Doris runs on Microsoft Azure with a cloud-native architecture designed for security, reliability, and data residency compliance.

Cloud Hosting

  • Provider: Microsoft Azure
  • Primary region: UK South (London)
  • Compute: Containerised application workloads with managed service identities
  • Credential handling: Service-to-service access is designed to avoid long-lived embedded credentials

Edge Protection

Inbound traffic passes through managed edge protection before reaching application services:
  • Web Application Firewall (WAF): Used to reduce common web exploit risks
  • Bot protection: Automated bot detection and mitigation at the edge
  • DDoS protection: Upstream network protections help absorb volumetric attacks
  • TLS termination: Supported inbound connections are encrypted with TLS 1.2+ at the edge

Network Isolation

Production data services are designed to minimize direct public exposure and use segmented network paths where practical:
  • Databases — Access is restricted to approved application paths and network boundaries
  • Secrets platforms — Secret and key retrieval is limited to authorized identities and approved connectivity paths
  • Cache layers — Internal cache services are placed behind restricted network controls
  • Storage — Storage services are configured to limit unnecessary public access
  • Application services — Internal service communication uses private or restricted connectivity patterns where supported
Network architecture is designed to reduce the attack surface and keep sensitive service-to-service traffic on controlled paths.

Storage & Encryption

Primary storage services are configured with baseline protections, including:
  • Encryption at rest for managed storage accounts
  • HTTPS-only traffic for supported external access paths

Threat Detection

Managed cloud security tooling provides continuous monitoring and posture review:
  • Vulnerability scanning of compute workloads
  • Container and runtime monitoring for suspicious activity
  • Posture management to detect material misconfigurations
  • Storage activity monitoring for anomalous access patterns

Infrastructure as Code

Infrastructure is managed through version-controlled Infrastructure as Code tooling, providing:
  • Reproducible deployments — Infrastructure changes are versioned and peer-reviewed
  • Drift detection — Configuration changes outside IaC are flagged
  • Audit trail — Full history of infrastructure changes in source control