Azure Deployment

This guide covers Azure Container Apps for managed deployment and a VM-based Docker setup for more control.

Use Cases

Managed autoscaling for production traffic
Private networking with VNet integration
Fast pilot environments with minimal ops overhead

Architecture Choices

Azure Container Apps for managed ingress and autoscaling
Azure VM + Docker for full control and custom networking

Option A: Azure Container Apps

1. Build and push an image

# Build locally
docker build -t koreshield .

# Tag for Azure Container Registry
docker tag koreshield:latest <registry-name>.azurecr.io/koreshield:latest

# Push
az acr login --name <registry-name>
docker push <registry-name>.azurecr.io/koreshield:latest

2. Create the Container App

az containerapp create \
  --name koreshield \
  --resource-group <resource-group> \
  --environment <env-name> \
  --image <registry-name>.azurecr.io/koreshield:latest \
  --target-port 8000 \
  --ingress external \
  --env-vars OPENAI_API_KEY=your-api-key

3. Configure secrets (recommended)

Use secrets for API keys instead of inline env vars:

az containerapp secret set \
  --name koreshield \
  --resource-group <resource-group> \
  --secrets OPENAI_API_KEY=your-api-key

Then reference the secret in your app configuration.

4. Verify health

curl https://<app-url>/health

Option B: Azure VM + Docker

1. Create a VM

Ubuntu 22.04 recommended
Open inbound port 8000 or front with a reverse proxy

2. Install Docker

sudo apt-get update
sudo apt-get install -y docker.io
sudo systemctl enable --now docker
sudo usermod -aG docker $USER

3. Run KoreShield

Use the KoreShield image provided for your account and pass JWT/provider keys as environment variables.

Secrets and Config

Use Azure Key Vault for provider keys
Reference Key Vault secrets in Container Apps
Use environment variables or managed secrets for configuration

Networking and TLS

Terminate TLS with Azure Front Door or Application Gateway
Restrict ingress to trusted IPs or private endpoints
Use VNet integration for private services

Observability

Ship logs to Azure Monitor or Log Analytics
Enable json_logs: true for structured logs
Scrape /metrics with Prometheus or a managed monitor

Security Notes

Use Azure Key Vault for API keys.
Enable json_logs: true and ship logs to Azure Monitor.
Restrict inbound access to trusted networks.

Troubleshooting

401 responses: verify KORESHIELD_API_KEY header on clients
Container Apps not starting: confirm image pull permissions for ACR
Timeouts: increase ingress timeout and client timeouts for streaming
Provider errors: confirm Key Vault secrets are injected into the app

Next Steps

Add monitoring in ../monitoring/prometheus.mdx

Use Cases​

Architecture Choices​

Option A: Azure Container Apps​

1. Build and push an image​

2. Create the Container App​

3. Configure secrets (recommended)​

4. Verify health​

Option B: Azure VM + Docker​

1. Create a VM​

2. Install Docker​

3. Run KoreShield​

Secrets and Config​

Networking and TLS​

Observability​

Security Notes​

Troubleshooting​

Next Steps​