DEPLOYMENT_TOPOLOGY — bff-consumer-service
Sibling: DATA_MODEL · SECURITY_MODEL · LOCAL_DEV_SETUP
Cross-cutting: 02 Enterprise Architecture · §4 GCP Reference Architecture
1. Runtime
| Property | Value |
|---|---|
| Compute | Google Cloud Run (managed) |
| Region (primary) | asia-south1 (Mumbai) |
| Region (DR-warm) | europe-west4 (Eemshaven) — search-aggregation cache replica + Memorystore standby |
| Container | Distroless Node 20, multi-stage build, non-root node user, read-only root FS |
| Min instances | 2 (per region) |
| Max instances | 30 (per region; raised to 80 in campaign_mode) |
| Concurrency per instance | 80 |
| CPU | 2 vCPU, always-allocated |
| Memory | 1 GiB |
| Startup latency budget | < 800 ms (Node + Nest bootstrap) |
| Request timeout | 25 s (well below Cloud Run 60 s default; safer for circuit-broken upstream) |
| VPC connector | bff-connector-asia-south1 (private egress to Memorystore + Cloud SQL + internal upstreams) |
2. Ingress
Client (browser / mobile)
│
▼
Cloud DNS (api.melmastoon.ghasi.io → GCLB)
│
▼
Global HTTPS Load Balancer (anycast)
│
├── Cloud Armor (WAF + bot rules + geo-blocks)
├── Cloud CDN (cache for documented public GETs)
│
▼
Serverless NEG → Cloud Run (bff-consumer-service)
3. Egress (upstream connections)
All upstream services are reached over internal Cloud Run-to-Cloud Run calls via the VPC connector. Service-to-service auth uses Google ID tokens minted from the bff-consumer-sa service account.
| Upstream | Hostname | Auth | Timeout | Retries |
|---|---|---|---|---|
| search-aggregation-service | search-agg.melmastoon.internal | Google ID token | 1500 ms | 1 (idempotent) |
| pricing-service | pricing.melmastoon.internal | Google ID token | 800 ms | 1 |
| property-service | property.melmastoon.internal | Google ID token | 1000 ms | 1 |
| theme-config-service | theme.melmastoon.internal | Google ID token | 600 ms | 1 |
| tenant-service | tenant.melmastoon.internal | Google ID token | 400 ms | 0 (cached aggressively) |
| bff-tenant-booking-service | bff-tenant.melmastoon.internal | Google ID token + shared HMAC handoff secret | 800 ms | 0 (effects depend on outcome) |
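The per-upstream timeout and retry budget above, as an added example (not the service's own code) of how a Nest/Node 20 egress client would enforce it; tokenFor(), FetchLike and the https://<host> audience form are assumptions, and in production tokenFor() would mint a Google ID token from the bff-consumer-sa identity.

```typescript
// Added example (not the project's code): per-upstream egress policy for bff-consumer-service,
// mirroring the §3 table. Assumes Node 20 and a caller-supplied tokenFor() that, in production,
// mints a Google ID token for the audience from the bff-consumer-sa identity.
type UpstreamName =
  | 'search-aggregation-service' | 'pricing-service' | 'property-service'
  | 'theme-config-service' | 'tenant-service' | 'bff-tenant-booking-service';
interface EgressPolicy { host: string; timeoutMs: number; retries: number }
// Copied from the §3 table; retries = number of re-attempts after the first call.
const EGRESS_POLICY: Record<UpstreamName, EgressPolicy> = {
  'search-aggregation-service': { host: 'search-agg.melmastoon.internal', timeoutMs: 1500, retries: 1 },
  'pricing-service':            { host: 'pricing.melmastoon.internal',    timeoutMs: 800,  retries: 1 },
  'property-service':           { host: 'property.melmastoon.internal',   timeoutMs: 1000, retries: 1 },
  'theme-config-service':       { host: 'theme.melmastoon.internal',      timeoutMs: 600,  retries: 1 },
  'tenant-service':             { host: 'tenant.melmastoon.internal',     timeoutMs: 400,  retries: 0 },
  'bff-tenant-booking-service': { host: 'bff-tenant.melmastoon.internal', timeoutMs: 800,  retries: 0 },
};
interface UpstreamResponse { ok: boolean; status: number }
type FetchLike = (url: string, init: { headers: Record<string, string>; signal: AbortSignal }) =>
  Promise<UpstreamResponse>;
// Cloud Run checks the ID token's audience against the service URL (assumed here to be https://<host>).
function audienceFor(upstream: UpstreamName): string {
  return `https://${EGRESS_POLICY[upstream].host}`;
}
// Retry only within the policy budget and only on failures that are safe to repeat: a
// timeout/transport error (status null) or 502/503/504. A 4xx (e.g. rejected token) is never retried.
function shouldRetry(upstream: UpstreamName, attempt: number, status: number | null): boolean {
  if (attempt >= EGRESS_POLICY[upstream].retries) return false;
  if (status === null) return true;
  return status === 502 || status === 503 || status === 504;
}
async function callUpstream(upstream: UpstreamName, path: string,
  tokenFor: (audience: string) => Promise<string>, fetchImpl: FetchLike): Promise<UpstreamResponse> {
  const policy = EGRESS_POLICY[upstream];
  const audience = audienceFor(upstream);
  for (let attempt = 0; ; attempt++) {
    const ac = new AbortController(); // per-attempt deadline taken from the table
    const timer = setTimeout(() => ac.abort(), policy.timeoutMs);
    try {
      const token = await tokenFor(audience);
      const res = await fetchImpl(`${audience}${path}`,
        { headers: { authorization: `Bearer ${token}` }, signal: ac.signal });
      if (res.ok || !shouldRetry(upstream, attempt, res.status)) return res;
    } catch (err) {
      if (!shouldRetry(upstream, attempt, null)) throw err; // budget exhausted: surface the failure
    } finally {
      clearTimeout(timer);
    }
  }
}
```

Because the token is minted per attempt, a retry after a timeout never reuses a token that may have expired mid-call; non-idempotent upstreams (retries: 0) return or throw on the first result.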
4. Stateful dependencies
| Dependency | Type | Region | HA |
|---|---|---|---|
| Memorystore (Redis 7) | bff-consumer-cache-asia-south1, 5 GiB, standard tier | asia-south1 | Standby replica + auto-failover |
| Cloud SQL (Postgres 16) | bff-consumer-db-asia-south1, db-custom-2-8192 | asia-south1 | Regional HA + cross-region read replica in europe-west4 for DR |
| Pub/Sub topics | melmastoon.bff.consumer.* | global | n/a |
| Secret Manager | bff-consumer-handoff-hmac, bff-consumer-pepper, bff-consumer-recaptcha-secret | global | Replicated automatically |
5. CI/CD pipeline
GitHub PR → GitHub Actions
├── Lint + typecheck + unit + integration + contract tests
├── Build container (Cloud Build)
├── Trivy scan (block high/critical CVE)
├── Cosign sign with Fulcio identity
├── Push to Artifact Registry: asia-south1-docker.pkg.dev/melmastoon-prod/bff/consumer
│
├── Deploy to dev Cloud Run (via gcloud run deploy --no-traffic + smoke test → traffic shift 100%)
│
├── Manual approval → stage
│
└── Manual approval → prod (canary 5% → 25% → 100% over 30 min, with metric guardrail)
Binary authorization policy on the prod cluster requires Cosign signature from the platform's Fulcio identity.
6. Traffic management
- Client SDK (consumer web + mobile) targets api.melmastoon.ghasi.io/bff/consumer/v1/*.
- Multi-region routing: GCLB picks closest healthy region.
- During regional incident: GCLB drains traffic from impaired region; runbook covers Memorystore + Postgres failover and DNS TTL considerations.
- Canary control: Cloud Deploy + Cloud Run revisions; rollback budget 5 minutes if SLO burn detected.
7. Configuration
Configuration is loaded from:
| Source | What |
|---|---|
| Cloud Run env vars | Non-secret toggles (region, env name, log level) |
| Secret Manager (mounted as files) | All secrets per SECURITY_MODEL §9 |
| Cloud Run Service YAML | Resource sizing, concurrency, min/max instances, VPC connector |
Feature flags (e.g., enableLLMBotJudge, campaignMode) are read from a single bff-consumer-flags Memorystore key refreshed every 30 s and managed by ops via a small admin tool. We do not use a third-party feature-flag SaaS.
8. Networking
- VPC: melmastoon-prod-vpc.
- Subnet (Cloud Run connector): bff-consumer-connector-asia-south1 (10.20.4.0/28).
- Private Service Access for Cloud SQL.
- Memorystore reached via VPC connector private IP.
- Egress NAT not required (no outbound public internet calls in steady state).
9. Cost posture
| Item | Estimated monthly @ 200 RPS steady |
|---|---|
| Cloud Run | ~$320 |
| Memorystore (5 GiB standard HA) | ~$170 |
| Cloud SQL (db-custom-2-8192 + HA) | ~$240 |
| Pub/Sub | ~$60 (telemetry volume; sampled) |
| Cloud CDN | ~$40 |
| Cloud Armor | ~$30 |
| Logging + Trace + Monitoring | ~$80 |
| Total | ~$940 / month / region |
10. Disaster recovery
- RPO: 5 min (Cloud SQL PITR; Memorystore is volatile and treated as cache only).
- RTO: 30 min (regional failover via DNS + Cloud Run redeploy in DR region).
- Quarterly DR drill: cut traffic to europe-west4; verify search returns correct results via the replicated cross-tenant index.