Relay Service Deployment Guide

Introduction

The Relay Service is a mandatory component of every [Ai]levate deployment — SaaS or On-Premise. It acts as a secure bridge between a customer’s on-premise EHR datastore and the Cloud Services Layer hosted in the cloud.

By enforcing an outbound-only traffic model, the Relay eliminates the need for inbound firewall changes, reducing the attack surface while still allowing [Ai]levate services to access the EHR datastore as if it were local.

This guide describes how to connect a local NextGen EHR instance to the [Ai]levate Platform using the [Ai]levate Relay Service.

This document provides:

The technical prerequisites customers must prepare.
The step-by-step installation process, including the onsite or remote work performed by [Ai]levate engineers.

General Approach

The Relay Service is deployed as a dedicated Linux VM inside the customer’s network, on the same LAN as the EHR datastore. It initiates an outbound TLS 1.2+ connection (port 443) to [Ai]levate Cloud Services. Once connected, [Ai]levate can securely query the EHR through the Relay as if the database were local, while the database itself remains private.

For both SaaS and On-Prem deployments, the Relay is mandatory. In SaaS, it is the only component the customer hosts. In On-Prem, it complements customer-managed storage and compute. In both cases, the Relay enforces encryption, authentication, and strict isolation.

What the Relay VM does

Initiates an encrypted outbound connection to your dedicated [Ai]levate Platform endpoint on the Internet (TCP 443).
Bridges that connection back to your SQL Server over your LAN (typically TCP 1433).
Presents a stable, private endpoint to your [Ai]levate Platform so our services can use SQL as if it were local — while your database remains private.

Deployment overview

sequenceDiagram
    participant C as Customer SysAdmin
    participant E as "[Ai]levate Engineer"
    participant R as Relay VM
    participant SQL as EHR Datastore
    participant CS as "[Ai]levate Cloud Services"

    %% Preparation
    Note over C: Preparation
    C->>R: Provision Relay VM, validate SQL connectivity (1433)

    %% Deployment
    Note over E,R: Deployment
    E->>R: Install Azure Arc agent
    R->>CS: Register as Connected Machine (443 TLS)

    %% Registration
    Note over C,CS: Registration
    C->>CS: Register EHR endpoint in console

    %% Validation
    Note over E,C: Validation
    CS->>SQL: Test query through Relay
    CS->>C: Confirm tunnel + logs healthy
    E->>C: Provide runbook + ops docs

The installation of the Relay Service follows a clear sequence

Step	Description	Owner
Preparation	The customer system administration team gathers and validates all prerequisites listed in this guide.	Customer
Deployment	An [Ai]levate Engineer (or registered partner) installs and registers the Relay Service during an onsite visit (or secure remote session). Step-by-step deployment guide for [Ai]levate Engineers is available [HERE].	Joint
Registration	The customer accesses the [Ai]levate console and registers the NextGen instance.	Joint
Validation	An [Ai]levate Engineer verifies that the Relay Service and platform integration are fully operational.	Joint

Technical Prerequisites

The customer must prepare the following before the onsite installation.

Relay VM Requirements

Requirement	Specification	Notes
Server	1 dedicated Linux VM (“relay VM”)	Same subnet/routed network as SQL Server
Operating System	Ubuntu Server LTS (recommended)	Any modern Linux distribution is acceptable
Sizing	2 vCPU, 4 GB RAM, 20 GB free disk	Ext4 filesystem recommended
Time sync	NTP enabled	Accurate system time required for TLS
Access	Local user with sudo privileges	Required for [Ai]levate engineers during install
Placement	Must reach SQL Server over LAN (TCP 1433)	Verify SQL port accessibility

TLS requirements

The Relay is a mode of data using Transport Layer Security (TLS) instead of a VPN.

To use TLS 1.2, your Relay server must support at least one of the following cipher suites as of 24 January 2024:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

The Relay also supports HTTP proxy with or without authentication if your network requires a proxy server to reach the internet

Important: The customer is responsible for patch management of the relay VM, including OS and security updates. Root/sudo privileges are mandatory during installation.

