Environments & Base URLs
The MaxConf API is deployed to multiple isolated environments, each with its own Azure Function App, API Management instance, and backend Pexip nodes.
Environment topology
```mermaid
graph TD
    subgraph Test Environment
        APIM_T[API Management<br/>api.test.vc.maxconf.ca]
        EDGE[Function App<br/>Edge Slot]
        TEST[Function App<br/>Test Slot]
        PEXIP_T[Pexip Infinity<br/>management.test.vc.maxconf.ca]
    end
    subgraph Production Environment
        APIM_P[API Management<br/>api.vc.maxconf.ca]
        STAGING[Function App<br/>Staging Slot]
        PROD[Function App<br/>Production Slot]
        PEXIP_P[Pexip Infinity<br/>management.vc.maxconf.ca]
    end
    APIM_T -->|/edge/*| EDGE
    APIM_T -->|/*| TEST
    EDGE --> PEXIP_T
    TEST --> PEXIP_T
    APIM_P -->|/*| PROD
    STAGING -.->|swap| PROD
    PROD --> PEXIP_P
```
Base URLs
| Environment | Base URL | Purpose |
|---|---|---|
| Test | https://api.test.vc.maxconf.ca | Integration testing for IDIM DEV2, SIT, QA, PREPROD, Test |
| Test (Edge) | https://api.test.vc.maxconf.ca/edge | Pre-test surface for Maximus developers |
| Production | https://api.vc.maxconf.ca | Live service for BCSC Production |
All endpoints are routed through Azure API Management, which handles TLS termination, rate limiting, and subscription key validation before forwarding to the underlying Function App.
Connected IAS environments
Each MaxConf API environment serves specific IAS (Identity Assurance Services) environments. The IDIM server infrastructure in each IAS environment is the direct consumer of the MaxConf API - it calls `POST /room/create` to provision rooms, then provides the connection details to the BCSC mobile app.
| MaxConf API | Pexip Infinity | IAS Environments | BCSC Mobile App |
|---|---|---|---|
| Test (Edge) | Test | DEV | None |
| Test | Test | DEV2, SIT, QA, PREPROD, Test | BCSC DEV, QA, Test |
| Production | Production | Production | BCSC Production |
Gateway behaviour
API Management applies the following policies:
- TLS 1.2+ enforced on all inbound connections
- Subscription key required via `Ocp-Apim-Subscription-Key` header (for private endpoints only)
- OAuth2.0 token validation - tokens are validated against Microsoft Entra ID before reaching the Function App
- Rate limiting - configurable per subscription
- CORS - restricted to known consumer origins
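
A consumer-side guard for the environment split and gateway policies above, added here as an example (it is not MaxConf's own code). The helper names `build_request` and `tls_context`, the environment labels and the placeholder credentials are assumptions; the base URLs, header name and `/room/create` path come from this page.

```python
import ssl
from urllib.parse import urlsplit
from urllib.request import Request

# Base URLs copied from the table on this page; the keys are labels chosen here.
BASE_URLS = {
    "test": "https://api.test.vc.maxconf.ca",
    "test-edge": "https://api.test.vc.maxconf.ca/edge",
    "production": "https://api.vc.maxconf.ca",
}


def tls_context() -> ssl.SSLContext:
    """Client context matching the gateway's TLS 1.2+ policy."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_request(env, path, bearer_token, subscription_key=None, body=None):
    """Build a POST that can only reach the named environment (hypothetical helper)."""
    if env not in BASE_URLS:
        raise ValueError(f"unknown environment: {env!r}")
    bad_char = any(ord(c) <= 0x20 or c in "\\\x7f" for c in path)
    if not path.startswith("/") or ".." in path.split("/") or bad_char:
        raise ValueError("path must be absolute, without '..', spaces or control characters")
    base = BASE_URLS[env]
    url = base + path
    # Test and Test (Edge) share a host; only the /edge prefix separates them, so a
    # "test" call whose path starts with /edge would land on the Edge slot.
    for other in BASE_URLS.values():
        if len(other) > len(base) and (url.lower() + "/").startswith(other + "/"):
            raise ValueError(f"path crosses into another environment: {other}")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != urlsplit(base).hostname:
        raise ValueError("URL left the expected HTTPS host")
    headers = {"Authorization": f"Bearer {bearer_token}"}
    if subscription_key is not None:  # the page requires it for private endpoints only
        headers["Ocp-Apim-Subscription-Key"] = subscription_key
    return Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed placeholder credentials; nothing is sent over the network here.
    req = build_request("test", "/room/create", "<token>", "<subscription-key>")
    print(req.get_method(), req.full_url)
    # To send: urllib.request.urlopen(req, context=tls_context())
```
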
Security boundaries
```mermaid
graph LR
    Consumer[IDIM Server Infrastructure] -->|HTTPS + Bearer Token| APIM[Azure API Management]
    APIM -->|Function Key| FA[Azure Function App]
    FA -->|OAuth2.0 JWT| PEXIP[Pexip Management API]
    FA -->|Managed Identity| KV[Azure Key Vault]
    FA -->|Managed Identity| QUEUE[Azure Storage Queue]
```
The Function App uses its own service-to-service credentials (OAuth2.0 JWT via client credentials) to authenticate with the Pexip Management API. These credentials are separate from those issued to API consumers.