API Free Tiers & Complete Deployment Timing Guide
Security.DugganUSA.com - From Commit to Production
📊 Executive Summary
Total Time: Commit → Production: ~10-15 minutes Monthly Cost (All Free Tiers): $0 (Azure infrastructure only) API Rate Limits: Sufficient for <1,000 req/day platform
🆓 Free Tier APIs - Current Stack
1. Cloudflare (CDN + WAF + Analytics)
Plan: FREE Forever What We Use:
- CDN caching
- WAF (Web Application Firewall)
- Analytics API (GraphQL)
- IP blocking
Rate Limits:
- Unlimited bandwidth (within reason)
- Analytics API: 3,600 req/hour
- GraphQL API: 300 req/min
Setup:
# Already configured
Zone ID: c90e4b21b5381ce61545f90f5c680d2a (dugganusa.com)
Account ID: 6a88c1dc2bef510ffb0c0393ce5c6248
API Token: Stored in Azure Key Vault
Cost: $0/month
2. VirusTotal (Threat Intelligence)
Plan: Community (FREE) What We Use:
- IP reputation lookups
- Malware analysis
- Threat actor correlation
Rate Limits:
- 4 requests/minute
- 500 requests/day
- 15,500 requests/month
Upgrade Path (if needed):
- Premium: $0 (academic/nonprofit)
- Standard: $490/month (overkill for our scale)
Setup:
API Key: Stored in Azure Key Vault (secret: virustotal-api-key)
Endpoint: https://www.virustotal.com/api/v3/
Cache Strategy:
- Local file cache (compliance/evidence/threat-intelligence/virustotal-cache/)
- Azure File Share backup
- 7-day TTL
Cost: $0/month (staying within free tier)
3. AbuseIPDB (IP Reputation)
Plan: FREE What We Use:
- IP abuse confidence scores
- Historical abuse reports
- Geolocation data
Rate Limits:
- 1,000 requests/day (FREE tier)
- No monthly limit
Upgrade Path (if needed):
- Supporter: $19.99/month (10K req/day)
- Pro: $49.99/month (100K req/day)
Setup:
API Key: Stored in Azure Key Vault (secret: abuseipdb-api-key)
Endpoint: https://api.abuseipdb.com/api/v2/check
Cache Strategy:
- Local file cache (compliance/evidence/threat-intelligence/abuseipdb-cache/)
- 7-day TTL
- Cache hit rate: ~85%
Cost: $0/month
4. ThreatFox (Malware IOCs)
Plan: FREE (abuse.ch project) What We Use:
- Malware indicators of compromise (IOCs)
- C2 server IPs
- Threat actor infrastructure
Rate Limits:
- None specified (reasonable use)
- Recommended: <1,000 req/day
Setup:
API Key: Stored in Azure Key Vault (secret: threatfox-auth-key)
Endpoint: https://threatfox-api.abuse.ch/api/v1/
Cache Strategy:
- Local file cache (compliance/evidence/threat-intelligence/threatfox-cache/)
- 7-day TTL
Cost: $0/month
5. Google Analytics 4 (GA4)
Plan: FREE What We Use:
- Blog pageview analytics (Wix blog)
- Traffic source analysis
- Visitor demographics
Rate Limits:
- 10M events/month (FREE)
- Unlimited properties
Setup:
Credentials: Stored in Azure Key Vault
- analytics-dashboard-username
- analytics-dashboard-password
Cost: $0/month
