Infrastructure Requirements

What you need to provision before installing the Align Helm chart. All requirements are cloud-agnostic - Align runs on any Kubernetes platform.

Quick Checklist

• Kubernetes cluster (1.25+)
• PostgreSQL database (15+) with pgvector extension
• Redis-compatible service (6+)
• Ingress controller with TLS
• DNS records for app and API domains
• Container registry access (pull Align images)
• (Optional) GPU node for local LLM inference

Kubernetes Cluster

Any Kubernetes 1.25+ cluster works. Align has been tested on:

Platform	Type	Notes
AWS EKS	Managed	Tested in production
Google GKE	Managed	Standard or Autopilot
Azure AKS	Managed	With Workload Identity
k3s / k3d	Lightweight	Good for POC/dev
On-premises	Self-managed	kubeadm, Rancher, OpenShift

Compute Requirements

Tier	Nodes	CPU	Memory	Use Case
Minimal	1	4 vCPU	8 GB	POC, evaluation
Standard	2-3	8 vCPU total	16 GB total	Small team (< 50 users)
Production	3+	16 vCPU total	32 GB total	Enterprise (50+ users, concurrent scans)

These are totals across all nodes, including Kubernetes system overhead. Align services themselves use approximately 4 GB RAM and 2 vCPU at idle, scaling up during Discover scans.

Pod Resource Summary

Service	Requests (CPU/Mem)	Limits (CPU/Mem)	Replicas
Gateway	100m / 256Mi	500m / 512Mi	2
Brain	200m / 512Mi	1000m / 1Gi	2
UI	50m / 128Mi	200m / 256Mi	2
Connectors (each)	50m / 128Mi	200m / 256Mi	1
Migrations (job)	50m / 64Mi	500m / 256Mi	1 (runs once)

PostgreSQL Database

Required: PostgreSQL 15+ with the pgvector extension.

pgvector is used for semantic search across decisions (embedding similarity). Most managed PostgreSQL services include pgvector:

Provider	Service	pgvector Support
AWS	RDS PostgreSQL, Aurora PostgreSQL	Built-in (enable extension)
GCP	Cloud SQL for PostgreSQL	Built-in
Azure	Azure Database for PostgreSQL Flexible Server	Built-in
Self-hosted	PostgreSQL + pgvector	Install via apt/yum or build from source

Sizing

Tier	Instance Size	RAM	Storage	Max Connections	Notes
Minimal	1 vCPU / 2 GB	2 GB	20 GB	~100	Single-replica gateway
Standard	2 vCPU / 4 GB	4 GB	50 GB	~150	Concurrent Discover scans with 3-5 connectors
Production	4 vCPU / 8 GB	8 GB	100 GB+	~300	High concurrency, multiple tenants

Important: Discover scans use parallel workers that consume database connections. See Connection Pooling for tuning guidance. For standard deployments, PgBouncer (included as an optional Helm sidecar) handles connection multiplexing at no extra cost.

Setup

1. Create a database named align (or your preferred name)
2. Enable the pgvector extension: CREATE EXTENSION IF NOT EXISTS vector;
3. Create a Kubernetes secret with connection details:

kubectl create secret generic align-database \
  --namespace align \
  --from-literal=url="postgresql://user:password@host:5432/align" \
  --from-literal=host="your-db-host" \
  --from-literal=port="5432" \
  --from-literal=username="align" \
  --from-literal=password="your-password"

Align runs migrations automatically on install/upgrade.

Redis

Required for Kubernetes deployments. Any Redis 6+ compatible service works.

Redis provides:

• Job state - Track progress of Discover scans and bulk operations
• Pub/Sub - Real-time progress streaming (SSE) across gateway pods

Provider	Service	Notes
AWS	ElastiCache Redis	Single-node is fine pre-production
GCP	Memorystore for Redis	Basic tier sufficient
Azure	Azure Cache for Redis	Basic C0 for small teams
Self-hosted	Redis, Dragonfly, KeyDB	Any Redis-compatible server

Sizing

Tier	Size	Memory	Notes
Minimal	Smallest available	0.5 GB	Sufficient for job state + pub/sub
Standard	Small	1-3 GB	Handles concurrent scans across connectors
Production	Medium + replica	3+ GB	Multi-AZ for high availability

Redis usage is lightweight - Align stores job state (small JSON blobs) and uses pub/sub for SSE streaming. A single small node handles most workloads.

Configuration

Provide the Redis URL via secret or direct value:

gateway:
  redis:
    url: "redis://your-redis:6379"
    # Or via Kubernetes secret:
    secretName: "align-redis"
    secretKey: "url"

Message Queue (Optional)

For most deployments, Align's in-memory queue works well (default, no configuration needed). For high-volume multi-pod deployments processing thousands of decisions per day, you can optionally add a dedicated message queue:

Backend	Best For	Configuration
In-memory (default)	Most deployments, single-pod	No config needed
AWS SQS	AWS deployments, high volume	Set queue URLs in Helm values

The queue backend is pluggable. See Configuration Reference for SQS setup.

