Deploy OPAQUE on Azure¶

This guide walks you through deploying the Opaque platform into your Azure environment using the CLI installer.

You’ll prepare your environment, run the installer, and verify that the deployment completed successfully.

Overview¶

The OPAQUE CLI installer runs inside a container and automates the full deployment in your Azure environment. It creates the required infrastructure and provisions the platform, prompting you for configuration values along the way. Defaults are provided where applicable.

During installation, you’ll be asked to:

Choose a connectivity mode: Select public (simpler, internet-accessible endpoints) or private (fully isolated within your Azure network).
- Public is typically used for simpler deployments or environments without existing network infrastructure.
- Private is used when integrating with an existing Azure network and requires one of two options:
  - VNet peering (hub-and-spoke VNet architectures)
  - Azure Virtual WAN (Virtual WAN–based networking)
Configure certificate management: Choose to provide your own TLS certificates (you manage DNS and renewal) or use automated certificate provisioning (requires access to your domain’s DNS via Cloudflare).

The installation runs in two phases:

Bootstrap (~5 minutes) — creates initial Azure resources, including networking, identity, and a deployment VM.
Deployment (~30–45 minutes) — the VM completes the full Terraform deployment, including AKS clusters, services, and networking.

Once complete, the Opaque platform is available at your configured application URL.

Before you begin¶

The installer deploys the OPAQUE platform into your Azure environment using an interactive CLI. You’ll be prompted to provide configuration values across several steps, including infrastructure, networking, and TLS setup.

Before running the installer, ensure your environment is ready and that you have the required information on hand.

Azure requirements¶

An Azure subscription with Owner or Contributor + User Access Administrator permissions
An empty resource group in your target Azure region
Sufficient quota in the target region for:
- At least 1 virtual machine (Standard_B2s or larger)
- At least 2 AKS clusters
- Confidential computing nodes (Standard_DC4as_v5 or larger)

Required tools¶

Docker — runs the OPAQUE installer as a container (Install Docker)
Azure CLI (az) — authenticates to Azure and sets the target subscription for deployment (Install Azure CLI)

Information to gather before installation¶

You’ll be prompted for the following values during installation.

Azure details

Azure subscription ID
Azure tenant ID
Azure region
Resource group name

Credentials provided by OPAQUE

The following are required to run the installer and access the container registry

Customer identifier (unique ID for your organization)
Service principal (ID and secret) — used by the installer to access Opaque-managed resources (for example, retrieving configuration and secrets from a key vault)
OCI registry credentials (username and password) — used to pull the installer container

Deployment settings (defined by you)

Terraform VM password: Admin password for the VM that runs deployment automation
OPAQUE application subdomain: For example, yourdomain.opaque.com; used to access the UI and back-end services.

Private deployments only

If you plan to use private networking, gather the details for one of the following options:

Hub VNet (vnetPeering):
- Hub VNet resource ID
- Hub firewall private IP
- Peering service principal with Network Contributor access:
  - Application (client) ID
  - Secret
  - Tenant ID
  - Object ID
Azure Virtual WAN (virtualHub):
- Virtual Hub Resource ID
- Virtual Hub Route Table IDs (associated and propagated)
- Peering service principal with Network Contributor access:
  - Application (client) ID
  - Secret
  - Tenant ID
  - Object ID

TLS certificates

If using your own certificates, have these files ready:
- TLS certificate file (e.g., tls.crt)
- TLS private key file (e.g., tls.key)
Note

Your certificate must:
- Be a wildcard certificate (e.g., *.example.com).
- Include the full certificate chain.
If using automated certificate management, have the following ready:
- Cloudflare API token (for DNS validation)
- ZeroSSL credentials (HMAC key, key ID, and email address)

Most configuration options (such as VM size, scaling, and network ranges) are selected during installation.

Set up your environment¶

Before running the installer, prepare your local environment and Azure context.

Create an Azure resource group¶

Before running the installer, create an empty resource group in your target Azure region.

Go to the Opaque offering on Azure Marketplace (sign-in required).
Select the Opaque plan and click Create.
Enter the required values:
- Subscription
- Resource group name (create a new one)
- Region
- Application name (any name is fine)
Click Review + create, then Create.

This creates the resource group without deploying any resources.

Install the required tools¶

If you haven’t already, install the following tools:

Docker — used to run the installer container.
Azure CLI (az)** — used to authenticate and manage Azure resources.