Network & DNS Requirements

Connectivity	Requirement	Notes
Outbound Internet	Relay VM must connect to [Ai]levate tunnel endpoint (`*.ailevate.com`) on TCP 443	No inbound rules required
Azure dependencies	Access to: `management.azure.com`, `login.microsoftonline.com`, `.his.arc.azure.com`, `.guestconfiguration.azure.com`, `guestnotificationservice.azure.com`, `.guestnotificationservice.azure.com`, `.servicebus.windows.net`, `http://packages.microsoft.com`, `*.blob.core.windows.net`	Needed for Azure Arc onboarding & ongoing management
Internal LAN	Relay VM must reach SQL Server over TCP 1433 (or configured port)	Ensure SQL hostname/IP is resolvable
DNS resolution	Relay VM must resolve both public FQDNs and the internal SQL hostname	Verify forward and reverse lookups

Administration

Need	Requirement	Notes
Install	A short, approved window for us to install the Microsoft Azure Arc Connected Machine agent on the relay VM and register it to [Ai]leavte Azure tenant.	Operations conducted by an [Ai]levate Engineer (or registered partner)

Registration phase

Once all prerequisites are in place, a meeting with an [Ai]levate engineer (or a certified partner) must be scheduled to finalize the deployment of the [Ai]levate Relay Service and the registration service. This session can be conducted either on-site or via remote access and is expected to take no longer than three hours.

During this session, the [Ai]levate engineer remotely register the [Ai]levate Relay Service using its secured administrative access. The focus of this activity is to configure the relay VM so it becomes the trusted network bridge between your local SQL Server datastore and the [Ai]levate Platform.

The process unfolds in several phases described below.

Step	Description
1. Secure Access to the Relay VM	The engineer authenticates to the relay VM using the sudo account previously provided by your team. Root privileges are required because the installation touches system-level networking and package management. No changes are made to your SQL Server host itself — all operations are isolated to the relay VM.
2. Azure Arc Registration	The engineer installs the Microsoft Azure Arc Connected Machine Agent on the relay VM. This agent securely registers the machine with your [Ai]levate Azure tenant. This step is essential because Azure Arc provides the control channel through which the relay VM is later configured and maintained.
3. Verification in Azure Portal	After registration, the engineer immediately validates that the relay VM is listed as a Connected Machine in the Azure portal. This confirmation ensures that the machine is correctly associated with your tenant and that remote lifecycle operations can be applied by [Ai]levate operations.
4. Environment Validation	Before closing the change window, the engineer confirms: 1. The relay VM can reach the SQL Server over the LAN (port 1433). 2. Outbound HTTPS (443) connectivity from the relay VM to the [Ai]levate tunnel endpoint and Azure Arc services is functional. 3. DNS resolution works for both public FQDNs (e.g., `management.azure.com`) and the internal SQL hostname. This change window is deliberately designed to be short, controlled, and minimally disruptive. All sensitive networking (SQL connections, outbound HTTPS) is verified under your supervision. Importantly, no modification or agent installation is ever performed on your SQL Server host; all integration logic remains on the relay VM.
5. Handover to Remote Operations	Once these verifications are completed, the relay VM is considered “onboarded.” At this point, the engineer transitions responsibility to the [Ai]levate remote operations team, who will complete the deployment by installing the secure tunnel and TCP proxy services.

Networking

Bandwidth Requirements

The Relay Service is lightweight from a compute perspective but network bandwidth is critical to ensure consistent performance. Bandwidth needs vary depending on the volume of claims processed per minute, since every denied claim transmitted between the EHR datastore and [Ai]levate must flow through the Relay.

flowchart LR
    subgraph Customer["Customer Environment"]
        EHR["EHR Datastore"]
        Relay["Relay VM (Outbound-only)"]
    end

    subgraph Ailevate["[Ai]levate Cloud Services (Azure)"]
        Services["Cloud Services Layer"]
    end

    EHR --> Relay
    Relay -->|1–30 Mbps depending on claims| Services

The table below provides minimum and recommended bandwidth values based on typical workloads. These requirements apply to both SaaS and On-Prem deployments, as the Relay is mandatory in each case.

