# Phase 1: Initial Deployment - 5 US Commercial Azure Regions

## Overview

Phase 1 is the initial deployment that gets the DeFi Oracle Meta Mainnet (ChainID 138) operational. This phase uses a simpler VM-based architecture before expanding to the full 36-region global AKS deployment (Phase 3).

## Architecture

- **West Europe**: Admin/control-plane only (no workload)
  - Key Vault for secrets management
  - Nginx proxy server to route Cloudflare traffic to the backend VMs
- **5 US Commercial Azure Regions**: Workload VMs
  - `eastus` (East US)
  - `westus` (West US)
  - `centralus` (Central US)
  - `eastus2` (East US 2)
  - `westus2` (West US 2)

## VM Configuration

Each US region deploys:

- **1 VM** using `Standard_D8plsv6` (8 vCPUs, Dplsv6 family)
- **Ubuntu 22.04 LTS Gen 2** image
- **Software Stack**:
  - Docker Engine
  - NVM (Node Version Manager)
  - Node.js 22 LTS
  - JDK 17 (OpenJDK)
  - Besu blockchain client

## Networking

### NSG Rules for VMs

- **SSH (22)**: Allow from anywhere (restrict in production)
- **P2P TCP (30303)**: Allow Besu P2P communication
- **P2P UDP (30303)**: Allow Besu P2P discovery
- **RPC HTTP (8545)**: Allow from Nginx proxy only (TODO: restrict)
- **RPC WebSocket (8546)**: Allow from Nginx proxy only (TODO: restrict)
- **Metrics (9545)**: Allow Prometheus metrics scraping (TODO: restrict to monitoring)

### NSG Rules for Nginx Proxy

- **HTTP (80)**: Allow from Cloudflare (TODO: restrict to Cloudflare IP ranges)
- **HTTPS (443)**: Allow from Cloudflare (TODO: restrict to Cloudflare IP ranges)
- **SSH (22)**: Allow for management (TODO: restrict to admin IPs)

## Deployment

### Prerequisites

1. Azure CLI installed and authenticated
2. Terraform >= 1.0
3. SSH public key for VM access
4. Cloudflare domain configured (for SSL certificates)

### Steps

1. **Navigate to the Phase 1 directory**:

   ```bash
   cd terraform/phases/phase1
   ```

2. **Copy and configure variables**:

   ```bash
   cp terraform.tfvars.example terraform.tfvars
   # Edit terraform.tfvars with your values:
   # - ssh_public_key: your SSH public key
   # - other variables as needed
   ```

3. **Initialize Terraform**:

   ```bash
   terraform init
   ```

4. **Plan the deployment**:

   ```bash
   terraform plan -out tfplan
   ```

5. **Apply the deployment**:

   ```bash
   terraform apply tfplan
   ```

6. **Configure SSL on the Nginx proxy**:

   ```bash
   # SSH to the Nginx proxy VM (public IP is in the nginx_proxy output)
   ssh besuadmin@<nginx-proxy-public-ip>

   # Run certbot to configure SSL
   sudo certbot --nginx -d your-domain.com --non-interactive --agree-tos --email admin@example.com
   ```

7. **Configure Cloudflare**:
   - Point your domain's A record to the Nginx proxy public IP
   - Enable the Cloudflare proxy (orange cloud)
   - Set the SSL/TLS mode to "Full" or "Full (strict)"

## Outputs

After deployment, Terraform outputs:

- **phase1_us_regions**: Information about each US region deployment (VMs, IPs)
- **nginx_proxy**: Nginx proxy server information (FQDN, public IP, backend count)
- **key_vault_name**: Key Vault name in West Europe

## Next Steps

After Phase 1 is operational:

1. Monitor VM health and Besu node synchronization
2. Configure monitoring and alerting
3. Restrict NSG rules to specific IP ranges
4. Plan the Phase 3 expansion to 36 global regions with AKS

## Phase 3 Archive

The full 36-region global AKS deployment plan is archived in `terraform/phases/phase3/` and will be deployed after Phase 1 is stable.
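Several of the VM NSG rules under Networking are still marked "TODO: restrict". The following audit, an added example and not part of the Phase 1 Terraform, encodes that policy: it flags any Allow/Inbound rule that exposes SSH, RPC or metrics to any source, while leaving the Besu P2P port alone since peers legitimately need to reach it. The rule dicts are constructed here (field names follow `az network nsg rule list` output) so it runs offline.

```python
# Audit Phase 1 NSG inbound rules for ports that must not be open to the Internet.
# Added example; rule data below is constructed, not read from Azure.
from dataclasses import dataclass

# 30303 is deliberately absent: Besu P2P/discovery must be reachable by peers.
RESTRICTED_PORTS = {
    "22": "SSH: restrict to admin IPs",
    "8545": "RPC HTTP: restrict to the Nginx proxy",
    "8546": "RPC WebSocket: restrict to the Nginx proxy",
    "9545": "Metrics: restrict to the monitoring subnet",
}
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


@dataclass(frozen=True)
class Finding:
    rule: str
    port: str
    advice: str


def _ports(rule):
    """Collect destination ports; a range like 8545-8546 is expanded, '*' means all."""
    raw = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    out = set()
    for p in filter(None, raw):
        if p == "*":
            out.update(RESTRICTED_PORTS)
        elif "-" in p:
            lo, hi = (int(x) for x in p.split("-"))
            out.update(str(n) for n in range(lo, hi + 1))
        else:
            out.add(p)
    return out


def audit_nsg(rules):
    """Return a Finding per restricted port reachable from any source."""
    findings = []
    for r in rules:
        if r.get("access") != "Allow" or r.get("direction") != "Inbound":
            continue
        sources = {r.get("sourceAddressPrefix")} | set(r.get("sourceAddressPrefixes") or [])
        if not sources & ANY_SOURCE:
            continue
        for port in sorted(_ports(r) & RESTRICTED_PORTS.keys(), key=int):
            findings.append(Finding(r["name"], port, RESTRICTED_PORTS[port]))
    return findings


# Constructed sample mirroring the VM rule set as the README currently describes it.
PHASE1_VM_RULES = [
    {"name": "SSH", "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "P2P-TCP", "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*", "destinationPortRange": "30303"},
    {"name": "RPC", "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*", "destinationPortRanges": ["8545", "8546"]},
    {"name": "Metrics", "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "9545"},
]
```

Running `audit_nsg(PHASE1_VM_RULES)` reports SSH and both RPC ports; the metrics rule passes because its source is already a specific subnet.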