Azure Deployment Specifications

High-level Azure Deployment Networking Diagram

This diagram shows the overall wallet network topology of the Institutional Vault deployment:

graph TD
    Internet --> DNS[Azure DNS Zone]
    DNS --> Ingress[AKS Ingress / Load Balancer]

    subgraph Region[Azure Region]
      subgraph VNet[VNet 10.1.0.0/16]
        subgraph AKSSubnet[AKS Subnet 10.1.8.0/21]
          Ingress --> AKSCluster
          subgraph AKSCluster[AKS Cluster 10.2.0.0/16]
            WalletPods[Wallet Pods]
          end
        end

        subgraph DBSubnet[DB Subnet 10.1.0.0/24]
          Postgres[PostgreSQL Flexible Server]
        end

        WalletPods --> Postgres
      end
    end

Network and Firewall Ports

The table below summarizes the minimum network and firewall rules required for the Institutional Vault AKS deployment.

Source	Destination	Protocol / Port(s)	Purpose / Notes
External users / administrators (External Network)	`ingress-nginx` public IP (AKS Load Balancer)	TCP 443 (HTTP 80 opt.)	Wallet UI / API, approval flows, and webhook endpoints. HTTP 80 is used only for HTTPS redirect.
AKS worker nodes / wallet pods (AKS subnet)	PostgreSQL Flexible Server (`DB Subnet 10.1.0.0/24`)	TCP 5432	Application database traffic from wallet services to Azure PostgreSQL Flexible Server.
Wallet pods (application namespace)	Cluster DNS (`kube-dns` in `kube-system` namespace)	UDP/TCP 53	Pod DNS resolution inside the AKS cluster.
Wallet pods (application namespace)	Azure DNS / Azure public services (e.g. Key Vault, AAD/OIDC, ACR)	TCP 443	Outbound HTTPS for identity, secrets, image pulls, and Azure control-plane APIs.
Wallet pods (application namespace)	External / internal blockchain node RPC endpoints	TCP 443, 8555–8556, 8546	Node RPC connectivity for on-chain operations over HTTPS and WebSocket.
Wallet pods (application namespace, internal)	NATS pods / services inside AKS	TCP 4222, 8222, 8443	Internal message bus (NATS) and related monitoring endpoints within the cluster only.

These ports should be reflected in any perimeter firewall, Azure NSG rules, and on-prem network controls used in the deployment.

Recommended Service and Infrastructure Sizing

The following tables summarize the recommended sizing derived from the Azure Terraform and Helm configuration.

Kubernetes Workload Sizing (per pod)

Service Name	Resource Type	CPU (cores)	Memory (GB)
Wallet UI / API (includes approval)	microservice container	1	1
WalletConnect service	microservice container	1	1
MPA Policy-node	microservice container	1	1
EVM tracker (per chain)	microservice container	0.5	0.5
NATS message broker	microservice container	0.5	1

Azure Infrastructure Sizing

Component	Resource Type	CPU Cores	Memory (GB)	Azure Specification
AKS system node pool	Kubernetes worker node	2	8	`Standard_D2s_v5`, `node_count = 1` (default).
AKS application node pool	Kubernetes worker node	2	8	`Standard_D2s_v5`, autoscaling `1–3` nodes.
AKS confidential node pool	Kubernetes worker node (CVM)	4	16	`Standard_DC4s_v3`, autoscaling `1–3` nodes.
Relational Database (per replica)	Database PaaS	4	16	Azure PostgreSQL Flexible Server, SKU `GP_Standard_D4s_v3`.
Key Vault	Secrets management	N/A	N/A	Azure Key Vault, SKU `Standard`.
Container Registry	Container registry	N/A	N/A	Azure Container Registry, SKU `Standard`.
Log Analytics Workspace + Storage	Monitoring and log retention	N/A	N/A	`PerGB2018` workspace with export to a Standard LRS storage account.