This page covers the Azure-specific bits. The actual Helm install — values, ingress, env vars — lives in Install with Helm.
| Component | Azure service | Notes |
|---|---|---|
| Kubernetes | AKS | 3–5 nodes, ≥ Standard_D4s_v4 (4 vCPU / 16 GB), zone-redundant, cluster autoscaler enabled. |
| MongoDB | MongoDB Atlas (preferred), or Cosmos DB API for MongoDB | Cosmos has version/feature gaps — validate with Prisme.ai first. See MongoDB. |
| PostgreSQL (alternative to Mongo) | Azure Database for PostgreSQL — Flexible Server | With Entra ID passwordless auth. See PostgreSQL. |
| Elasticsearch | Elastic Cloud on Azure, or self-managed Elasticsearch on AKS via ECK | See Elasticsearch. |
| Redis | Azure Managed Redis | See Redis. |
| Object storage | Azure Blob Storage | Two containers are enough: models and uploads (the latter serves both public and private files, proxied by the api-gateway). Add a third public container fronted by Azure CDN / Front Door only if you want public assets served directly from a CDN. |
| File storage (PVC RWX) | Azure Files | Zone-redundant storage (ZRS), Premium tier, via the CSI driver. |
| Ingress | Application Gateway Ingress Controller (AGIC) or NGINX | |
| TLS / Certificates | Azure Key Vault + cert-manager, or AGIC + Key Vault TLS | |
| Secrets | Azure Key Vault + Secrets Store CSI Driver, or External Secrets Operator | |
| Identity | Microsoft Entra ID Workload Identity (federated credentials) | |

Persistent storage

The shared RWX PVC (used by prismeai-functions) must be backed by Azure Files with ZRS. Premium tier recommended for hot workloads.

Infrastructure as Code

Use Bicep, ARM templates or the Terraform azurerm provider — Azure’s documentation is the canonical reference. Prisme.ai doesn’t ship a dedicated Azure IaC bundle.

DNS and TLS

Create two records (Azure DNS or your registrar):
api.<your-domain>     -> Application Gateway / NGINX ingress public IP
studio.<your-domain>  -> same
A certificate covering both is the easiest path. Manage it in Key Vault and reference it from AGIC, or generate it via cert-manager.

Microsoft Entra ID passwordless auth

Entra ID lets you replace static passwords for Redis and PostgreSQL with short-lived tokens, using system-assigned or user-assigned managed identities.

Common setup

  1. Create a managed identity:
    az identity create --name PrismeaiIdentity --resource-group RESOURCE_GROUP
    
  2. Wire the identity to AKS. Pick one of the two options below.
    
    Option A — bind to the cluster (simpler, applies to all workloads):
    az aks update --resource-group RESOURCE_GROUP --name CLUSTER_NAME \
      --enable-managed-identity \
      --assign-identity IDENTITY_ID --assign-kubelet-identity IDENTITY_ID
    
    Then set every azureSystemIdentity: true in your Helm values.
    
    Option B — federated credentials (per service account, recommended):
    az identity federated-credential create --name prismeai-core-fic \
      --identity-name PrismeaiIdentity --resource-group RESOURCE_GROUP \
      --issuer <aks_oidc_issuer> \
      --subject system:serviceaccount:CORE_NAMESPACE:prismeai-backends-sa \
      --audiences api://AzureADTokenExchange
    
    az identity federated-credential create --name prismeai-apps-fic \
      --identity-name PrismeaiIdentity --resource-group RESOURCE_GROUP \
      --issuer <aks_oidc_issuer> \
      --subject system:serviceaccount:APPS_NAMESPACE:prismeai-backends-sa \
      --audiences api://AzureADTokenExchange
    
    All backend services (everything except prismeai-console) need serviceAccount.name: prismeai-backends-sa in your Helm values. Replace CORE_NAMESPACE and APPS_NAMESPACE with your namespace names, and <aks_oidc_issuer> with your cluster’s OIDC issuer URL.
    Then set every azureManagedIdentityClientId in your Helm values to the managed identity’s clientId.
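As an added example (not part of the Prisme.ai docs or charts), the Option B steps for both namespaces as one script: it derives the federated-credential subject from the namespace and service account name, looks up the cluster's OIDC issuer and the identity's clientId, and applies a ServiceAccount carrying the azure.workload.identity/client-id annotation that the Workload Identity webhook reads. It assumes az and kubectl are logged in, the AKS OIDC issuer is enabled, and the RESOURCE_GROUP / CLUSTER_NAME / namespace values are placeholders you export.

```shell
#!/bin/sh
# Added example, not from the Prisme.ai docs: Option B for the core and apps
# namespaces in one go. Assumes az + kubectl are logged in, the AKS cluster
# has its OIDC issuer enabled, and the placeholder names below match yours.
set -eu
IDENTITY_NAME="${IDENTITY_NAME:-PrismeaiIdentity}"
RESOURCE_GROUP="${RESOURCE_GROUP:-RESOURCE_GROUP}"
CLUSTER_NAME="${CLUSTER_NAME:-CLUSTER_NAME}"
SA_NAME="prismeai-backends-sa"

# Subject the federated credential must match: the token AKS issues for the SA.
fic_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$SA_NAME"; }

# One federated-credential name per namespace, as in the docs (prismeai-core-fic, ...).
fic_name() { printf 'prismeai-%s-fic' "$1"; }

# ServiceAccount manifest carrying the Workload Identity client-id annotation.
render_sa() { # namespace client_id
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: $1
  annotations:
    azure.workload.identity/client-id: "$2"
EOF
}

# Create the federated credential and the annotated SA for one namespace.
wire_namespace() { # label namespace issuer client_id
  az identity federated-credential create --name "$(fic_name "$1")" \
    --identity-name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" \
    --issuer "$3" --subject "$(fic_subject "$2")" \
    --audiences api://AzureADTokenExchange
  render_sa "$2" "$4" | kubectl apply -f -
}

main() {
  issuer=$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER_NAME" \
    --query oidcIssuerProfile.issuerUrl -o tsv)
  client_id=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" \
    --query clientId -o tsv)
  wire_namespace core "${CORE_NAMESPACE:?set CORE_NAMESPACE}" "$issuer" "$client_id"
  wire_namespace apps "${APPS_NAMESPACE:?set APPS_NAMESPACE}" "$issuer" "$client_id"
}

# Only touch Azure when run as `sh wire-identity.sh apply`; otherwise just define helpers.
if [ "${1:-}" = "apply" ]; then main; fi
```

The pods themselves also need the azure.workload.identity/use: "true" label for the webhook to inject the federated token, so check how your Helm values set pod labels.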

Redis

  1. Open your Azure Managed Redis instance.
  2. Go to Settings → Authentication.
  3. Enable Microsoft Entra ID authentication and select the managed identity.

PostgreSQL

  1. Connect with your Entra admin user:
    export AZ_DATABASE_SERVER_NAME=prismeai
    export AZ_DATABASE_NAME=<db>
    export CURRENT_USERNAME=$(az ad signed-in-user show --query userPrincipalName --output tsv)
    psql "host=$AZ_DATABASE_SERVER_NAME.postgres.database.azure.com \
          user=$CURRENT_USERNAME dbname=$AZ_DATABASE_NAME port=5432 \
          password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken) \
          sslmode=require"
    
  2. Create a Postgres user attached to the managed identity (same name):
    select * from pgaadauth_create_principal('PrismeaiIdentity', false, false);
    
  3. Grant permissions:
    GRANT CREATE, USAGE ON SCHEMA public TO "PrismeaiIdentity";
    GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "PrismeaiIdentity";
    ALTER DEFAULT PRIVILEGES IN SCHEMA public
      GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "PrismeaiIdentity";
    
  4. In your Helm values, set the managed identity name as the user for all three PostgreSQL clients:
    • global.storage.permissions.user
    • prismeai-api-gateway.storage.users.user
    • prismeai-runtime.storage.collections.user

Ingress annotations

Application Gateway exposes two distinct settings:
  • Backend request timeout (≈ 60 s, kept under the api-gateway server keep-alive of 70 s): governs socket reuse between client requests.
  • Idle request timeout (≈ 300 s): an in-flight request is killed only after this much inactivity, so SSE and long LLM streams aren’t dropped.
The full annotation reference lives in Helm install — Ingress and load balancer.

Next Steps

Install with Helm

Configure values and deploy core + apps namespaces.

Databases

PostgreSQL or MongoDB, Redis, Elasticsearch or OpenSearch.

Install products

Fresh-install walkthrough.

Migration v27

Migrate an existing instance to v27.