Saif Ali

Posted on Apr 25 • Originally published at nexusai.run

Serverless deployment with NEXUS AI

#ai #productivity #devops #infrastructure

Serverless deployment with NEXUS AI: custom domains, scaling, rollback, and more

Published: April 25, 2026

Category: Platform · DevOps

Reading time: 16 minutes

Author: NEXUS AI Team

Serverless means different things to different teams. For most, it means: don't manage servers, don't think about capacity until it matters, and pay for what you actually run. That premise is right. The implementation — tangled cloud console configurations, provider-specific YAML, and per-cloud IAM policies — is where the promise breaks down.

NEXUS AI deploys containerized applications to AWS App Runner, Google Cloud Run, and Azure Container Apps from a single CLI command. No cloud console. No provider-specific configuration files. Custom domains, replica scaling, one-click rollback, and health checks work the same way across all three.

This post covers every production feature in detail: how it works, what it costs, and the exact CLI commands to run it.

How NEXUS AI serverless works

NEXUS AI acts as a deployment orchestration layer on top of the three major serverless container runtimes:

Provider	Runtime	What runs your container
`GCP_CLOUD_RUN`	Google Cloud Run	Google's fully managed serverless container platform
`AWS_APP_RUNNER`	AWS App Runner	AWS's fully managed container runtime
`AZURE_CONTAINER_APPS`	Azure Container Apps	Azure's serverless container service
`LOCAL_DOCKER`	NEXUS AI managed	NEXUS AI's own managed Docker infrastructure

You choose the provider at deploy time. NEXUS AI handles the cloud-side provisioning — service creation, IAM, registry, networking — and gives you a live URL within minutes. Switching providers is a single flag change on the next redeploy.

Your container runs on your cloud account (Pro and above), not on shared NEXUS AI infrastructure. The data and workload stay in your AWS, Google Cloud, or Azure environment.

Your first serverless deployment

Deploy from a Git repository in one command:

nexus deploy source \
  --name api-prod \
  --repo https://github.com/your-org/your-api \
  --branch main \
  --provider GCP_CLOUD_RUN \
  --region us-central1 \
  --port 3000

Or deploy a pre-built container image:

nexus deploy create \
  --name api-prod \
  --image ghcr.io/your-org/api:latest \
  --provider AWS_APP_RUNNER \
  --region us-east-1 \
  --port 3000

Within 3–5 minutes, your deployment is live at a *.nexusai.run subdomain:

✓ Deployment api-prod created
  URL:      https://api-prod.nexusai.run
  Provider: AWS_APP_RUNNER (us-east-1)
  Status:   RUNNING
  Replicas: 1

No Dockerfile required if you deploy from source — NEXUS AI detects your runtime and generates one. No registry setup, no IAM policy documents, no VPC configuration.

Environments

Every deployment belongs to an environment: DEVELOPMENT, STAGING, or PRODUCTION. Environments affect:

Which secrets are injected (secrets are scoped per environment)
Which team members can deploy (RBAC enforces environment-level permissions)
Which providers are available (controlled by your org's provider config)

# Deploy the same app to staging and production as separate deployments
nexus deploy source --name api-staging --env staging --provider GCP_CLOUD_RUN ...
nexus deploy source --name api-prod    --env production --provider AWS_APP_RUNNER ...

Staging and production run independently — different secrets, different provider configs, same codebase. A bad deploy to staging never touches production.

Custom domains

Every deployment gets a *.nexusai.run subdomain automatically. For production workloads, attach your own domain.

Add a custom domain

nexus domain add api-prod app.yourcompany.com

Output:

✓ Domain app.yourcompany.com added to api-prod
  Verification: PENDING

  Add this DNS record at your registrar:

  Type:  CNAME
  Name:  app
  Value: api-prod.nexusai.run

Verify DNS

Once you've added the CNAME record at your registrar, trigger verification:

nexus domain verify api-prod <domain-id>

NEXUS AI checks DNS propagation and issues a TLS certificate automatically. Verification typically completes within 2–10 minutes of DNS propagation, which depends on your TTL settings.

