# Phase 1 Deployment Summary

## Overview

Phase 1 is the initial deployment that brings the DeFi Oracle Meta Mainnet (ChainID 138) online on a simplified VM-based architecture: one admin/control-plane region (West Europe) plus 5 US Commercial Azure workload regions.

## Architecture

### West Europe (Admin/Control Plane)

- **Purpose**: Admin-only region, no workload nodes
- **Resources**:
  - Key Vault for secrets management
  - Nginx Proxy Server (`Standard_D4plsv6`) that routes traffic arriving from Cloudflare to the workload regions
  - Networking infrastructure

### 5 US Commercial Azure Regions (Workload)

- **Regions**: `eastus`, `westus`, `centralus`, `eastus2`, `westus2`
- **Per Region**:
  - 1 VM using `Standard_D8plsv6` (8 vCPUs, Dplsv6 family)
  - Ubuntu 22.04 LTS Gen 2
  - Docker Engine, NVM, Node.js 22 LTS, JDK 17
  - Besu blockchain client

## Infrastructure Components

### Modules Created

1. **networking-vm** (`terraform/modules/networking-vm/`)
   - Virtual Network (10.0.0.0/16)
   - VM Subnet (10.0.1.0/24)
   - Network Security Group with rules for:
     - SSH (22)
     - P2P TCP/UDP (30303)
     - RPC HTTP (8545)
     - RPC WebSocket (8546)
     - Metrics (9545)
2. **nginx-proxy** (`terraform/modules/nginx-proxy/`)
   - Nginx reverse proxy VM (`Standard_D4plsv6`)
   - Load balancing across the 5 US regions
   - SSL/TLS termination (certbot ready)
   - Cloudflare integration ready
3. **vm-deployment** (updated)
   - Phase 1 cloud-init (`cloud-init-phase1.yaml`)
   - Installs: Docker, NVM, Node 22 LTS, JDK 17
   - Besu container setup

## Networking Security

The Phase 1 rule set is deliberately permissive so the network can come up quickly; the rules marked TODO below are not yet restricted to the source named next to them. Only the P2P port (30303) needs to be reachable from the Internet. SSH, the JSON-RPC ports and the metrics port must be restricted to their intended sources before this deployment is treated as production.

### NSG Rules for Workload VMs

- **Inbound**:
  - SSH (22): Allow from anywhere (TODO: restrict to admin IP ranges before production)
  - P2P TCP (30303): Allow Besu P2P from anywhere (required for peering)
  - P2P UDP (30303): Allow Besu discovery from anywhere (required for peering)
  - RPC HTTP (8545): Intended source is the Nginx proxy only (TODO: restrict; the JSON-RPC port must not be reachable directly from the Internet)
  - RPC WebSocket (8546): Intended source is the Nginx proxy only (TODO: restrict)
  - Metrics (9545): Intended source is Prometheus only (TODO: restrict)
- **Outbound**: Allow all (Internet access, needed for P2P peering and for the package and image pulls done by cloud-init)

### NSG Rules for Nginx Proxy

- **Inbound**:
  - HTTP (80): Allow from Cloudflare (TODO: restrict to Cloudflare IP ranges)
  - HTTPS (443): Allow from Cloudflare (TODO: restrict to Cloudflare IP ranges)
  - SSH (22): Allow for management (TODO: restrict to admin IPs)
- **Outbound**: Allow all (backend communication with the workload VMs)

Until the Cloudflare restriction is in place, the proxy's origin address can be reached directly, bypassing whatever filtering is configured on the Cloudflare side.

## Deployment Files

### Phase 1 Configuration

- `terraform/phases/phase1/phase1-main.tf`: Main Terraform configuration
- `terraform/phases/phase1/variables.tf`: Variable definitions
- `terraform/phases/phase1/terraform.tfvars.example`: Example variables
- `terraform/phases/phase1/README.md`: Deployment guide

### Phase 3 Archive

- `terraform/phases/phase3/multi-region-global.tf`: Archived 36-region AKS deployment plan

## Next Steps

1. **Deploy Phase 1**:
   ```bash
   cd terraform/phases/phase1
   terraform init
   cp terraform.tfvars.example terraform.tfvars
   # Edit terraform.tfvars with your SSH public key before planning
   terraform plan -out tfplan
   terraform apply tfplan
   ```
2. **Configure SSL**:
   - SSH to the Nginx proxy VM
   - Run certbot to issue and install the TLS certificates
   - Update Cloudflare DNS to point at the Nginx proxy
3. **Harden Security**:
   - Restrict NSG rules to specific IP ranges
   - Configure the Cloudflare IP ranges as the only allowed source for the Nginx proxy on 80/443
   - Restrict SSH access to admin IPs

   Between steps 1 and 3 the SSH and RPC ports are open to any source, so keep that window short, or set the restricted source ranges before the first `terraform apply`.
4. **Monitor and Validate**:
   - Verify Besu nodes are syncing
   - Test RPC endpoints through the Nginx proxy
   - Monitor VM health and metrics
5. **Plan Phase 3 Expansion**:
   - After Phase 1 is stable, deploy Phase 3 (36-region global AKS)

## Resource Naming Convention

All resources follow: `{cloud}-{env}-{region}-{resource}-{instance}`

- **Cloud**: `az` (Azure)
- **Environment**: `p` (prod), `d` (dev), `t` (test), `s` (staging)
- **Region**: short region code, 3 or 4 characters (e.g., `eus`, `wus`, `cus`, `eus2`, `wus2`, `wst`)
- **Resource**: Resource type abbreviation, optionally followed by a qualifier (e.g., `rg-comp` for a compute resource group)
- **Instance**: Sequential number (e.g., `001`)

Example: `az-p-eus-rg-comp-001` (Azure prod East US compute resource group 001)
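As an added check for the NSG rules listed under Networking Security (example code written for this summary, not part of the project's Terraform or tooling): the script below takes NSG rules in the shape of `az network nsg rule list -o json` output and reports every inbound Allow rule that opens the SSH, JSON-RPC or metrics ports to any source, honouring NSG priority order so a port already blocked by an earlier any-source Deny is not reported. The field names are assumed from the Azure REST schema; both rule sets, and the RFC 5737 documentation addresses standing in for the admin range and the proxy IP, are constructed for the example.

```python
"""Audit Azure NSG rules for Internet-exposed SSH, JSON-RPC and metrics ports.

Added example (not part of the Phase 1 Terraform). Input is a list of rule
dicts shaped like `az network nsg rule list -o json`; field names are assumed
from the Azure REST schema and the sample rule sets below are constructed.
"""
from __future__ import annotations

# TCP ports that must only be reachable from a trusted source.
# Besu P2P (30303) is meant to be public and is deliberately not listed.
RESTRICTED_TCP_PORTS = {22, 8545, 8546, 9545}

# Source prefixes that mean "the whole Internet" in an NSG rule.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}


def _ports(rule: dict) -> set[int] | None:
    """Expand destinationPortRange(s) to a set of ints; None means every port."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ports: set[int] = set()
    for item in raw:
        if item == "*":
            return None
        lo, _, hi = item.partition("-")  # "8545-8546" or a single "22"
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _open_to_internet(rule: dict) -> bool:
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return any(s.lower() in ANY_SOURCE for s in srcs)


def find_exposed_rules(rules: list[dict]) -> list[tuple[str, int]]:
    """Return (rule name, port) for each inbound Allow rule that opens a
    restricted TCP port to any source.

    NSG rules are evaluated lowest priority number first, first match wins,
    so an any-source Deny with a lower number shadows later Allows on the
    same port; those ports are not reported.
    """
    shadowed: set[int] = set()
    exposed: list[tuple[str, int]] = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound":
            continue
        if rule.get("protocol", "*") not in ("*", "Tcp"):
            continue  # UDP/ICMP-only rules cannot expose these TCP services
        ports = _ports(rule)
        hit = RESTRICTED_TCP_PORTS if ports is None else ports & RESTRICTED_TCP_PORTS
        if not hit or not _open_to_internet(rule):
            continue
        if rule.get("access") == "Deny":
            shadowed |= hit
        elif rule.get("access") == "Allow":
            exposed.extend((rule["name"], p) for p in sorted(hit - shadowed))
    return exposed


def make_rule(name, priority, port, source, protocol="Tcp", access="Allow"):
    """Build a rule dict in the az CLI output shape (constructed test data)."""
    ranges = port if isinstance(port, list) else None
    return {
        "name": name, "priority": priority, "direction": "Inbound",
        "access": access, "protocol": protocol,
        "destinationPortRange": None if ranges else port,
        "destinationPortRanges": ranges or [],
        "sourceAddressPrefix": source, "sourceAddressPrefixes": [],
    }


# As deployed in Phase 1 with the TODOs unresolved: SSH and RPC open to any source.
WORKLOAD_RULES = [
    make_rule("allow-ssh", 100, "22", "*"),
    make_rule("allow-p2p-tcp", 110, "30303", "*"),
    make_rule("allow-p2p-udp", 111, "30303", "*", protocol="Udp"),
    make_rule("allow-rpc", 120, ["8545", "8546"], "Internet"),
    make_rule("allow-metrics", 130, "9545", "10.0.1.0/24"),
]

# After the hardening step. 203.0.113.0/24 and 198.51.100.10 are RFC 5737
# documentation addresses standing in for the admin range and proxy egress IP.
HARDENED_RULES = [
    make_rule("allow-ssh", 100, "22", "203.0.113.0/24"),
    make_rule("allow-p2p-tcp", 110, "30303", "*"),
    make_rule("allow-p2p-udp", 111, "30303", "*", protocol="Udp"),
    make_rule("allow-rpc", 120, ["8545", "8546"], "198.51.100.10/32"),
    make_rule("allow-metrics", 130, "9545", "10.0.1.0/24"),
]

if __name__ == "__main__":
    for label, rules in (("phase1", WORKLOAD_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {find_exposed_rules(rules) or 'nothing exposed'}")
```

To run it against a real NSG, feed it the parsed output of `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`; an empty result for every workload NSG and for the proxy NSG is a reasonable exit criterion for the Harden Security step.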