🚀 SPY Options Trading - Hybrid Cloud Architecture

Infrastructure as Code with Terraform | Azure Cloud + On-Premises Edge Infrastructure

⚡ TERRAFORM - Infrastructure as Code Layer
📁 Terraform Modules
• networking/ (VPN, NSG, VNet)
• app-service/ (Backend API)
• static-web/ (Dashboard)
• signalr/ (Real-time messaging)
• monitoring/ (App Insights)
• acr/ (Container Registry)
• container-instances/ (Optional)
HCL, Azure Provider
🔄 CI/CD Pipeline
• GitHub Actions workflow
• Terraform plan on PR
• Auto-apply on merge to main
• Remote state in Azure Storage
• Automated rollback
GitHub Actions, Azure Backend
🌍 Multi-Environment
• Dev environment (low-cost)
• Prod environment (HA)
• Environment-specific variables
• Identical infrastructure
• Parallel deployment
Workspaces, tfvars
🔐 Secrets Management
• Azure Key Vault integration
• Rotatable IBKR API keys
• VPN pre-shared keys
• Connection strings
• GitHub Secrets
Key Vault, GitHub Secrets
🐳 CONTAINER & ORCHESTRATION LAYER
🐋 Docker Images
• spy-backend:v1.2 (Backend API)
• spy-trading-bot:v1.2 (Trading engine)
• spy-detector:v1.0 (Anomaly detection)
• ibkr-gateway:stable (TWS headless)
• fluentd:v1.16 (Log forwarder)
Multi-stage Dockerfiles | Alpine base
☸️ Kubernetes Resources
• Deployments: 3 replicas per service
• Services: ClusterIP + LoadBalancer
• StatefulSets: For IBKR gateway
• DaemonSets: For monitoring agents
• CronJobs: Daily cleanup tasks
kubectl | K8s API v1.28
🎛️ Container Orchestration
• Auto-scaling: HPA based on CPU/Memory
• Self-healing: Restart on failure
• Rolling updates: Zero downtime
• Resource quotas: Per namespace
• Network policies: Pod isolation
K8s Controllers | HPA | Network Policies
🔄 CI/CD for Containers
• Build: Docker build on PR merge
• Test: Container security scanning
• Push: Tag & push to ACR
• Deploy: Helm upgrade via GitHub Actions
• Rollback: Automatic on failure
GitHub Actions | Docker | Helm
📦 Container Deployment Flow:
1️⃣ Code Push: Developer pushes to GitHub main branch
2️⃣ CI Trigger: GitHub Actions workflow starts automatically
3️⃣ Build: Docker multi-stage build creates optimized images
4️⃣ Scan: Security vulnerability scanning (Trivy/Snyk)
5️⃣ Push: Tagged images pushed to Azure Container Registry
6️⃣ Deploy: Helm chart upgrade on edge K8s cluster
7️⃣ Rollout: Rolling update with zero downtime (3 replicas)
8️⃣ Verify: Health checks validate deployment success
9️⃣ Monitor: Prometheus collects metrics from new pods
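The nine-step flow above as one GitHub Actions workflow, added here as an example and not taken from the project's own repository: the Trivy step fails the job on HIGH/CRITICAL findings so only a scanned image reaches ACR, Azure login uses OIDC federation instead of a stored client secret, and `helm upgrade --atomic` gives the automatic rollback on a failed rollout. Assumed, not from the page: the `self-hosted, edge` runner labels (a runner on the edge host that already holds the k3s kubeconfig), the registry name `acr`, the chart path, the values file path, the secret names, and the `image.tag` values key; the image is tagged with the commit SHA rather than a mutable version tag.

```yaml
name: build-scan-push-deploy
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write            # OIDC federation to Azure; no long-lived client secret
env:
  IMAGE: acr.azurecr.io/spy-trading-bot:${{ github.sha }}   # immutable, SHA-based tag
jobs:
  deploy:
    runs-on: [self-hosted, edge]   # assumed: runner on the edge host with cluster access
    steps:
      - uses: actions/checkout@v4
      - name: Build (multi-stage Dockerfile)
        run: docker build -t "$IMAGE" .
      - name: Scan image, fail on HIGH/CRITICAL
        uses: aquasecurity/trivy-action@0.28.0   # pin by commit SHA in production
        with:
          image-ref: ${{ env.IMAGE }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"               # non-zero exit stops the job before any push
      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Push scanned image to ACR
        run: |
          az acr login --name acr      # registry name assumed from acr.azurecr.io
          docker push "$IMAGE"
      - name: Helm upgrade with automatic rollback
        run: |
          helm upgrade --install spy-trading-bot ./charts/spy-trading-bot \
            --namespace trading-bots --values values/prod.yaml \
            --set image.tag="${{ github.sha }}" \
            --atomic --timeout 5m      # waits for readiness probes; rolls back on failure
```

Because `--atomic` waits for the new pods to pass readiness, step 8 (verify) is enforced by Helm itself rather than by a separate check.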
☁️ AZURE CLOUD ~$53/mo TF managed
🌐 VPN Gateway
Site-to-Site VPN to On-Premises Edge
IPsec encrypted tunnel
Static routing configured
azurerm_virtual_network_gateway
Bidirectional | Latency: ~15-30ms
🐳 Azure Container Registry (ACR)
Private Docker image repository
Multi-architecture support (amd64/arm64)
Geo-replication enabled
Automated vulnerability scanning
azurerm_container_registry
Push/Pull: CI/CD + Edge K8s cluster
📦 Container Instances (Optional)
Serverless container deployment
Backend API containers
Auto-scaling based on load
Pay-per-second billing
azurerm_container_group
🔒 Network Security Group
Dynamic firewall rule management
Whitelist on-premises public IP
Connection audit logging enabled
DDoS protection tier integrated
azurerm_network_security_group
⚙️ App Service (Backend API)
Python Flask/FastAPI REST API
IBKR TWS API integration layer
Real-time strike data processing
Anomaly detection algorithms
azurerm_linux_web_app | Python 3.11
Publishes signals → SignalR Hub
📡 SignalR Service
Real-time WebSocket infrastructure
Alert broadcast to edge subscribers
Persistent connection management
Auto-scaling enabled
azurerm_signalr_service
Stream → On-Premises Trading Engine
🌐 Static Web App (Dashboard)
HTML5 Canvas + JavaScript SPA
Public-facing analytics dashboard
Azure CDN global distribution
SSL/TLS encryption enabled
azurerm_static_site
📊 Application Insights
Distributed tracing across hybrid infrastructure
Edge telemetry aggregation
Automated alert rules configured
Custom KPI dashboards
azurerm_application_insights
Ingests telemetry from edge nodes
💾 Table Storage
Anomaly event history retention
Trade execution audit log
Daily metrics aggregation
azurerm_storage_account
🔑 Key Vault
IBKR API credentials
VPN pre-shared key
Connection strings
Automated key rotation
azurerm_key_vault
🔐 VPN S2S
IPsec Tunnel
IKEv2 Protocol
⟷
Latency: 15-30ms RTT
Throughput: 100Mbps
Route Tables:
10.0.0.0/16 (Azure VNet) ↔ 192.168.1.0/24 (On-Prem)
Ports: UDP 500, 4500 (IKEv2/IPsec)
Data Flow Architecture
🟢 Azure → Edge: Trading signals (WebSocket)
🔴 Edge → Azure: Telemetry + metrics
🟡 Bidirectional: Keepalive heartbeat
🖥️ ON-PREMISES EDGE INFRASTRUCTURE $5/mo OpEx
🛡️ Edge Gateway / Firewall
VPN client endpoint configured
NAT traversal enabled
Port forwarding for VPN ingress
DDoS protection at edge
pfSense / Enterprise Firewall
☸️ Kubernetes Cluster (minikube/k3s)
Single-node K8s cluster on edge
3 namespaces: trading-bots, monitoring, system
Persistent volume provisioning
LoadBalancer via MetalLB
Kubernetes v1.28+ | Docker runtime
Pulls images from ACR
🎩 Helm Charts & Releases
Chart: spy-trading-bot (v1.2.0)
Values: dev.yaml / prod.yaml
Release management with rollback
Templated configurations
Helm 3 | Chart versioning
🐳 Trading Bot Pods (Deployment)
Replicas: 3 (High Availability)
Image: acr.azurecr.io/spy-bot:v1.2
Resource limits: 512Mi RAM, 500m CPU
Rolling update strategy
Pod: spy-trading-bot | Python 3.11
Ingests: Real-time anomaly signals
🔍 Liveness & Readiness Probes
HTTP health checks every 10s
Auto-restart on failure
Graceful shutdown (30s timeout)
Zero-downtime deployments
K8s Health Checks
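The trading-bot Deployment and its probes as a manifest, added here as an example rather than the project's own Helm chart output: 3 replicas, the stated 512Mi/500m limits, probes every 10 s, a 30 s termination grace period, a rolling update that never drops below 3 ready pods, a non-root read-only container, and a NetworkPolicy in the trading-bots namespace that admits ingress only from the monitoring namespace (the Prometheus scrape path noted in the deployment flow). Port 8080, the /healthz and /ready paths, and the runAsUser value are assumptions; egress is deliberately left open because the bot must reach SignalR and the IBKR gateway.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata: {name: spy-trading-bot, namespace: trading-bots}
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate: {maxUnavailable: 0, maxSurge: 1}   # zero-downtime rollout
  selector:
    matchLabels: {app: spy-trading-bot}
  template:
    metadata:
      labels: {app: spy-trading-bot}
    spec:
      terminationGracePeriodSeconds: 30              # graceful shutdown window
      securityContext: {runAsNonRoot: true, runAsUser: 10001}   # assumed UID
      containers:
        - name: bot
          image: acr.azurecr.io/spy-bot:v1.2
          ports: [{containerPort: 8080}]              # assumed HTTP/metrics port
          resources:
            requests: {cpu: 250m, memory: 256Mi}
            limits: {cpu: 500m, memory: 512Mi}
          livenessProbe:
            httpGet: {path: /healthz, port: 8080}     # assumed path; restart on failure
            periodSeconds: 10
          readinessProbe:
            httpGet: {path: /ready, port: 8080}       # assumed path; gates rollout
            periodSeconds: 10
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true              # writable state lives on the PV
            capabilities: {drop: [ALL]}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: spy-trading-bot-ingress, namespace: trading-bots}
spec:
  podSelector:
    matchLabels: {app: spy-trading-bot}
  policyTypes: [Ingress]                             # egress intentionally unrestricted
  ingress:                                           # only the monitoring namespace may scrape
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: monitoring}
      ports: [{protocol: TCP, port: 8080}]
```

Kubelet probe traffic is not subject to NetworkPolicy on common CNIs, so the probes keep working after the policy is applied; on k3s the bundled network policy controller enforces it.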
📈 IBKR TWS Gateway (Containerized)
Docker image: ibkr-gateway:stable
StatefulSet for persistent connection
Paper trading account endpoint
Ultra-low latency local processing
K8s StatefulSet | TWS API 9.81+
Executes orders on IBKR infrastructure
⚙️ ConfigMaps & Secrets
ConfigMap: Trading strategies, bot config
Secrets: IBKR credentials, Azure keys
Environment-specific configurations
Hot-reload without pod restart
K8s ConfigMaps & Secrets
💾 Persistent Volumes
PV: 10GB for SQLite database
PV: 5GB for trade logs
PV: 2GB for cache
Local storage class provisioner
K8s PV/PVC | Local storage
📊 Monitoring Stack (Namespace: monitoring)
Prometheus for metrics collection
Grafana dashboards (K8s + Trading)
AlertManager for notifications
Node Exporter for host metrics
Prometheus + Grafana + AlertManager
📝 Telemetry Agent
Forwards logs to Azure Monitor
Performance metrics collection
Connection health monitoring
Local alerting system
Azure Monitor Agent / Fluentd
Telemetry → Application Insights
💾 Edge Data Store
Local signal cache and backup
Trade execution history
Strategy configuration cache
Failover data persistence
SQLite3 / Redis
🔔 Watchdog Service
VPN connection health monitoring
Auto-restart on trading engine failure
Health checks every 30s
Email/Telegram alert integration
systemd / Windows Service Manager
🌍 EXTERNAL SERVICE INTEGRATIONS
📊 Interactive Brokers API
Real-time market data feed
Order execution gateway
Paper trading sandbox environment
TWS API integration
IBKR TWS API | $4.50/mo data subscription
🐙 GitHub Enterprise
Source code repository
Terraform state versioning
CI/CD pipeline automation
Security vulnerability scanning
GitHub Actions | Free tier
📧 Email Gateway
Alert notification delivery
Trade execution confirmations
System health reports
SLA monitoring alerts
SendGrid API | Free tier (100/day)
📱 Telegram Bot API (Optional)
Mobile push notifications
Trade execution alerts
Remote command interface
Real-time status queries
Telegram Bot API | Free
Diagram legend:
Azure Cloud Resources
Containers & Orchestration
On-Premises Edge Infrastructure
Terraform Managed (IaC)
Site-to-Site VPN
Data Flow / Telemetry

💰 MONTHLY OPERATING COST BREAKDOWN

Azure Cloud
VPN Gateway: $27
App Service B1: $13
Static Web App: $0
SignalR Free: $0
Storage: $1
App Insights: $5
Container Registry (Basic): $5
Bandwidth: $2
TOTAL AZURE: ~$53/mo
On-Premises Infrastructure
Compute node: $0 (existing asset)
Power consumption: ~$5
Network connectivity: $0 (existing)
Software licenses: $0 (OSS stack)
TOTAL ON-PREMISES: ~$5/mo OpEx
External Services
IBKR Market Data: $4.50
GitHub: $0 (free tier)
SendGrid: $0 (free tier)
Telegram: $0
TOTAL EXTERNAL SERVICES: ~$4.50/mo
💵 TOTAL MONTHLY OPERATING COST: ~$62.50
Enterprise-grade hybrid cloud infrastructure with container orchestration | Fully scalable | 99.9% SLA uptime

🛠️ COMPLETE TECHNOLOGY STACK

Infrastructure as Code
• Terraform 1.6+
• Azure Provider
• GitHub Actions
• Git version control
Containers & Orchestration
• Docker 24+
• Kubernetes 1.28+
• Helm 3
• minikube / k3s
• kubectl CLI
Cloud Platform
• Azure App Service
• Azure VPN Gateway
• Azure SignalR
• Azure Monitor
• Azure Key Vault
• Azure Container Registry
Backend
• Python 3.11
• Flask / FastAPI
• asyncio / WebSockets
• IBKR TWS API
• pandas, numpy
Frontend
• HTML5 + CSS3
• JavaScript (Vanilla)
• Canvas API
• WebSocket client
Networking
• IPsec VPN
• Site-to-Site
• NSG rules
• Static routing
• MetalLB (K8s)
Monitoring
• Application Insights
• Log Analytics
• Prometheus
• Grafana
• AlertManager
Storage & Data
• Azure Table Storage
• SQLite (edge)
• Redis (cache)
• K8s Persistent Volumes