6. Application Insights (Azure)
Plan: FREE tier (generous limits) What We Use:
- Request/response tracking
- Exception logging
- Custom metrics (threat blocks, API queries)
Rate Limits (FREE tier):
- 5GB ingestion/month (FREE)
- 90-day retention
Upgrade Path (if needed):
- Pay-as-you-go: $2.30/GB after 5GB
Setup:
App ID: 9657ac80-c379-490c-abd4-3962fc22ef72
Resource: cleansheet-2x4-insights
Connection: DefaultAzureCredential (Managed Identity)
Current Usage: ~200MB/month (well under free tier)
Cost: $0/month
💰 Total Monthly API Costs
| Service | Plan | Rate Limit | Current Usage | Cost |
|---|---|---|---|---|
| Cloudflare | FREE | 3,600 req/hr | ~500 req/day | $0 |
| VirusTotal | Community | 500 req/day | ~50 req/day (cache: 90%) | $0 |
| AbuseIPDB | FREE | 1,000 req/day | ~100 req/day (cache: 85%) | $0 |
| ThreatFox | FREE | Unlimited | ~20 req/day | $0 |
| Google Analytics 4 | FREE | 10M events/mo | ~1K events/day | $0 |
| Application Insights | FREE | 5GB/month | ~200MB/month | $0 |
| TOTAL | $0/month |
Azure Infrastructure Cost (separate):
- Container Apps: ~$10-20/month
- Storage Account: ~$1-2/month
- Key Vault: ~$1/month
- Total Azure: ~$12-23/month
⏱️ Complete Deployment Timing Breakdown
From Commit to Production: Step-by-Step
Step 1: Judge Dredd Pre-Flight Review ⏱️ ~30 seconds
# Manual trigger
node scripts/judge-dredd.js 10
# What happens:
# - Analyzes last 10 commits
# - Pattern detection (security, compliance, professionalism)
# - Generates judgment report
# - Saves evidence (compliance/evidence/judge-dredd-latest.json)
Output:
- ✅ COMPLIANT (proceed) or ❌ VIOLATIONS (block)
- Commendations logged
- Learning data saved
Time: ~30 seconds (local), ~45 seconds (GitHub Actions)
Step 2: Git Push ⏱️ ~5-10 seconds
git push origin main
What happens:
- Code pushed to GitHub
- Triggers GitHub Actions workflow
- Judge Dredd workflow runs in parallel
Time: ~5-10 seconds (depends on network)
Step 3: GitHub Actions - Judge Dredd Review ⏱️ ~1-2 minutes
Workflow: .github/workflows/judge-dredd.yml
Steps:
- Checkout code (10s)
- Setup Node.js (15s)
- Install Judge Dredd dependencies (30s)
- Run Judge Dredd review (30s)
- Upload evidence artifact (10s)
Total: ~1-2 minutes
Parallel Execution: Runs concurrently with build job
Step 4: GitHub Actions - Build & Deploy ⏱️ ~8-12 minutes
Workflow: .github/workflows/deploy-security-dashboard.yml
Sub-Step 4a: Azure Login ⏱️ ~15 seconds
az login --service-principal
az acr login --name cleansheet2x4
Sub-Step 4b: Docker Build ⏱️ ~3-5 minutes
cd security-dashboard
docker buildx build --platform linux/amd64 \
-t cleansheet2x4.azurecr.io/security-dashboard:latest \
-t cleansheet2x4.azurecr.io/security-dashboard:v1.0.0 \
-t cleansheet2x4.azurecr.io/security-dashboard:74db440 \
--push .