Claims Processed per Minute	Average Number of Objects Received (per minute)	Minimum Bandwidth	Recommended Bandwidth
1 – 500	~10	1 Mbps	2 Mbps
501 – 7,50	~150	5 Mbps	10 Mbps
7,51 – 4,000	~700	15 Mbps	30 Mbps

Network Flow Matrix

The Relay Service requires a set of well-defined network flows to operate correctly. The table below summarizes all flows, including source, destination, protocol/port, encryption, and who is responsible for configuration. This matrix applies to both SaaS and On-Prem deployments since the Relay is mandatory in all cases.

flowchart TD
    subgraph Customer["Customer Environment"]
        EHR["EHR SQL Datastore"]
        Relay["Relay VM (Outbound-only)"]
        DNS["DNS Resolver"]
    end

    subgraph Ailevate["[Ai]levate Cloud (Azure)"]
        Cloud["Cloud Services Layer"]
        Arc["Azure Arc Services"]
    end

    Relay -->|443 TLS| Cloud
    Relay -->|443 TLS| Arc
    Relay -->|1433 TCP| EHR
    Relay -->|53 UDP/TCP| DNS
    Cloud --> Relay

Source	Destination	Protocol / Port	Direction	Encryption	Responsibility
Relay VM	[Ai]levate Cloud Services	HTTPS / 443	Outbound only	TLS 1.2+	Customer (firewall rules)
Relay VM	Azure Arc Services	HTTPS / 443	Outbound only	TLS 1.2+	Customer (firewall rules)
Relay VM	EHR Datastore (SQL-based)	TCP / 1433 (or configured port)	LAN	TLS / LAN	Customer
DNS Resolver (Customer)	Public DNS & internal DNS	UDP/TCP 53	Outbound	—	Customer
[Ai]levate Cloud	Relay VM	— (established tunnel session)	Return traffic	TLS 1.2+	[Ai]levate (tunnel), Customer (network)

Security Responsibilities

[Ailevate] Responsibilities

The purpose of this section provide guarantees to system administrators and security teams that the [Ai]levate Relay Service is designed with a minimal attack surface and follows industry best practices. By keeping the SQL Server datastore private, restricting connections to outbound-only, and installing only lightweight components on the relay VM, the integration balances operational functionality with strong security controls.

Control	Description
Outbound-only	Relay VM initiates all connections (TLS 1.2+). No inbound firewall changes needed.
Database privacy	SQL Server never exposed to the Internet.
Minimal footprint	Only 2 lightweight services installed on relay VM (non-root).
Separation of duties	SQL Server host remains untouched.

Customer Responsibilities

To maintain the same level of protection after deployment, the customer’s security and sysadmin teams are responsible for the following tasks:

Responsibility	Description	Frequency
Patch Management	Apply security updates and OS patches to the relay VM (kernel, packages).	Monthly or per corporate policy
User Access Control	Maintain and audit the local sudo account provided for installation. Rotate passwords regularly.	Quarterly
SQL Credential Security	Ensure SQL credentials used by the Relay Service are stored securely and rotated per internal policies.	Per credential policy
Firewall & Network Monitoring	Monitor outbound traffic from relay VM (TCP 443) and LAN connections to SQL Server (TCP 1433).	Continuous
Log Review	Periodically review relay VM logs (provided by [Ai]levate ops team) for anomalies.	Weekly or per SOC process
Decommissioning	Properly decommission the relay VM when the service is no longer required.	On service retirement

Checklist (summary)

Area	Customer	[Ai]levate
Provide Ubuntu 24.04 LTS relay VM (2 vCPU / 8 GB RAM recommended / 20 GB free)	✅	—
Provide local sudo access for the onsite engineer	✅	—
Ensure outbound TCP 443 from the VM to the listed Azure services and the [Ai]levate tunnel FQDN	✅	—
Ensure the VM can reach SQL Server over the LAN (TCP 1433)	✅	—
Onboard the VM to Azure Arc (performed during onsite visit)	—	✅
Deploy the secure tunnel and local proxy (remotely)	—	✅
Validate end-to-end connectivity and provide ops details	—	✅

Appendix – Relay VM Runbook

This appendix provides operational procedures for system administrators. These tasks allow the customer to verify, monitor, and manage the [Ai]levate Relay Service without requiring escalation.