Ingress and TLS

Align needs two public endpoints:

Domain	Service	Purpose
app.yourdomain.com	UI	Web application
api.yourdomain.com	Gateway	API server, OAuth callbacks, webhooks
mcp.yourdomain.com (optional)	MCP Connector	AI assistant integration

Ingress Controller

Any Kubernetes ingress controller works:

Controller	Notes
nginx-ingress	Most common, well-documented
Traefik	Built into k3s, lightweight
AWS ALB	Native AWS integration
GCP Ingress	Native GCP integration
Azure Application Gateway	Native Azure integration
Istio Gateway	Service mesh environments

TLS Certificates

Align requires TLS for all endpoints (OAuth callbacks mandate HTTPS). Options:

• cert-manager (recommended) - Automatic Let's Encrypt certificates
• Cloud-managed - ACM (AWS), Google-managed certs, Azure App Gateway
• Manual - Bring your own certificates as Kubernetes TLS secrets

DNS

Create DNS records pointing to your ingress controller's external IP or load balancer:

Record	Type	Target
app.yourdomain.com	A/CNAME	Ingress LB
api.yourdomain.com	A/CNAME	Ingress LB
mcp.yourdomain.com (optional)	A/CNAME	Ingress LB

Container Registry Access

Align distributes container images via a private OCI registry. During onboarding, you receive registry credentials gated by your license JWT.

Options:

1. Pull directly from registry.align.tech (simplest)
2. Mirror to your registry (recommended for production and air-gapped environments)

See Installation - Mirror to Your Registry for mirroring instructions.

GPU Node (Optional)

For local LLM inference instead of cloud API calls. This eliminates per-token costs and keeps all data in your infrastructure.

When to Add GPU

• You want full data sovereignty (no data sent to OpenAI/Anthropic)
• You're running high-volume Discover scans (GPU pays for itself vs API costs)
• You want flat-rate inference costs instead of per-token billing

Hardware Requirements

GPU	VRAM	Fits Models	Approx. Cost	Notes
NVIDIA T4	16 GB	Llama 8B, Mistral 7B	~$380/mo (cloud)	Best value, sufficient for most deployments
NVIDIA A10G	24 GB	Llama 13B, Mixtral 8x7B	~$660/mo (cloud)	Higher throughput
NVIDIA L4	24 GB	Same as A10G	~$500/mo (cloud)	Newer, more efficient
NVIDIA A100	40-80 GB	Llama 70B	~$7,000/mo (cloud)	Large models only

A single NVIDIA T4 running Llama 3.1 8B handles most workloads. You can start without GPU and add it later with no downtime.

Node Setup

GPU nodes need:

1. NVIDIA drivers installed (GPU-optimized OS images simplify this)
2. NVIDIA container toolkit (for GPU access from containers)
3. Node label: node-type: gpu
4. Taint: nvidia.com/gpu=true:NoSchedule (prevents non-GPU pods from scheduling)

Cloud providers offer GPU-ready node images:

• AWS: al2023-nvidia AMI family
• GCP: Container-Optimized OS with GPU, or Ubuntu with NVIDIA drivers
• Azure: NC-series VMs with NVIDIA drivers pre-installed
• On-premises: Install NVIDIA drivers + container toolkit manually

See LLM Configuration - GPU Inference for Helm configuration after provisioning GPU nodes.

Network Requirements

Outbound Access

Align services need outbound HTTPS access to:

Destination	Purpose	Required?
Connector APIs (Slack, GitHub, Jira, Teams, etc.)	Fetch data from connected platforms	Yes (per enabled connector)
Cloud LLM APIs (OpenAI, Anthropic)	AI inference (if using cloud providers)	Only if using cloud LLM
registry.align.tech	Pull container images (if not mirrored)	Only if pulling directly
HuggingFace Hub	Download model weights (GPU inference)	Only on first GPU pod start

For air-gapped deployments, mirror container images and pre-download model weights. See Network Configuration for proxy and firewall details.

Internal Connectivity

All Align services communicate within the cluster:

UI (3000) ─────► Gateway (8080) ─────► Brain (8090)
                      │                      │
                      ├── Connectors (808x)   ├── vLLM (8001, optional)
                      ├── PostgreSQL (5432)
                      └── Redis (6379)

No special network policies are required by default. Enable networkPolicies.enabled: true in Helm values for restricted environments.

Example: Minimal Infrastructure

The smallest viable self-hosted deployment:

Component	Choice	Approximate Cost
Kubernetes	k3s on a single VM (4 vCPU, 16 GB)	$40-80/mo
PostgreSQL	In-cluster (Helm sub-chart)	Included
Redis	In-cluster (single pod)	Included
TLS	cert-manager + Let's Encrypt	Free
LLM	Cloud API (OpenAI)	Pay per use

Total: ~$40-80/mo + LLM API costs

Example: Production Infrastructure

A production-grade deployment for an enterprise team:

Component	Choice	Approximate Cost
Kubernetes	Managed (EKS/GKE/AKS), 3 nodes	$200-400/mo
PostgreSQL	Managed, 4 GB RAM, multi-AZ	$100-200/mo
Redis	Managed, small instance	$30-60/mo
GPU Node	NVIDIA T4 (optional)	$380/mo
TLS	cert-manager + Let's Encrypt	Free
LLM	Local GPU (scans) + Cloud API (synthesis)	~$50/mo API

Total: ~$380-700/mo without GPU, ~$760-1080/mo with GPU

Next Steps

Once your infrastructure is provisioned:

1. Install Align - Helm chart deployment
2. Configure secrets - Database credentials, API keys
3. Set up OAuth apps - Connector authentication
4. Configure LLM - AI provider setup