What happens:
- Multi-stage build (Node 20 base)
- Install production dependencies (~30s)
- Copy application code (~10s)
- Copy threat intel cache files (~20s)
- Tag with version, git SHA, latest (~5s)
- Push to Azure Container Registry (~2-3 min)
Breakdown:
- Base image pull: 30s (cached after first run)
- npm install: 30s
- File copy: 30s
- Build layers: 60s
- Push to ACR: 2-3 min
- Total: ~3-5 minutes
Sub-Step 4c: Container App Update ⏱️ ~2-4 minutes
az containerapp update \
--name security-dashboard \
--resource-group cleansheet-2x4 \
--image cleansheet2x4.azurecr.io/security-dashboard:74db440
What happens:
- Azure pulls new image from ACR (~30s)
- Spins up new container instance (~60s)
- Health check probe (
/healthendpoint) (~30s) - Traffic cutover (rolling update) (~30s)
- Terminate old container (~30s)
Breakdown:
- Image pull: 30s
- Container start: 60s
- Health checks: 30-60s
- Traffic switch: 30s
- Total: ~2-4 minutes
Sub-Step 4d: Health Check Verification ⏱️ ~30 seconds
sleep 30
curl -f https://security.dugganusa.com/health
Expected Response:
{
"status": "healthy",
"service": "analytics-dashboard"
}
Sub-Step 4e: Compliance Logging ⏱️ ~10 seconds
# Save deployment evidence
cat > compliance/evidence/deployments/deploy-$(date +%Y%m%d-%H%M%S).json <<EOF
{
"timestamp": "2025-10-27T05:30:00Z",
"service": "security-dashboard",
"commit": "74db440",
"soc2Controls": { "CC8.1": "tracked" }
}
EOF
# Upload artifact (365-day retention)
Total Deployment Timeline
| Phase | Duration | Description |
|---|---|---|
| 1. Judge Dredd Pre-Flight | 30s | Local pattern detection |
| 2. Git Push | 5-10s | Push to GitHub |
| 3. Judge Dredd Workflow | 1-2 min | Parallel GitHub Actions review |
| 4a. Azure Login | 15s | ACR authentication |
| 4b. Docker Build & Push | 3-5 min | Multi-stage build + ACR push |
| 4c. Container App Update | 2-4 min | Image pull + rolling update |
| 4d. Health Check | 30s | Verify deployment success |
| 4e. Compliance Logging | 10s | Save SOC2 evidence |
| TOTAL | ~8-13 minutes | Commit → Production |
🚀 Optimization Opportunities
Current: ~8-13 minutes
Potential Improvements:
- Docker Layer Caching (save ~1-2 min on builds)
- GitHub Actions cache for Node modules
- Separate base image layer
- New time: ~6-11 minutes
- Parallel Health Checks (save ~15s)
- Run health check during traffic cutover
- New time: ~6-10 minutes
- Pre-warmed Container Instances (save ~1-2 min)
- Azure Container Apps scale-to-zero optimization
- Keep 1 instance always warm
- New time: ~5-8 minutes
Best Case (Fully Optimized): ~5-8 minutes
📦 Package Requirements
Production Dependencies (package.json)
{
"dependencies": {
"express": "^4.18.2",
"express-session": "^1.17.3",
"@google-analytics/data": "^4.0.0",
"@azure/keyvault-secrets": "^4.7.0",
"@azure/identity": "^4.0.0",
"@azure/monitor-query": "^1.2.0",
"@azure/storage-file-share": "^12.17.0",
"@azure/data-tables": "^13.2.2",
"node-cron": "^3.0.3"
}
}
Total Size: ~45MB (node_modules) Install Time: ~30 seconds (Docker build)
Judge Dredd Agent Dependencies (scripts/judge-dredd-agent/package.json)
{
"dependencies": {
"axios": "^1.7.9",
"chokidar": "^3.5.3",
"commander": "^11.1.0",
"chalk": "^4.1.2",
"node-notifier": "^10.0.1"
}
}
Total Size: ~12MB (node_modules) Install Time: ~15 seconds
🎯 Deployment Checklist
Pre-Deployment:
- Judge Dredd review passed (0 CRITICAL violations)
- All tests passing (if applicable)
- API keys in Azure Key Vault
- Managed Identity configured
During Deployment:
- GitHub Actions workflow triggered
- Docker build successful
- Image pushed to ACR (3 tags: version, SHA, latest)
- Container App update initiated
Post-Deployment:
- Health check returns 200 OK
- Application Insights logging
- Cloudflare CDN cache cleared (if needed)
- Deployment evidence saved (365-day retention)
📞 Support & Troubleshooting
Deployment Failures:
- Check GitHub Actions logs
- Review Judge Dredd artifacts
- Verify Azure Container Apps status
API Rate Limit Issues:
- Check cache hit rates
- Review Application Insights metrics
- Consider upgrading tier (if needed)
Contact: patrick@dugganusa.com
📋 Last Updated: 2025-10-27 🛡️ Security.DugganUSA.com - Zero-Cost API Stack with Enterprise Deployment