Service Management

Two lightweight services run on the relay VM:

ailevate-tunnel.service → Handles the secure outbound tunnel to the [Ai]levate Platform.
ailevate-proxy.service → Provides the local TCP proxy from the relay VM to SQL Server.

Task	Command	Notes
Check service status	`sudo systemctl status ailevate-tunnel.service` `sudo systemctl status ailevate-proxy.service`	Look for `active (running)`.
Restart a service	`sudo systemctl restart ailevate-tunnel.service` `sudo systemctl restart ailevate-proxy.service`	Use after config/network changes.
Enable service at boot	`sudo systemctl enable ailevate-tunnel.service` `sudo systemctl enable ailevate-proxy.service`	Ensures auto-start on reboot.
Stop a service	`sudo systemctl stop ailevate-tunnel.service`	Use only during troubleshooting/maintenance.

Log Management

Logs are journaled via systemd.

Task	Command	Notes
Tail tunnel logs (live)	`sudo journalctl -u ailevate-tunnel.service -f`	Useful for troubleshooting connectivity issues.
Tail proxy logs (live)	`sudo journalctl -u ailevate-proxy.service -f`	Confirms SQL traffic relay.
Show last 100 log lines	`sudo journalctl -u ailevate-tunnel.service -n 100`	Adjust `-n` as needed.
Export logs for support	`sudo journalctl -u ailevate-tunnel.service --since "2025-08-01" > tunnel-logs.txt`	Attach to support tickets.

Connectivity Checks

Task	Command	Expected Outcome
Test SQL Server connectivity	`nc -vz <sql-hostname> 1433`	Should report succeeded.
Test outbound HTTPS (tunnel)	`curl -vk https://<relay-endpoint>.ailevate.com`	Should connect successfully.
DNS resolution check	`nslookup management.azure.com`	Confirms external DNS works.
Verify VM time sync	`timedatectl status`	NTP should show as `synchronized: yes`.

System Maintenance

Task	Command	Notes
Update packages	`sudo apt update && sudo apt upgrade -y`	Perform monthly or per corporate policy.
Check disk usage	`df -h`	Ensure ≥ 20% free space.
Check CPU/memory	`top` or `htop`	Monitor performance if issues occur.
Reboot system	`sudo reboot`	Services auto-start if enabled.

Common Issues & Fixes

Symptom	Likely Cause	First Actions
Tunnel service not running (`ailevate-tunnel.service` shows `inactive`)	Service crash or VM reboot without auto-start	Run `sudo systemctl restart ailevate-tunnel.service` and check logs with `journalctl -u ailevate-tunnel.service -n 50`.
Tunnel won’t connect	Firewall blocking outbound TCP 443	Verify `curl -vk https://<relay-endpoint>.ailevate.com`. Check that outbound TCP 443 is open to `*.ailevate.com` and Azure services.
Proxy service fails	SQL Server not reachable	Test with `nc -vz <sql-hostname> 1433`. Ensure SQL Server firewall allows LAN access from relay VM.
Time sync errors in logs	NTP not configured or drifted	Run `timedatectl status`. If unsynchronized, enable NTP with `sudo timedatectl set-ntp true`.
High CPU/memory usage	Other workloads running on relay VM	Check with `top`. Relay VM must be dedicated; stop non-[Ai]levate processes.
DNS resolution failures	Misconfigured DNS resolver on relay VM	Test with `nslookup management.azure.com`. Update `/etc/resolv.conf` or `systemd-resolved` settings.
Persistent issues despite checks	Misconfiguration or deeper network issue	Collect logs (`journalctl`) and contact [Ai]levate support with exported files.