Edge Services (Azure)
This guide walks you through deploying Edge Services (e.g., Redact or AI Guard) on Azure, either as a single container through Azure Container Instances (ACI) or within an AKS cluster. Choose the deployment option that best fits your needs: ACI for simplicity, or AKS for production workloads.
Prerequisites
Before beginning deployment, ensure you have the following:
- An Azure subscription
- Azure CLI installed or access to Azure Cloud Shell
- Docker installed and configured (optional)
- Access to Pangea's private Docker Hub repository (granted by a Pangea representative)
- Vault and Edge services set up in Pangea, which provide the environment variables below
Environment configuration
Environment variables
Use values from your Pangea Console to set these environment variables.
PANGEA_CSP=aws # Cloud Service Provider
PANGEA_VAULT_TOKEN=pts_XXX # Vault Token
PANGEA_REGION=us # Deployment Region (e.g., us, eu, apac)
PANGEA_AI_GUARD_TOKEN=XXX # Service Token for AI Guard
These variables can be found in your Pangea Console under the Edge Configuration section:
- Navigate to your Pangea Console.
- Go to "Services", select your service (e.g., "Redact" or "AI Guard"), and open "Edge" under Settings.
- After you complete the preliminary steps for this, you should find the following page (in this case, for Redact):
Copy these directly from the console so you can set these variables in your environment using:
export PANGEA_CSP=aws
export PANGEA_VAULT_TOKEN=pts_XXX
# ... repeat for other variables
Keep these tokens secure and never commit them to version control.
Docker registry access
Access the service image from Pangea's private repository.
docker pull pangeacyber/aiguard-edge:latest
Pulling this image requires access granted by Pangea. A successful pull is a useful preliminary check that your environment is ready for the rest of the guide.
ACI deployment
For testing or lightweight production use, deploy Edge Services using Azure Container Instances. This method provides a quick way to get started with minimal configuration.
- Create a resource group to contain your deployment:
az group create --name pangea-edge --location $REGION
REGION should point to your local region, e.g., us.
- Deploy the container with the necessary configuration.
az container create \
--resource-group pangea-edge \
--name ai-guard-edge-container \
--image pangeacyber/ai-guard:latest \
--ports 8000 \
--dns-name-label <your-dns-label> \
--restart-policy OnFailure \
--registry-login-server index.docker.io \
--registry-username <your-username> \
--registry-password '<your-password>' \
--environment-variables \
PANGEA_REGION=us \
PANGEA_CSP=aws \
PANGEA_VAULT_TOKEN=<your-vault-token> \
--os-type Linux \
--cpu 2 \
--memory 16
- Test your deployment with a sample request.
curl -sSLX POST 'http://<dns-label>.<REGION>.azurecontainer.io:8000/v1beta/text/guard' \
-H 'Authorization: Bearer <your-ai-guard-token>' \
-H 'Content-Type: application/json' \
-d '{"text": "This is test text with sensitive data SSN: 234-56-7890"}'
AKS deployment
For production environments, deploy Edge Services on AKS to take advantage of container orchestration, scaling, and high availability features.
- If you don't have an AKS cluster, create one following Azure's AKS setup guide.
Some requirements for the Cluster:
- Make sure there is an AMD64 node pool available.
- A good reference can be found here: Deploying ARM64 workloads to AKS
- Configure connectivity appropriate for your environment. A reference can be found here. For this deployment, we will use an nginx ingress.
- Configure access to your cluster and create a namespace:
az aks get-credentials --resource-group pangea-edge --name pangea-edge-aks
kubectl create namespace pangea-edge
- Create a Docker pull secret to access the private repository in a file named pangea_dockerhub_pull_secret.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: pangea-registry-key
  namespace: pangea-edge
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: [base64-encoded-docker-config]
Replace the [base64-encoded-docker-config] section with your encoded Docker config credentials. More information can be found here.
- Save this file and apply it to your namespace:
kubectl apply -f pangea_dockerhub_pull_secret.yaml
- Create a secret for the Vault Token in a file named pangea_vault_token.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
  namespace: pangea-edge
type: Opaque
data:
  PANGEA_VAULT_TOKEN: [base64-encoded-vault-token]
Replace [base64-encoded-vault-token] with the base64-encoded form of the Vault token that you obtained in the environment configuration.
- Save this file and apply it to your namespace:
kubectl apply -f pangea_vault_token.yaml
- Deploy the Edge service using this deployment configuration. Create a file named pangea_ai_guard_deployment.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: pangea-edge
  name: ai-guard-edge
  labels:
    app: ai-guard-edge
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ai-guard-edge
  template:
    metadata:
      labels:
        app: ai-guard-edge
    spec:
      containers:
        - name: ai-guard-edge
          image: pangeacyber/ai-guard:latest
          env:
            - name: PANGEA_REGION
              value: "us"
            - name: PANGEA_CSP
              value: "aws"
            - name: PANGEA_VAULT_TOKEN
              value: "/var/run/secrets/PANGEA_VAULT_TOKEN"
            - name: AI_GUARD_CONFIG_DATA_COMMON_CLOUD_ONPREM_BM_RECORD_LOCAL_SUBMISSION_ENABLED
              value: "true"
          volumeMounts:
            - name: ephemeral-storage
              mountPath: "/var/pangea/data"
            - name: pangea-vault-token
              mountPath: /var/run/secrets
          ports:
            - containerPort: 8000
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 500m # 500 millicores (0.5 CPU)
              memory: 4Gi # 4 GiB of memory
      volumes:
        - name: ephemeral-storage
          emptyDir: {}
        - name: pangea-vault-token
          secret:
            secretName: vault-token
      imagePullSecrets:
        - name: pangea-registry-key
- Save this file and apply it to your namespace:
kubectl apply -f pangea_ai_guard_deployment.yaml
- Create a file for the service to expose the deployment, named pangea_ai_guard.yaml:
apiVersion: v1
kind: Service
metadata:
  namespace: pangea-edge
  name: ai-guard-edge-service
spec:
  selector:
    app: ai-guard-edge
  ports:
    - protocol: TCP
      port: 8000
      targetPort: 8000
- Save this file and apply it to your namespace:
kubectl apply -f pangea_ai_guard.yaml
- Set up ingress to enable external access. First, enable approuting:
az aks approuting enable --resource-group pangea-edge --name pangea-edge-aks
Then create a file named simple-edge-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ai-guard-edge-ingress
  namespace: pangea-edge
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ai-guard-edge-service
                port:
                  number: 8000
- Save this file and apply it to your namespace:
kubectl apply -f simple-edge-ingress.yaml
- Test your deployment with a sample request.
curl -sSLX POST 'http://<dns-label>.<REGION>.azurecontainer.io:8000/v1beta/text/guard' \
-H 'Authorization: Bearer <your-ai-guard-token>' \
-H 'Content-Type: application/json' \
-d '{"text": "This is test text with sensitive data SSN: 234-56-7890"}'
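The two Secret manifests in the AKS steps above need base64 values that sit on one line and carry no trailing newline; `echo` appends a newline that ends up inside the mounted token file, and GNU `base64` wraps long output. The script below is an added example, not part of Pangea's guide: it renders both manifests, the function names are hypothetical, and all credential values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: render the pull secret and Vault token Secret manifests
# with unwrapped, newline-free base64. Function names are hypothetical.
set -euo pipefail

# base64 of stdin on a single line (GNU base64 wraps at 76 columns by default).
b64_nowrap() { base64 | tr -d '\n'; }

# Docker Hub entry for .dockerconfigjson; auth is base64("username:password").
docker_config_json() {
  local auth
  auth=$(printf '%s:%s' "$1" "$2" | b64_nowrap)
  printf '{"auths":{"https://index.docker.io/v1/":{"auth":"%s"}}}' "$auth"
}

# render_secret NAME TYPE KEY  (the plaintext value is read from stdin)
render_secret() {
  local value
  value=$(b64_nowrap)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: pangea-edge
type: $2
data:
  $3: $value
EOF
}

# args: Docker Hub username, password or access token
pull_secret_manifest() {
  docker_config_json "$1" "$2" |
    render_secret pangea-registry-key kubernetes.io/dockerconfigjson .dockerconfigjson
}

# arg: Vault token; printf '%s' writes it without a trailing newline
vault_token_manifest() {
  printf '%s' "$1" | render_secret vault-token Opaque PANGEA_VAULT_TOKEN
}

# Constructed placeholder credentials, for demonstration only.
pull_secret_manifest 'example-user' 'example-password-long-enough-to-force-base64-wrapping-0123456789'
echo '---'
vault_token_manifest 'pts_XXX'
```

Piping a function's output to `kubectl apply -f -` applies the manifest without writing the encoded credential to a file on disk.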
Monitoring and troubleshooting
When troubleshooting issues, start by checking container logs and pod status:
# View container logs (single container)
az container logs --resource-group pangea-edge --name redact-edge-container
# View pod logs (AKS)
kubectl logs -n pangea-edge -l app=redact-edge
# Check pod status
kubectl get pods -n pangea-edge
If you're not receiving a response, the cause is often a pod restart. Use the commands above to check the pod logs and pod restarts, then diagnose and resolve the issue from there.