Skip to main content
Version: Omada Identity Cloud Private

Infrastructure architecture

Omada Identity Cloud Private uses the same Azure-based infrastructure as Omada Identity Cloud. The difference is in the hosting layer: all infrastructure resources are provisioned within your own Azure subscription and region, rather than in Omada's.

The following sections describe the Azure components and services that make up this infrastructure.

Azure infrastructure components

Azure resources are the individual cloud services and components – such as databases, storage, and compute clusters – provisioned within your Azure subscription. As part of the Cloud Private deployment, Omada creates the following Azure resources in your tenant's subscription:

ResourcePurpose
Azure Kubernetes Service (AKS)Runs containerized Omada services.
Azure SQL Database / SQL Elastic PoolStores application and identity data.
Azure Storage AccountsStores artifacts and backups.
Azure Container RegistryStores container images.
Azure Event HubsIngests identity event streams.
Azure Service BusInternal platform messaging.
Azure SignalRUsed for real-time communication components.
Azure Key VaultSecure storage for secrets and certificates.
Azure Log AnalyticsPlatform logging and monitoring.
Azure Application InsightsApplication telemetry.
Azure NetApp VolumesOptional high-performance storage.
Virtual Networks and SubnetsNetwork isolation for platform services.
Network Security GroupsNetwork traffic filtering.
Load Balancers and Public IPsExternal service exposure.
App Service / Web AppsHosts platform services.
Function AppsEvent processing and background workloads.
Managed DisksPersistent storage for compute services.

Networking

Network topology

The Cloud Private deployment uses Azure Virtual Networks (VNets) to provide network isolation and secure communication between platform components. Each environment has a dedicated VNet with subnets for compute (AKS), legacy system integration (CAG), App Service VNet integration, and future private endpoints.

For specific CIDR ranges, subnet sizes, and detailed configuration requirements, see Networking prerequisites.

Network security

Network Security Groups (NSGs) control inbound and outbound traffic for each subnet. For detailed NSG rule configurations, priority numbers, and customization guidance, see Network Security Groups in the deployment guide.

Private endpoints (optional)

Private endpoints enable private connectivity to Azure services from within your VNet, eliminating public internet exposure for critical services. The infrastructure supports private endpoints for:

Supported services:

  • Azure SQL Databaseprivatelink.database.windows.net
  • Azure Key Vaultprivatelink.vaultcore.azure.net
  • Azure Storage (Blob)privatelink.blob.core.windows.net

When enabled, private endpoints require:

  • A dedicated subnet sized /26 (minimum 59 usable IPs).
  • A private DNS zone in your subscription for name resolution.
  • Network rules allowing the private endpoint subnet to connect to the target services.
note

Private endpoints are not enabled by default. The required subnet is reserved during initial deployment to allow adoption at any point – for both new and existing deployments – without requiring network re-architecture. Enabling private endpoints requires a configuration change in shared-config.tf and a Terraform re-run.

DNS configuration

DNS configuration is required for both public-facing endpoints (external DNS) and service-to-service communication (internal DNS). For DNS zone setup, record configuration, and automation guidance, see DNS configuration in the deployment guide.

Authentication

Omada Identity Cloud Private is designed with managed identity as the preferred authentication pattern for Azure service-to-service communication. User-assigned managed identities are used for cloud-native application services to minimize credential handling. Service Principals with client secrets remain in use where Entra ID app roles require explicit identity registration, primarily for Enterprise Server to backend service flows.

note

SQL authentication currently uses username/password; managed identity for SQL is a planned improvement. Where secrets are required, they are stored in Azure Key Vault, and no credentials are hardcoded in deployment artifacts.

For the current implementation, authentication uses two complementary mechanisms for secure inter-service communication: User-assigned managed identities (preferred pattern) and Service Principals with client secrets (required for certain service-to-service flows).

note

User-assigned managed identities are the preferred authentication pattern. All credentials – including client secrets and connection strings – are stored in Azure Key Vault and never hardcoded. No inline secrets exist in Terraform outputs or application configuration files.

User-assigned managed identities

User-assigned managed identities are Azure resources managed by the deployment and assigned to compute services. They provide credential-less authentication to Azure services and are the preferred pattern for cloud-native service authentication.

