Azure Deployment Specifications

📝 Understand the Wallet Azure networking, sizing and quotas.

High-level Azure Deployment Networking Diagram

This diagram shows the overall wallet network topology of the Institutional Vault deployment. The VNet is 10.1.0.0/16, with the AKS nodes in 10.1.8.0/21 and the PostgreSQL Flexible Server in 10.1.0.0/24; the 10.2.0.0/16 range drawn inside the cluster is a cluster-internal address range and deliberately does not overlap the VNet address space.

```mermaid
graph TD
    Internet --> DNS[Azure DNS Zone]
    DNS --> Ingress[AKS Ingress / Load Balancer]

    subgraph Region[Azure Region]
      subgraph VNet[VNet 10.1.0.0/16]
        subgraph AKSSubnet[AKS Subnet 10.1.8.0/21]
          Ingress --> AKSCluster
          subgraph AKSCluster[AKS Cluster 10.2.0.0/16]
            WalletPods[Wallet Pods]
          end
        end

        subgraph DBSubnet[DB Subnet 10.1.0.0/24]
          Postgres[PostgreSQL Flexible Server]
        end

        WalletPods --> Postgres
      end
    end
```

Network and Firewall Ports

The table below summarizes the minimum network and firewall rules required for the Institutional Vault AKS deployment.

| Source | Destination | Protocol / Port(s) | Purpose / Notes |
|---|---|---|---|
| External users / administrators (external network) | ingress-nginx public IP (AKS Load Balancer) | TCP 443 (TCP 80 optional) | Wallet UI / API, approval flows and webhook endpoints. Port 80 is used only for the HTTPS redirect. |
| Wallet pods, MPA policy-node pods (AKS subnet) | PostgreSQL Flexible Server (DB Subnet 10.1.0.0/24) | TCP 5432 | Application database traffic from wallet services and MPA policy nodes to Azure PostgreSQL Flexible Server. |
| Wallet pods, MPA policy-node pods (internal) | NATS pods / services inside AKS | TCP 4222, 8222, 8443 | Internal message bus (NATS) used by wallet services and MPA policy nodes for orchestration messaging. |
| Wallet pods, MPA policy-node pods | Cluster DNS (kube-dns in the kube-system namespace) | UDP/TCP 53 | Pod DNS resolution inside the AKS cluster. |
| Wallet pods, MPA policy-node pods | Azure DNS / Azure public services (e.g. Key Vault, AAD/OIDC, ACR) | TCP 443 | Outbound HTTPS for identity, secrets, image pulls and Azure control-plane APIs. MPA policy nodes use this for OIDC key discovery and optionally Azure Key Vault. |
| Wallet pods (application namespace) | External / internal blockchain node RPC endpoints | TCP 443, 8555–8556, 8546 | Node RPC connectivity for on-chain operations over HTTPS and WebSocket. |
| Wallet pods (application namespace) | Blockdaemon API (https://svc.blockdaemon.com) | TCP 443 | Blockchain data, staking, token, pricing, balance and transaction queries via Blockdaemon. |
| Wallet pods (application namespace) | WalletConnect relay (wss://relay.walletconnect.com) | TCP 443 (WSS) | WalletConnect v2 relay for dApp-to-wallet session and signing communication. |
| Wallet pods (application namespace) | ApproverApp Expo push service (https://expo.host) | TCP 443 | Outbound push notifications to mobile devices via the Expo push notification service. |
| Wallet pods (application namespace) | Chainalysis KYT API (https://api.chainalysis.com), optional | TCP 443 | KYT compliance screening for withdrawal and deposit transactions. Required only when the Chainalysis integration is enabled. |
| Wallet pods (application namespace) | Canton validator, scan API and DA Utilities (https://api.utilities.digitalasset.com), optional | TCP 443 (HTTPS and gRPC) | Canton ledger, validator and scan API access, plus Digital Asset utility services. Required only when Canton/Daml blockchain support is enabled. |

These ports should be reflected in any perimeter firewall, Azure NSG rules and on-prem network controls used in the deployment. Two caveats apply when translating the table into NSGs. First, the default AllowVnetInBound rule admits all traffic between subnets of the same VNet, so the DB subnet needs an explicit deny rule below the TCP 5432 allow from 10.1.8.0/21, otherwise the "minimum" above is not actually enforced. Second, NSGs match on IP prefixes and service tags, not hostnames, so the FQDN-based egress rows (Blockdaemon, WalletConnect, Expo, Chainalysis, Digital Asset) can only be enforced outbound with an Azure Firewall application rule or an egress proxy.
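As an added check that is not part of the project's Terraform or Helm configuration, the following Python evaluates a set of NSG rules against the flows the table requires for the DB subnet, using Azure's first-match-by-priority semantics together with the default inbound rules. The rule names, the sample pod and server addresses, and the second subnet 10.1.200.0/24 are constructed for the example; the assumption that pod egress appears from within 10.1.8.0/21 (pod IPs under Azure CNI, node IPs under overlay/kubenet SNAT) is marked in the code.

```python
"""Added example (not the project's code): check that an NSG on the DB subnet
really enforces "TCP 5432 from the AKS subnet only".

Azure semantics modelled here: inbound rules are evaluated in ascending
priority, the first match wins, and every NSG carries the default rules
AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and
DenyAllInBound (65500).  Rule names and sample addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.1.0.0/16")        # VNet from the diagram above
AZURE_LB_PROBE_IP = "168.63.129.16"     # what the AzureLoadBalancer tag resolves to


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    src: str           # CIDR, "*", or a service tag
    dst: str
    dst_ports: tuple   # e.g. ("5432",), ("8555-8556",), ("*",)


def _prefix_matches(prefix: str, addr: str) -> bool:
    """Match a CIDR or one of the two service tags this example needs."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip_address(addr) in VNET
    if prefix == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return ip_address(addr) in ip_network(prefix)


def _port_matches(ranges: tuple, port: int) -> bool:
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# Default inbound rules Azure adds to every NSG; they cannot be deleted, only
# overridden by a lower-numbered (higher-precedence) custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", ("*",)),
]


def evaluate(rules, src: str, dst: str, proto: str, port: int):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", proto):
            continue
        if not (_prefix_matches(r.src, src) and _prefix_matches(r.dst, dst)):
            continue
        if _port_matches(r.dst_ports, port):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# The row "AKS subnet -> PostgreSQL, TCP 5432" transcribed into a rule.  Assumption:
# pods under Azure CNI use subnet IPs and overlay/kubenet pods are SNATed to node
# IPs, so 10.1.8.0/21 covers pod egress either way.
ALLOW_PG = Rule("AllowPostgresFromAKS", 100, "Allow", "Tcp", "10.1.8.0/21", "10.1.0.0/24", ("5432",))

# Weak: only the allow rule.  The default AllowVnetInBound still admits any other
# VNet traffic, so the table's "minimum" is not actually enforced.
DB_NSG_WEAK = [ALLOW_PG]

# Hardened: an explicit deny ahead of the defaults closes the gap.
DB_NSG_HARDENED = [ALLOW_PG, Rule("DenyAllOtherInBound", 4000, "Deny", "*", "*", "*", ("*",))]


def check_db_subnet(rules) -> dict:
    """Evaluate the flows that matter for the DB subnet (addresses constructed)."""
    flows = {
        "aks_to_pg": ("10.1.9.14", "10.1.0.4", "Tcp", 5432),          # wallet pod -> PostgreSQL
        "aks_to_ssh": ("10.1.9.14", "10.1.0.4", "Tcp", 22),           # from AKS, but not a listed port
        "other_vnet_to_pg": ("10.1.200.7", "10.1.0.4", "Tcp", 5432),  # a different VNet subnet
    }
    return {name: evaluate(rules, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for label, nsg in (("weak", DB_NSG_WEAK), ("hardened", DB_NSG_HARDENED)):
        print(label, check_db_subnet(nsg))
```

The weak NSG allows all three flows, because everything not matched by the single custom rule falls through to AllowVnetInBound; the hardened NSG allows only the listed 5432 flow. The evaluator models inbound rules only; the live equivalents for a deployed cluster are `az network nic list-effective-nsg` on a node NIC and `az network watcher test-ip-flow` for a specific source, destination and port.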

Recommended Service and Infrastructure Sizing

The following tables summarize the recommended sizing derived from the Azure Terraform and Helm configuration.

Kubernetes Workload Sizing (per pod)

| Service Name | Resource Type | CPU (cores) | Memory (GB) |
|---|---|---|---|
| Wallet UI / API (includes approval) | microservice container | 1 | 1 |
| WalletConnect service | microservice container | 1 | 1 |
| MPA policy node | microservice container | 1 | 1 |
| EVM tracker (per chain) | microservice container | 0.5 | 0.5 |
| NATS message broker | microservice container | 0.5 | 1 |

Azure Infrastructure Sizing

| Component | Resource Type | CPU Cores | Memory (GB) | Azure Specification |
|---|---|---|---|---|
| AKS system node pool | Kubernetes worker node | 2 | 8 | Standard_D2s_v5, node_count = 1 (default). |
| AKS application node pool | Kubernetes worker node | 2 | 8 | Standard_D2s_v5, autoscaling 1–3 nodes. |
| AKS confidential node pool | Kubernetes worker node (Intel SGX confidential computing) | 4 | 32 | Standard_DC4s_v3 (4 vCPU, 32 GiB), autoscaling 1–3 nodes. |
| Relational database (per replica) | Database PaaS | 4 | 16 | Azure PostgreSQL Flexible Server, SKU GP_Standard_D4s_v3. |
| Key Vault | Secrets management | N/A | N/A | Azure Key Vault, SKU Standard. |
| Container Registry | Container registry | N/A | N/A | Azure Container Registry, SKU Standard. |
| Log Analytics Workspace + Storage | Monitoring and log retention | N/A | N/A | PerGB2018 workspace with export to a Standard LRS storage account. |