Multi-cloud blockchain DLT

This architecture combines the open-source Blockchain Automation Framework (BAF) and Azure Arc-enabled Kubernetes to work with multiparty DLTs and to build a cross-cloud blockchain solution.

Architecture

This solution provides a heterogeneous, multiparty, cloud-agnostic DLT network. Parties can host their nodes anywhere and still be part of the network.

Workflow

• Kubernetes is the standard infrastructure that hosts both the ledger and the application. This example assumes three managed Kubernetes clusters.

  • Party A uses Azure Kubernetes Service (AKS).
  • Party B uses GCP Google Kubernetes Engine (GKE).
  • Party C uses Amazon Elastic Kubernetes Service (EKS).

  Each party hosts their nodes in a different location.

• BAF deploys the distributed network across the three cloud services.

• Azure Arc-enabled Kubernetes centrally manages and monitors all the Kubernetes clusters, with:

  • GitOps-based cluster configuration deployment and management.
  • Azure Monitor Container insights monitoring.
  • Azure Policy for Kubernetes policy management.

• Azure DevOps provides application and infrastructure lifecycle management. An Ansible Controller on an Azure Linux virtual machine (VM) is the custom Azure DevOps continuous integration and continuous delivery (CI/CD) agent.

• Azure Container Registry stores and shares private, application-related container images. Docker Registry pulls ledger-specific images.

Components

• Kubernetes is the container-based infrastructure that hosts both the ledger and applications. This example assumes three managed Kubernetes clusters, one each in AKS, Amazon EKS, and GCP GKE. You can host your Kubernetes clusters in almost any public or private locations.

• The open-source Blockchain Automation Framework (BAF) is a way to deliver consistent, production-ready DLT networks on public and private cloud-based infrastructures. BAF supports Quorum, Corda, and Hyperledger DLTs.

• Azure Arc standardizes visibility, operations, and compliance across resources and locations by extending the Azure control plane.

• Azure Arc-enabled Kubernetes centrally manages Kubernetes clusters in any location. Azure Arc-enabled Kubernetes works with any Cloud Native Computing Foundation (CNCF)-certified Kubernetes cluster, including:

  • AKS engine on Azure
  • AKS engine on Azure Stack Hub
  • Amazon EKS
  • GCP GKE
  • VMware vSphere

• Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry. Azure Monitor Container insights monitors the performance of container workloads deployed to Azure Arc-enabled Kubernetes clusters.

• Azure Policy helps enforce organizational standards and assess compliance at scale. Azure Policy for Kubernetes can manage and report on the compliance state of all Azure Arc-enabled Kubernetes clusters.

• Azure Container Registry can build, store, and manage container images and artifacts for all types of container deployments.

• Azure DevOps is a set of developer services providing comprehensive application and infrastructure lifecycle management. Azure DevOps includes work tracking, source control, build and CI/CD, package management, and testing solutions.

Alternatives

• Ambassador API Gateway manages cross-node communications, but you can use a cloud native API Gateway like Azure API Management over the internet. For more information, see Deploy to Azure Kubernetes Service.

• You can also use ExternalDNS with Azure DNS service.

• You can get Internet Protocol Security (IPSec) private connections with tools like Submariner.

Scenario details

Blockchain and distributed ledger technology (DLT) networks are multiparty systems. Each party can have its own tools, methodology, and cloud provider. Some providers' public or private blockchain networks might have limited region availability, scalability, or network segregation.

The open-source Blockchain Automation Framework (BAF) is a consistent way to deploy production-ready DLTs across different public and private clouds. But while BAF can manage deployments, it doesn't provide central infrastructure management and monitoring. Although some cloud providers' blockchain services provide infrastructure management, they might require all parties to be in the same cloud or infrastructure.

To join forces and build a blockchain network, parties that use different cloud providers and infrastructures need a common management platform. This platform should offer standard visibility, operations, and compliance across a wide range of resources and locations, regardless of hosting infrastructure.

This article explores how the BAF and Azure Arc-enabled Kubernetes can build a cross-cloud blockchain solution that focuses on portability and control.

Potential use cases

This approach supports:

• Heterogeneous DLT deployments where separate organizations own and manage each node.

• Centralized DevOps, monitoring, and compliance management across multiparty networks.

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.

For AKS best practices, see Baseline architecture for an Azure Kubernetes Service (AKS) cluster. You can find similar guidance for other cloud providers.

Availability and scalability

Although Azure Arc can manage and monitor Kubernetes clusters, each cluster must independently implement scalability, high availability, and disaster recovery capabilities.

Security

Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.

BAF uses HashiCorp Vault for certificate and key storage. To use BAF, you need at least one Vault server. BAF recommends one Vault per organization for production-ready projects.

Cost optimization

Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

To estimate Azure resource costs, use the Azure pricing calculator.

Deploy this scenario

1. For this example, create managed Kubernetes clusters in AKS, GKE, and EKS, and onboard the clusters to Azure Arc.
   • Connect an existing Kubernetes cluster to Azure Arc.
   • Deploy EKS cluster and connect it to Azure Arc.
   • Deploy GKE cluster and connect it to Azure Arc.
2. Follow steps for installing and configuring BAF prerequisites.
3. (Optional) Create an Azure DevOps organization and project, and clone the BAF repo into the new Azure DevOps project.
4. (Optional) Create an Ansible Controller VM in Azure as the custom build agent to deploy BAF components.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

• Safi Ali | Senior Cloud Solution Architect

To see non-public LinkedIn profiles, sign in to LinkedIn.

Next steps

• Azure Arc Jumpstart
• Deploy Hyperledger Fabric consortium on Azure Kubernetes Service
• CI/CD workflow using GitOps - Azure Arc-enabled Kubernetes

Related resources

• Baseline architecture for an Azure Kubernetes Service (AKS) cluster
• Blockchain workflow application
• Azure Arc hybrid management and deployment for Kubernetes clusters
• Containers and container orchestrators for AWS professionals
• Containers and container orchestrators for GCP professionals