Application service identities

IdentityPurposeAssigned To
Core Ingestion IdentityODS data ingestion10 function apps + 1 web app
Import Service IdentityImport processing1 function app + 1 web app
Provisioning Service IdentityUser provisioning1 function app + 1 web app
History Tracking IdentityAudit history tracking1 function app + 1 web app
ODS IdentityODS API authentication1 function app + 1 web app

Admin identities

Admin identities are user-assigned managed identities with elevated permissions, used for database migrations.

IdentityPurposeAssigned To
History Tracking Admin Identity (ht-admin-mi)Database migrations for History TrackingHistory Tracking service
ODS Admin Identity (ods-admin-mi)Database migrations for ODSODS service

Infrastructure identities

IdentityPurposeAssigned To
SignalR IdentityReal-time messaging via SignalRSignalR service; Import and Provisioning web apps and function apps (2 web apps + 2 function apps)
CAG VM IdentityCloud Application Gateway VM authenticationCAG Windows VM

All user-assigned managed identities are granted the minimum required permissions scoped to the specific resources each service needs to access. Key permissions include Storage Blob Data Reader and Azure Service Bus Data Sender.

These identities access Key Vault via access policies (Get, List permissions on secrets). For details, see Key Vault and secret management.

Service Principals (App Registrations)

Service Principals are used where managed identity authentication is not yet supported – primarily for Entra ID application role-based service-to-service flows. Client secrets are automatically generated and stored in Azure Key Vault.

note

The service principal list below is intended as an implementation-oriented overview. Validate the detailed exposed and consumed app-role mappings against the current Entra ID configuration before treating them as an authoritative reference.

Core Service Principals:

Service PrincipalPurposeApp Roles ExposedApp Roles Consumed
COPS APICentral authentication hub for all servicesEnterpriseServer, ImportService, CoreIngestion, WorkerService, RoPE, WorkerDownload, ProvisioningService(hub – provides roles)
Enterprise ServerMain application backendEnterpriseServer, RoPE, WorkerDownloadConsumes COPS API roles
Provisioning WorkerHandles identity provisioningEnterpriseServer, ProvisioningWorkerConsumes COPS API roles
Import ServiceIdentity import processingEnterpriseServer, ImportServiceConsumes COPS API roles
Core IngestionIdentity event processingCoreIngestionConsumes COPS API roles
Data ServiceDatabase operations and reportingUser impersonation scopeConsumes COPS API roles
Worker ServiceBackground job processingWorkerServiceConsumes COPS API roles
History TrackingHistorical audit trackinghistory_trackingConsumes COPS API roles

Authentication Flow:

  1. Service A requests an access token from Microsoft Entra ID
  2. Service A presents token to COPS API (hub)
  3. COPS API validates token contains appropriate app role
  4. COPS API grants access and returns data/API response

Database authentication

The Enterprise Server application connects to Azure SQL databases using SQL username/password authentication at runtime. This is the current model:

  • A SQL application account (username and password) is generated by Terraform and stored in Azure Key Vault.
  • During deployment, Ansible retrieves the credentials, creates the SQL login and database users, and injects an encrypted version of the password into the application configuration on the AKS pod.
  • The Enterprise Server application uses these credentials at runtime to connect to Azure SQL.

Current behavior and strategic direction:

  • Current behavior: For Ansible sql_execute tasks, Azure CLI authentication is currently the default operational path and requires an authenticated CLI session (az login) in the execution environment.
  • Strategic direction: Managed identity remains the preferred long-term pattern and is used where supported; SQL authentication will move toward managed identity as support is expanded.
note

SQL username/password authentication is the current model for Enterprise Server database connectivity. Migration to managed identity for SQL authentication is on the strategic roadmap but not yet implemented.

Key Vault access control

Access to Key Vault is managed through access policies. For details, see Key Vault and secret management.

Infrastructure sizing

The following sizing guidance is based on a medium reference profile: a single-tenant deployment handling approximately 150,000 to 500,000 managed objects, in a single Azure region, without cross-region high availability, and with standard log retention.

internal comment

This is currently the only published sizing profile. Additional profiles (small and large) are planned for a future update.

The table below is an indicative reference for a medium single-tenant profile. Values are intended as baseline guidance, not a strict guarantee of current implementation in every environment.

