Deployment

Target Architecture — Final-State Design

This page describes the final-state deployment model of the Governance, Security & Compliance Platform: eleven independently deployable .NET 10 / ASP.NET Core services plus workers, on Azure container hosting, with infrastructure provisioned as code via Pulumi. Pipelines run through Azure DevOps, consistent with DevOps & GitOps.

Runtime Model

  • Containerised microservices — each of the eleven services is a container image, deployed independently with its own release cadence and database.
  • Hosting — Azure Container Apps (or AKS for high-isolation editions), one revision per service, blue/green or canary promotion gated by the platform's own deployment-gate policy.
  • Workers — the eight workers run as separate scale-to-zero-capable container apps / jobs (MassTransit consumers and scheduled jobs on ConnectSoft.WorkerTemplate).
  • Messaging — Azure Service Bus (topics/subscriptions) via MassTransit; per-context topics as in Events.
  • Data — per-service Azure SQL / PostgreSQL; Redis for the PDP hot cache; Azure Blob for audit exports and compliance evidence; Azure Key Vault for secret references and platform secrets.
  • Identity — OpenIddict authorization server; managed identities for Key Vault, Blob, and Service Bus access.

Deployment Topology

```mermaid
flowchart TB
    subgraph Edge["Edge / Studio"]
        BFF["Factory Studio BFF"]
    end
    subgraph Mesh["Governance Services (Container Apps)"]
        Engine["PolicyEngineService"]
        Def["PolicyDefinitionService"]
        Eval["PolicyEvaluationService"]
        Approval["ApprovalService"]
        Audit["AuditService"]
        Compliance["ComplianceReportService"]
        Finding["SecurityFindingService"]
        Secret["SecretGovernanceService"]
        Iso["TenantIsolationPolicyService"]
        Class["DataClassificationService"]
        Risk["RiskScoringService"]
    end
    subgraph Workers["Workers (Jobs)"]
        W["8 governance workers"]
    end
    subgraph Data["Data plane"]
        SQL["Azure SQL / PostgreSQL (per service)"]
        Redis["Redis cache"]
        Blob["Azure Blob (audit/evidence)"]
        KV["Azure Key Vault"]
        SB["Azure Service Bus"]
    end

    BFF -->|REST/gRPC| Engine
    BFF --> Approval
    BFF --> Audit
    BFF --> Compliance
    BFF --> Finding
    Engine --> Eval
    Eval --> Iso
    Eval --> Class
    Eval --> Risk
    Engine --> Redis
    Mesh --> SQL
    Mesh --> SB
    Workers --> SB
    Audit --> Blob
    Compliance --> Blob
    Secret --> KV
    Mesh --> KV
```

Scaling

| Component | Scaling driver | Notes |
|---|---|---|
| PolicyEngineService / PolicyEvaluationService | HTTP/gRPC RPS + latency | Stateless; scales out on the inline PDP path; Redis-cached policy bundles. |
| ApprovalService | Request volume + open-request count | Stateful aggregate; DB-bound. |
| AuditService | Write throughput | Write-optimised; partitioned by tenant/time. |
| SecurityScanIngestionWorker / DataClassificationWorker | Service Bus queue depth | KEDA-scaled on backlog with prefetch/concurrency caps. |
| ComplianceReportWorker | Report queue | Burst-scaled; long-running jobs. |
| Other services/workers | RPS / queue depth | Scale-to-zero where idle (suppliers, batch workers). |

Autoscale rules are defined in Pulumi and respect tenant fairness (per-tenant concurrency caps prevent one tenant starving the PDP).
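The following is an added example, not the platform's own Pulumi stacks, of how one queue-driven worker from the table above can be declared in Pulumi (C#, Azure Native provider) with a KEDA Service Bus scale rule, a scale-to-zero floor and a hard replica ceiling. The resource names, the queue name, the `messageCount` threshold, the stack config keys and the use of a Key Vault secret reference for the scaler's connection are all assumptions.

```csharp
// Added example: a governance worker as an Azure Container App scaled on Service Bus
// backlog. Not the platform's own IaC; names and thresholds are assumptions.
using Pulumi;
using Pulumi.AzureNative.App;
using Pulumi.AzureNative.App.Inputs;
using Pulumi.AzureNative.Resources;

class GovernanceWorkerStack : Stack
{
    public GovernanceWorkerStack()
    {
        var config = new Config();
        // Per-environment values (dev/test/staging/prod) come from the stack config.
        var env = config.Require("environment");
        var maxReplicas = config.GetInt32("ingestionMaxReplicas") ?? 10;
        // Key Vault secret URL holding the Service Bus connection string (assumed key).
        var sbSecretUrl = config.Require("serviceBusConnectionSecretUrl");

        var rg = new ResourceGroup($"rg-governance-{env}");
        var managedEnv = new ManagedEnvironment($"cae-governance-{env}", new ManagedEnvironmentArgs
        {
            ResourceGroupName = rg.Name,
        });

        var worker = new ContainerApp($"ca-scan-ingestion-{env}", new ContainerAppArgs
        {
            ResourceGroupName = rg.Name,
            ManagedEnvironmentId = managedEnv.Id,
            // System-assigned identity: the app reads its Key Vault secret with it,
            // so no connection string lands in the stack config or pipeline variables.
            Identity = new ManagedServiceIdentityArgs { Type = ManagedServiceIdentityType.SystemAssigned },
            Configuration = new ConfigurationArgs
            {
                Secrets =
                {
                    new SecretArgs { Name = "servicebus-connection", KeyVaultUrl = sbSecretUrl, Identity = "system" },
                },
            },
            Template = new TemplateArgs
            {
                Containers =
                {
                    new ContainerArgs
                    {
                        Name = "scan-ingestion",
                        Image = config.Require("ingestionImage"),
                        Resources = new ContainerResourcesArgs { Cpu = 0.5, Memory = "1Gi" },
                    },
                },
                Scale = new ScaleArgs
                {
                    MinReplicas = 0,           // scale to zero when the queue is empty
                    MaxReplicas = maxReplicas, // ceiling so a backlog cannot exhaust the environment
                    Rules =
                    {
                        new ScaleRuleArgs
                        {
                            Name = "servicebus-backlog",
                            Custom = new CustomScaleRuleArgs
                            {
                                Type = "azure-servicebus",
                                Metadata =
                                {
                                    { "queueName", "security-scan-ingestion" }, // assumed queue name
                                    { "messageCount", "50" },                   // one replica per 50 backlog messages
                                },
                                Auth =
                                {
                                    new ScaleRuleAuthArgs { SecretRef = "servicebus-connection", TriggerParameter = "connection" },
                                },
                            },
                        },
                    },
                },
            },
        });

        WorkerFqdn = worker.LatestRevisionFqdn;
    }

    [Output] public Output<string> WorkerFqdn { get; set; }
}
```

The KEDA rule only controls replica count. The tenant-fairness caps mentioned above (per-tenant concurrency limits inside the worker so one tenant's backlog cannot monopolise the replicas that do exist) are an application-level setting on the MassTransit consumer and are not expressible in the scale rule itself.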

Configuration

  • Pulumi IaC — all infrastructure (container apps, databases, Service Bus, Key Vault, Blob, Redis, identities, network, scaling rules) is declared in Pulumi stacks per environment (dev/test/staging/prod).
  • Options binding — service config via ConnectSoft.Extensions.Options; environment-specific values supplied by the platform, secrets resolved from Key Vault at startup.
  • Per-tenant settings — isolation mode, residency, and edition entitlements via ConnectSoft.Extensions.Saas.Options.
  • Feature flags — risk thresholds, escalation tiers, and policy-pack enablement are runtime-configurable without redeploy.

Secrets

  • Key Vault for everything sensitive — connection strings, signing keys, and external credentials are stored in Azure Key Vault and read via managed identity; nothing sensitive sits in container env vars or pipeline variables in plaintext.
  • Governed references — SecretGovernanceService tracks SecretReferences for the secrets the factory produces/uses; the platform's own secrets are likewise vault-resident (see Storage and Security).
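As an added example covering both the Configuration and Secrets sections above, the following shows the standard ASP.NET Core mechanism that a library such as ConnectSoft.Extensions.Options would sit on: Key Vault layered onto the configuration stack via managed identity, options bound and validated before the service reports ready, and an `IOptionsSnapshot` so runtime-configurable values (thresholds, entitlements) are picked up without a redeploy. This is not the platform's own code; the section names, option classes, validation rules and the `KeyVault:Uri` setting are assumptions.

```csharp
// Added example (not ConnectSoft.Extensions.Options): options binding with Key Vault as a
// configuration source. Section and option names are assumptions.
using System.ComponentModel.DataAnnotations;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Non-secret, environment-specific values come from appsettings.{Environment}.json and
// environment variables. Secrets are layered on from Key Vault, read with the managed
// identity (DefaultAzureCredential), so nothing sensitive sits in env vars in plaintext.
// Key Vault secret "Pdp--SigningKey" maps to configuration key "Pdp:SigningKey".
var vaultUri = builder.Configuration["KeyVault:Uri"]
    ?? throw new InvalidOperationException("KeyVault:Uri must be supplied by the environment config.");
builder.Configuration.AddAzureKeyVault(
    new Uri(vaultUri),
    new DefaultAzureCredential(),
    new AzureKeyVaultConfigurationOptions { ReloadInterval = TimeSpan.FromMinutes(5) }); // rotation without redeploy

// Bind and validate at startup: a missing or inconsistent value fails the process before it
// ever reports ready, instead of surfacing on the first evaluation request.
builder.Services.AddOptions<PdpOptions>()
    .Bind(builder.Configuration.GetSection(PdpOptions.SectionName))
    .ValidateDataAnnotations()
    .Validate(o => o.CacheTtlSeconds <= o.BundleRefreshSeconds,
        "Pdp:CacheTtlSeconds must not exceed Pdp:BundleRefreshSeconds")
    .ValidateOnStart();

// Per-tenant isolation mode, residency and entitlements, keyed by tenant id.
builder.Services.AddOptions<TenantOptions>()
    .Bind(builder.Configuration.GetSection(TenantOptions.SectionName))
    .ValidateDataAnnotations()
    .ValidateOnStart();

var app = builder.Build();

// IOptionsSnapshot re-reads per request, so reloaded values take effect without a restart.
// The endpoint reports only whether the signing key is present, never its value.
app.MapGet("/config/pdp", (IOptionsSnapshot<PdpOptions> o) => Results.Ok(new
{
    o.Value.BundleRefreshSeconds,
    o.Value.CacheTtlSeconds,
    SigningKeyConfigured = !string.IsNullOrEmpty(o.Value.SigningKey),
}));

app.MapGet("/config/tenants/{tenantId}", (string tenantId, IOptionsSnapshot<TenantOptions> o) =>
    o.Value.ByTenant.TryGetValue(tenantId, out var t) ? Results.Ok(t) : Results.NotFound());

app.Run();

// Hypothetical option classes for the policy decision point and tenant settings.
public sealed class PdpOptions
{
    public const string SectionName = "Pdp";

    [Range(1, 3600)] public int BundleRefreshSeconds { get; set; } = 60;
    [Range(1, 3600)] public int CacheTtlSeconds { get; set; } = 30;

    // Resolved from Key Vault; must never be present in appsettings or env vars.
    [Required, MinLength(32)] public string SigningKey { get; set; } = "";
}

public sealed class TenantOptions
{
    public const string SectionName = "Tenants";

    [Required] public Dictionary<string, TenantSettings> ByTenant { get; set; } = new();
}

public sealed class TenantSettings
{
    [Required] public string IsolationMode { get; set; } = "shared";   // e.g. shared | dedicated
    [Required] public string Residency { get; set; } = "eu";
    public string[] Entitlements { get; set; } = Array.Empty<string>();
}
```

`ValidateOnStart()` is what turns a configuration mistake into a failed startup rather than a service that is live, ready and wrong; it pairs naturally with the startup gates described under Health & Readiness.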

Health & Readiness

  • Health checks — liveness/readiness via ConnectSoft.Extensions.Diagnostics.HealthChecks, aggregated by the Health Checks Aggregator; checks cover DB, Service Bus, Redis, Key Vault, and Blob connectivity.
  • Startup gates — a service reports ready only after policy bundles are loaded/cached and migrations (DatabaseModel.Migrations) are applied.
  • Graceful drain — on shutdown, services stop accepting new work, finish in-flight evaluations, and let MassTransit complete or re-queue messages.
  • Resilience — retries, circuit breakers, and timeouts on inter-service calls; the PDP fails safe (deny/gate) if a supplier is unavailable rather than failing open.
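The following added example, not the platform's ConnectSoft.Extensions.Diagnostics.HealthChecks code, shows the four bullets above on the standard ASP.NET Core primitives they build on: separate liveness and readiness endpoints, a readiness check that stays unhealthy until policy bundles are cached, a shutdown timeout that gives in-flight work time to drain, and a supplier client whose failures (timeout, transport error, open circuit) resolve to a gate decision rather than an allow. Class names, routes, the supplier base address and the verdict shape are assumptions.

```csharp
// Added example: readiness gated on bundle load, drain timeout, and a fail-safe supplier call.
// Not the platform's own health-check library; names and routes are assumptions.
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
using Microsoft.Extensions.Diagnostics.HealthChecks;
using Polly.CircuitBreaker;

var builder = WebApplication.CreateBuilder(args);

// Graceful drain: the host waits up to 30 s for hosted services and in-flight requests.
builder.Services.Configure<HostOptions>(o => o.ShutdownTimeout = TimeSpan.FromSeconds(30));

builder.Services.AddSingleton<PolicyBundleCache>();
builder.Services.AddHostedService<BundleLoader>();
builder.Services.AddHealthChecks()
    .AddCheck<BundleLoadedCheck>("policy-bundles", tags: new[] { "ready" });
// DB, Service Bus, Redis, Key Vault and Blob checks would be registered here with the
// same "ready" tag; omitted so the example runs without those dependencies.

// Timeouts, retries and a circuit breaker on the inter-service call
// (Microsoft.Extensions.Http.Resilience standard pipeline).
builder.Services.AddHttpClient<TenantIsolationClient>(c => c.BaseAddress = new Uri("http://tenant-isolation"))
    .AddStandardResilienceHandler();

var app = builder.Build();

// Liveness runs no checks: a slow dependency must never get the replica restarted.
app.MapHealthChecks("/health/live", new HealthCheckOptions { Predicate = _ => false });
// Readiness runs only "ready"-tagged checks: traffic arrives once bundles are cached.
app.MapHealthChecks("/health/ready", new HealthCheckOptions { Predicate = c => c.Tags.Contains("ready") });

app.MapPost("/evaluate", async (EvalRequest req, TenantIsolationClient iso, CancellationToken ct) =>
    Results.Ok(await iso.DecideAsync(req.TenantId, ct)));

app.Run();

record EvalRequest(string TenantId);
record SupplierVerdict(bool Allowed);
record Decision(string Effect, string Reason);

sealed class PolicyBundleCache
{
    public volatile bool Loaded;
}

// Stands in for fetching and caching policy bundles; readiness flips only when it completes.
sealed class BundleLoader(PolicyBundleCache cache) : BackgroundService
{
    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        await Task.Delay(TimeSpan.FromSeconds(2), stoppingToken);
        cache.Loaded = true;
    }
}

sealed class BundleLoadedCheck(PolicyBundleCache cache) : IHealthCheck
{
    public Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken ct = default) =>
        Task.FromResult(cache.Loaded
            ? HealthCheckResult.Healthy("policy bundles cached")
            : HealthCheckResult.Unhealthy("policy bundles not yet loaded"));
}

// Fail-safe: every path that cannot obtain a supplier verdict returns "Gate", never "Allow".
sealed class TenantIsolationClient(HttpClient http)
{
    public async Task<Decision> DecideAsync(string tenantId, CancellationToken ct)
    {
        try
        {
            using var resp = await http.GetAsync($"/isolation/{Uri.EscapeDataString(tenantId)}", ct);
            if (!resp.IsSuccessStatusCode)
                return new Decision("Gate", $"supplier returned {(int)resp.StatusCode}");

            var verdict = await resp.Content.ReadFromJsonAsync<SupplierVerdict>(ct);
            return verdict is { Allowed: true }
                ? new Decision("Allow", "supplier allowed")
                : new Decision("Deny", "supplier denied");
        }
        catch (Exception ex) when (ex is HttpRequestException or TaskCanceledException or BrokenCircuitException)
        {
            return new Decision("Gate", $"supplier unavailable: {ex.GetType().Name}");
        }
    }
}
```

The important detail is the split between the two endpoints: if the bundle check were also wired to liveness, a slow bundle source would make the orchestrator restart a healthy process in a loop, whereas keeping it on readiness alone simply holds traffic back until the cache is warm.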

Release & Promotion

Promotion of governance services through environments is itself subject to the platform's deployment-gate policy: a production release evaluates policy and (when flagged) requires human approval — the platform governs its own delivery. Pipelines and GitOps mechanics are described in DevOps & GitOps.