Enterprise Deployment Guide - Energent.ai
Energent.ai provides AI-powered virtual desktop agents that automate complex multi-application workflows for enterprise users. This guide outlines enterprise-grade deployment requirements, security configurations, and best practices to ensure SOC 2 compliant, scalable, and secure installations.
- Document Classification: Public
- Version: 2.0
- Last Updated: 2025-05-28
- SOC 2 Alignment: Security, Availability, Processing Integrity
Table of Contents
- Deployment Options
- Infrastructure Requirements
- Network & Security Architecture
- Access Control & Integration
- Security & Compliance
- Monitoring & Observability
- Deployment Timeline & Process
- Post-Deployment Operations
- Support & Escalation
1. Deployment Options
1.1 Energent Cloud (SaaS) - Recommended
Best for: Quick deployment, minimal infrastructure overhead
- Hosting: AWS cloud infrastructure managed by Energent.ai
- Security: SOC 2 Type II compliant with enterprise-grade encryption
- Data Processing: Customer data processed under strict privacy controls
- Setup Time: < 1 hour
- SLA: 99.9% uptime guarantee
1.2 Private Cloud Deployment
Best for: Data residency requirements, regulatory compliance
- Platform: Customer-managed Kubernetes cluster
- Isolation: Dedicated namespace with RBAC controls
- Scalability: Auto-scaling based on workload demands
- Compliance: Full SOC 2 control inheritance
2. Infrastructure Requirements
2.1 Kubernetes Deployment Specifications
2.1.1 Cluster Requirements
Component | Minimum | Recommended | Production |
---|---|---|---|
Kubernetes Version | 1.30+ | 1.30+ | 1.30+ |
Node Configuration | 1 vCPU, 2GB RAM | 2 vCPU, 4GB RAM | 4 vCPU, 8GB RAM |
Storage Class | gp2 (AWS), Standard (GCP), Standard_LRS (Azure) | gp3 (AWS), SSD (GCP), Premium_LRS (Azure) | io1/io2 (AWS), SSD (GCP), UltraSSD_LRS (Azure) |
Persistent Volume | 100GB | 250GB | 500GB+ |
Network Policy Support | Required | Required | Required |
2.1.2 Required Kubernetes Resources
```yaml
# Namespace Configuration
apiVersion: v1
kind: Namespace
metadata:
  name: energent-ai
  labels:
    security.policy: restricted
    monitoring: enabled
---
# Storage Class Example
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: energent-storage
# On Kubernetes 1.30+ this in-tree provisioner name is served through the AWS EBS
# CSI driver (ebs.csi.aws.com) via CSI migration; the driver must be installed.
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp3
  encrypted: 'true'
```
2.1.3 Helm Chart Deployment
```bash
# Add Energent.ai Helm repository
helm repo add energent https://charts.energent.ai
helm repo update

# Install with enterprise configuration
helm install energent-ai energent/energent-platform \
  --namespace energent-ai \
  --create-namespace \
  --values enterprise-values.yaml
```
3. Network & Security Architecture
3.1 Domain & DNS Configuration
- Primary Domain: `*.energent.ai` for SaaS deployments
- Customer Subdomain: `{customer}.energent.ai` or custom domain
- TLS Requirements: TLS 1.3 minimum, certificate management via Let's Encrypt or customer CA
- DNS Records: A/AAAA records for primary endpoints, CNAME for subdomains
3.2 Firewall & Network Security
3.2.1 Required Firewall Rules
Direction | Protocol | Port | Source/Destination | Purpose |
---|---|---|---|---|
Inbound | HTTPS | 443 | Customer networks | Admin UI, API access |
Inbound | HTTPS | 8443 | energent.ai monitoring | Health checks |
3.2.2 Network Security Best Practices
```yaml
# Network Policy Example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: energent-network-policy
  namespace: energent-ai
spec:
  podSelector:
    matchLabels:
      app: energent-platform
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller's namespace may reach the application port.
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Outbound HTTPS only (an empty "to" list means any destination).
    # Note: because Egress is enforced, DNS (port 53 to the cluster DNS service)
    # must also be allowed in a separate rule or name resolution will fail.
    - to: []
      ports:
        - protocol: TCP
          port: 443
```
3.3 VPC & Network Architecture
3.3.1 AWS VPC Configuration
- VPC CIDR: /16 or larger for scalability
- Subnets: Private subnets for workloads, public for load balancers
- Security Groups: Least privilege access patterns
- VPC Endpoints: For AWS services (S3, ECR, CloudWatch)
3.3.2 Network Connectivity Options
Option | Use Case | Implementation |
---|---|---|
VPC Peering | AWS-to-AWS connectivity | Cross-VPC resource access |
VPN Gateway | On-premises integration | Site-to-site VPN tunnel |
Direct Connect | High-bandwidth requirements | Dedicated network connection |
Private Link | Service-to-service connectivity | AWS PrivateLink endpoints |
4. Access Control & Integration
4.1 Authentication & Authorization
4.1.1 Single Sign-On (SSO) Integration
Provider | Protocol | Configuration |
---|---|---|
Azure AD | SAML 2.0, OAuth 2.0, OIDC | Microsoft Azure Portal |
AWS Cognito | SAML 2.0, OAuth 2.0, OIDC | AWS Cognito Console |
Google Workspace | SAML 2.0, OAuth 2.0, OIDC | Google Admin Console |
Okta | SAML 2.0, OAuth 2.0, OIDC | Okta Admin Dashboard |
Custom Identity Provider | SAML 2.0, OAuth 2.0, OIDC | SAML metadata exchange |
4.1.2 Role-Based Access Control (RBAC)
```yaml
# Example RBAC Configuration
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: energent-ai
  name: energent-operator
rules:
  - apiGroups: ['']
    resources: ['pods', 'services', 'configmaps']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
  - apiGroups: ['apps']
    resources: ['deployments', 'replicasets']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
```
4.2 API Access & Integration
4.2.1 API Authentication
- Method: Bearer token authentication with JWT
- Token Lifecycle: 24-hour expiration with refresh capability
- Rate Limiting: 1000 requests/minute per API key
- IP Allowlisting: Optional IP-based access control
4.2.2 Webhook Integration
```bash
# Webhook endpoint configuration
curl -X POST https://api.energent.ai/v1/webhooks \
  -H "Authorization: Bearer ${API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://customer.internal/energent-webhook",
    "events": ["workflow.completed", "workflow.failed"],
    "secret": "webhook-secret-key"
  }'
```
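A receiver for the webhook registered above, as an added example that is not Energent.ai's code. The guide says only that a shared secret is registered with the endpoint; the signature scheme assumed here (an `X-Energent-Signature` header carrying `t=<unix time>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`), the `event` field in the delivery body and the sample delivery itself are assumptions constructed for the example. It shows the order of checks a receiver should make before trusting a delivery: signature present, timestamp inside a replay window, constant-time digest comparison, and only then JSON parsing and event filtering.

```python
import hashlib
import hmac
import json
import time

# Constructed for the example: the real value is the secret registered with the
# webhook API above and should be loaded from a secret store, not hard-coded.
WEBHOOK_SECRET = b"webhook-secret-key"
SIGNATURE_HEADER = "X-Energent-Signature"   # assumed header name
REPLAY_WINDOW_SECONDS = 300                 # reject deliveries older than 5 minutes
ACCEPTED_EVENTS = {"workflow.completed", "workflow.failed"}


def sign_payload(secret, timestamp, body):
    """Assumed scheme: hex HMAC-SHA256 over "<timestamp>.<raw body bytes>"."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def parse_signature_header(header):
    """Parse 't=<unix time>,v1=<hex digest>' into (int, str); raises on bad input."""
    fields = dict(item.split("=", 1) for item in header.split(",") if "=" in item)
    return int(fields["t"]), fields["v1"]


def verify_webhook(headers, body, secret, now=None):
    """Return True only if the delivery carries a fresh, valid signature."""
    now = int(time.time()) if now is None else now
    header = headers.get(SIGNATURE_HEADER)
    if not header:
        return False
    try:
        timestamp, provided = parse_signature_header(header)
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False  # stale or replayed delivery
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison so a mismatch leaks no timing information.
    return hmac.compare_digest(expected, provided)


def handle_delivery(headers, body, secret, now=None):
    """Verify first, parse second; returns the event dict or None when rejected."""
    if not verify_webhook(headers, body, secret, now):
        return None
    event = json.loads(body)
    if event.get("event") not in ACCEPTED_EVENTS:
        return None
    return event


# Constructed sample delivery (timestamp and workflow id are made up).
SAMPLE_TS = 1748390400
SAMPLE_BODY = json.dumps({"event": "workflow.failed", "workflow_id": "wf-0001"}).encode()
SAMPLE_HEADERS = {
    SIGNATURE_HEADER: "t=%d,v1=%s" % (SAMPLE_TS, sign_payload(WEBHOOK_SECRET, SAMPLE_TS, SAMPLE_BODY))
}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, WEBHOOK_SECRET, now=SAMPLE_TS + 10))
```

The raw request body must be signed and verified as received; re-serialising the parsed JSON before verification would change whitespace and key order and break the digest.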
5. Security & Compliance
5.1 SOC 2 Compliance Framework
5.1.1 Security Controls Implementation
Control Category | Implementation | Evidence |
---|---|---|
Access Controls (CC6) | RBAC, MFA, SSO integration | Access logs, authentication logs |
Data Protection (CC6.7) | TLS 1.3, AES-256 encryption | Encryption configuration, certificates |
System Operations (CC7) | Automated monitoring, backup procedures | Monitoring dashboards, backup tests |
Change Management (CC8) | GitOps deployment, approval workflows | Change logs, deployment artifacts |
5.1.2 Data Encryption Standards
Data State | Encryption Method | Key Management |
---|---|---|
At Rest | AES-256-GCM | Customer-managed keys (CMK) |
In Transit | TLS 1.3 with PFS | Certificate rotation every 90 days |
In Memory | Application-level encryption | Hardware security modules (HSM) |
5.2 Security Hardening
5.2.1 Container Security
```dockerfile
# Security-hardened container configuration
FROM alpine:3.18
# Create a dedicated unprivileged user and group so the agent never runs as root
RUN addgroup -g 1001 energent && \
    adduser -D -u 1001 -G energent energent
USER 1001:1001
COPY --chown=1001:1001 app /app
WORKDIR /app
EXPOSE 8080
CMD ["./energent-agent"]
```
5.2.2 Kubernetes Security Policies
```yaml
# Pod Security Policy
# Note: the PodSecurityPolicy API (policy/v1beta1) was removed in Kubernetes v1.25,
# so this manifest cannot be applied to the 1.30+ clusters this guide requires.
# Enforce the same constraints there with Pod Security Admission (the "restricted"
# profile applied as a namespace label) and per-pod securityContext settings.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: energent-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
```
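On the Kubernetes versions this guide targets, the constraints the PodSecurityPolicy above expresses are enforced by Pod Security Admission and by each pod's `securityContext`, which is also where the non-root user built into the image in 5.2.1 must be declared. The following Python check is an added example, not Energent.ai's tooling: it applies the same rules (allowed volume types, no privileged containers, `allowPrivilegeEscalation: false`, all capabilities dropped, MustRunAsNonRoot) to a pod manifest as a pre-deploy lint, so violations surface before the admission controller rejects the pod. Both pod specs are constructed for the example and the image reference is a placeholder.

```python
# Volume types permitted by the policy above.
ALLOWED_VOLUME_TYPES = {
    "configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim",
}


def _volume_type(volume):
    # A volume object carries a "name" plus exactly one type key (hostPath, configMap, ...).
    return next((key for key in volume if key != "name"), None)


def check_pod_spec(pod):
    """Return a list of violations; an empty list means the pod satisfies the policy."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []

    for volume in spec.get("volumes", []):
        vtype = _volume_type(volume)
        if vtype not in ALLOWED_VOLUME_TYPES:
            violations.append("volume %r: type %r not allowed" % (volume.get("name"), vtype))

    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name = container.get("name", "?")
        sc = container.get("securityContext", {})
        if sc.get("privileged", False):
            violations.append("container %r: privileged not allowed" % name)
        # Must be set to false explicitly; the Kubernetes default is true.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append("container %r: allowPrivilegeEscalation must be false" % name)
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append("container %r: must drop ALL capabilities" % name)
        # MustRunAsNonRoot: runAsNonRoot true, or a non-zero runAsUser, at pod or container level.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and not run_as_user:
            violations.append("container %r: must run as non-root" % name)
    return violations


# Constructed pod specs; the image reference is a placeholder.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "energent-agent", "namespace": "energent-ai"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
        "volumes": [{"name": "config", "configMap": {"name": "energent-config"}}],
        "containers": [{
            "name": "agent",
            "image": "REGISTRY/energent-agent:TAG",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-agent", "namespace": "energent-ai"},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "agent",
            "image": "REGISTRY/energent-agent:TAG",
            "securityContext": {"privileged": True},
        }],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        print(pod["metadata"]["name"], check_pod_spec(pod) or "OK")
```

The check reads the manifest as a plain dictionary, so it can be fed from `yaml.safe_load` of a file or from the JSON that `kubectl get pod -o json` returns; keeping it dependency-free lets it run in a CI step before `helm install`.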
6. Monitoring & Observability
6.1 Metrics & Monitoring
6.1.1 Prometheus Integration
```yaml
# ServiceMonitor for Prometheus
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: energent-metrics
  namespace: energent-ai
spec:
  selector:
    matchLabels:
      app: energent-platform
  endpoints:
    - port: metrics
      interval: 30s
      path: /metrics
```
6.1.2 Key Performance Indicators (KPIs)
Metric | Target | Alert Threshold |
---|---|---|
System Availability | 99.9% | < 99.5% |
Response Time (P95) | < 2 seconds | > 5 seconds |
Error Rate | < 0.1% | > 1% |
Resource Utilization | < 80% | > 90% |
6.2 Logging & Audit
6.2.1 Centralized Logging
```yaml
# Fluentd configuration for log forwarding
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-config
data:
  fluent.conf: |
    <source>
      @type tail
      path /var/log/containers/energent-*.log
      pos_file /var/log/fluentd-containers.log.pos
      tag kubernetes.*
      format json
    </source>
    # Note: the forward output sends records in clear by default; add a
    # <transport tls> section so forwarding to the SIEM meets the TLS
    # in-transit requirement in 5.1.2.
    <match kubernetes.**>
      @type forward
      <server>
        name customer-siem
        host siem.customer.com
        port 24224
      </server>
    </match>
```
6.2.2 Audit Logging Requirements
- Authentication Events: All login attempts, SSO assertions
- Authorization Events: Permission grants, access denials
- Data Access: Customer data queries, modifications
- Administrative Actions: Configuration changes, user management
- Retention Period: 7 years for SOC 2 compliance
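As an added example of what the receiving SIEM can do with the event categories listed above, the following Python (not part of the guide or of Energent.ai's tooling) parses one-JSON-object-per-line audit records as Fluentd would forward them, tallies them by category, and raises two detections: a burst of failed logins for one account inside a short window, and any authorization denial. The record schema (fields `ts`, `category`, `action`, `outcome`, `user`, `src_ip`, `resource`) and the sample lines are constructed for the example; the guide does not define a log format.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed schema: one JSON object per line with the fields used below.
CATEGORIES = {"authentication", "authorization", "data_access", "admin"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed sample records (users, addresses and timestamps are made up).
SAMPLE_LOG_LINES = [
    '{"ts":"2025-05-28T02:00:01Z","category":"authentication","action":"login","outcome":"failure","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2025-05-28T02:00:30Z","category":"authentication","action":"login","outcome":"failure","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2025-05-28T02:01:00Z","category":"authentication","action":"login","outcome":"failure","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2025-05-28T02:01:30Z","category":"authentication","action":"login","outcome":"failure","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2025-05-28T02:02:00Z","category":"authentication","action":"login","outcome":"failure","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2025-05-28T02:02:30Z","category":"authentication","action":"login","outcome":"success","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2025-05-28T02:03:00Z","category":"authorization","action":"read","outcome":"denied","user":"bob","resource":"/admin/users"}',
    '{"ts":"2025-05-28T02:04:00Z","category":"data_access","action":"query","outcome":"success","user":"carol","resource":"workflows/wf-0001"}',
    '{"ts":"2025-05-28T02:05:00Z","category":"admin","action":"config.change","outcome":"success","user":"dave","resource":"rbac/energent-operator"}',
    'not json at all',
]


def parse_audit_line(line):
    """Return the event with a parsed timestamp, or None for lines that are not audit records."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("category") not in CATEGORIES:
        return None
    try:
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return None
    return event


def analyze_audit_log(lines):
    """Tally events per category and return (counts, alerts)."""
    counts = defaultdict(int)
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            counts["unparsed"] += 1
            continue
        counts[event["category"]] += 1
        user = event.get("user", "?")
        if event["category"] == "authentication" and event.get("outcome") == "failure":
            window = recent_failures[user]
            window.append(event["ts"])
            # Drop failures that have aged out of the sliding window.
            while window and event["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append("%d failed logins for %s within %s (last from %s)"
                              % (FAILED_LOGIN_THRESHOLD, user, FAILED_LOGIN_WINDOW, event.get("src_ip")))
        elif event["category"] == "authorization" and event.get("outcome") == "denied":
            alerts.append("access denied: user=%s resource=%s" % (user, event.get("resource")))
    return dict(counts), alerts


if __name__ == "__main__":
    counts, alerts = analyze_audit_log(SAMPLE_LOG_LINES)
    print(counts)
    for alert in alerts:
        print("ALERT:", alert)
```

Unparsed lines are counted rather than dropped silently, since a sudden rise in that counter is itself a signal that the log pipeline or the application's log format has changed.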
7. Deployment Timeline & Process
7.1 Pre-Deployment Checklist
7.1.1 Infrastructure Readiness
7.1.2 Security Configuration
7.2 Deployment Process
Phase | Duration | Activities | Stakeholders |
---|---|---|---|
Planning | 1-2 days | Requirements gathering, architecture review | Customer IT, Energent.ai Solutions |
Infrastructure Setup | 0.5-1 day | Cluster provisioning, network configuration | Customer DevOps, Energent.ai Support |
Security Configuration | 0.5 day | RBAC, policies, certificates | Customer Security, Energent.ai Security |
Application Deployment | < 1 hour | Helm chart installation, configuration | Energent.ai Support |
Integration Testing | 1-2 days | SSO, API, workflow validation | Customer QA, Energent.ai Support |
Go-Live | 0.5 day | Production cutover, monitoring validation | All stakeholders |
7.3 Deployment Commands
7.3.1 Kubernetes Deployment
```bash
# Create namespace and apply security policies
kubectl create namespace energent-ai
kubectl apply -f security-policies/

# Deploy Energent.ai platform
helm install energent-ai energent/energent-platform \
  --namespace energent-ai \
  --values production-values.yaml \
  --wait --timeout=10m

# Verify deployment
kubectl get pods -n energent-ai
kubectl get ingress -n energent-ai
```
7.3.2 VM Deployment
```bash
# Download and deploy Energent.ai containers
curl -O https://releases.energent.ai/latest/energent-enterprise.tar.gz
tar -xzf energent-enterprise.tar.gz
cd energent-enterprise/

# Configure environment
cp config/production.env.template .env
# Edit .env with customer-specific configuration

# Start services
docker-compose up -d
docker-compose logs -f
```
8. Post-Deployment Operations
8.1 Health Monitoring
8.1.1 Health Check Endpoints
```bash
# Application health
curl https://{customer}.energent.ai/health

# Metrics endpoint
curl https://{customer}.energent.ai/metrics

# Readiness probe
curl https://{customer}.energent.ai/ready
```
8.1.2 Automated Health Checks
```yaml
# Kubernetes health checks
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 30
  timeoutSeconds: 5
  failureThreshold: 3
readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 3
  failureThreshold: 3
```
8.2 Backup & Disaster Recovery
8.2.1 Backup Strategy
Component | Frequency | Retention | Recovery RTO |
---|---|---|---|
Application Data | Daily | 30 days | < 4 hours |
Configuration | On change | 90 days | < 1 hour |
Secrets | Daily | 30 days | < 1 hour |
Audit Logs | Real-time | 7 years | < 24 hours |
8.2.2 Disaster Recovery Procedures
```bash
# Database backup
kubectl exec -n energent-ai postgres-0 -- pg_dump -U energent energent_db > backup.sql

# Configuration backup
kubectl get configmap -n energent-ai -o yaml > configmaps-backup.yaml
# secrets-backup.yaml holds every Secret value (base64, not encrypted): encrypt it at
# rest and restrict access to it exactly as for the live Secrets it reproduces.
kubectl get secret -n energent-ai -o yaml > secrets-backup.yaml

# Restore procedures
kubectl apply -f configmaps-backup.yaml
kubectl apply -f secrets-backup.yaml
kubectl exec -i -n energent-ai postgres-0 -- psql -U energent energent_db < backup.sql
```
8.3 Update & Maintenance
8.3.1 Rolling Updates
```bash
# Update Energent.ai platform
helm upgrade energent-ai energent/energent-platform \
  --namespace energent-ai \
  --values production-values.yaml \
  --wait --timeout=10m

# Rollback if needed
helm rollback energent-ai 1 --namespace energent-ai
```
8.3.2 Maintenance Windows
- Scheduled Maintenance: First Sunday of each month, 2-6 AM UTC
- Emergency Updates: As needed for security patches
- Customer Notification: 72 hours advance notice for planned maintenance
9. Support & Escalation
9.1 Support Tiers
Tier | Response Time | Channels | Scope |
---|---|---|---|
Tier 1 | < 4 hours | Email, Portal | General issues, questions |
Tier 2 | < 2 hours | Phone, Email | Technical issues, integration |
Tier 3 | < 1 hour | Phone, Slack | Critical system issues |
Emergency | < 30 minutes | Phone, SMS | Production outages |
9.2 Contact Information
Primary Support
9.3 Escalation Matrix
Severity | Definition | Response | Escalation |
---|---|---|---|
P0 - Critical | Complete service outage | < 30 minutes | Immediate C-level notification |
P1 - High | Significant functionality impacted | < 2 hours | Management team notification |
P2 - Medium | Minor functionality impacted | < 8 hours | Team lead notification |
P3 - Low | Cosmetic or documentation issues | < 24 hours | Standard support queue |
Appendices
Appendix A: Configuration Templates
- Kubernetes YAML manifests
- Docker Compose files
- Environment configuration templates
- Security policy examples
Appendix B: Troubleshooting Guide
- Common deployment issues
- Performance optimization
- Security configuration problems
- Network connectivity issues
Appendix C: API Reference
- Authentication endpoints
- Webhook configuration
- Monitoring endpoints
- Administrative APIs
- Document Classification: Public
- Version: 2.0
- Last Updated: 2025-05-28
- Next Review: 2025-08-28
- Contact: support@energent.ai