Create a working directory¶

mkdir opaque-installer && cd opaque-installer

(Optional) Prepare TLS certificates¶

If you plan to use your own TLS certificates, create a certs directory and copy your certificate and key:

mkdir -p certs
cp /path/to/your/tls.crt certs/tls.crt
cp /path/to/your/tls.key certs/tls.key

Your directory should look like this:

opaque-installer/
└── certs/
    ├── tls.crt
    └── tls.key

Authenticate to Azure¶

Log in to Azure and set the subscription where you want to deploy Opaque:

az login
az account set --subscription <your-subscription-id>

Configure the installation¶

Set the installer version and provide your Opaque registry credentials, then run the installer script:

export INSTALLER_VERSION=<TBD>2.6.2
export OCI_REGISTRY_USERNAME=<provided-by-opaque>
export OCI_REGISTRY_PASSWORD=<provided-by-opaque>

curl -fsSL "https://opaquemanagedappprod.blob.core.windows.net/container/${INSTALLER_VERSION}/run-install.sh" | bash -s --

Replace <TBD> with installer version
Replace <provided-by-opaque> with the credentials you received from Opaque
The INSTALLER_VERSION variable allows you to control which version of the installer you run.

The script will:

Prompt for your OCI registry credentials.
Download the installer container.
Create a config.yaml file in your working directory.
Launch the interactive installer.

(Optional) Enable debug output¶

To see detailed progress during installation, add the --debug flag:

curl -fsSL "https://opaquemanagedappprod.blob.core.windows.net/container/${INSTALLER_VERSION}/run-install.sh" | bash -s -- --debug

What happens next¶

The installer launches an interactive CLI and guides you through a series of steps. For each prompt, enter a value and press Enter to continue.

You can accept default values where provided.

Step 1: Enter Azure deployment details¶

Provide the Azure and Opaque credentials used to deploy the environment.

You’ll be prompted to enter:

Azure subscription ID
Azure tenant ID
Azure region
Resource group name
Customer identifier
Service principal ID
Service principal secret

Next, configure the Terraform runner VM:

Select a VM size based on available quota in your Azure subscription:
- Standard_B2s
- Standard_B2ms
- Standard_E2_v3
- Standard_E2_v5
Use any option that is available in your subscription. If a size is unavailable due to quota limits, select another.
Enter a VM admin password.

Step 2: Configure your application¶

Enter your application subdomain, (for example: yourdomain.opaque.com).

Next, choose whether to enable OpenTelemetry (OTLP) monitoring (for exporting metrics to an external system).

If you enable it, you’ll be prompted for:

OTLP endpoint
OTLP bearer token

Note

OpenTelemetry must be enabled during deployment. It cannot be enabled later without redeploying.

Step 3: Define infrastructure settings¶

In this step, you define how your deployment handles workload attestation and scaling. These settings determine how your Opaque environment operates at runtime.

You’ll be prompted in succession to choose:

Data plane node size for your AKS cluster — select one of four confidential compute VM sizes:
- Standard_DC4as_v5 — Small footprint. Best for development, testing, or lightweight workloads with minimal concurrency.
- Standard_DC8as_v5 — Moderate capacity. Suitable for small production workloads and moderate data processing.
- Standard_DC16as_v5 — High capacity. Designed for production workloads with larger datasets and higher parallelism.
- Standard_DC32as_v5 — Maximum performance. Ideal for compute-intensive workloads, large-scale data processing, and high concurrency.
Note

Larger sizes provide more compute capacity for data processing workloads, but require sufficient Azure quota and incur higher cost.
Whether to enable autoscaler for data plane AKS cluster — autoscaling allows the cluster to scale automatically based on workload demand. If enabled, enter the maximum number of nodes (for example: 5).

Step 4: Configure networking¶

Choose how Opaque connects to your network.

First, select a connectivity mode:

Public — uses public endpoints for cluster and service access
Private — keeps all resources on private IP space within your Azure network

If you choose private mode

Select your hub connection type:

VNet peering — for hub-and-spoke VNet architectures
Azure Virtual WAN (Virtual Hub) — for Virtual WAN–based networking

Then provide the required hub and peering details.

VNet peering configurationAzure Virtual WAN (Virtual Hub) configuration

If you choose VNet peering, you’ll be prompted to provide:

Hub connection details

Hub VNet resource ID
Hub firewall private IP
Peering service principal:
- Application ID
- Secret
- Tenant ID
- Object ID

VNet configuration

Define address ranges for your deployment:

VNet CIDR (default provided)
Terraform runner subnet CIDR
Client subnet CIDR
Data plane subnet CIDR

Kubernetes service networking (internal, non-routable)

Client cluster service CIDR
Client cluster DNS IP
Data plane cluster service CIDR
Data plane cluster DNS IP

You can keep the default values or adjust them to match your internal IP plan.