Apex domains

Both subdomain (app.yourcompany.com) and apex (yourcompany.com) are supported. For apex domains, use your registrar's ALIAS or ANAME record (or CNAME flattening if your registrar supports it) pointing to api-prod.nexusai.run.

List and remove domains

# List all domains for a deployment
nexus domain list api-prod

# Remove a domain
nexus domain remove api-prod <domain-id>

Custom domains are available on Starter ($29/mo) and above. The Free plan uses *.nexusai.run subdomains only.

Scaling

Scale a running deployment between 1 and 10 replicas with a single command. No redeploy required — scaling applies to the live deployment immediately.

# Scale up before a high-traffic event
nexus deploy scale api-prod --replicas 5

# Scale back down after
nexus deploy scale api-prod --replicas 2

Output:

✓ api-prod scaled to 5 replica(s)
  Previous: 2
  Current:  5
  Provider: GCP_CLOUD_RUN

On Google Cloud Run, AWS App Runner, and Azure Container Apps, scaling is applied directly to the underlying service — NEXUS AI calls the provider's API to set the replica count and the change takes effect within 30–60 seconds.

Replica limits

The maximum is 10 replicas per deployment across all plans. For workloads requiring more than 10 replicas, use the provider's native auto-scaling configuration directly on the cloud console alongside NEXUS AI's managed deployment.

Scaling and cost

Replicas run continuously on App Runner and Cloud Run until you scale back down. They are not auto-scaled to zero. If you need scale-to-zero, configure minimum instances on the underlying provider or use the nexus deploy stop command to halt a deployment entirely during off-hours.

# Stop during off-hours
nexus deploy stop api-staging

# Restart when needed
nexus deploy start api-staging

Health checks

NEXUS AI configures health checks on every deployment. A deployment that fails health checks is automatically flagged — and if it stays unhealthy past the retry threshold, it surfaces in both the dashboard and your audit log.

Configuration

Health checks are configured at deploy time:

nexus deploy source \
  --name api-prod \
  --health-check-type http \
  --health-check-url /health \
  --health-check-interval 30 \
  --health-check-timeout 3 \
  --health-check-retries 3 \
  --health-check-start-period 40 \
  ...

Parameter	Default	What it does
`--health-check-type`	`http`	`http`, `tcp`, or `none`
`--health-check-url`	`/health`	Endpoint checked for HTTP type
`--health-check-interval`	30s	Seconds between checks
`--health-check-timeout`	3s	Max wait per check
`--health-check-retries`	3	Failures before marking unhealthy
`--health-check-start-period`	40s	Grace period before checks begin

The 40-second start period is the most important default to understand. It gives your container time to initialize before health checks begin — a Node.js app loading large models or a Java app with a slow JVM startup won't be marked unhealthy before it's ready.

Check current health status

nexus deploy status api-prod

NAME       STATUS   HEALTH    REPLICAS  RESTARTS  PROVIDER         UPTIME
api-prod   RUNNING  healthy   2         0         AWS_APP_RUNNER   14h ago

Rollback

Redeploy to a previous known-good state with one command. No rebuilding, no config archaeology.

nexus deploy rollback api-prod

Rollback is available on Pro ($149/mo) and above. On Free and Starter plans, rollback is not available — the recovery path is a new deployment from the previous image tag or branch.

How rollback works

NEXUS AI stores the previous deployment configuration — image, environment variables, secrets references, provider, region, and replica count. When you rollback, it provisions a new deployment using that configuration. The original deployment record is preserved in your history.

# Check deployment history before rolling back
nexus deploy list --json | jq '.[] | select(.name | startswith("api-prod"))'

[
  { "name": "api-prod",          "status": "FAILED",  "createdAt": "2026-04-25T14:22:00Z" },
  { "name": "rollback-k3x9ab2",  "status": "RUNNING", "createdAt": "2026-04-25T14:30:00Z" }
]

The rollback deployment gets a generated name (rollback-{timestamp}) and runs at the same replica count as the original.

