Containerization, Telemetry, and Execution Architecture Reimagined

With the release of HEDDA.IO 2.0, we have completed a significant rearchitecture of the system’s runtime and deployment model. The primary goal: to reduce operational complexity, increase scalability, and provide a foundation for more secure, resource-efficient deployments — especially in cloud-native environments like Azure.

This article outlines the key changes in our infrastructure design, focusing on containerization, identity management, execution unification, telemetry integration, and database technology.

From WebApps and Azure Functions to Azure Container Apps

In previous versions, HEDDA.IO’s infrastructure was composed of a mix of Azure Web Apps (App Services) and Azure Functions, forming a distributed system with several independently hosted components.

While functional, this model introduced complexity in configuration, performance optimization, cost control, and deployment pipelines.

New Containerized Architecture

As of version 2.0, we have moved to a fully containerized architecture, primarily based on Azure Container Apps, a managed Kubernetes-based service that offers:

• Fully isolated containers with built-in scaling

• Easy environment management via Container Apps Environment

• Integration with user-assigned managed identities

• Native support for secrets and configuration injection

• Secure ingress with support for private endpoints

All core HEDDA.IO services (formerly Frontend, API Server, Execution Services) are now part of a unified container environment, deployed as modular containers.

Unified WebRunner: Execution + Streaming + State

The architectural heart of HEDDA.IO 2.0 is the WebRunner — a consolidated component that replaces both the former External Runner and the Single Row Processor.

It offers:

• Synchronous and asynchronous rule execution

• Native streaming (row-by-row) validation

• Support for background data storage of processed rows

This unification significantly simplifies communication patterns and eliminates startup delays (cold starts) seen in previous function-based implementations.

Identity Management with Managed Identity

All services now rely exclusively on a user-assigned managed identity (Microsoft Docs) for authentication and access management.

This means:

• No shared secrets or stored credentials

• Native integration with Azure Key Vault, Azure SQL, and Azure Storage

• Strong compliance with enterprise security standards (least privilege)

• Consistent identity management across deployments

The managed identity is assigned once per Container App Environment and used transparently across all services.

Network Security: Private Endpoints and Isolation

Network security remains a top priority. HEDDA.IO 2.0 continues to support Private Endpoints.

• Azure SQL Database

• Azure Storage Accounts (used for file-based execution input/output)

• Azure Container App Environment

These endpoints are mapped via Azure VNet integration in the Container Apps Environment, ensuring all communication remains internal and no data egress is exposed to the public internet.

This approach makes HEDDA.IO suitable for secure enterprise environments, including those operating under strict compliance requirements or data residency rules.

Furthermore, HEDDA.IO can be integrated into existing private network topologies, such as:

• Hub-and-Spoke architectures

• ExpressRoute-based hybrid cloud scenarios

• Shared Services VNets with central identity or logging infrastructure

This allows organizations to embed HEDDA.IO into their current network infrastructure without sacrificing security or requiring major redesigns.

Telemetry with OpenTelemetry + Azure Monitor

Another critical enhancement in HEDDA.IO 2.0 is full support for OpenTelemetry — the industry-standard observability framework (OpenTelemetry Docs).

All services now emit structured telemetry via:

• Traces (for workflow diagnostics)

• Metrics (execution count, performance, failure rates)

• Logs (structured, JSON-based, queryable)

By default, telemetry is sent to Azure Monitor / Log Analytics, where users can query, visualize, and alert on all activities inside HEDDA.IO.

Of course, users can reconfigure the telemetry sink to send data to any OpenTelemetry-compatible backend, such as:

• Grafana Tempo

• Prometheus / Loki

• New Relic / Datadog

• Elastic Stack

This opens the door to robust observability, cost tracking, SLA monitoring, and early anomaly detection.

DuckDB Integration for Fast In-Memory Analytics 

Finally, we have also enhanced our internal analytical capabilities with deep integration of DuckDB — a high-performance in-memory engine optimized for embedded analytics. 

DuckDB is now used internally to: 

• Run analytical previews of validation results 

• Aggregate row-level metrics in the Review UI 

• Enable fast post-validation reporting 

Unlike traditional database engines, DuckDB operates directly on files or in-memory structures, enabling sub-second analysis of even large result sets, with minimal compute overhead. 

It fits perfectly into our container-first architecture and opens doors to powerful real-time analytics in future releases. 

HEDDA.IO 2.0 is not just a version upgrade. It’s a new foundation — built with containers, observability, scalability, and developer experience in mind. 

Let us know if you’d like an infrastructure diagram or Terraform/Bicep templates for deploying your own instance.