If you choose Azure Virtual WAN, you’ll be prompted to provide:

Virtual Hub connection details

Virtual Hub resource ID
Associated route table ID
Propagated route table IDs
Virtual Hub route table labels (optional)
Peering service principal:
- Application ID
- Secret
- Tenant ID
- Object ID

VNet configuration

Define address ranges for your deployment:

VNet CIDR (default provided)
Terraform runner subnet CIDR
Client subnet CIDR
Data plane subnet CIDR

Kubernetes service networking (internal, non-routable)

Client cluster service CIDR
Client cluster DNS IP
Data plane cluster service CIDR
Data plane cluster DNS IP

You can keep the default values or adjust them to match your internal IP plan

Step 5: Configure TLS certificates¶

In this step, choose how TLS certificates are managed for your deployment.

If you use your own certificate, provide the file locations for:

TLS certificate file (e.g., <*path*>/tls.crt)
TLS private key file (e.g., <*path*>/tls.key)

Note

Your certificate must:

Be a wildcard certificate (e.g., *.example.com).
Include the full certificate chain.

If you do not use your own certificate, choose No and provide your:

Cloudflare API token
ZeroSSL HMAC key
ZeroSSL key ID
ZeroSSL email

Opaque uses these credentials to provision and manage TLS certificates automatically.

Step 6: Review and start deployment¶

After completing all configuration steps, the installer displays a confirmation prompt:

Proceed with installation?
Yes   No

Select Yes to begin deployment.

Once you proceed, the installer runs in two phases:

Bootstrap (~5 minutes) — Creates initial Azure resources, including networking, identity, and a deployment VM.
Deployment (~30–45 minutes) — The VM runs the full Terraform deployment, provisioning AKS clusters and Opaque services. During this phase, the installer shows periodic status updates, for example:
```
i Waiting for deployment to complete on VM (this may take 30-45 minutes)...
  Deployment in progress... (5m elapsed)
  Deployment in progress... (10m elapsed)
  ...
```
Monitor progress (optional)

During deployment, you can follow progress in the Azure Portal:
- In your resource group, you’ll see resources being created, including:
  - Virtual network and subnets
  - A deployment VM
  - A storage account used for deployment state
- Once the VM is created, most of the deployment runs from that VM.
- The storage account’s tfstate container includes:
  - terraform.tfstate — Terraform state for the deployment
  - terraform.tfvars.json — configuration generated from your inputs
  - terraform_outputs.json — outputs produced after deployment
These can help you verify progress or troubleshoot issues.

For private deployment, you can also monitor progress directly from the VM using the Azure Serial Console.

When deployment finishes, you’ll see the following notification:

Installation Complete

Opaque platform deployed!

NOTE: Opaque may need to approve Private Endpoints.
Your Opaque application may not function properly until that has been completed.

Application URL: https://app.opaque.example.org

After deployment¶

Once installation is complete, your Opaque environment is ready to access.

The platform is available at your application URL.
Opaque may need to approve Private Endpoints before the platform is fully operational.
The Terraform runner VM remains running and is used for future updates or maintenance.

Manage and recover an installation¶

If the installation fails, fix the underlying issue and re-run the installer. Previously completed steps are skipped automatically.

Resume installation¶

To continue from where the installation stopped:

curl-fsSL"https://opaquemanagedappprod.blob.core.windows.net/container/${INSTALLER_VERSION}/run-install.sh" | bash -s -- --resume

The installer uses the config.yaml file and saved progress in your working directory to resume the deployment.

Restart the installation¶

To start over from the beginning (while keeping your configuration):

curl-fsSL"https://opaquemanagedappprod.blob.core.windows.net/container/${INSTALLER_VERSION}/run-install.sh" | bash -s -- --reset

This clears the installation progress but preserves your configuration values.

Check installation status¶

You can check the current installation state at any time:

curl-fsSL"https://opaquemanagedappprod.blob.core.windows.net/container/${INSTALLER_VERSION}/run-install.sh" | bash -s -- --status

Inspect deployment from the VM (advanced)¶

For deeper inspection, you can connect to the deployment VM.

# Public deployment
ssh opaque@<vm-public-ip>

Then check:

# Deployment logs
tail-f ~/logs/deploy-*.log

# Cloud-init status
cloud-init status

# Terraform state
cd ~/opaque-tf-modules/customer-deployment-env
terraform show

Clean up resources¶

To remove all resources created by the installer, delete the resource group:

az group delete --name <resource-group-name> --yes --no-wait

This deletes all deployed infrastructure, including the VM, virtual network, storage account, and AKS clusters. This operation is irreversible.

Reset installer state¶

To reset the installer’s progress without deleting Azure resources:

curl-fsSL"https://opaquemanagedappprod.blob.core.windows.net/container/${INSTALLER_VERSION}/run-install.sh" | bash -s -- --reset

This clears the progress stored in config.yaml while preserving your configuration values. Existing Azure resources are not deleted and will be reused on the next run.