This guide covers recommendations for running Prism in a production environment.
The default password-based authentication is suitable for demos but not production. Consider:
- **Microsoft Entra ID (Azure AD)**
  - Integrate with your organization's identity provider
  - Use MSAL for frontend authentication
  - Validate tokens in the backend
- **Managed Identity for Azure Services**
  - Prism uses `DefaultAzureCredential` for Azure OpenAI and Storage authentication
  - Container Apps use system-assigned managed identity (no API keys required)
  - Required RBAC roles are automatically assigned during deployment:
    - `Cognitive Services OpenAI User` on the AI Services account
    - `Storage Blob Data Contributor` on the Storage account
  - Benefits: no secrets to manage, automatic credential rotation, audit trail
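As an added example (not Prism's own deployment template), the two role assignments listed above expressed in Bicep for a Container App's system-assigned identity; the resource names are assumed parameters, and the role definition GUIDs are Azure's built-in ones.

```bicep
// Added example, not Prism's own Bicep: resource names are assumed parameters.
param containerAppName string
param aiServicesName string
param storageAccountName string

// The already-deployed resources the roles are scoped to
resource app 'Microsoft.App/containerApps@2023-05-01' existing = {
  name: containerAppName
}
resource aiServices 'Microsoft.CognitiveServices/accounts@2023-05-01' existing = {
  name: aiServicesName
}
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Azure built-in role definition IDs (identical in every subscription)
var openAiUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')
var blobContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d5c-4294-a0a5-11b9d2d46a4b')

// Data-plane access to the model endpoint only; no control-plane rights
resource openAiUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(aiServices.id, app.id, openAiUserRole)  // deterministic name keeps redeploys idempotent
  scope: aiServices                                   // least privilege: this account, not the resource group
  properties: {
    roleDefinitionId: openAiUserRole
    principalId: app.identity.principalId             // system-assigned identity of the Container App
    principalType: 'ServicePrincipal'                 // avoids failures while a new identity replicates
  }
}

// Read/write blobs in the project storage account only
resource blobContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, app.id, blobContributorRole)
  scope: storage
  properties: {
    roleDefinitionId: blobContributorRole
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Scoping each assignment to the individual resource rather than the resource group keeps the identity from reaching other accounts deployed alongside Prism.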
- **Secret Management**
  - Use Azure Key Vault for any remaining secrets
  - Use Container Apps secrets for environment-specific values
  - Never commit secrets to source control
- **Role-Based Access Control**
  - Implement project-level permissions
  - Separate admin and user roles
  - Audit access logs
- **Enable HTTPS**
  - Container Apps provides automatic HTTPS
  - For custom domains, configure TLS certificates
- **Private Endpoints**
  - Use Azure Private Link for Azure OpenAI
  - Use Private Endpoints for Azure AI Search
  - Deploy in a Virtual Network
- **Firewall Rules**
  - Restrict inbound traffic to known IPs
  - Use Azure Front Door or Application Gateway
- **Encryption**
  - Data at rest: Azure Storage encryption (enabled by default)
  - Data in transit: HTTPS/TLS
  - Consider customer-managed keys (CMK)
- **Data Residency**
  - Deploy in regions that meet compliance requirements
  - Understand data flows to Azure AI services
- **Content Filtering**
  - Azure OpenAI includes content filtering
  - Review and configure filters for your use case
  - Implement additional input validation
- **Container Apps**
  - Configure minimum replicas > 1
  - Use multiple availability zones
  - Set appropriate CPU/memory limits

  ```bicep
  // In container-apps.bicep
  minReplicas: 2
  maxReplicas: 10
  ```
- **Azure AI Search**
  - Use Standard tier or higher for SLA
  - Configure replicas for high availability
  - Consider geo-replication for DR
- **Azure OpenAI**
  - Deploy to multiple regions
  - Implement failover logic
  - Monitor quota and throttling
- **Project Data**
  - Back up the `projects/` directory regularly
  - Consider Azure Blob Storage for document storage
  - Implement versioning
- **Search Index**
  - The index can be rebuilt from source documents
  - Document the rebuild process
  - Test recovery procedures
- **Configuration**
  - Version control all configuration
  - Use Infrastructure as Code (Bicep)
  - Automate deployments with CI/CD
- **Horizontal Scaling**
  - Container Apps auto-scales based on HTTP traffic
  - Configure scale rules for CPU/memory
  - Set appropriate max replicas
- **Vertical Scaling**
  - Increase container CPU/memory for large documents
  - Upgrade the Azure AI Search tier for more capacity
  - Request higher Azure OpenAI quotas
- **Caching**
  - Cache frequently accessed project configs
  - Consider Redis for session/query caching
  - Use a CDN for static frontend assets
- **Async Processing**
  - Large documents are processed asynchronously
  - Consider Azure Queue Storage for job queuing
  - Implement progress tracking
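As an added example (not Prism's own container-apps.bicep) covering the Container Apps points above, including Key Vault-backed secrets, HTTPS-only ingress, the minimum-replica setting and HTTP/CPU scale rules, here is one hardened Container App resource; the app name, image, environment id and vault name are assumed parameters. The identity must also hold the Key Vault Secrets User role on the vault for the secret reference to resolve.

```bicep
// Added example, not Prism's own template: parameters below are assumptions.
param location string = resourceGroup().location
param environmentId string
param image string
param keyVaultName string

resource prismApi 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'prism-api'
  location: location
  identity: { type: 'SystemAssigned' }   // DefaultAzureCredential picks this up; no API keys in config
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      ingress: {
        external: true
        targetPort: 8080
        allowInsecure: false             // plain HTTP is redirected to HTTPS
      }
      secrets: [
        {
          // Fetched from Key Vault by the system identity at runtime;
          // the value never appears in the template or in source control.
          name: 'session-signing-key'
          keyVaultUrl: 'https://${keyVaultName}.vault.azure.net/secrets/session-signing-key'
          identity: 'system'
        }
      ]
    }
    template: {
      containers: [
        {
          name: 'api'
          image: image
          resources: { cpu: json('1.0'), memory: '2Gi' }   // explicit limits per replica
          env: [
            { name: 'SESSION_SIGNING_KEY', secretRef: 'session-signing-key' }  // reference, not a literal
          ]
        }
      ]
      scale: {
        minReplicas: 2                   // survives loss of a single replica
        maxReplicas: 10
        rules: [
          { name: 'http', http: { metadata: { concurrentRequests: '50' } } }
          { name: 'cpu', custom: { type: 'cpu', metadata: { type: 'Utilization', value: '70' } } }
        ]
      }
    }
  }
}
```

Zone redundancy is a property of the Container Apps environment rather than the app, so it is set where `environmentId` is created.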
- **Database**
  - For production, consider moving from file-based storage to:
    - Azure Cosmos DB for project metadata
    - Azure Blob Storage for documents
  - This enables better scaling and querying
- **Enable Tracing**
  - Distributed tracing across frontend/backend
  - Track Azure OpenAI API calls
  - Monitor search query performance
- **Alerts**
  - Set up alerts for error rates
  - Monitor latency thresholds
  - Alert on Azure service issues
- **Dashboards**
  - Create operational dashboards
  - Track usage metrics
  - Monitor costs
- **Structured Logging**
  - Use JSON format for logs
  - Include correlation IDs
  - Log at appropriate levels
- **Log Retention**
  - Configure Log Analytics retention
  - Export to long-term storage if needed
  - Comply with data retention policies
- **Azure OpenAI**
  - Use GPT-4o-mini for simpler tasks
  - Optimize prompt length
  - Cache responses where appropriate
- **Azure AI Search**
  - Right-size the tier for your index size
  - Use Basic tier for development
  - Monitor and optimize query patterns
- **Container Apps**
  - Use the consumption plan for variable workloads
  - Set appropriate min/max replicas
  - Schedule scale-down during off-hours
- **Azure Cost Management**
  - Set up budgets and alerts
  - Review cost breakdown by service
  - Identify optimization opportunities
- **Resource Tags**
  - Tag resources by environment/project
  - Enable cost allocation reporting
- **Data Classification**
  - Understand what data will be processed
  - Implement appropriate controls
  - Document data flows
- **Regulatory Requirements**
  - GDPR, HIPAA, SOC 2, etc.
  - Azure compliance certifications
  - Customer data handling
- **Audit Trail**
  - Log all user actions
  - Track document access
  - Retain logs per policy
- **Automated Testing**
  - Unit tests for the backend
  - Integration tests for the API
  - E2E tests for critical flows
- **Staged Rollout**
  - Deploy to dev/staging first
  - Use deployment slots or blue-green deployments
  - Implement rollback procedures
- **Infrastructure as Code**
  - All infrastructure in Bicep
  - Version control changes
  - Review infrastructure changes
- **Separate Environments**
  - Development, Staging, Production
  - Isolated Azure subscriptions/resource groups
  - Different credentials per environment
- **Configuration Management**
  - Use Azure App Configuration
  - Environment-specific settings
  - Feature flags for gradual rollout

Before going to production, verify:
- Authentication integrated with corporate identity
- Managed identity enabled with proper RBAC roles assigned
- HTTPS enabled with valid certificates
- Private endpoints configured for Azure services
- Minimum 2 replicas for high availability
- Application Insights configured with alerts
- Backup procedures documented and tested
- Cost alerts and budgets configured
- Security review completed
- Load testing performed
- Runbook created for common operations
- Incident response plan documented