Deploying AgentMesh on Microsoft Azure using AKS, Managed Identity, Key Vault, and Azure Monitor.
See also: Kubernetes Guide for general K8s patterns, AWS and GCP for other clouds.
- Architecture Overview
- Prerequisites
- AKS Cluster Setup
- Managed Identity Integration
- Secrets Management with Key Vault
- Monitoring with Azure Monitor
- High Availability Topology
- Network Security
- Common Patterns
## Architecture Overview

```
┌──────────────────────────────────────────────────┐
│                  Azure Region                    │
│  ┌────────────────────────────────────────────┐  │
│  │                    VNet                    │  │
│  │  ┌──────────────┐  ┌────────────────────┐  │  │
│  │  │ AKS Cluster  │  │  Azure Cache for   │  │  │
│  │  │              │  │       Redis        │  │  │
│  │  │ ┌──────────┐ │  └────────────────────┘  │  │
│  │  │ │AgentMesh │ │  ┌────────────────────┐  │  │
│  │  │ │ Server   │ │  │ Azure Database for │  │  │
│  │  │ ├──────────┤ │  │     PostgreSQL     │  │  │
│  │  │ │AgentMesh │ │  └────────────────────┘  │  │
│  │  │ │ Sidecar  │ │                          │  │
│  │  │ └──────────┘ │  ┌────────────────────┐  │  │
│  │  └──────────────┘  │  Azure Key Vault   │  │  │
│  │                    └────────────────────┘  │  │
│  │                    ┌────────────────────┐  │  │
│  │                    │  Azure Monitor /   │  │  │
│  │                    │     Event Grid     │  │  │
│  │                    └────────────────────┘  │  │
│  └────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────┘
```
## Prerequisites

- Azure CLI (`az`) configured with the target subscription
- kubectl configured for your AKS cluster
- Helm 3.x for chart-based deployment
## AKS Cluster Setup

```bash
# Create resource group
az group create \
  --name agentmesh-rg \
  --location eastus

# Create AKS cluster with a managed identity, an OIDC issuer plus workload
# identity (both are required by the Managed Identity Integration section),
# Azure CNI with Calico network policy, and nodes spread across three zones
az aks create \
  --resource-group agentmesh-rg \
  --name agentmesh-prod \
  --node-count 3 \
  --node-vm-size Standard_D4s_v5 \
  --enable-managed-identity \
  --enable-workload-identity \
  --enable-oidc-issuer \
  --network-plugin azure \
  --network-policy calico \
  --zones 1 2 3 \
  --generate-ssh-keys
```

With these flags the Kubernetes API server has a public endpoint. For production add `--enable-private-cluster`, or at least `--api-server-authorized-ip-ranges`, and turn on Microsoft Entra ID integration with Azure RBAC (`--enable-aad --enable-azure-rbac`) so that cluster access is governed by the same identities and role assignments as the rest of the subscription.

Recommended sizing:

| Component | VM Size / SKU | Min Nodes | Notes |
|---|---|---|---|
| AgentMesh Server | Standard_D4s_v5 | 2 | CPU-bound trust scoring |
| AgentMesh Sidecar | Runs in agent pods | — | ~128 MB RAM per sidecar |
| Redis | Azure Cache Premium P1 | 1 | Zone-redundant |
| PostgreSQL | General Purpose D4s_v3 | 1 | Zone-redundant with HA |
## Managed Identity Integration

Use AKS Workload Identity to authenticate AgentMesh pods to Azure services without storing credentials: the pod's projected Kubernetes service-account token is exchanged with Entra ID for a token of a user-assigned managed identity, and Entra ID only performs the exchange when the token's issuer, subject and audience match a federated credential on that identity exactly.

```bash
# Create the user-assigned managed identity
az identity create \
  --resource-group agentmesh-rg \
  --name agentmesh-identity

# Cluster OIDC issuer URL (the federated credential must match it byte for byte,
# including the trailing slash AKS emits)
AKS_OIDC_ISSUER=$(az aks show \
  --resource-group agentmesh-rg \
  --name agentmesh-prod \
  --query "oidcIssuerProfile.issuerUrl" -o tsv)

# Federated credential: binds this issuer + ServiceAccount subject to the identity
az identity federated-credential create \
  --name agentmesh-fed-cred \
  --identity-name agentmesh-identity \
  --resource-group agentmesh-rg \
  --issuer "$AKS_OIDC_ISSUER" \
  --subject system:serviceaccount:agentmesh:agentmesh-sa \
  --audiences api://AzureADTokenExchange
```

The ServiceAccount carries the identity's client ID in an annotation. The workload-identity mutating webhook only injects the token volume and `AZURE_*` environment variables into pods that carry the `azure.workload.identity/use: "true"` label, so set that label on the pod template as well.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agentmesh-sa
  namespace: agentmesh
  annotations:
    azure.workload.identity/client-id: "<MANAGED_IDENTITY_CLIENT_ID>"
  labels:
    azure.workload.identity/use: "true"
```

```bash
# Object ID of the identity's service principal, used for role assignments
IDENTITY_PRINCIPAL_ID=$(az identity show \
  --resource-group agentmesh-rg \
  --name agentmesh-identity \
  --query principalId -o tsv)
```
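A debugging aid for the binding above, added here as an example (it is not AgentMesh's or Azure's code). When the token exchange is rejected with AADSTS70021 ("no matching federated identity record"), the cause is almost always that the projected token's `iss`, `sub` or `aud` does not match the federated credential byte for byte (wrong namespace, wrong ServiceAccount name, issuer URL without its trailing slash). The script decodes the projected token's claims without verifying the signature and reports each mismatch against the values configured above. The token path is the one the webhook projects; the issuer URL is a placeholder and the sample tokens are constructed.

```python
"""Compare a projected service-account token with the federated credential.

Added example for this guide, not AgentMesh's or Azure's code. No signature
check is done: the cluster signs the token and Entra ID verifies it, so this
is a consistency check, not a trust decision. EXPECTED["iss"] is a placeholder
for $AKS_OIDC_ISSUER; the sample tokens are constructed.
"""
import base64
import json
import time

TOKEN_PATH = "/var/run/secrets/azure/tokens/azure-identity-token"  # projected by the webhook

EXPECTED = {  # values used in the federated-credential command above
    "iss": "https://eastus.oic.prod-aks.azure.com/<TENANT_ID>/<ISSUER_ID>/",
    "sub": "system:serviceaccount:agentmesh:agentmesh-sa",
    "aud": "api://AzureADTokenExchange",
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Return the decoded JWT claims; the signature is not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_federated_binding(token, expected=EXPECTED, now=None):
    """Return a list of mismatches; an empty list means Entra ID would accept
    the token for the federated credential created above."""
    claims = jwt_payload(token)
    problems = []
    # Issuer and subject are exact string matches, trailing slash included.
    if claims.get("iss") != expected["iss"]:
        problems.append(f"iss: token={claims.get('iss')!r} credential={expected['iss']!r}")
    if claims.get("sub") != expected["sub"]:
        problems.append(f"sub: token={claims.get('sub')!r} credential={expected['sub']!r}")
    # aud is a list in Kubernetes-issued tokens; the configured audience must be in it.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected["aud"] not in aud:
        problems.append(f"aud: token={aud!r} lacks {expected['aud']!r}")
    now = time.time() if now is None else now
    if claims.get("exp") is None or claims["exp"] <= now:
        problems.append("exp: token missing or expired; kubelet refreshes the projected file, re-read it")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned token in compact JWS layout (dummy signature segment)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample'})}.{enc(claims)}.c2lnbmF0dXJl"


GOOD_CLAIMS = {  # constructed: what a token projected into a labelled agentmesh pod looks like
    "iss": EXPECTED["iss"],
    "sub": EXPECTED["sub"],
    "aud": [EXPECTED["aud"]],
    "exp": 4102444800,  # 2100-01-01, so the sample never expires in a test
    "kubernetes.io": {"namespace": "agentmesh", "serviceaccount": {"name": "agentmesh-sa"}},
}
# Constructed failure: ServiceAccount deployed in the wrong namespace, issuer lost its slash.
BAD_CLAIMS = dict(GOOD_CLAIMS, sub="system:serviceaccount:default:agentmesh-sa",
                  iss=EXPECTED["iss"].rstrip("/"))

if __name__ == "__main__":
    try:
        token = open(TOKEN_PATH).read().strip()  # inside a pod with the workload-identity label
    except OSError:
        token = make_sample_token(GOOD_CLAIMS)  # offline: fall back to the constructed token
    for line in check_federated_binding(token) or ["binding OK"]:
        print(line)
```

Run it with `kubectl exec` inside an AgentMesh pod to read the real projected token; the `exp` check matters because the projected token is short-lived and a stale copy cached by an application is a common second cause of failed exchanges.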
Grant the identity only the roles it needs, scoped to the specific resources rather than the resource group. Assigning by object ID with an explicit principal type avoids the Graph lookup that makes `--assignee` fail intermittently for freshly created identities.

```bash
# Key Vault access: read secrets from this vault only
az role assignment create \
  --assignee-object-id "$IDENTITY_PRINCIPAL_ID" \
  --assignee-principal-type ServicePrincipal \
  --role "Key Vault Secrets User" \
  --scope /subscriptions/SUB_ID/resourceGroups/agentmesh-rg/providers/Microsoft.KeyVault/vaults/agentmesh-kv

# Event Grid publisher: publish to the audit topic only
az role assignment create \
  --assignee-object-id "$IDENTITY_PRINCIPAL_ID" \
  --assignee-principal-type ServicePrincipal \
  --role "EventGrid Data Sender" \
  --scope /subscriptions/SUB_ID/resourceGroups/agentmesh-rg/providers/Microsoft.EventGrid/topics/agentmesh-audit
```

## Secrets Management with Key Vault

```bash
# RBAC authorization instead of access policies, and purge protection so a
# deleted key cannot be permanently destroyed inside the retention window
az keyvault create \
  --resource-group agentmesh-rg \
  --name agentmesh-kv \
  --location eastus \
  --enable-rbac-authorization \
  --enable-purge-protection

# Store Ed25519 private key (base64-encoded). Key Vault's key object types
# (RSA, EC P-256/384/521/secp256k1) do not include Ed25519, so the key is held
# as a secret. Prefer --file over --value so the key material does not end up
# in shell history.
az keyvault secret set \
  --vault-name agentmesh-kv \
  --name agent-alpha-private-key \
  --value "<base64-encoded-ed25519-key>"
```

Because the key is a secret rather than a Key Vault key, signing happens inside the pod and every principal holding Key Vault Secrets User on `agentmesh-kv` can read the key material; keep the role scoped to this vault and the vault reachable only over its Private Endpoint. Mount the secret into pods with the Secrets Store CSI driver and a SecretProviderClass:
```yaml
# SecretProviderClass for AKS (Secrets Store CSI driver with the Azure provider,
# enabled via: az aks enable-addons --addons azure-keyvault-secrets-provider ...)
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: agentmesh-secrets
  namespace: agentmesh
spec:
  provider: azure
  parameters:
    # Workload identity mode: neither pod identity nor the node's VM identity
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    clientID: "<MANAGED_IDENTITY_CLIENT_ID>"
    keyvaultName: agentmesh-kv
    tenantId: "<TENANT_ID>"
    objects: |
      array:
        - |
          objectName: agent-alpha-private-key
          objectType: secret
```

The pod that mounts this volume must run as `agentmesh-sa`, since the provider exchanges that pod's service-account token for the identity's Key Vault token. The mounted file is only updated after a rotation if the addon was enabled with `--enable-secret-rotation`, and then on the driver's polling interval rather than immediately.

## Monitoring with Azure Monitor

```bash
# Container Insights: ship container logs and metrics to Log Analytics
az aks enable-addons \
  --resource-group agentmesh-rg \
  --name agentmesh-prod \
  --addons monitoring \
  --workspace-resource-id /subscriptions/SUB_ID/resourceGroups/agentmesh-rg/providers/Microsoft.OperationalInsights/workspaces/agentmesh-logs
```

AKS also supports managed Prometheus backed by an Azure Monitor workspace; the alert conditions below map onto its rule groups, where they are written as PromQL.
| Metric | Alert Condition |
|---|---|
| `agentmesh_trust_score` | Any agent drops below 300 |
| `agentmesh_policy_violations_total` | > 10 violations/min |
| `agentmesh_anomaly_detections_total` | Any HIGH severity detection |
| `agentmesh_credential_rotations_total` | Rotation failure |
| `agentmesh_handshake_duration_seconds` | p99 > 500 ms |
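The five conditions above are of three different kinds: a gauge threshold, counter rates over a scrape interval, and a quantile computed from histogram buckets; getting the kind wrong (alerting on the raw value of a `_total` counter, say) produces rules that never fire or always fire. The following is an added example, not AgentMesh's own code, that parses two Prometheus text-format scrapes taken 60 seconds apart and evaluates the table against them. The metric names are those from the table; the label names `agent`, `severity` and `result` are assumptions the guide does not specify, and both scrapes are constructed.

```python
"""Evaluate the alert table above against two Prometheus scrapes.

Added example for this guide, not AgentMesh's own code. It assumes the metric
names from the table plus the label names `agent`, `severity` and `result`,
which the guide does not specify; both scrapes are constructed.
"""
import math
import re
from collections import defaultdict

INTERVAL_S = 60  # seconds between the two constructed scrapes (assumed)
SAMPLE_RE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{[^}]*\})?\s+(\S+)")
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="([^"]*)"')

SCRAPE_T0 = """
# TYPE agentmesh_trust_score gauge
agentmesh_trust_score{agent="alpha"} 812
agentmesh_trust_score{agent="beta"} 640
agentmesh_policy_violations_total{agent="alpha"} 120
agentmesh_policy_violations_total{agent="beta"} 7
agentmesh_anomaly_detections_total{severity="HIGH"} 3
agentmesh_anomaly_detections_total{severity="LOW"} 40
agentmesh_credential_rotations_total{result="success"} 58
agentmesh_credential_rotations_total{result="failure"} 0
"""
# 60 s later: beta's score collapsed, beta produced 15 violations, handshakes slowed.
SCRAPE_T1 = """
agentmesh_trust_score{agent="alpha"} 805
agentmesh_trust_score{agent="beta"} 240
agentmesh_policy_violations_total{agent="alpha"} 121
agentmesh_policy_violations_total{agent="beta"} 22
agentmesh_anomaly_detections_total{severity="HIGH"} 3
agentmesh_anomaly_detections_total{severity="LOW"} 44
agentmesh_credential_rotations_total{result="success"} 59
agentmesh_credential_rotations_total{result="failure"} 0
agentmesh_handshake_duration_seconds_bucket{le="0.1"} 900
agentmesh_handshake_duration_seconds_bucket{le="0.25"} 950
agentmesh_handshake_duration_seconds_bucket{le="0.5"} 985
agentmesh_handshake_duration_seconds_bucket{le="1"} 1000
agentmesh_handshake_duration_seconds_bucket{le="+Inf"} 1000
"""


def parse_exposition(text):
    """Return {metric_name: [(labels, value), ...]}; comment lines do not match."""
    samples = defaultdict(list)
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if not m:
            continue
        name, raw_labels, raw_value = m.groups()
        samples[name].append((dict(LABEL_RE.findall(raw_labels or "")), float(raw_value)))
    return samples


def histogram_quantile(q, bucket_samples):
    """Approximate PromQL histogram_quantile(): interpolate linearly inside the
    cumulative bucket holding rank q*count; the +Inf bucket yields its lower bound."""
    buckets = sorted((float(l["le"]), v) for l, v in bucket_samples)
    total = buckets[-1][1]
    if total == 0:
        return math.nan
    rank = q * total
    lo_le, lo_count = 0.0, 0.0
    for le, count in buckets:
        if count >= rank:
            if math.isinf(le):
                return lo_le
            if count == lo_count:
                return le
            return lo_le + (le - lo_le) * (rank - lo_count) / (count - lo_count)
        lo_le, lo_count = le, count
    return buckets[-1][0]


def counter_increase(prev, cur, name, match=None):
    """Sum of per-series increases between scrapes (resets are clamped to 0)."""
    before = {tuple(sorted(l.items())): v for l, v in prev.get(name, [])}
    return sum(max(0.0, v - before.get(tuple(sorted(l.items())), 0.0))
               for l, v in cur.get(name, [])
               if not match or all(l.get(k) == x for k, x in match.items()))


def evaluate_alerts(prev_text, cur_text, interval_s=INTERVAL_S):
    """Apply the table's five conditions and return the alerts that fire."""
    prev, cur = parse_exposition(prev_text), parse_exposition(cur_text)
    fired = []
    for labels, score in cur.get("agentmesh_trust_score", []):  # gauge: any agent < 300
        if score < 300:
            fired.append(f"LowTrustScore agent={labels.get('agent')} score={score:g}")
    per_min = counter_increase(prev, cur, "agentmesh_policy_violations_total") * 60 / interval_s
    if per_min > 10:  # counter: increase over the interval, scaled to per minute
        fired.append(f"PolicyViolationBurst rate={per_min:g}/min")
    if counter_increase(prev, cur, "agentmesh_anomaly_detections_total", {"severity": "HIGH"}) > 0:
        fired.append("HighSeverityAnomaly")
    if counter_increase(prev, cur, "agentmesh_credential_rotations_total", {"result": "failure"}) > 0:
        fired.append("CredentialRotationFailed")
    buckets = cur.get("agentmesh_handshake_duration_seconds_bucket")
    if buckets:  # histogram: p99 from cumulative buckets, threshold 500 ms
        p99 = histogram_quantile(0.99, buckets)
        if p99 > 0.5:
            fired.append(f"SlowHandshake p99={p99 * 1000:.0f}ms")
    return fired


if __name__ == "__main__":
    for alert in evaluate_alerts(SCRAPE_T0, SCRAPE_T1):
        print(alert)
```

Against the constructed scrapes three alerts fire (beta's trust score, the violation burst, and a p99 of about 667 ms) while the unchanged HIGH-severity and rotation-failure counters stay quiet; the p99 comes out between the 0.5 s and 1 s bucket boundaries exactly as `histogram_quantile` would place it, which is why the bucket layout chosen for `agentmesh_handshake_duration_seconds` determines how precisely the 500 ms threshold can be enforced.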
Audit events are exported as CloudEvents to an Event Grid custom topic; the managed identity publishing them needs the EventGrid Data Sender role on that topic.

```yaml
# AgentMesh config
audit:
  export:
    type: cloudevents
    target: azure_event_grid
    topic: /subscriptions/SUB_ID/resourceGroups/agentmesh-rg/providers/Microsoft.EventGrid/topics/agentmesh-audit
```

## High Availability Topology

```
┌──────────────┐  ┌──────────────┐  ┌──────────────┐
│   Zone 1     │  │   Zone 2     │  │   Zone 3     │
│              │  │              │  │              │
│  AgentMesh   │  │  AgentMesh   │  │  AgentMesh   │
│  Server (1)  │  │  Server (1)  │  │  Server (1)  │
│              │  │              │  │              │
│ Redis Primary│  │ Redis Replica│  │              │
│  PG Primary  │  │  PG Standby  │  │  PG Read     │
└──────────────┘  └──────────────┘  └──────────────┘
```
- AgentMesh Server: ≥ 2 replicas with zone-aware pod anti-affinity
- Redis: Azure Cache Premium with zone redundancy
- PostgreSQL: Azure Database for PostgreSQL Flexible Server with zone-redundant HA
Helm values for the server deployment:

```yaml
replicaCount: 3
affinity:
  podAntiAffinity:
    # "preferred" keeps the deployment schedulable when a zone is lost; use
    # requiredDuringSchedulingIgnoredDuringExecution if two replicas must never
    # share a zone even at the cost of running degraded
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          topologyKey: topology.kubernetes.io/zone
          labelSelector:
            matchLabels:
              app: agentmesh-server
resources:
  requests:
    cpu: 500m
    memory: 512Mi
  limits:
    cpu: "1"
    memory: 1Gi
```

## Network Security

- AKS nodes in private subnets, with Azure NAT Gateway for outbound traffic
- Redis and PostgreSQL in private subnets, reached through Private Endpoints
- Private Link for Key Vault, Event Grid, and Azure Monitor; disable public network access on those resources once the endpoints are in place
| Component | Inbound | Outbound |
|---|---|---|
| AgentMesh Server | 8080 (API), 9090 (metrics) from VNet | Redis 6380, PostgreSQL 5432, Key Vault 443 |
| AgentMesh Sidecar | 8081 from localhost only | AgentMesh Server 8080 |
| Redis | 6380 from AKS subnet | — |
| PostgreSQL | 5432 from AKS subnet | — |
The policy below enforces the table. Two points that are easy to miss when an egress policy is added: DNS must be allowed explicitly or every name lookup from the pod fails, and the data stores live behind Private Endpoints in the VNet, so they are matched by `ipBlock`, not by a namespace selector (a pod selector can never match a VNet IP). `<PRIVATE_ENDPOINT_SUBNET_CIDR>` is a placeholder for the subnet that holds the endpoints.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agentmesh-server
  namespace: agentmesh
spec:
  podSelector:
    matchLabels:
      app: agentmesh-server
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Sidecars in agent namespaces labelled agentmesh-access=true reach the API.
    # The namespace running the metrics scraper needs the same label for 9090.
    - from:
        - namespaceSelector:
            matchLabels:
              agentmesh-access: "true"
      ports:
        - port: 8080
          protocol: TCP
        - port: 9090
          protocol: TCP
  egress:
    # Cluster DNS in kube-system
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Redis (TLS) and PostgreSQL over their Private Endpoints
    - to:
        - ipBlock:
            cidr: <PRIVATE_ENDPOINT_SUBNET_CIDR>
      ports:
        - port: 6380
          protocol: TCP
        - port: 5432
          protocol: TCP
    # HTTPS: Key Vault over its Private Endpoint, plus the Entra ID token
    # endpoint used by workload identity, which has no Private Link option and
    # is reached through the NAT Gateway
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 443
          protocol: TCP
```

## Common Patterns

Use Workload Identity so AgentMesh pods authenticate to Azure services without static credentials:
AgentMesh DID → K8s ServiceAccount → Azure Managed Identity (via Workload Identity)
- Agent private keys: Azure Key Vault + CSI driver mount
- Redis/PostgreSQL credentials: Key Vault with automatic rotation
- TLS certificates: Azure-managed certificates for external; SPIFFE for mesh-internal
- Use Azure Spot VMs for non-critical agent workloads
- Right-size Azure Cache and PostgreSQL based on agent count
- Use Log Analytics data retention tiers for audit log cost management
See also: AWS Deployment · GCP Deployment · Kubernetes Guide