2a4753eb2d
- Resolve stash: merge load_deployment_env path with secure-secrets and CR/LF RPC strip - create-pmm-full-mesh-chain138.sh delegates to sync-chain138-pmm-pools-from-json.sh - env.additions.example: canonical PMM pool defaults (cUSDT/USDT per crosscheck) - Include Chain138 scripts, official mirror deploy scaffolding, and prior staged changes Made-with: Cursor
Phase 1: Initial Deployment - 5 US Commercial Azure Regions
Overview
Phase 1 is the initial deployment to get the DeFi Oracle Meta Mainnet (ChainID 138) operational. This phase uses a simpler VM-based architecture before expanding to the full 36-region global AKS deployment (Phase 3).
Architecture
-
West Europe: Admin/control-plane only (no workload)
- Key Vault for secrets management
- Nginx Proxy Server to route Cloudflare traffic to backend VMs
-
5 US Commercial Azure Regions: Workload VMs
eastus(East US)westus(West US)centralus(Central US)eastus2(East US 2)westus2(West US 2)
VM Configuration
Each US region deploys:
- 1 VM using
Standard_D8plsv6(8 vCPUs, Dplsv6 Family) - Ubuntu 22.04 LTS Gen 2 image
- Software Stack:
- Docker Engine
- NVM (Node Version Manager)
- Node.js 22 LTS
- JDK 17 (OpenJDK)
- Besu blockchain client
Networking
NSG Rules for VMs
- SSH (22): Allow from anywhere (restrict in production)
- P2P TCP (30303): Allow Besu P2P communication
- P2P UDP (30303): Allow Besu P2P discovery
- RPC HTTP (8545): Allow from Nginx proxy only (TODO: restrict)
- RPC WebSocket (8546): Allow from Nginx proxy only (TODO: restrict)
- Metrics (9545): Allow Prometheus metrics (TODO: restrict to monitoring)
NSG Rules for Nginx Proxy
- HTTP (80): Allow from Cloudflare (TODO: restrict to Cloudflare IP ranges)
- HTTPS (443): Allow from Cloudflare (TODO: restrict to Cloudflare IP ranges)
- SSH (22): Allow for management (TODO: restrict to admin IPs)
Deployment
Prerequisites
- Azure CLI installed and authenticated
- Terraform >= 1.0
- SSH public key for VM access
- Cloudflare domain configured (for SSL certificates)
Steps
-
Navigate to Phase 1 directory:
cd terraform/phases/phase1 -
Copy and configure variables:
cp terraform.tfvars.example terraform.tfvars # Edit terraform.tfvars with your values: # - ssh_public_key: Your SSH public key # - Other variables as needed -
Initialize Terraform:
terraform init -
Plan deployment:
terraform plan -out tfplan -
Apply deployment:
terraform apply tfplan -
Configure SSL on Nginx Proxy:
# SSH to the Nginx proxy VM ssh besuadmin@<nginx-proxy-public-ip> # Run certbot to configure SSL sudo certbot --nginx -d your-domain.com --non-interactive --agree-tos --email admin@example.com -
Configure Cloudflare:
- Point your domain's A record to the Nginx proxy public IP
- Enable Cloudflare proxy (orange cloud)
- Configure SSL/TLS mode to "Full" or "Full (strict)"
Outputs
After deployment, Terraform will output:
- phase1_us_regions: Information about each US region deployment (VMs, IPs)
- nginx_proxy: Nginx proxy server information (FQDN, public IP, backend count)
- key_vault_name: Key Vault name in West Europe
Next Steps
After Phase 1 is operational:
- Monitor VM health and Besu node synchronization
- Configure monitoring and alerting
- Restrict NSG rules to specific IP ranges
- Plan Phase 3 expansion to 36 global regions with AKS
Phase 3 Archive
The full 36-region global AKS deployment plan is archived in terraform/phases/phase3/ and will be deployed after Phase 1 is stable.