Curiosity

Deploying on Azure

Curiosity Workspace runs unchanged on Azure. The deployment shape is the same as the Docker or Kubernetes guide; what's specific to Azure is the surrounding infrastructure.

Reference architecture (production)

| Concern | Azure service | Notes |
| --- | --- | --- |
| Compute | Azure VM (D8s v5+) or AKS | AKS recommended for production fleet. |
| Persistence | Premium SSD managed disks (Premium_LRS) | 200 GB starter. |
| Backups | Azure Backup snapshots or Disk Snapshots | Replicate to a paired region. |
| Ingress + TLS | Application Gateway or Front Door | Or NGINX Ingress on AKS with cert-manager. |
| Private access | VNet + private endpoint | Egress controlled via Azure Firewall or NAT Gateway. |
| Identity | Workload Identity (AKS) or Managed Identity (VM) | For Key Vault access. |
| Secrets | Azure Key Vault | Inject via Key Vault CSI driver or env-var sidecar. |
| Logs | Azure Monitor / Log Analytics | Or set MSK_LOG_PATH for file-based collection. |
| Metrics | Azure Monitor + Container Insights | Plus internal /api/endpoints/metrics. |
| DNS | Azure DNS or your existing registrar | → Front Door / App Gateway. |

Option A: Azure VM

  1. Create a Linux VM (Ubuntu 22.04 or RHEL 9, D8s v5 / 8 vCPU / 32 GB).
  2. Attach a Premium SSD managed disk (≥ 200 GB) and mount it at /srv/curiosity. See Azure Documentation: Attach a data disk to a Linux VM.
  3. Install Docker and bring up the workspace via Docker Compose. Pull secrets from Key Vault before starting the container.
  4. Front with Application Gateway with a managed certificate.
  5. Schedule disk snapshots via Azure Backup or a Logic App calling the snapshot API.

Option B: AKS

  1. Provision the AKS cluster with system + user node pools in a private subnet. Enable Workload Identity for secret access.
  2. Verify storage class: AKS exposes managed-csi (Standard SSD) and managed-csi-premium by default. Use managed-csi-premium for production. See Use Azure Disk with AKS.
  3. Install the Application Gateway Ingress Controller (AGIC) or NGINX Ingress, and cert-manager for ACME certificates.
  4. Install the Azure Key Vault Secrets Provider (CSI) so the manifest can reference Key Vault secrets directly.
  5. Apply the manifest from the Kubernetes guide, setting:
    • storageClassName: managed-csi-premium
    • volumeClaimTemplates.resources.requests.storage: 200Gi
    • ingressClassName: azure-application-gateway (or nginx).
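Steps 4 and 5 combined in one manifest fragment, as an added example rather than the project's own manifest: a Key Vault SecretProviderClass consumed through Workload Identity, mounted read-only into the StatefulSet that carries the storage settings listed above. The angle-bracket placeholders, the secret name curiosity-admin-password, the service account name, the data mount path and the image name are assumptions; the Ingress object (ingressClassName: azure-application-gateway) is omitted.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: curiosity-kv
spec:
  provider: azure
  parameters:
    clientID: "<workload-identity-client-id>"   # federated credential: no client secret to store
    keyvaultName: "<key-vault-name>"
    tenantId: "<entra-tenant-id>"
    objects: |
      array:
        - |
          objectName: curiosity-admin-password    # assumed Key Vault secret name
          objectType: secret
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: curiosity
spec:
  serviceName: curiosity
  selector:
    matchLabels: { app: curiosity }
  template:
    metadata:
      labels:
        app: curiosity
        azure.workload.identity/use: "true"   # inject the federated token into this pod
    spec:
      serviceAccountName: curiosity   # SA annotated with azure.workload.identity/client-id (assumed)
      containers:
        - name: workspace
          image: <registry>/<image>:<pinned-tag>   # pinned tag, never :latest
          volumeMounts:
            - { name: data, mountPath: /srv/curiosity }   # assumed data path
            - { name: kv-secrets, mountPath: /mnt/secrets, readOnly: true }
      volumes:
        - name: kv-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: curiosity-kv
  volumeClaimTemplates:
    - metadata: { name: data }
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: managed-csi-premium
        resources: { requests: { storage: 200Gi } }
```

The secret material never appears in the manifest or in a Kubernetes Secret object; the CSI driver fetches it at pod start using the pod's federated identity, so access is governed by Key Vault RBAC on that identity.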

Identity (SSO) on Azure

Use the Microsoft Entra ID guide — it's the same SSO flow, named after the new Entra ID branding. Map Entra ID groups to Workspace teams so ReBAC reflects your real org structure.

Observability

  • Logs: stream container stdout to Log Analytics via Container Insights on AKS, or via the Azure Monitor Agent on a VM.
  • Metrics: ingest /api/endpoints/metrics (admin) into Azure Monitor with a self-hosted Prometheus scraper, or use Azure Managed Prometheus.
  • Alerts: liveness, ingestion failure rate, disk IOPS, container restarts.

Production checklist (Azure-specific)

  • Pinned image tag, not :latest.
  • Premium SSD managed disk; backups via Azure Backup or snapshot policy.
  • Secrets in Azure Key Vault, surfaced via CSI or Workload Identity.
  • Application Gateway or Front Door terminates TLS with HSTS.
  • Egress allowlist documented (LLM provider, registry, NuGet).
  • Azure Monitor alerts for liveness, latency, container restart rate.
  • Restore drill completed and dated.

© 2026 Curiosity. All rights reserved.