
Deployment

Target Architecture — Final-State Design

This page describes the final-state deployment model of the Integration Platform. All infrastructure is provisioned as code with Pulumi; services are containerised .NET 10 applications, messaging is MassTransit on Azure Service Bus, persistence is Azure SQL / PostgreSQL, secrets are in Azure Key Vault, and payloads are in Azure Blob.

The platform deploys as a set of independently releasable services and workers, each scaling on its own signal. Because it is the factory's external edge, deployment emphasises egress control, secret access via Managed Identity, and resilient autoscaling that absorbs vendor latency without back-pressuring the rest of the factory.

Runtime Model

  • Containerised services. Each of the 14 microservices and 5 workers ships as a container image and runs on the factory's container platform (Azure Container Apps / AKS), one deployment per service.
  • API vs worker hosts. Request-serving services run as HTTP/gRPC deployments behind the gateway; workers (WebhookDeliveryWorker, IntegrationSyncWorker, CredentialRotationWorker, ExternalApiHealthWorker, IntegrationRetryWorker) run as long-lived consumers/scheduled hosts.
  • Messaging. All services connect to Azure Service Bus via MassTransit; subscriptions and topics are provisioned by Pulumi.
  • Egress control. Outbound vendor traffic routes through a controlled egress (NAT / firewall) with allow-listed destinations; inbound webhooks terminate at a hardened ingress that performs signature verification before fan-in.
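The ingress rule above (verify the signature before any fan-in) in code, as an added example that is not the platform's own source; the header name `X-Signature-256`, the `sha256=<hex>` encoding, the `WebhookReceived` message type and the 1 MiB body cap are assumptions:

```csharp
using System.Security.Cryptography;
using System.Text;
using MassTransit;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Normalised event, published only after the signature check passes (assumed message type).
public sealed record WebhookReceived(string Vendor, string Payload);

public static class WebhookSignature
{
    // Pure check over the raw bytes: recompute HMAC-SHA256 and compare in constant time.
    // The "sha256=<hex>" header shape is an assumption; vendors differ in name and encoding.
    public static bool IsValid(ReadOnlySpan<byte> body, string? header, byte[] secret)
    {
        if (string.IsNullOrEmpty(header) || !header.StartsWith("sha256=", StringComparison.Ordinal))
            return false;
        byte[] presented;
        try { presented = Convert.FromHexString(header.AsSpan(7)); }
        catch (FormatException) { return false; }
        byte[] expected = HMACSHA256.HashData(secret, body);
        // FixedTimeEquals never short-circuits, so a wrong prefix costs the same as a wrong suffix.
        return CryptographicOperations.FixedTimeEquals(expected, presented);
    }
}

public static class WebhookIngress
{
    private const long MaxBody = 1 << 20; // cap what is buffered and hashed per request

    // secretKey is a configuration path; the Secrets section resolves it from Key Vault.
    public static void MapWebhook(this WebApplication app, string vendor, string path, string secretKey)
        => app.MapPost(path, async (HttpContext ctx, IConfiguration cfg, IPublishEndpoint bus) =>
        {
            // Chunked or oversized bodies are rejected before anything is read into memory.
            if (ctx.Request.ContentLength is null or > MaxBody)
                return Results.StatusCode(StatusCodes.Status413PayloadTooLarge);
            using var buffer = new MemoryStream();
            await ctx.Request.Body.CopyToAsync(buffer, ctx.RequestAborted);
            byte[] body = buffer.ToArray();

            var secret = Encoding.UTF8.GetBytes(cfg[secretKey]
                ?? throw new InvalidOperationException($"missing secret {secretKey}"));
            if (!WebhookSignature.IsValid(body, ctx.Request.Headers["X-Signature-256"], secret))
                return Results.Unauthorized(); // rejected here, nothing reaches the bus
            await bus.Publish(new WebhookReceived(vendor, Encoding.UTF8.GetString(body)), ctx.RequestAborted);
            return Results.Accepted();
        });
}
```

Register it per vendor, e.g. `app.MapWebhook("github", "/hooks/github", "Vendors:GitHub:WebhookSecret")`, so each endpoint hashes with its own secret.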

Deployment Topology

flowchart TB
    subgraph Edge["Ingress / Egress"]
        GWIn["Webhook Ingress<br/>(signature verify)"]
        Egress["Controlled Egress<br/>(allow-list)"]
    end

    subgraph Services["Integration Services (.NET 10)"]
        Ado["AzureDevOpsIntegrationService"]
        GH["GitHubIntegrationService"]
        Models["Model Provider Services<br/>(OpenAI / AzureOpenAI / Ollama / MCP)"]
        Cloud["CloudProviderAdapterService"]
        Comms["Communication Services<br/>(Email / SMS)"]
        Biz["Commerce + Business Systems"]
        Registry["VendorApiClientRegistryService"]
        Gateway["WebhookGatewayService"]
    end

    subgraph Workers["Workers"]
        WDW["WebhookDeliveryWorker"]
        Sync["IntegrationSyncWorker"]
        Rot["CredentialRotationWorker"]
        Health["ExternalApiHealthWorker"]
        Retry["IntegrationRetryWorker"]
    end

    subgraph Data["Managed Data Services"]
        SQL[("Azure SQL / PostgreSQL")]
        KV[("Azure Key Vault")]
        Blob[("Azure Blob")]
        Bus[("Azure Service Bus")]
        Redis[("Redis")]
    end

    GWIn --> Gateway
    Services --> Egress
    Egress --> Vendors["External Vendors"]
    Vendors --> GWIn

    Services --> SQL
    Services --> Bus
    Gateway --> Blob
    Registry --> KV
    Registry --> Redis
    Workers --> Bus
    Rot --> KV
    Health --> Vendors

Scaling

| Component | Scale signal | Notes |
|---|---|---|
| Model provider services | Concurrent requests / queue depth | Scale out for agent burst; respect provider rate limits |
| Source-control services | Request rate + webhook volume | Scale with pipeline/PR activity |
| WebhookGatewayService | Inbound request rate | Hardened, horizontally scaled; stateless verify/normalise |
| WebhookDeliveryWorker | Service Bus queue depth | Scales to drain delivery backlog within retry SLA |
| IntegrationSyncWorker | Scheduled + connection count | Respects per-provider rate-limit budget |
| ExternalApiHealthWorker | Connection count | Fixed cadence; lightweight |
| Relational store | Vertical + read replicas | Per-tenant partitioning; geo-redundant backup |

KEDA-style autoscalers scale workers on Service Bus queue length; HTTP services scale on concurrency and CPU. Circuit breakers prevent scaling into a degraded vendor.

Configuration

  • Pulumi defines all infrastructure: service deployments, Service Bus topics/subscriptions, SQL/PostgreSQL, Key Vault, Blob, Redis, ingress/egress, and autoscaling rules — versioned and reviewed alongside code.
  • Per-service options follow the *.Options project convention (provider endpoints, retry policies, rate-limit profiles, probe intervals) bound from environment configuration.
  • Environment promotion (dev → staging → production) is driven by the DevOps & GitOps Platform; each environment has isolated Service Bus namespaces, databases, and Key Vaults.

Secrets

  • Managed Identity grants each service least-privilege access to its Key Vault entries and Azure resources — no bootstrap secrets in config.
  • Key Vault holds all vendor credentials, signing secrets, and tokens; rotation runs via the CredentialRotationWorker (see Workflows).
  • Connection strings for SQL/Service Bus/Blob are resolved via Managed Identity or Key Vault references, never embedded in images.
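What "no bootstrap secrets in config" looks like at service start-up, as an added example rather than the platform's own bootstrap code; the configuration keys (`KeyVault:Name`, `ServiceBus:Namespace`, `Sql:Server`, `Sql:Database`, `Storage:Account`) are placeholders and the packages assumed are Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets, MassTransit.Azure.ServiceBus.Core, Microsoft.Data.SqlClient and Azure.Storage.Blobs:

```csharp
using Azure.Identity;
using Azure.Storage.Blobs;
using MassTransit;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = Host.CreateApplicationBuilder(args);

// One credential for everything: the container's Managed Identity in Azure, the developer's
// identity locally. No client secret, no SAS key, no password to bake into the image.
var credential = new DefaultAzureCredential();

// Key Vault entries surface as ordinary configuration keys
// ("Vendors--GitHub--WebhookSecret" becomes "Vendors:GitHub:WebhookSecret"),
// so *.Options binding works unchanged and the secret never lands in appsettings.
var vaultUri = new Uri($"https://{builder.Configuration["KeyVault:Name"]}.vault.azure.net/");
builder.Configuration.AddAzureKeyVault(vaultUri, credential);

// Service Bus through MassTransit: fully qualified namespace plus token credential.
// The identity holds Azure Service Bus Data Sender/Receiver on this namespace only.
builder.Services.AddMassTransit(x =>
{
    x.UsingAzureServiceBus((ctx, cfg) =>
    {
        var ns = builder.Configuration["ServiceBus:Namespace"];
        cfg.Host(new Uri($"sb://{ns}.servicebus.windows.net/"), h => h.TokenCredential = credential);
        cfg.ConfigureEndpoints(ctx);
    });
});

// Azure SQL with Entra authentication: the connection string carries no credential at all;
// the identity is mapped to a contained database user with only the roles it needs.
builder.Services.AddScoped(_ => new SqlConnection(
    $"Server=tcp:{builder.Configuration["Sql:Server"]}.database.windows.net,1433;" +
    $"Database={builder.Configuration["Sql:Database"]};Authentication=Active Directory Default;Encrypt=True;"));

// Blob payload store: same credential, RBAC-scoped to the payload container.
builder.Services.AddSingleton(_ => new BlobServiceClient(
    new Uri($"https://{builder.Configuration["Storage:Account"]}.blob.core.windows.net"), credential));

await builder.Build().RunAsync();
```

A quick audit check for this model is that `docker image inspect` and the environment of a running container show resource names only, never a key, SAS token or password.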

Health

  • Liveness / readiness probes on every service; readiness gates on Service Bus connectivity and store reachability.
  • External health is a separate signal owned by ExternalApiHealthWorker and surfaced to Observability; a degraded vendor opens a circuit rather than failing readiness.
  • Graceful shutdown drains in-flight deliveries/runs and lets MassTransit finish or re-queue messages before termination.
  • Zero-downtime deploys via rolling updates; workers are idempotent so redelivery during deploy is safe.
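The liveness/readiness split, the "degraded vendor does not fail readiness" rule and the shutdown drain window in code, as an added example that is not the platform's own health wiring; `ICircuitState` is an assumed abstraction over the platform's circuit breakers, the `Store` connection string name is a placeholder, and MassTransit's own bus health check (registered by `AddMassTransit` and tagged `ready`) is assumed to cover Service Bus connectivity:

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Diagnostics.HealthChecks;
using Microsoft.Extensions.Hosting;

// Assumed abstraction: vendor name -> whether that vendor's circuit is currently open.
public interface ICircuitState { IReadOnlyDictionary<string, bool> IsOpenByVendor { get; } }

// Store reachability gates readiness: Unhealthy here returns 503 and takes the pod out of rotation.
public sealed class StoreReadinessCheck(IConfiguration cfg) : IHealthCheck
{
    public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken ct = default)
    {
        try
        {
            await using var conn = new SqlConnection(cfg.GetConnectionString("Store"));
            await conn.OpenAsync(ct);
            return HealthCheckResult.Healthy();
        }
        catch (SqlException ex) { return HealthCheckResult.Unhealthy("store unreachable", ex); }
    }
}

// Vendor health is a separate signal: at worst Degraded (still HTTP 200), never Unhealthy,
// so a sick vendor opens a circuit instead of draining and restarting healthy pods.
public sealed class VendorCircuitCheck(ICircuitState circuits) : IHealthCheck
{
    public Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken ct = default)
    {
        var open = circuits.IsOpenByVendor.Where(kv => kv.Value).Select(kv => kv.Key).ToArray();
        return Task.FromResult(open.Length == 0
            ? HealthCheckResult.Healthy()
            : HealthCheckResult.Degraded("open circuits: " + string.Join(",", open)));
    }
}

public static class HealthEndpoints
{
    public static void Configure(WebApplicationBuilder builder)
    {
        builder.Services.AddHealthChecks()
            .AddCheck<StoreReadinessCheck>("store", tags: new[] { "ready" })
            .AddCheck<VendorCircuitCheck>("vendors", tags: new[] { "ready" });
        // Drain window: MassTransit gets this long to finish or re-queue in-flight messages on SIGTERM.
        builder.Services.Configure<HostOptions>(o => o.ShutdownTimeout = TimeSpan.FromSeconds(30));
    }

    public static void Map(WebApplication app)
    {
        app.MapHealthChecks("/health/live", new HealthCheckOptions { Predicate = _ => false });  // process is up
        app.MapHealthChecks("/health/ready", new HealthCheckOptions { Predicate = c => c.Tags.Contains("ready") });
    }
}
```

The readiness body still lists the vendor check with its status, so Observability sees which circuits are open while the orchestrator keeps routing traffic to the pod.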