smom-dbis-138/terraform/phases/PHASE1_SUMMARY.md
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00


Phase 1 Deployment Summary

Overview

Phase 1 is the initial deployment to get the DeFi Oracle Meta Mainnet (ChainID 138) operational using a simplified VM-based architecture across 5 US Commercial Azure regions.

Architecture

West Europe (Admin/Control Plane)

  • Purpose: Admin-only region, no workload nodes
  • Resources:
    • Key Vault for secrets management
    • Nginx proxy server (Standard_D4plsv6) that accepts traffic arriving via Cloudflare and forwards it to the workload nodes
    • Networking infrastructure

5 US Commercial Azure Regions (Workload)

  • Regions: eastus, westus, centralus, eastus2, westus2
  • Per Region:
    • 1 VM using Standard_D8plsv6 (8 vCPUs, Dplsv6 Family)
    • Ubuntu 22.04 LTS Gen 2
    • Docker Engine, NVM, Node.js 22 LTS, JDK 17
    • Besu blockchain client

Infrastructure Components

Modules Created

  1. networking-vm (terraform/modules/networking-vm/)

    • Virtual Network (10.0.0.0/16)
    • VM Subnet (10.0.1.0/24)
    • Network Security Group with rules for:
      • SSH (22)
      • P2P TCP/UDP (30303)
      • RPC HTTP (8545)
      • RPC WebSocket (8546)
      • Metrics (9545)
  2. nginx-proxy (terraform/modules/nginx-proxy/)

    • Nginx reverse proxy VM (Standard_D4plsv6)
    • Load balancing across 5 US regions
    • SSL/TLS termination (certbot ready)
    • Cloudflare integration ready
  3. vm-deployment (updated)

    • Phase 1 cloud-init (cloud-init-phase1.yaml)
    • Installs: Docker, NVM, Node 22 LTS, JDK 17
    • Besu container setup

Networking Security

NSG Rules for Workload VMs

  • Inbound:
    • SSH (22): Allow from any source (TODO: restrict to admin IPs in production)
    • P2P TCP (30303): Allow from any source (Besu P2P; peers are not known in advance)
    • P2P UDP (30303): Allow from any source (Besu discovery)
    • RPC HTTP (8545): Currently allow from any source; intended source is the Nginx proxy only (TODO: restrict)
    • RPC WebSocket (8546): Currently allow from any source; intended source is the Nginx proxy only (TODO: restrict)
    • Metrics (9545): Currently allow from any source; intended source is the Prometheus scraper only (TODO: restrict)
  • Outbound: Allow all (internet access)

Note: until the RPC and metrics rules are restricted, any workload VM with a public IP exposes Besu's JSON-RPC (8545/8546) directly to the internet, and Besu does not authenticate JSON-RPC calls unless that is explicitly enabled. Restricting those two rules, together with SSH, is the most urgent item under "Harden Security" below.

NSG Rules for Nginx Proxy

  • Inbound:
    • HTTP (80): Currently allow from any source; intended source is Cloudflare only (TODO: restrict to the published Cloudflare IP ranges)
    • HTTPS (443): Currently allow from any source; intended source is Cloudflare only (TODO: restrict to the published Cloudflare IP ranges)
    • SSH (22): Allow from any source for management (TODO: restrict to admin IPs)
  • Outbound: Allow all (backend communication)

Note: while 80/443 accept any source, a client that learns the proxy's public IP can reach the origin directly and bypass whatever Cloudflare enforces in front of it (WAF rules, rate limits, access policies).

Deployment Files

Phase 1 Configuration

  • terraform/phases/phase1/phase1-main.tf: Main Terraform configuration
  • terraform/phases/phase1/variables.tf: Variable definitions
  • terraform/phases/phase1/terraform.tfvars.example: Example variables
  • terraform/phases/phase1/README.md: Deployment guide

Phase 3 Archive

  • terraform/phases/phase3/multi-region-global.tf: Archived 36-region AKS deployment plan

Next Steps

  1. Deploy Phase 1:

    cd terraform/phases/phase1
    terraform init
    cp terraform.tfvars.example terraform.tfvars
    # Edit terraform.tfvars with your SSH public key
    terraform plan -out tfplan
    terraform apply tfplan
    # terraform.tfvars and tfplan carry deployment-specific values; keep both out of version control
    
  2. Configure SSL:

    • SSH to Nginx proxy VM
    • Run certbot to obtain and install the TLS certificate
    • Update Cloudflare DNS to point to the Nginx proxy's public IP; if the record is proxied through Cloudflare, set the zone's SSL/TLS mode to Full (strict) so Cloudflare validates the certificate on the origin
  3. Harden Security:

    • Restrict NSG rules to specific IP ranges
    • Configure Cloudflare IP ranges for Nginx proxy
    • Restrict SSH access to admin IPs
  4. Monitor and Validate:

    • Verify Besu nodes are syncing
    • Test RPC endpoints through Nginx proxy
    • Monitor VM health and metrics
  5. Plan Phase 3 Expansion:

    • After Phase 1 is stable, deploy Phase 3 (36-region global AKS)
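The "Networking Security" rules above and the "Harden Security" step in this list describe the same change: give every inbound rule that is currently open to any source a named source. The following is an added example of what that looks like in Terraform; it is not the project's networking-vm or nginx-proxy module code. The variable names, the resource-group and NSG references (azurerm_resource_group.workload/proxy, azurerm_network_security_group.workload/proxy) and the rule priorities are assumptions chosen for the example.

```hcl
# Added example: hardened replacements for the inbound rules the summary marks
# TODO. Not the project's module code; variable names, NSG/resource-group
# references and priorities are assumptions.

variable "admin_cidrs" {
  description = "Operator source ranges allowed to SSH to the VMs (assumption: set in terraform.tfvars)."
  type        = list(string)
  validation {
    condition = length(var.admin_cidrs) > 0 && alltrue([
      for c in var.admin_cidrs : !contains(["*", "0.0.0.0/0", "Internet"], c)
    ])
    error_message = "admin_cidrs must list specific CIDRs; wildcards are not accepted."
  }
}

variable "proxy_source_ip" {
  description = "Address the Nginx proxy connects from: its public IP when it reaches the US VMs over the internet, its NIC private IP if the VNets are peered (assumption)."
  type        = string
}

variable "prometheus_cidr" {
  description = "Source range of the Prometheus scraper for port 9545 (assumption)."
  type        = string
}

variable "cloudflare_ipv4_cidrs" {
  description = "Cloudflare edge ranges from https://www.cloudflare.com/ips-v4, supplied by the operator and refreshed when Cloudflare updates the list (assumption)."
  type        = list(string)
}

locals {
  # Workload VMs: port -> allowed sources. Besu P2P stays open to the internet
  # because peers are not known in advance; everything else gets a named source.
  workload_rules = {
    ssh_admin = { priority = 100, proto = "Tcp", port = "22",    sources = var.admin_cidrs }
    p2p_tcp   = { priority = 110, proto = "Tcp", port = "30303", sources = ["Internet"] }
    p2p_udp   = { priority = 111, proto = "Udp", port = "30303", sources = ["Internet"] }
    rpc_http  = { priority = 120, proto = "Tcp", port = "8545",  sources = [var.proxy_source_ip] }
    rpc_ws    = { priority = 121, proto = "Tcp", port = "8546",  sources = [var.proxy_source_ip] }
    metrics   = { priority = 130, proto = "Tcp", port = "9545",  sources = [var.prometheus_cidr] }
  }
  # Nginx proxy: only Cloudflare's edge reaches the origin; SSH stays admin-only.
  proxy_rules = {
    ssh_admin = { priority = 100, proto = "Tcp", port = "22",  sources = var.admin_cidrs }
    http_cf   = { priority = 110, proto = "Tcp", port = "80",  sources = var.cloudflare_ipv4_cidrs }
    https_cf  = { priority = 111, proto = "Tcp", port = "443", sources = var.cloudflare_ipv4_cidrs }
  }
}

# A single source (CIDR, IP or the "Internet" service tag) goes in the singular
# attribute; a list goes in the plural one. The provider rejects both at once.
resource "azurerm_network_security_rule" "workload" {
  for_each                    = local.workload_rules
  name                        = "allow-${each.key}"
  priority                    = each.value.priority
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = each.value.proto
  source_port_range           = "*"
  destination_port_range      = each.value.port
  source_address_prefix       = length(each.value.sources) == 1 ? each.value.sources[0] : null
  source_address_prefixes     = length(each.value.sources) > 1 ? each.value.sources : null
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.workload.name
  network_security_group_name = azurerm_network_security_group.workload.name
}

resource "azurerm_network_security_rule" "proxy" {
  for_each                    = local.proxy_rules
  name                        = "allow-${each.key}"
  priority                    = each.value.priority
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = each.value.proto
  source_port_range           = "*"
  destination_port_range      = each.value.port
  source_address_prefix       = length(each.value.sources) == 1 ? each.value.sources[0] : null
  source_address_prefixes     = length(each.value.sources) > 1 ? each.value.sources : null
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.proxy.name
  network_security_group_name = azurerm_network_security_group.proxy.name
}
```

Three caveats apply. Anything without an Allow rule falls through to Azure's default DenyAllInBound rule, so no explicit deny is needed. The value of proxy_source_ip depends on how the proxy reaches the US VMs: the networking-vm module uses 10.0.0.0/16, and if every region instantiates it with that same range the VNets overlap and cannot be peered, so the proxy talks to the VMs' public IPs and its own public IP is the source to allow. Port 80 is only needed for certbot's HTTP-01 challenge, which arrives from Cloudflare's edge when the DNS record is proxied; with DNS-01 validation the http_cf rule can be dropped, and if the proxy has a public IPv6 address the ranges from https://www.cloudflare.com/ips-v6 need a matching rule.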

Resource Naming Convention

All resources follow: {cloud}-{env}-{region}-{resource}-{instance}

  • Cloud: az (Azure)
  • Environment: p (prod), d (dev), t (test), s (staging)
  • Region: short region code of 3 to 4 characters (e.g., eus, wus, cus, eus2, wus2, wst)
  • Resource: resource type abbreviation, optionally followed by a qualifier (e.g., rg-comp for a compute resource group)
  • Instance: zero-padded sequential number (e.g., 001)

Example: az-p-eus-rg-comp-001 (Azure prod East US compute resource group 001)
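As an added illustration (not code from the Phase 1 configuration), the convention can be encoded once as Terraform locals and checked before any resource is created, so a name that drifts from the pattern fails at plan time instead of being discovered later. The variable name, the region-code map (built from the codes listed above, with wst taken to be West Europe) and the use of rg-comp as the resource abbreviation are assumptions.

```hcl
# Added example, not the project's Terraform. Encodes
# {cloud}-{env}-{region}-{resource}-{instance} as locals and verifies every
# generated name against the convention with a precondition.
# Assumptions: variable names, the region-code map (from the codes the summary
# lists; "wst" taken to be West Europe) and the rg-comp abbreviation.

variable "env" {
  type = string
  validation {
    condition     = contains(["p", "d", "t", "s"], var.env)
    error_message = "env must be p, d, t or s."
  }
}

locals {
  cloud = "az"
  region_code = {
    eastus     = "eus"
    westus     = "wus"
    centralus  = "cus"
    eastus2    = "eus2"
    westus2    = "wus2"
    westeurope = "wst" # assumption: the admin region's code
  }
  workload_regions = ["eastus", "westus", "centralus", "eastus2", "westus2"]

  # Every name must match az-{p|d|t|s}-{3-4 char region}-{resource}-{3 digits}.
  name_pattern = "^az-[pdts]-[a-z0-9]{3,4}-[a-z0-9-]+-[0-9]{3}$"

  # One compute resource group per workload region, e.g. az-p-eus-rg-comp-001.
  compute_rg_names = {
    for r in local.workload_regions :
    r => format("%s-%s-%s-%s-%03d", local.cloud, var.env, local.region_code[r], "rg-comp", 1)
  }
}

resource "azurerm_resource_group" "compute" {
  for_each = local.compute_rg_names
  name     = each.value
  location = each.key

  lifecycle {
    precondition {
      condition     = can(regex(local.name_pattern, each.value))
      error_message = "Resource group name violates the naming convention."
    }
  }
}

output "compute_resource_groups" {
  value = local.compute_rg_names
}
```

With env = "p" the output is the five names az-p-eus-rg-comp-001, az-p-wus-rg-comp-001, az-p-cus-rg-comp-001, az-p-eus2-rg-comp-001 and az-p-wus2-rg-comp-001; a region missing from region_code fails at plan time on the map lookup, and a resource abbreviation with characters outside the pattern fails on the precondition.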