--- title: "Overview" description: "Deploy Bifrost Enterprise in your cloud environment with secure, private container image distribution" icon: "info-circle" --- Bifrost Enterprise provides private container image distribution through dedicated registries, enabling secure deployments in AWS, GCP, Azure, and on-premise environments. ## Architecture Bifrost uses a hub-and-spoke model with two container registries optimized for each cloud platform: ```mermaid flowchart TB subgraph BifrostInfra[Bifrost Infrastructure] CICD[CI/CD Pipeline] GCR[GCP Artifact Registry] ECR[AWS ECR] end subgraph Customers[Customer Environments] subgraph AWSCustomer[AWS Customers] EKS[EKS Cluster] ECS[ECS Service] end subgraph GCPCustomer[GCP Customers] GKE[GKE Cluster] end subgraph AzureCustomer[Azure Customers] AKS[AKS Cluster] end subgraph OnPrem[On-Premise] K8S[Kubernetes] Docker[Docker] end end CICD -->|Push| GCR CICD -->|Push| ECR ECR -->|IRSA| EKS ECR -->|Task Role| ECS GCR -->|Workload Identity| GKE GCR -->|Azure WIF| AKS GCR -->|Basic Auth| OnPrem ``` ### Registry Distribution | Customer Cloud | Registry Source | Why | |----------------|-----------------|-----| | AWS | AWS ECR | Native IAM integration, lowest latency within AWS | | GCP | GCP Artifact Registry | Native Workload Identity, lowest latency within GCP | | Azure | GCP Artifact Registry | Workload Identity Federation from Azure to GCP | | On-Premise | GCP Artifact Registry | Basic auth with username/password credentials | ## Authentication Methods Choose the authentication method based on your deployment environment: | Environment | Method | Security Level | Setup Complexity | |-------------|--------|----------------|------------------| | AWS EKS | [IRSA](/deployment-guides/enterprise/aws#irsa-recommended) | High | Medium | | AWS ECS | [IAM Task Roles](/deployment-guides/enterprise/aws#ecs-task-roles) | High | Low | | GCP GKE | [Workload Identity](/deployment-guides/enterprise/gcp#workload-identity-recommended) | High | Low | | Azure AKS | [Azure WIF](/deployment-guides/enterprise/azure) | High | Medium | | On-Premise | [Basic Auth](/deployment-guides/enterprise/on-premise) | Medium | Low | Cloud-native identity federation (IRSA, Workload Identity, Azure WIF) is recommended over static credentials for production deployments. ## Security Features ### Encryption - **In-Transit**: All registry communication uses TLS 1.3 - **At-Rest**: Images encrypted using cloud-native encryption (AWS KMS, GCP CMEK) ### Access Control - **IAM-based**: Fine-grained permissions using cloud IAM policies - **Audit Logging**: All image pull operations are logged for compliance - **IP Restrictions**: Optional VPC Service Controls (GCP) or VPC endpoints (AWS) ### Image Security - **Vulnerability Scanning**: Automatic scanning on push - **Immutable Tags**: Optional tag immutability to prevent overwrites - **Signed Images**: Container image signatures for verification ## Prerequisites Before deploying Bifrost Enterprise, ensure you have: - AWS account with ECR access - EKS cluster (v1.23+) or ECS cluster - IAM permissions to create roles and policies - `kubectl` and `aws` CLI configured - GCP project with Artifact Registry API enabled - GKE cluster (v1.24+) with Workload Identity enabled - IAM permissions for service account management - `kubectl` and `gcloud` CLI configured - Azure subscription with AKS - AKS cluster (v1.24+) with Workload Identity enabled - Permissions to create Managed Identities - `kubectl` and `az` CLI configured - Kubernetes cluster (v1.23+) or Docker runtime - Network access to `us-central1-docker.pkg.dev` - Docker credentials provided by Bifrost team ## Getting Started Deploy on EKS or ECS with IRSA authentication Deploy on GKE with Workload Identity Deploy on AKS with Azure Workload Identity Federation Deploy anywhere with Docker credentials ## Support For enterprise deployment assistance: - **Email**: [contact@getmaxim.ai](mailto:contact@getmaxim.ai) - **Slack**: Connect via Slack Connect for real-time support - **Documentation**: Platform-specific guides linked above