smom-dbis-138/terraform/phases/PHASE1_SUMMARY.md
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00

# Phase 1 Deployment Summary
## Overview
Phase 1 is the initial deployment that brings the DeFi Oracle Meta Mainnet (ChainID 138) online on a simplified VM-based architecture: one Besu workload VM in each of 5 US Commercial Azure regions, fronted by an admin-only control plane (Key Vault and Nginx proxy) in West Europe.
## Architecture
### West Europe (Admin/Control Plane)
- **Purpose**: Admin-only region, no workload nodes
- **Resources**:
- Key Vault for secrets management
- Nginx Proxy Server (Standard_D4plsv6) that receives traffic from Cloudflare and routes it to the workload nodes
- Networking infrastructure
### 5 US Commercial Azure Regions (Workload)
- **Regions**: `eastus`, `westus`, `centralus`, `eastus2`, `westus2`
- **Per Region**:
- 1 VM using `Standard_D8plsv6` (8 vCPUs, Dplsv6 Family)
- Ubuntu 22.04 LTS Gen 2
- Docker Engine, NVM, Node.js 22 LTS, JDK 17
- Besu blockchain client
## Infrastructure Components
### Modules Created
1. **networking-vm** (`terraform/modules/networking-vm/`)
- Virtual Network (10.0.0.0/16)
- VM Subnet (10.0.1.0/24)
- Network Security Group with rules for:
- SSH (22)
- P2P TCP/UDP (30303)
- RPC HTTP (8545)
- RPC WebSocket (8546)
- Metrics (9545)
2. **nginx-proxy** (`terraform/modules/nginx-proxy/`)
- Nginx reverse proxy VM (Standard_D4plsv6)
- Load balancing across the Besu RPC endpoints in the 5 US regions
- SSL/TLS termination (certbot ready)
- Cloudflare integration ready
3. **vm-deployment** (updated)
- Phase 1 cloud-init (`cloud-init-phase1.yaml`)
- Installs: Docker, NVM, Node 22 LTS, JDK 17
- Besu container setup
## Networking Security
### NSG Rules for Workload VMs
- **Inbound**:
- SSH (22): currently allowed from any source (TODO: restrict to admin IPs before production)
- P2P TCP (30303): allowed from any source (Besu P2P; must stay open to arbitrary peers)
- P2P UDP (30303): allowed from any source (Besu discovery; must stay open to arbitrary peers)
- RPC HTTP (8545): intended for the Nginx proxy only (TODO: restrict the source to the proxy's address)
- RPC WebSocket (8546): intended for the Nginx proxy only (TODO: restrict the source to the proxy's address)
- Metrics (9545): intended for Prometheus only (TODO: restrict the source to the scraper's address)
- **Outbound**: Allow all (internet access)
### NSG Rules for Nginx Proxy
- **Inbound**:
- HTTP (80): intended for Cloudflare only (TODO: restrict the source to Cloudflare's published IP ranges)
- HTTPS (443): intended for Cloudflare only (TODO: restrict the source to Cloudflare's published IP ranges)
- SSH (22): allowed for management (TODO: restrict to admin IPs)
- **Outbound**: Allow all (backend communication)
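The hardened form of both rule sets, added here as an illustration and not taken from the repository's `networking-vm` or `nginx-proxy` modules. It closes every TODO above and the "Harden Security" step under Next Steps in one place: SSH only from operator ranges, RPC only from the proxy, metrics only from Prometheus, P2P left open as Besu requires, and the proxy's 80/443 only from Cloudflare's published ranges via the Cloudflare provider's `cloudflare_ip_ranges` data source (pinned to provider 4.x, whose attribute is `ipv4_cidr_blocks`; the provider block itself is assumed to be configured elsewhere in the phase). The NSG resource names (`azurerm_network_security_group.workload` and `.proxy`), the variable names and the resource group variable are assumptions. One caveat follows from the module description: if every regional VNet is created with the same 10.0.0.0/16 address space, the VNets cannot be peered with each other or with West Europe, so the proxy reaches Besu over its public IP and it is that /32, not a private subnet, that `rpc_sources` must contain.

```hcl
# Added hardening example; not code from the repository's networking-vm or
# nginx-proxy modules. Assumed names: the two NSGs are
# azurerm_network_security_group.workload and .proxy; the variables below are
# set in terraform.tfvars.

terraform {
  required_providers {
    azurerm    = { source = "hashicorp/azurerm" }
    # 4.x pinned on purpose: the 5.x data source renames its attributes.
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 4.0" }
  }
}

variable "resource_group_name" { type = string }
variable "admin_cidrs"         { type = list(string) } # operator /32s allowed to SSH (assumed)
variable "rpc_sources"         { type = list(string) } # proxy public IP /32 if VNets are not peered
variable "prometheus_sources"  { type = list(string) } # scraper addresses for port 9545

# Cloudflare's published edge ranges; re-read on every plan, so a periodic
# apply keeps the proxy rule current as the ranges change.
data "cloudflare_ip_ranges" "cf" {}

# --- Workload VMs: every restricted service gets an explicit source list ---
locals {
  workload_rules = {
    ssh     = { priority = 100, ports = ["22"],           sources = var.admin_cidrs }
    rpc     = { priority = 120, ports = ["8545", "8546"], sources = var.rpc_sources }
    metrics = { priority = 130, ports = ["9545"],         sources = var.prometheus_sources }
  }
}

resource "azurerm_network_security_rule" "workload_restricted" {
  for_each                    = local.workload_rules
  name                        = "allow-${each.key}"
  priority                    = each.value.priority
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_ranges     = each.value.ports
  source_address_prefixes     = each.value.sources
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.workload.name
}

# Besu P2P and discovery must accept arbitrary peers, so these are the only
# inbound rules that legitimately keep a wildcard source.
resource "azurerm_network_security_rule" "workload_p2p" {
  for_each                    = { tcp = "Tcp", udp = "Udp" }
  name                        = "allow-p2p-${each.key}"
  priority                    = each.key == "tcp" ? 110 : 111
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = each.value
  source_port_range           = "*"
  destination_port_range      = "30303"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.workload.name
}

# --- Nginx proxy: 80/443 only from Cloudflare, SSH only from operators ---
resource "azurerm_network_security_rule" "proxy_web" {
  name                        = "allow-cloudflare-web"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_ranges     = ["80", "443"]
  # Add ipv6_cidr_blocks here if the proxy VM also has a public IPv6 address.
  source_address_prefixes     = data.cloudflare_ip_ranges.cf.ipv4_cidr_blocks
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.proxy.name
}

resource "azurerm_network_security_rule" "proxy_ssh" {
  name                        = "allow-admin-ssh"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefixes     = var.admin_cidrs
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.proxy.name
}
# Anything not matched above falls through to Azure's built-in DenyAllInBound
# rule (priority 65500), so no explicit deny rule is needed.
```

Run `terraform plan` against the existing module first: the expected diff is the `*` sources on 22, 8545, 8546, 9545, 80 and 443 being replaced by the lists above and nothing else. Because `cloudflare_ip_ranges` is a data source, it is re-read on every plan; schedule a periodic plan/apply so the proxy rule tracks Cloudflare's range changes rather than silently dropping new edge traffic.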
## Deployment Files
### Phase 1 Configuration
- `terraform/phases/phase1/phase1-main.tf`: Main Terraform configuration
- `terraform/phases/phase1/variables.tf`: Variable definitions
- `terraform/phases/phase1/terraform.tfvars.example`: Example variables
- `terraform/phases/phase1/README.md`: Deployment guide
### Phase 3 Archive
- `terraform/phases/phase3/multi-region-global.tf`: Archived 36-region AKS deployment plan
## Next Steps
1. **Deploy Phase 1**:
```bash
cd terraform/phases/phase1
terraform init
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars: set your SSH public key. Keep this file out of git.
terraform validate
terraform plan -out tfplan
terraform apply tfplan
```
2. **Configure SSL**:
- SSH to the Nginx proxy VM
- Run certbot to obtain the certificates. Do this before the NSG is locked down to Cloudflare's ranges: the HTTP-01 challenge must be able to reach port 80 on the proxy, which after lock-down is only possible through a DNS record already proxied by Cloudflare.
- Update Cloudflare DNS to point to the Nginx proxy's public IP
3. **Harden Security**:
- Restrict NSG rules to specific IP ranges
- Configure Cloudflare IP ranges for Nginx proxy
- Restrict SSH access to admin IPs
4. **Monitor and Validate**:
- Verify Besu nodes are syncing (`net_peerCount` should be non-zero; `eth_syncing` returns `false` once a node has caught up)
- Test RPC endpoints through the Nginx proxy (`eth_chainId` must return `0x8a`, i.e. 138)
- Monitor VM health and metrics
5. **Plan Phase 3 Expansion**:
- After Phase 1 is stable, deploy Phase 3 (36-region global AKS)
## Resource Naming Convention
All resources follow: `{cloud}-{env}-{region}-{resource}-{instance}`
- **Cloud**: `az` (Azure)
- **Environment**: `p` (prod), `d` (dev), `t` (test), `s` (staging)
- **Region**: short region code, 3 or 4 characters (e.g. `eus`, `wus`, `cus`, `eus2`, `wus2`, `wst`)
- **Resource**: resource type abbreviation, optionally followed by a workload qualifier (e.g. `rg-comp`)
- **Instance**: zero-padded sequential number (e.g. `001`)
Example: `az-p-eus-rg-comp-001` (Azure, prod, East US, compute resource group, instance 001)