Secrets and environment variables

Secrets are injected at runtime — never baked into the container image. Set them once; they're available across redeployments.

# Store secrets in the vault
nexus secret set DATABASE_URL "postgres://..." --environment production
nexus secret set STRIPE_SECRET_KEY "sk_live_..." --environment production
nexus secret set OPENAI_API_KEY "sk-..." --environment production

# Deploy — secrets are automatically injected
nexus deploy source --name api-prod --env production ...

Your application reads them as standard environment variables:

const db = new Pool({ connectionString: process.env.DATABASE_URL });

No SDK. No fetch-on-startup. No cold-start penalty from secret retrieval. Secrets are decrypted in the NEXUS AI control plane and injected into the container spec before the first process starts.

Environment variables that aren't secrets can be passed inline at deploy time:

nexus deploy source \
  --name api-prod \
  --env-var NODE_ENV=production \
  --env-var LOG_LEVEL=info \
  --env-var PORT=3000 \
  ...

Multi-service deployments

NEXUS AI supports Docker Compose deployments for applications that require multiple services running together — an API, a background worker, and a Redis sidecar, for example.

nexus deploy source \
  --name platform-prod \
  --repo https://github.com/your-org/platform \
  --compose \
  ...

When --compose is specified, NEXUS AI reads your docker-compose.yml, provisions each service as a deployment, and wires them together within the same project. Services can reference each other by name on the internal network.

Redeploy

Push a new image or rebuild from source without changing any configuration:

# Redeploy from the same source (pulls latest from the branch)
nexus deploy redeploy api-prod

# Or from CI/CD using an Access Token
NEXUS_API_KEY=nxk_... nexus deploy redeploy api-prod

Redeployments on cloud providers (AWS App Runner, Google Cloud Run, Azure Container Apps) complete in 60–90 seconds. The old revision stays running until the new one passes health checks — zero-downtime by default.

CI/CD integration

A typical GitHub Actions pipeline with NEXUS AI:

name: Deploy to production

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build and push image
        run: |
          docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
          docker push ghcr.io/${{ github.repository }}:${{ github.sha }}

      - name: Deploy to NEXUS AI
        env:
          NEXUS_API_KEY: ${{ secrets.NEXUS_API_KEY }}
        run: |
          npx nexus-cli deploy redeploy api-prod

The pipeline token uses deploy:write scope only — it cannot read secrets, change configuration, or touch other deployments. One compromised pipeline token is one redeployment trigger, nothing more.

Auto-destroy

Temporary deployments — review apps, QA environments, demo instances — can be set to self-destruct after a fixed window:

# Spin up a review deployment that destroys itself after 24 hours
nexus deploy source \
  --name pr-1234-review \
  --auto-destroy 24h \
  ...

The deployment runs normally until the deadline, then stops and cleans up its cloud resources automatically. No manual teardown required, no forgotten review apps billing at end of month.

Real-time logs

Stream build and runtime logs for any deployment:

# Follow runtime logs
nexus deploy logs api-prod --follow

# Get last 200 lines
nexus deploy logs api-prod --tail 200

# Filter by keyword
nexus deploy logs api-prod --follow | grep ERROR

Logs are available within seconds of a container writing to stdout/stderr. Build logs (the image build, Dockerfile execution, dependency installation) are also accessible via the same command with --build.

Plan comparison

Feature	Free	Starter ($29/mo)	Pro ($149/mo)	Enterprise
Deployments	1	2	5	Unlimited
Providers	Managed Docker	Docker + Google Cloud	All 4 providers	All 4 providers
Custom domains	—	✓	✓	✓
Rollback	—	—	✓	✓
Secrets	3	20	100	Unlimited
Team members	0	3	10	Unlimited
AI generations/day	1	10	Unlimited	Unlimited
Your cloud account	—	✓	✓	✓
Replica scaling (1–10)	✓	✓	✓	✓
Health checks	✓	✓	✓	✓
Audit logs	✓	✓	✓	✓

