Requirements

Why this tech stack? PostgreSQL is the application’s source of truth. Redis provides fast caching and manages background job queues. Kubernetes enables reliable, scalable container orchestration. External Secrets keeps credentials in Key Vault (your security team’s preferred location) while making them available to pods.

Technology approval processes: Many enterprises have technology review boards or approved software lists. If PostgreSQL, Kubernetes, or Terraform aren’t already approved in your environment, initiate that process early—it can take weeks.

Which service is most resource-intensive? The evaluations service (confident-evals) consumes the most CPU during evaluation runs—it processes LLM outputs and computes metrics. If evaluations are slow, scale this service first before adding nodes.

Azure vCPU quotas can block deployment. Azure subscriptions have default limits on vCPUs per VM family. A typical deployment needs ~40 vCPUs for the Dv5 family (2×4 system + 4×8 worker).

Check your quotas before starting:

• Azure Portal → Subscriptions → Usage + quotas → Filter by “Standard Dv5 Family”

If your limit is low, request an increase—this can take hours to days.

Some organizations restrict which Azure services can be used. Azure Policy or management group policies may prohibit certain services. Verify the services above are allowed in your subscription before proceeding.

Common restrictions that cause issues:

• NAT Gateway (some orgs require shared NAT infrastructure)
• Key Vault (some orgs require centrally managed vaults)
• Managed Identity creation (some orgs require pre-provisioned identities)
• Public IP allocation (some orgs restrict public IPs)

Corporate proxies and firewalls: If your organization routes traffic through a proxy or inspects HTTPS, you may need to:

• Allowlist the domains above
• Configure proxy settings in the deployment
• Get certificate exceptions for HTTPS inspection

Network restrictions are a common cause of deployment failures that appear as timeouts or SSL errors.

Permissions are a common cause of deployment failures. Most organizations don’t grant broad permissions by default.

Options:

1. Use Contributor + User Access Administrator temporarily — Simplest for initial deployment. Restrict after success.
2. Request specific permissions — Work with your cloud security team to create a deployment service principal with the permissions above.
3. Have a platform team deploy — If you can’t get permissions, have someone who does run Terraform.

These are estimates. Actual costs depend on:

• Region (East US 2 is typically cost-effective)
• Usage (more evaluations = more compute = higher cost)
• Data volume (PostgreSQL storage, blob objects)
• Reserved instances (can reduce VM costs 30-50%)

Use Azure Cost Management after deployment to track actual spending.