Deployed resources¶
This document outlines the resources provisioned in your Azure subscription when you deploy OPAQUE. It provides a high-level overview of the deployment process, the resources created, and how they integrate with OPAQUE's control plane.
Deployment overview¶
OPAQUE is deployed using Azure Kubernetes Service (AKS) clusters with confidential compute capabilities. All sensitive workloads run within hardware-backed, attested environments that ensure data confidentiality and runtime integrity.
Core compute resources are deployed inside your Azure subscription and operate within a secure, hardware-attested environment.
The following diagram provides an overview of the deployment architecture.
In this configuration, OPAQUE deploys two managed AKS clusters within your Azure subscription:
- A client cluster, which hosts the user-facing interface, REST API, and encryption/decryption services.
- A data plane cluster, which executes agentic AI and analytics workflows in a confidential compute environment. Core components such as the workload manager and workload processor handle job execution and enforce runtime policies.
Both clusters run on AMD SEV-SNP–enabled node pools, ensuring memory encryption and hardware-backed runtime integrity.
Networking, secrets management, and certificate configuration are automated through Terraform and Helm.
All traffic is secured through OPAQUE’s attested TLS (aTLS) mesh, which verifies the identity and integrity of every service before communication is established.
Info
By default, OPAQUE deploys AKS using public clusters, where the Kubernetes API server (control plane) is reachable over the internet using Azure-managed endpoints secured with TLS. If you select private AKS during deployment, the API server is accessible only from within your virtual network, adding an extra layer of isolation. Regardless of this choice, the client and data plane clusters always communicate securely over peered VNets through OPAQUE's aTLS mesh.
Node pool autoscaling can be enabled during deployment and is typically chosen for workloads with dynamic compute requirements.
DNS zones and private connectivity¶
During deployment, OPAQUE automatically provisions private DNS zones that handle secure name resolution and routing between customer-hosted and OPAQUE-managed components.
The following zones ensure all communication remains within private, secure network boundaries.
| DNS Zone | Purpose |
|---|---|
| controlplane.opaque-int.com | Hosts endpoints for coordination, attestation, and key management services (mp, notifications, audit-logger, vault-client, vault-dataplane). |
| servicebus.windows.net | Resolves Azure Service Bus endpoints used for secure message transport and signaling across both agentic AI and analytics workflows. |
| privatelink.blob.core.windows.net | Provides private connectivity to Azure Blob Storage resources used for agentic AI and analytics workloads. |
| privatelink.dfs.core.windows.net | Enables private data-plane access to the same Blob Storage resources for distributed file operations. |
All zones are provisioned and linked automatically during deployment. No manual configuration is required, but they can be useful reference points when validating private connectivity or diagnosing DNS resolution issues.
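When validating private connectivity, the two things worth confirming for each of the four zones are that it is linked (with the link in a completed state) to both the client VNet and the data plane VNet, and that the names in it resolve only to private addresses, since a public address in a privatelink zone means that traffic would leave the private path. The following Go program is an added example of such a check; it is not OPAQUE's own tooling. The inventory shape, the VNet names `vnet-client` and `vnet-dataplane`, the record names and the addresses are all constructed for this example; in practice you would fill the inventory from `az network private-dns link vnet list` and `az network private-dns record-set a list` output for each zone.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// RequiredZones are the private DNS zones listed above. This example assumes
// each one must be linked to both the client VNet and the data plane VNet.
var RequiredZones = []string{
	"controlplane.opaque-int.com",
	"servicebus.windows.net",
	"privatelink.blob.core.windows.net",
	"privatelink.dfs.core.windows.net",
}

// VNetLink holds the fields of interest from a virtual network link
// (assumed shape: the VNet id and the link state, "Completed" when usable).
type VNetLink struct {
	VNetID string
	State  string
}

// ARecord is one A record set in a zone: its name and the addresses it returns.
type ARecord struct {
	Name string
	IPs  []string
}

type Zone struct {
	Links   []VNetLink
	Records []ARecord
}

// Inventory maps zone name to what was found in the subscription.
type Inventory map[string]Zone

// Validate returns one finding per problem. An empty result means every
// required zone exists, has a completed link to both VNets, and resolves
// only to private (RFC 1918 / ULA) addresses.
func Validate(inv Inventory, clientVNet, dataPlaneVNet string) []string {
	var findings []string
	for _, zone := range RequiredZones {
		z, ok := inv[zone]
		if !ok {
			findings = append(findings, fmt.Sprintf("%s: zone missing", zone))
			continue
		}
		linked := map[string]bool{}
		for _, l := range z.Links {
			if l.State == "Completed" {
				linked[l.VNetID] = true
			}
		}
		for _, want := range []string{clientVNet, dataPlaneVNet} {
			if !linked[want] {
				findings = append(findings, fmt.Sprintf("%s: no completed link to %s", zone, want))
			}
		}
		for _, rec := range z.Records {
			for _, raw := range rec.IPs {
				ip := net.ParseIP(raw)
				if ip == nil || !ip.IsPrivate() {
					findings = append(findings, fmt.Sprintf("%s: %s resolves to non-private address %s", zone, rec.Name, raw))
				}
			}
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleInventory is constructed for this example. It contains two realistic
// faults: the control plane zone is linked only to the client VNet, and the
// blob zone has an in-progress link plus a record that leaks a public address.
func SampleInventory() Inventory {
	return Inventory{
		"controlplane.opaque-int.com": {
			Links:   []VNetLink{{"vnet-client", "Completed"}},
			Records: []ARecord{{"mp", []string{"10.20.1.4"}}, {"vault-dataplane", []string{"10.20.1.5"}}},
		},
		"servicebus.windows.net": {
			Links:   []VNetLink{{"vnet-client", "Completed"}, {"vnet-dataplane", "Completed"}},
			Records: []ARecord{{"opaque-bus", []string{"10.20.2.4"}}},
		},
		"privatelink.blob.core.windows.net": {
			Links:   []VNetLink{{"vnet-client", "Completed"}, {"vnet-dataplane", "InProgress"}},
			Records: []ARecord{{"opaquedata", []string{"10.20.3.4", "203.0.113.10"}}},
		},
		"privatelink.dfs.core.windows.net": {
			Links:   []VNetLink{{"vnet-client", "Completed"}, {"vnet-dataplane", "Completed"}},
			Records: []ARecord{{"opaquedata", []string{"10.20.3.5"}}},
		},
	}
}

func main() {
	for _, f := range Validate(SampleInventory(), "vnet-client", "vnet-dataplane") {
		fmt.Println(f)
	}
}
```

Run against the constructed inventory, the program reports the missing data plane link on the control plane zone, the incomplete data plane link on the blob zone, and the public address in the blob zone's `opaquedata` record; a correctly provisioned deployment produces no findings.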
aTLS mesh¶
To protect all data throughout its lifecycle, OPAQUE uses an attested TLS (aTLS) service mesh to secure communication between all deployed components. This mesh ensures that no service communicates with another unless both parties have cryptographically verified each other's identity and runtime integrity through remote attestation. This mechanism, known as mutual aTLS (maTLS), enforces:
- Strong cryptographic verification before any connection is established, including validation of each service's attestation evidence—covering the hardware root of trust (e.g., AMD SEV-SNP, TPM, or NVIDIA NRAS), firmware, kernel, and measured workload image—against trusted baselines maintained by OAS.
- End-to-end encryption for all traffic between services.
- Hardware-rooted trust boundaries at the network layer.
All necessary components to enforce this mesh—such as proxies, policy engines, and certificate managers—are automatically injected into workloads that handle confidential data. These protections are applied transparently and do not require user configuration. (A more detailed overview of the aTLS mesh design is available upon request.)
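The gate the mesh applies before a connection is established can be shown in miniature. The Go program below is an added example, not OPAQUE's mesh code: each side challenges the other with a fresh nonce, the peer answers with evidence that carries the nonce, its measurements and a hash of the TLS key it will use on the channel, and the evidence is accepted only if it is signed by a trusted hardware root, matches the nonce, is bound to the presented TLS key, and its measurements appear in the baseline. A stand-alone ECDSA key models the hardware root of trust (a real platform uses a vendor-certified key such as AMD's VCEK); the evidence field names, baseline values and service names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Measurements carried in attestation evidence (field names are assumptions).
type Measurements struct {
	Firmware string `json:"firmware"`
	Kernel   string `json:"kernel"`
	Workload string `json:"workload"`
}

// Report is the evidence a peer presents. TLSKeyHash binds the evidence to
// the TLS identity used on the channel, so evidence from one endpoint cannot
// be replayed by another that holds a different TLS key.
type Report struct {
	Nonce        []byte       `json:"nonce"`
	TLSKeyHash   []byte       `json:"tls_key_hash"`
	Measurements Measurements `json:"measurements"`
}

// Peer models one mesh service. hwKey stands in for the hardware root of
// trust; tlsKey is the key the service presents in its TLS certificate.
type Peer struct {
	Name   string
	hwKey  *ecdsa.PrivateKey
	tlsKey *ecdsa.PrivateKey
	meas   Measurements
}

func NewPeer(name string, meas Measurements) *Peer {
	hw, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tls, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Peer{Name: name, hwKey: hw, tlsKey: tls, meas: meas}
}

func (p *Peer) HardwarePublicKey() *ecdsa.PublicKey { return &p.hwKey.PublicKey }
func (p *Peer) TLSPublicKey() *ecdsa.PublicKey      { return &p.tlsKey.PublicKey }

func keyHash(pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return sum[:]
}

// Attest answers a verifier's nonce with evidence signed by the hardware root.
func (p *Peer) Attest(nonce []byte) (evidence, sig []byte, err error) {
	evidence, err = json.Marshal(Report{Nonce: nonce, TLSKeyHash: keyHash(p.TLSPublicKey()), Measurements: p.meas})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(evidence)
	sig, err = ecdsa.SignASN1(rand.Reader, p.hwKey, digest[:])
	return evidence, sig, err
}

// Verifier holds the trusted hardware roots and the measurement baselines.
type Verifier struct {
	Roots     []*ecdsa.PublicKey
	Baselines []Measurements
}

// Verify accepts evidence only if all four checks pass; the error names the
// first check that failed.
func (v *Verifier) Verify(evidence, sig, nonce []byte, tlsPub *ecdsa.PublicKey) error {
	digest := sha256.Sum256(evidence)
	trusted := false
	for _, root := range v.Roots {
		if ecdsa.VerifyASN1(root, digest[:], sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("evidence not signed by a trusted hardware root")
	}
	var r Report
	if err := json.Unmarshal(evidence, &r); err != nil {
		return fmt.Errorf("malformed evidence: %w", err)
	}
	if !bytes.Equal(r.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed evidence")
	}
	if !bytes.Equal(r.TLSKeyHash, keyHash(tlsPub)) {
		return errors.New("evidence is not bound to the presented TLS key")
	}
	for _, b := range v.Baselines {
		if r.Measurements == b {
			return nil
		}
	}
	return fmt.Errorf("measurements %+v not in trusted baseline", r.Measurements)
}

// MutualAttest runs the challenge in both directions; the connection is
// established only when each side has verified the other.
func MutualAttest(v *Verifier, a, b *Peer) error {
	for _, pair := range [][2]*Peer{{a, b}, {b, a}} {
		challenger, prover := pair[0], pair[1]
		nonce := make([]byte, 32)
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		evidence, sig, err := prover.Attest(nonce)
		if err != nil {
			return err
		}
		if err := v.Verify(evidence, sig, nonce, prover.TLSPublicKey()); err != nil {
			return fmt.Errorf("%s rejected %s: %w", challenger.Name, prover.Name, err)
		}
	}
	return nil
}

func main() {
	good := Measurements{Firmware: "fw-1.2", Kernel: "kernel-6.1", Workload: "workload-a1b2"}
	wm, wp := NewPeer("workload-manager", good), NewPeer("workload-processor", good)
	v := &Verifier{Roots: []*ecdsa.PublicKey{wm.HardwarePublicKey(), wp.HardwarePublicKey()}, Baselines: []Measurements{good}}
	fmt.Println("trusted pair:", MutualAttest(v, wm, wp))
	rogue := NewPeer("rogue", Measurements{Firmware: "fw-1.2", Kernel: "kernel-6.1", Workload: "tampered"})
	v.Roots = append(v.Roots, rogue.HardwarePublicKey())
	fmt.Println("tampered workload:", MutualAttest(v, wm, rogue))
}
```

The order of the checks matters: the signature is verified before the evidence is parsed, so nothing unsigned is ever interpreted, and a peer on genuine, trusted hardware is still refused when its workload measurement is not in the baseline, which is the case that a plain TLS certificate check cannot catch.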
Control plane integration¶
OPAQUE’s control plane, hosted in a separate Azure subscription, integrates securely via:
- Azure Service Bus, which transports job coordination signals and heartbeats.
- Private Link, which establishes a secure, private connection between your deployment and OPAQUE’s control plane over Azure’s internal network.
Summary¶
Deploying OPAQUE provisions a full confidential AI stack. All components are created and configured using automated infrastructure-as-code workflows.
The deployment uses confidential compute and hardware-backed attestation to protect data and workloads, while enabling secure, scalable execution of agentic AI and analytics workloads.
