-
Applications and components
- Developer guide
- IDE support
- Deployment
- .vespaignore files
- Containers
- Components
- Searchers
- Document processors
- Request handlers
- Result renderers
- Dependency injection
- Configuring components
- Chaining
- Inspecting structured data in a Searcher
- Developing web services
- Unit testing
- System testing
- The config system
- Request-response processing
- Bundles
- Using ZooKeeper
- Http servers and filters
- Using pluggable frameworks
- Java config API
-
Querying
- The query api
- The YQL query language
- Grouping and aggregation
- Federation
- Query profiles
- An intro to vector search
- Nearest neighbor search
- Approximate nearest neighbor search
- Nearest neighbor search guide
- Text matching
- Searching multivalue fields
- Geo search
- Document summaries
- Result diversity
- Page templates
-
Ranking and inference
- Ranking introduction
- Ranking expressions and features
- Multivalue query operators
- Tensor user guide
- Tensor examples
- Phased ranking
- Using TensorFlow models
- Using ONNX models
- Using XGBoost models
- Using LightGBM models
- Wand: Accelerated OR search
- The BM25 rank feature
- The nativeRank rank feature
- Cross-encoder transformer ranking
- Searcher re-ranking
- Significance model
- Stateless model evaluation
-
Linguistics and text processing
-
Content and elasticity
-
Performance
- Performance overview
- Practical performance guide
- Serving sizing guide
- Feed sizing guide
- Node resources
- Sizing examples
- Topology and resizing
- Streaming search
- Benchmarking
- Benchmarking using Vespa Cloud
- Memory visualizer
- Profiling
- Container tuning
- Rate-limiting queries
- Graceful degradation
- Caches
- HTTP performance testing
- HTTP/2
- Feature tuning
- Valgrind
-
Operations
- Environments
- Zones
- Production deployment
- Deployment variants
- Automated deployments
- Autoscaling
-
Enclave: Bring your own cloud
- Reindexing
- Data management and backup
- Cloning applications and data
- Monitoring
- Metrics
- Notifications
- Deployment patterns
- Private endpoints
- Endpoint routing
- Access logging
-
Artefact archive
- Deleting applications
-
Self-managed
- Admin procedures
- Multinode Systems
- Files, Processes, Ports, Environment
- Node Setup
- Using Kubernetes
- Build and install
- Monitoring
- Content node recovery
- Configuration Servers
- Live Vespa upgrade procedure
- Config Sentinel
- Config Proxy
- Docker Containers
- Docker Containers GPU setup
- CPU Support
- Service Location Broker
- Change from attribute to index procedure
- Container
- Monitoring
-
Modules
-
E-commerce
-
-
Reference
-
Applications and components
-
Schemas and documents
-
Reading and writing
-
Operations
- Health checks
- Log files
- Tools
-
Self-managed
-
Security
-
Release notes
Architecture
With Vespa Cloud Enclave, all Azure resources associated with your Vespa Cloud applications are in your enclave Azure subscription, as opposed to a shared Vespa Cloud subscription.
Each Vespa Cloud zone has an associated zone resource group (RG) in the enclave subscription, that contains all the resources for that zone. For instance, it has one Virtual Network (VNet aka VPC).
Virtual Machines, Load Balancers, and Blob Storage
Configuration Servers inside the Vespa Cloud subscription make the decision to create or destroy virtual machines ("Vespa Hosts" in diagram) based on the Vespa applications that are deployed. The Configuration Servers also set up the Container Load Balancers needed to communicate with the deployed Vespa application.
Each Vespa Host will periodically sync its logs to a Blob Storage container ("Log Archive") in a Storage Account in the zone RG. This storage account is "local" to the enclave and provisioned by the Terraform module inside your Azure subscription.
Networking
The Zone Virtual Network (VNet aka VPC) is very network restricted. The Vespa Hosts do not have a public IPv4 address. But your application can connect to external IPv4 services using a NAT gateway. Vespa Hosts have public IPv6 addresses and are able to make outbound connections. Inbound connections are not allowed. Outbound IPv6 connections are used to bootstrap communication with the Configuration Servers, and to report operational metrics back to Vespa Cloud.
When a Vespa Host is booted, it will set up an encrypted tunnel back to the Configuration Servers. All communication between Configuration Servers and the Vespa Hosts will be run over this tunnel after it is set up.
Security
The Vespa Cloud operations team does not have any direct access to the
resources in your subscription. The only possible access is
through the management APIs needed to run Vespa itself. In case it is needed
for, e.g. incident debugging, direct access can only be granted to the Vespa
team by you. Enable direct access by setting the
enable_ssh input to true in the enclave module. For further details, see the
documentation for the
enclave module inputs.
All communication between the enclave and the Vespa Cloud Configuration servers is encrypted, authenticated, and authorized using mTLS with identities embedded in the certificate. mTLS communication is facilitated with the Athenz service.
All data stored is encrypted at rest using Encryption At Host. All keys are managed automatically by the Azure platform.
The resources provisioned in your Azure subscription are either provisioned by the Vespa Cloud Enclave Terraform module you apply, or by the orchestration services inside a Vespa Cloud zone.
Resources are provisioned by the Vespa Cloud Configuration servers, using the
id-provisioner
user-assigned managed identity defined in the Terraform module.
Only your Vespa tenant (that registered this Azure subscription) can deploy applications targeting your enclave.
For more general information about security in Vespa Cloud, see the whitepaper.