Where deployment automation, platform validation, or confirmed implementation details differ (for example, App Service Plan topology or Service Bus tier usage by environment), use the values validated by the implementation and update this page accordingly.

Medium profile – Dev / QA / Prod SKUs

ComponentDevQAProd
AKS node pool – worker VMs (Windows)1 × Standard_B8as_v22 × Standard_B8as_v22 × Standard_D8s_v3
App Service PlanBasic B3 (1 instance)Premium v3 P0V3 (1 instance)Premium v3 P0V3 (1 instance)
SQL Elastic Pool / SQL DB (vCore)General Purpose, 2 vCoreGeneral Purpose, 4 vCoreBusiness Critical, 8 vCore
Storage AccountStorageV2, Standard, LRS, Hot, 50 GBStorageV2, Standard, LRS, Hot, 100 GBStorageV2, Standard, LRS, Hot, 200 GB
Event Hubs NamespaceStandard (1 TU)Standard (1–2 TU)Standard (2–4 TU)
Service Bus Namespace1 Standard & 1 Premium1 Standard & 1 Premium1 Standard & 1 Premium
SignalRStandard S1 (1 unit)Premium P1 (1 unit)Premium P1 (1 unit)
Log Analytics Workspace~10–30 GB/month~30–50 GB/month~150+ GB/month
Application InsightsMinimalModerateProduction-level telemetry
Load BalancerStandard (1)Standard (1)Standard (1)
Public IPStandard (2)Standard (2)Standard (2)
Managed Disks (AKS / VMs)Standard SSD, LRS, 127 GiBStandard SSD, LRS, 127 GiBStandard SSD, LRS, 127 GiB

The following table provides additional configuration and retention details for storage and monitoring resources.

ResourceTypeConfigurationRetention
Storage AccountStandard StorageV2LRS (locally redundant), Blob storage30 days (configurable)
Log AnalyticsPerGB2018 SKUDev: 0.5 GB/day, QA: 1 GB/day, Prod: 1 GB/dayDev / QA: 30 days, Prod: 90 days
Application InsightsWeb type100% (default sampling rate; configurable)90 days (default)

Environment-specific differences

AspectDevelopmentQAProduction
SQL Public Access✓ Enabled✓ Enabled✗ Disabled
CAG Public IP✓ Enabled✓ Enabled✗ Disabled
SQL BackupLocal (LRS)Zone-redundant (ZRS)Geo-redundant (GRS)
SQL Zone Redundancy✗ Disabled✗ Disabled✓ Enabled
Log Retention30 days30 days90 days
Recommended UseDevelopment/POCUAT/StagingProduction workloads

Primary cost drivers

The following components have the most significant impact on total Azure infrastructure cost:

  • Compute – AKS node pool and App Service Plan scaling model.
  • Database – SQL Elastic Pool performance tier and data growth rate.
  • Logging – Log Analytics log ingestion volume and retention policy.
  • Messaging – Event Hubs and Service Bus throughput requirements.
  • Optional features – Security and compliance add-ons (for example, Microsoft Defender for Cloud, extended retention).
  • Premium-tier Azure Service Bus
note

Production sizing reflects a single-region deployment without cross-region redundancy. Enabling high availability or geo-redundancy will increase cost. Dev and QA environments are sized for functional validation and controlled load, not production-scale throughput.

SKU selection guidance

AKS node SKUs:

  • Standard_B8as_v2 / Standard_D8s_v3 (default): Suitable for standard workloads.
  • Standard_D16s_v5 (16 vCPU/64 GB): Large-scale deployments or data-intensive workloads.
note

SKU must support Hypervisor Generation 1. Verify generation support for your chosen SKU before deployment.

SQL Database SKUs:

  • General Purpose, 2 vCore (default Dev): Suitable for development and low-traffic environments.
  • General Purpose, 4 vCore (default QA): Suitable for staging and moderate workloads.
  • Business Critical, 8 vCore (default Prod): Recommended for production workloads with SLA requirements.

App Service Plan SKUs:

  • Basic B3: Suitable for development environments.
  • Premium v3 P0V3: Recommended for QA and production environments.

tip

For the prerequisites you need to have in place before deploying, see Prerequisites. For deployment instructions, see the Deployment guide.