
Azure Deployment Architecture

The production deployment — running today at app.brainzbytes.com

Customer identity + BrainzBytes infrastructure, zero API keys, Managed Identity everywhere. Every Azure service is accessed via federated workload identity.

Identity & Authentication

Entra ID (Admin SSO)
    Provider tenant for platform engineers
    Users: ajay@, sre@, devops@
    Role: manager
    MFA via Conditional Access

Magic Link (End Users)
    Passwordless email authentication
    Any email: Gmail, corporate, .edu
    Role: viewer / developer
    Self-register + admin approval

Self-Service Groups
    Users create teams, invite members
    Shared connectors, credentials, policies
    Isolated per group (vault + RAG)
    Cosmos-backed group model

🔒 JWT Session (OIDC or Magic Link) — unified session["user"]

BrainzBytes Platform (Azure Infrastructure)

Resource Group: aiopm-rg
AKS: contextweaver-aks • 3 nodes • D2s_v3

Ingress Layer
    Primary: App Gateway contextweaver-appgw
        IP: 135.222.162.46 • WAF enabled
        TLS termination • Path-based routing
    Backup: ingress-nginx (nginx controller)
        Namespace: ingress-nginx
        LB: 4.153.112.104

default namespace (Istio injected)
    cerebro-app 2/2 (app + istio-proxy)
    ServiceAccount: contextweaver-sa
    Workload Identity: aiopm-mi
    PeerAuthentication: PERMISSIVE

mcp1 namespace (Istio injected)
    mcp1 engine 2/2 (engine + istio-proxy)
    ServiceAccount: contextweaver-sa
    Workload Identity: aiopm-mi
    PeerAuthentication: STRICT
    4 plugins: email (13 tools), github (6), payments (10), travel (4)

Managed Identity: aiopm-mi
    Object ID: 7ee52e99-**** • Federated credentials for both namespace ServiceAccounts
    X.509 cert, auto-rotated — no MFA needed (machine auth is stronger than password+MFA)
    Roles: Contributor, Key Vault Admin, Cognitive Services User, Search Data Contributor, Cosmos DB Data Contributor, AcrPull, Managed Identity Operator

Azure Services (all via Managed Identity — zero keys)

ACR: aiopmacr.azurecr.io
    2 container images
    Pull via Managed Identity

Azure Key Vault: aiopm-kv
    14 secrets stored
    Access via MI, RBAC policy

Azure OpenAI: devpilotx-openai
    gpt-5-chat + text-embedding-3-large
    Cognitive Services User role

Azure AI Search: search-contextweaver
    Vector indexes for RAG
    Search Data Contributor role

Cosmos DB: db-contextweaver
    cerebro database • 9 containers
    Cosmos Data Contributor role

Azure Communication Services: contextweaver-comm
    Email notifications (access codes, alerts)
    Azure-managed domain, 100/day free

Private Endpoints: pe-cosmos · pe-keyvault
    Zero public network access
    VNet backbone + Private DNS Zones

External Services
    Credentials stored in AKV: Stripe API, Gmail / Calendar, GitHub API

Customer Isolation on Azure

Every customer gets dedicated Azure resources on a shared AKS cluster — complete separation at every layer.

Per-Customer Resources
    🔒 Azure Key Vault — dedicated vault per customer
    💾 Cosmos DB — separate database per customer
    🔍 AI Search — separate search service per customer
    👤 User-Assigned Managed Identity — per-customer MI with RBAC scoped to only its own resources

Isolation Controls
    🌐 AKS Namespace — each customer in its own namespace with NetworkPolicy
    🛡️ Istio mTLS — STRICT mode per customer namespace
    🚦 App Gateway — routes *.brainzbytes.com → correct namespace by hostname
    🔑 RBAC — each MI only has roles on its own resources
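
The per-customer boundary above (dedicated MI, federated credential for the namespace ServiceAccount, RBAC scoped to the customer's own vault, STRICT mTLS and a NetworkPolicy in the customer namespace) as one provisioning script. This is an added example, not BrainzBytes' own tooling. It takes the resource group aiopm-rg, the cluster contextweaver-aks and the ServiceAccount name contextweaver-sa from the page; the customer name, the cust-<customer> namespace, the <customer>-kv vault name, the sample subscription ID and the Key Vault Secrets User role are assumptions. Note that the page shows the default namespace in PERMISSIVE mode, which still accepts plaintext from pods outside the mesh, while the customer namespaces are STRICT; the manifests below emit STRICT.

```shell
#!/usr/bin/env bash
# Added example, not the BrainzBytes project's own tooling: provisions one customer's
# identity boundary. Assumed from the page: resource group aiopm-rg, cluster
# contextweaver-aks, ServiceAccount contextweaver-sa. Customer name, namespace, vault
# name and subscription ID are constructed sample values. Dry run by default (prints
# commands and manifests); APPLY=1 executes them with a logged-in Azure CLI.
set -eu
RG="${RG:-aiopm-rg}"
AKS="${AKS:-contextweaver-aks}"
SA_NAME="contextweaver-sa"

# Azure RBAC scope of one customer's Key Vault. The role is assigned at this resource,
# never at resource-group or subscription scope, so the customer MI cannot reach any
# other vault in aiopm-rg although every customer shares the cluster.
vault_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Subject claim Entra ID matches against the projected ServiceAccount token: only pods
# running as this namespace/SA pair can exchange their token for the MI.
federated_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Kubernetes side of the boundary for one customer namespace:
#  - ServiceAccount bound to the customer MI via the workload-identity annotation
#  - PeerAuthentication STRICT: sidecars reject non-mTLS traffic (PERMISSIVE, which the
#    page shows on the default namespace, still accepts plaintext from outside the mesh)
#  - NetworkPolicy admitting ingress only from pods in the same namespace
customer_manifests() {
  local ns="$1" client_id="$2" sa="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
  annotations:
    azure.workload.identity/client-id: ${client_id}
---
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: ${ns}
spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-namespace-only
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}
EOF
}

# Print a command in dry-run mode, execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi; }

provision_customer() {
  local customer="$1" sub="$2"
  local ns="cust-${customer}" mi="${customer}-mi" vault="${customer}-kv"
  local client_id="<client-id-of-${mi}>" principal_id="<principal-id-of-${mi}>" issuer="<oidc-issuer-of-${AKS}>"

  # 1. Dedicated user-assigned MI for this customer; no key or secret is created.
  run az identity create -g "$RG" -n "$mi"
  if [ "${APPLY:-0}" = "1" ]; then
    client_id=$(az identity show -g "$RG" -n "$mi" --query clientId -o tsv)
    principal_id=$(az identity show -g "$RG" -n "$mi" --query principalId -o tsv)
    issuer=$(az aks show -g "$RG" -n "$AKS" --query oidcIssuerProfile.issuerUrl -o tsv)
  fi

  # 2. Federated credential: trust tokens from this namespace's ServiceAccount only.
  run az identity federated-credential create -g "$RG" --identity-name "$mi" \
    -n "${ns}-${SA_NAME}" --issuer "$issuer" \
    --subject "$(federated_subject "$ns" "$SA_NAME")" --audiences api://AzureADTokenExchange

  # 3. Data-plane role on this customer's vault only. Key Vault Secrets User is an
  #    assumed least-privilege choice; the page does not name the per-customer role.
  run az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --scope "$(vault_scope "$sub" "$RG" "$vault")"

  # 4. Namespace with sidecar injection, then the manifests above.
  run kubectl create namespace "$ns"
  run kubectl label namespace "$ns" istio-injection=enabled
  if [ "${APPLY:-0}" = "1" ]; then
    customer_manifests "$ns" "$client_id" "$SA_NAME" | kubectl apply -f -
  else
    customer_manifests "$ns" "$client_id" "$SA_NAME"
  fi
}

provision_customer "${CUSTOMER:-acme}" "${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
```

Run it once without APPLY to review the commands and manifests, then with APPLY=1. Afterwards, `az role assignment list --assignee <principal-id> --all` should show exactly one assignment for the customer MI, scoped to its own vault; an assignment at resource-group or subscription scope would mean the "each MI only has roles on its own resources" control is not holding.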

Azure Security Posture
    Zero API Keys • Managed Identity • Istio mTLS • HTTPS + WAF • Workload Identity • Azure Key Vault • Entra ID SSO • Magic Link Auth • MFA via Conditional Access