — separate search service per customer
  👤 User-Assigned Managed Identity — per-customer MI with RBAC scoped to only its own resources

Isolation Controls
  🌐 AKS Namespace — each customer in its own namespace with NetworkPolicy
  🛡️ Istio mTLS — STRICT mode per customer namespace
  🚦 App Gateway — routes *.brainzbytes.com → correct namespace by hostname
  🔑 RBAC — each MI only has roles on its own resources
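The four isolation controls above map onto a small set of Kubernetes objects. The manifests below are an added example of that set for one hypothetical customer ("acme"); they are not taken from the BrainzBytes deployment. The namespace name, hostname, Service name, ports and the AGIC ingress class name are assumptions; the namespace labels used in selectors are the standard `kubernetes.io/metadata.name` labels.

```yaml
# Added example, not the project's own manifests: per-customer isolation for "acme".
# Assumptions: namespace cust-acme, host acme.brainzbytes.com, Service cerebro-app:8080,
# ingressClassName azure-application-gateway (AGIC), ingress controller in ingress-nginx.
apiVersion: v1
kind: Namespace
metadata:
  name: cust-acme
  labels:
    istio-injection: enabled        # sidecars are required before STRICT mTLS can be enforced
---
# Istio: refuse any plaintext connection to workloads in this namespace
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: cust-acme
spec:
  mtls:
    mode: STRICT
---
# Default-deny both directions, then open only what the workload needs
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: cust-acme
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Ingress only from the ingress controller namespace; other customers' namespaces cannot connect
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress
  namespace: cust-acme
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
---
# Egress: DNS, the istiod control plane (sidecar config + workload certs), and HTTPS
# for Azure services reached with the customer's Managed Identity. Nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-required-egress
  namespace: cust-acme
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
      ports:
        - protocol: TCP
          port: 15012                # istiod xDS and certificate issuance
    - ports:
        - protocol: TCP
          port: 443
---
# Hostname routing: acme.brainzbytes.com lands in this namespace and nowhere else
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: acme-app
  namespace: cust-acme
spec:
  ingressClassName: azure-application-gateway   # AGIC class name; assumed
  rules:
    - host: acme.brainzbytes.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: cerebro-app      # Service name assumed
                port:
                  number: 8080
```

Two caveats a reviewer would check. First, NetworkPolicy is only enforced if the AKS cluster runs a network policy engine (Azure or Calico); on a cluster without one these objects are accepted and silently ignored. Second, with PeerAuthentication in STRICT mode, a plaintext connection from an ingress controller that sits outside the mesh is rejected, so the hop from App Gateway or ingress-nginx into the namespace must itself pass through an Istio sidecar or an Istio ingress gateway. A useful self-check is `istioctl x describe pod <pod>` in the customer namespace, which reports the effective mTLS mode, plus a test pod in another namespace confirming that a direct connection to the customer's Service times out.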
Azure Security Posture
  Zero API Keys • Managed Identity • Istio mTLS • HTTPS + WAF • Workload Identity • Azure Key Vault • Entra ID SSO • MFA via Conditional Access