Unique deploys modules developed by own developers, collaborators or partners as https://azure.microsoft.com/en-us/products/container-apps(ACA ff.).

Availability

Hosted SDKs are only available for:

• Co-Development Partners

• Single-Tenant Clients

Other clients or deployment models respectively must close a separate contract or upsell to accommodate the additional consumption cost.

Consulting

Unique offers clients that want to host the SDK by themselves advice at a premium.

Cost

The consumption cost of the deployed modules is directly billed towards the Single Tenant consumption contract.

High-Level Architecture

Unique deploys the hosted versions as described in the diagram below.

GitHub

Each separate hosting has a GitHub repository wherein multiple deployment environments target different environments (where an environment is most often assigned to a Unique tenant).

Classical environment names will be: next (Uniques PaaS), test or ctlq and certainly prod.

Actions

All deployments happen through an audited deploy action. The action (by default after approval from a second pair of eyes) builds the image, pushes it to the client's own registry and initiates a deployment to a specific app.

Azure

Each hosted SDK deployment features its own Azure Container Registry with a dedicated Service Principal for these deployments which uses a custom role that has exactly those permissions to update an app and push a docker image.

Container Apps

Each environment from GitHub maps to one deployed Container App. You can learn more below in the Security section about the measures taken to keep them secure.

Cost-aspect

Unique keeps the Container Apps idle (which means they react faster) which comes at a premium (Microsoft Docs). Since only active CPU cycles really impact cost that is a valid trade-off to have a responsive SDK experience.

Note that the Azure costs are 1:1 billed forward to the client's agreed contract, refer to Cost.

Security

The ACA apps run in customer-specific subscriptions in specific resource groups in isolation (the same subscriptions that are used for the Single Tenants itself. This allows clean access regulations via PIM as well as transparent cost overview and billing.

Code only

For the whole setup described above, only automation and infrastructure as code are used. All changes to these environments are thus automatically also four-eye guarded and every change meticulously audited. This applies also to all environment and branch protection settings.

Encrypted environments

Unique leverages AGE keys and sops to allow developers to pass Environment settings and variables securely to the apps/environments without knowing any Azure credentials themselves.

Least privilege

Least-privilege automation principles are used per tenant in order to just and only update the application in the environment in question.

PIM-protected

All resources used for hosted SDK deployments are PIM protected within Azure, applying the same strong access concept as for the whole tenants, including the app logs. This also includes Azure-hosted, tamper-safe activity and audit logs.

Six-eye principle

Not only code that gets merged into the protected branch, but also deployments underly the four-eye principle which means at least two times four eyes are needed to upgrade one application. Most clients cannot provide enough developers to include three humans in this process but it would technically be available. Currently, the same human that approves the code also can approve a deployment.

Private endpoints

Unique does not leverage private endpoints for this use case. The SDK empowers developers to develop their own module for FinanceGPT and the nature of this is to allow code to be hosted anywhere bringing maximum flexibility and agility in development adopting or even making the AI wave. Using private endpoints for modules complicates matters for clients and their developers with no significant security enhancement:

• The apps are stateless, they have no persistence

• No data can be extracted from them as they receive their input via the webhook payload

• They have no network capability where other resources have an increased attack surface

• They run each in their own Vnet disconnected from any other resources rendering them de facto useless without the input value the attacker could not provide

• The apps use a secure secret authentication method with signed payloads, see Software Development Kit (SDK).

Conclusion

With this lean approach Unique empowers clients to develop more than one tenant model and more than one tenant from one central repository even mixing PaaS and Single Tenant (and potentially also Customer Managed Tenant).