Deployment command reference

# Deploy from source
nexus deploy source --name <name> --repo <url> --branch <branch> --provider <provider> --port <port>

# Deploy from image
nexus deploy create --name <name> --image <image> --provider <provider> --port <port>

# Redeploy (same config, new build)
nexus deploy redeploy <name>

# Scale replicas (1–10)
nexus deploy scale <name> --replicas <n>

# Rollback to previous version (Pro+)
nexus deploy rollback <name>

# Stop / start
nexus deploy stop <name>
nexus deploy start <name>

# View status
nexus deploy status <name>

# Stream logs
nexus deploy logs <name> --follow

# List deployments
nexus deploy list

# Delete deployment
nexus deploy delete <name>

# Custom domains
nexus domain add <deployment> <domain>
nexus domain verify <deployment> <domain-id>
nexus domain list <deployment>
nexus domain remove <deployment> <domain-id>

Checklist: production-ready serverless deployment

[ ] Set all secrets via nexus secret set before first deploy — zero plaintext env vars
[ ] Configure --health-check-url to match your app's actual health endpoint
[ ] Set --health-check-start-period to at least your app's cold-start time
[ ] Create a scoped deploy:write token for CI/CD — never use your personal token in pipelines
[ ] Add your custom domain and verify DNS before announcing the URL
[ ] Run nexus deploy status <name> --watch on the first production deploy to catch health check failures early
[ ] Set --auto-destroy on review and QA deployments — prevent billing surprises
[ ] Scale to at least 2 replicas for production — single-replica deployments have no redundancy

Frequently asked questions

Which cloud provider should I use?

For most workloads: Google Cloud Run (GCP_CLOUD_RUN) for its zero-to-running speed and global network, AWS App Runner (AWS_APP_RUNNER) if your team already runs on AWS and wants everything in one account, Azure Container Apps (AZURE_CONTAINER_APPS) for Microsoft-stack integrations. All three behave identically from the NEXUS AI CLI perspective.

Does NEXUS AI support scale-to-zero?

Not natively managed from the CLI — replicas run continuously at whatever count you set. The underlying providers (Cloud Run, Container Apps) support scale-to-zero natively; you can configure it on the cloud console alongside NEXUS AI's deployment. nexus deploy stop halts the deployment entirely, which achieves zero cost during idle periods for non-production environments.

Can I bring my own Dockerfile?

Yes. If your repository includes a Dockerfile, NEXUS AI uses it. If not, it generates one based on detected runtime (Node.js, Python, Go, Java, etc.). You can also pass a Dockerfile path explicitly with --dockerfile.

How does rollback work on Cloud Run and App Runner?

NEXUS AI stores your previous deployment configuration and provisions a new deployment from it — it does not use the provider's native revision rollback. This means rollback works identically across all four providers and preserves a clean audit trail of every state the deployment has been in.

What happens if a deployment fails health checks?

The deployment status changes to FAILED or UNHEALTHY. For cloud providers, the previous revision stays running (Cloud Run and Container Apps keep the last healthy revision active). You'll see a DEPLOYMENT_FAILED event in your audit log with the exit code and error message. Run nexus deploy logs <name> to see what went wrong, then redeploy or rollback.

Can I run multiple services (API + worker + DB) in one deployment?

Use --compose to deploy a Docker Compose file. Each service in the compose file becomes a tracked service under the same deployment, connected on an internal network. External database connections should use NEXUS AI secrets rather than running a database container — ephemeral containers are not a reliable database host.

What's next

Start with a single command. If your app is already containerized:

nexus deploy create \
  --name my-app \
  --image your-registry/your-app:latest \
  --provider GCP_CLOUD_RUN \
  --port 3000

You'll have a live URL in under 5 minutes. Add your custom domain, wire up secrets, and set up your CI/CD pipeline — the entire production setup takes under an hour.

NEXUS AI starts at $29/mo on the Starter plan. Custom domains, Google Cloud Run deployments, and up to 3 team members are included. Start at nexusai.run.

Related reading:

No cloud console. No YAML. One command from prompt to production.

DEV Community