Patient Portal Service — Deployment Topology
Status: populated · Owner: TBD · Last updated: 2026-04-18 · Companion: Service Template · 03 platform-services · 02 DDD
1. Runtime
| Attribute | Value |
|---|---|
| Runtime | NestJS 11 / Node.js 22 |
| Language | TypeScript 5.x |
| Container | Docker (linux/amd64 + linux/arm64) |
| Orchestration | Kubernetes (production), Docker Compose (local dev) |
| Base image | node:22-alpine |
2. Kubernetes Deployment
| Parameter | Value |
|---|---|
| Namespace | ehealth-portal |
| Deployment name | patient-portal-service |
| Min replicas | 2 |
| Max replicas | 8 (HPA on CPU + request rate) |
| CPU request / limit | 250m / 1000m |
| Memory request / limit | 256Mi / 512Mi |
| Pod disruption budget | min 1 available |
| Rollout strategy | RollingUpdate — maxUnavailable 1, maxSurge 1 |
3. Networking
| Concern | Config |
|---|---|
| Ingress | Kong Edge (/v1/portal/*, /fhir/R4/* — patient routes) |
| Internal service address | patient-portal-service.ehealth-portal.svc.cluster.local:3000 |
| Health check | GET /health — liveness + readiness |
| TLS | Terminated at Kong; mTLS optional in mesh (Linkerd) |
4. Dependencies (Runtime)
| Dependency | Type | Notes |
|---|---|---|
| PostgreSQL 16 | Primary store | PHI data — tenant-region deployment |
| Redis 7 | Cache + push token store | BFF response caching, 30–120s TTL |
| NATS JetStream | Event bus | Outbox relay + event consumption |
| Keycloak | Auth | Patient realm JWT issuance + introspection |
| registration-service | HTTP | Patient demographics |
| scheduling-service | HTTP | Appointment data |
| laboratory-service | HTTP | Lab results (policy-filtered) |
| radiology-service | HTTP | Imaging reports (policy-filtered) |
| medication-service | HTTP | MedicationRequest resources |
| claims-service | HTTP | Coverage + EOB |
| immunizations-service | HTTP | Immunization records |
| patient-chart-service | HTTP | Problem list + allergy + vitals |
| ai-gateway-service | HTTP | Patient navigation assistant (optional) |
| audit-service | NATS consumer | Portal access event audit trail |
| FCM / APNs | HTTP | Mobile push notifications |
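The dependency table above is also the allow-list a network policy should enforce: nothing else should be reachable from the portal pods, and nothing but the edge should reach them. The manifest below is an added example written for this page, not the project's own manifest. It assumes the portal pods carry the label `app=patient-portal-service`, that the Kong edge runs in a namespace named `kong`, that cluster DNS pods carry the usual `k8s-app=kube-dns` label, and that dependency namespaces are labelled with a placeholder `ehealth.example/tier` scheme; none of these labels appear on this page.

```yaml
# Added example (not the project's own manifest): a NetworkPolicy restricting
# patient-portal-service pods to the dependencies listed in section 4.
# Assumptions: pod label app=patient-portal-service; the edge namespace is
# named "kong"; DNS pods are labelled k8s-app=kube-dns; each in-cluster
# dependency namespace carries ehealth.example/tier=<value> (placeholder scheme).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: patient-portal-service
  namespace: ehealth-portal
spec:
  podSelector:
    matchLabels:
      app: patient-portal-service
  policyTypes: [Ingress, Egress]
  ingress:
    # Only the Kong edge may reach port 3000 (section 3); no other namespace and
    # no other pod in ehealth-portal can call the service directly.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kong
      ports:
        - port: 3000
  egress:
    # Cluster DNS (label assumed)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Data and messaging dependencies (section 4), default ports
    - to:
        - namespaceSelector: { matchLabels: { ehealth.example/tier: data } }
      ports:
        - port: 5432   # PostgreSQL 16
        - port: 6379   # Redis 7
        - port: 4222   # NATS JetStream
    # Keycloak and the clinical HTTP services (section 4)
    - to:
        - namespaceSelector: { matchLabels: { ehealth.example/tier: platform } }
        - namespaceSelector: { matchLabels: { ehealth.example/tier: clinical } }
    # FCM / APNs over HTTPS only. Private ranges are excluded so the "external"
    # rule cannot be used to reach cluster or VPC addresses.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
      ports:
        - port: 443
```

The audit-service row needs no egress rule of its own: it consumes portal events from NATS, so the NATS rule already covers it. If the Linkerd mTLS option from section 3 is enabled, the injected proxy also needs egress to the Linkerd control-plane namespace, which this policy does not grant.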
5. Multi-Region Topology
PHI data does not leave the AFG region. Redis cache and object-store export URLs are also region-bound. Additional country deployments (UAE, etc.) use separate regional stacks.
6. Scaling Triggers
| Metric | Scale-out threshold |
|---|---|
| CPU utilization | > 70% for 2 min |
| Request rate (RPM) | > 500 RPM per pod |
| Memory utilization | > 80% for 5 min |
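The autoscaler and disruption budget below are an added example for this page, not the project's own manifests. They encode the replica bounds and PDB from section 2 and the three triggers from this section as an `autoscaling/v2` HorizontalPodAutoscaler and a `policy/v1` PodDisruptionBudget; section 2 lists only CPU and request rate as HPA signals, this section adds memory, and the example includes all three. The pod label `app=patient-portal-service` and the per-pod request-rate metric name `http_requests_per_minute` are assumptions; the latter only exists if a custom-metrics adapter (for example prometheus-adapter) publishes it through the `custom.metrics.k8s.io` API.

```yaml
# Added example (not the project's own manifests): HPA and PDB matching
# sections 2 and 6. Assumptions: pods are labelled app=patient-portal-service;
# http_requests_per_minute is a hypothetical metric name that must be served
# by a custom-metrics adapter.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: patient-portal-service
  namespace: ehealth-portal
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: patient-portal-service
  minReplicas: 2        # section 2: min replicas
  maxReplicas: 8        # section 2: max replicas
  metrics:
    # CPU > 70% of the 250m request (section 6)
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    # Memory > 80% of the 256Mi request (section 6)
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
    # > 500 requests per minute per pod (section 6); metric name assumed
    - type: Pods
      pods:
        metric:
          name: http_requests_per_minute
        target:
          type: AverageValue
          averageValue: "500"
  behavior:
    # The HPA has one stabilization window per direction, not per metric, so
    # the "for 2 min" (CPU) and "for 5 min" (memory) durations cannot both be
    # expressed. 120s is used for scale-out; scale-in keeps the 300s default
    # so a short traffic dip does not remove pods that are still warming caches.
    scaleUp:
      stabilizationWindowSeconds: 120
      policies:
        - type: Pods
          value: 2
          periodSeconds: 60
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Pods
          value: 1
          periodSeconds: 60
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: patient-portal-service
  namespace: ehealth-portal
spec:
  minAvailable: 1       # section 2: pod disruption budget
  selector:
    matchLabels:
      app: patient-portal-service
```

With `minReplicas: 2` and `minAvailable: 1`, a node drain can evict one portal pod at a time, which is the weakest budget that still keeps the service answering. Memory utilization is the least useful of the three signals for a Node.js process: V8 rarely returns heap to the operating system, so average memory tends to stay high once it has risen, and in practice it is the CPU and request-rate signals that drive scale-in.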
7. Environment Variables
| Variable | Description |
|---|---|
| DATABASE_URL | PostgreSQL connection string |
| REDIS_URL | Redis connection string |
| NATS_URL | NATS JetStream URL |
| KEYCLOAK_REALM_URL | Keycloak issuer URL for patient realm |
| MODULE_LICENSE_KEY | ehr.portal entitlement key |
| AI_GATEWAY_URL | ai-gateway-service base URL |
| PUSH_FCM_KEY | Firebase Cloud Messaging server key |
| PUSH_APNS_KEY_ID | APNs key ID for iOS push |
| EXPORT_STORAGE_BUCKET | Object storage bucket for export downloads |
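The manifests below are an added example written for this page, not the project's own deployment files. They translate the values in section 2 (replicas, resources, rollout strategy), section 3 (port, health probes, internal service name) and this section (environment variables) into a Kubernetes Deployment and Service. The image reference, the Secret and ConfigMap names (`patient-portal-secrets`, `patient-portal-config`), the service-account token setting, the probe timings and the pod-hardening fields are assumptions rather than values from this page.

```yaml
# Added example (not the project's own manifests): Deployment and Service for
# sections 2, 3 and 7. Assumed: image reference, Secret/ConfigMap names,
# probe timings, and the hardening fields (non-root, read-only root FS,
# dropped capabilities, no service-account token).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: patient-portal-service
  namespace: ehealth-portal
  labels:
    app: patient-portal-service
spec:
  replicas: 2                         # floor; the HPA owns the count above this
  selector:
    matchLabels:
      app: patient-portal-service
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  template:
    metadata:
      labels:
        app: patient-portal-service
    spec:
      automountServiceAccountToken: false   # assumed: app never calls the K8s API
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000                     # the "node" user in node:22-alpine
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: REGISTRY_PLACEHOLDER/patient-portal-service:TAG_PLACEHOLDER
          ports:
            - name: http
              containerPort: 3000
          resources:
            requests: { cpu: 250m, memory: 256Mi }
            limits:   { cpu: 1000m, memory: 512Mi }
          # GET /health serves both probes (section 3): readiness gates Service
          # traffic, liveness restarts a wedged process. Timings are assumed.
          readinessProbe:
            httpGet: { path: /health, port: http }
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet: { path: /health, port: http }
            initialDelaySeconds: 20
            periodSeconds: 15
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            # Plain configuration from a ConfigMap (name assumed)
            - name: KEYCLOAK_REALM_URL
              valueFrom: { configMapKeyRef: { name: patient-portal-config, key: KEYCLOAK_REALM_URL } }
            - name: AI_GATEWAY_URL
              valueFrom: { configMapKeyRef: { name: patient-portal-config, key: AI_GATEWAY_URL } }
            - name: EXPORT_STORAGE_BUCKET
              valueFrom: { configMapKeyRef: { name: patient-portal-config, key: EXPORT_STORAGE_BUCKET } }
            # Credential-bearing values from a Secret (name assumed), never inline
            - name: DATABASE_URL
              valueFrom: { secretKeyRef: { name: patient-portal-secrets, key: DATABASE_URL } }
            - name: REDIS_URL
              valueFrom: { secretKeyRef: { name: patient-portal-secrets, key: REDIS_URL } }
            - name: NATS_URL
              valueFrom: { secretKeyRef: { name: patient-portal-secrets, key: NATS_URL } }
            - name: MODULE_LICENSE_KEY
              valueFrom: { secretKeyRef: { name: patient-portal-secrets, key: MODULE_LICENSE_KEY } }
            - name: PUSH_FCM_KEY
              valueFrom: { secretKeyRef: { name: patient-portal-secrets, key: PUSH_FCM_KEY } }
            - name: PUSH_APNS_KEY_ID
              valueFrom: { secretKeyRef: { name: patient-portal-secrets, key: PUSH_APNS_KEY_ID } }
          volumeMounts:
            - name: tmp
              mountPath: /tmp        # writable scratch under a read-only root
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: patient-portal-service       # yields the cluster FQDN in section 3
  namespace: ehealth-portal
spec:
  selector:
    app: patient-portal-service
  ports:
    - name: http
      port: 3000
      targetPort: http
```

The split between ConfigMap and Secret is the design choice worth noting: the three connection strings (which may embed credentials), the entitlement key and the push credentials get Secret semantics, meaning RBAC-scoped reads and no value echoed by `kubectl describe pod`, whereas the Keycloak issuer URL, the AI gateway base URL and the bucket name are ordinary configuration. `readOnlyRootFilesystem` needs the `emptyDir` at `/tmp` because Node.js and any library that spools temporary files expect a writable scratch directory.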