Azure Architecture Reference

Architecture Diagram

Resources by Type

Compute Resources

Resource	Count	Purpose
AKS Cluster	1	Kubernetes orchestration
System Node Pool	1	System pods (fixed 3 nodes)
User Node Pool	1	Application workloads
GPU Node Pool	0-1	AI/ML workloads (optional)
Cassandra Pool	0-1	Temporal database (optional)

Total VMs: 6-24 (3 system + 3-10 user + 0-5 GPU + 0-6 Cassandra)

Network Resources

Resource	Count	Purpose
Virtual Network	1	Network boundary
Subnets	4-5	Network segmentation
NSGs	4-5	Traffic control
Route Tables	3-4	Traffic routing
Private DNS Zones	7	Internal name resolution
Private Endpoints	7	Secure PaaS access
Bastion Host	0-1	Secure VM access
Public IPs	0-1	Bastion endpoint

Data & Storage Resources

Resource	Count	Purpose
PostgreSQL Server	1	Relational database
Redis Cache	1	Distributed cache
Storage Account	1	Blob/File storage
AI Search Service	0–1	Full-text search (optional)
OpenAI Service	0–1	LLM models (optional)

Security Resources

Resource	Count	Purpose
Key Vault	1	Secrets management
Managed Identity	1-2	Service authentication
RBAC Role Assignments	10+	Access control

Monitoring Resources

Resource	Count	Purpose
Log Analytics Workspace	1	Centralized logging
Data Collection Rule	1	AKS metrics
Diagnostic Settings	7+	Resource logging
Datadog Connection	0-1	External monitoring

Network Architecture

Address Space Planning

VNet: 10.0.0.0/16 (65,536 IPs)
├── AKS Subnet: 10.0.1.0/24 (256 IPs)
├── Bastion Subnet: 10.0.2.0/26 (64 IPs)
├── Database Subnet: 10.0.3.0/24 (256 IPs)
└── Private Endpoints: 10.0.4.0/25 (128 IPs)

Pod CIDR: 10.244.0.0/16 (65,536 IPs)
Service CIDR: 10.243.0.0/16 (65,536 IPs)

Traffic Flow

Egress (Internet):

Pods/VMs → NAT Gateway → Public IP → Internet
(Stateful, return traffic allowed)

Ingress (Internal):

Service IP → Load Balancer → Pod IP (via CNI)

Database Access:

AKS Pods → Private Endpoint → Private Link → PostgreSQL
(DNS: server.postgres.database.azure.com)

External Service Access:

AKS Pods → API Gateway / Load Balancer → OpenAI / AI Search
(Via Private Endpoints)

AKS Configuration Deep Dive

API Server Access

Type: Private cluster (recommended) Endpoint: Internal only Access Method: Bastion host or VPN DNS: k8s..azmk8s.io (private)

Network Policies

Engine: Azure Network Policy Scope: Pod-to-pod communication Default: Allow all (unrestricted) Configuration: Define in Kubernetes manifests

Container Registry

Integration: Azure Container Registry (optional) Authentication: Managed identity or pull secrets Pulling: Private endpoint (optional)

Monitoring & Observability

Azure Monitor Agent: Deployed in kube-system Metrics: CPU, Memory, Disk, Network Logs: Container stdout/stderr, Kubernetes events Dashboards: Pre-built in Log Analytics

Getting Started

Infrastructure

Agents

Evaluations

Uploading Data

Creating Applications

Creating Applications

Evaluation Datasets

Inference

Miscellaneous

Managing Annotations

Components

Azure Architecture Reference

Architecture Diagram

Resources by Type

Compute Resources

Network Resources

Data & Storage Resources

Security Resources

Monitoring Resources

Network Architecture

Address Space Planning

Traffic Flow

AKS Configuration Deep Dive

API Server Access

Network Policies

Container Registry

Monitoring & Observability

Getting Started

Infrastructure

Agents

Evaluations

Uploading Data

Creating Applications

Creating Applications

Evaluation Datasets

Inference

Miscellaneous

Managing Annotations

Components

​Architecture Diagram

​Resources by Type

​Compute Resources

​Network Resources

​Data & Storage Resources

​Security Resources

​Monitoring Resources

​Network Architecture

​Address Space Planning

​Traffic Flow

​AKS Configuration Deep Dive

​API Server Access

​Network Policies

​Container Registry

​Monitoring & Observability

Architecture Diagram

Resources by Type

Compute Resources

Network Resources

Data & Storage Resources

Security Resources

Monitoring Resources

Network Architecture

Address Space Planning

Traffic Flow

AKS Configuration Deep Dive

API Server Access

Network Policies

Container Registry

Monitoring & Observability