diff --git a/prod/constellations-backbase.tf b/prod/constellations-backbase.tf
new file mode 100644
index 0000000..4de73f9
--- /dev/null
+++ b/prod/constellations-backbase.tf
@@ -0,0 +1,53 @@
+# Base-layer infrastructure for the Constellations backend services.
+#
+# Because the MongoDB is isolated on a private network, the usual Azure admin
+# systems do not work. However, with the bastion host setup defined in
+# `constellations-bastion.tf`, it is possible to administer the database
+# locally.
+#
+# 1. First, set up the bastion and SSH into it.
+# 2. Forward a port to the DB:
+# ```
+# ssh -O forward -L 10255:wwtprod-cxbe-server.mongo.cosmos.azure.com:10255 wwt@wwtprodcxb.westus.cloudapp.azure.com
+# ```
+# 3. Make a temporary connection string, replacing the `...cosmos.azure.com` hostname
+# with `localhost`. You can get the connection string from the database's admin
+# page in the Azure Portal.
+# 4. Connect using pymongo with some special settings:
+# ```
+# conn = pymongo.MongoClient(cs, tlsAllowInvalidCertificates=True, directConnection=True)
+# ```
+# where `cs` is the temporary connection string.
+
+resource "azurerm_resource_group" "cx_backend" {
+ name = "${var.prefix}-cxbackend"
+ location = var.location
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+#resource "azurerm_service_plan" "cx_backend" {
+# name = "${var.prefix}cxbackend"
+# resource_group_name = azurerm_resource_group.cx_backend.name
+# location = azurerm_resource_group.cx_backend.location
+# os_type = "Linux"
+# sku_name = "P1v2"
+#}
+
+# The backend virtual network
+
+resource "azurerm_virtual_network" "cx_backend" {
+ name = "${var.prefix}-cxbeVnet"
+ location = azurerm_resource_group.cx_backend.location
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ address_space = ["10.0.0.0/16"]
+}
+
+resource "azurerm_subnet" "cx_backend_main" {
+ name = "${var.prefix}-cxbeSubnet"
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ virtual_network_name = azurerm_virtual_network.cx_backend.name
+ address_prefixes = ["10.0.0.0/24"]
+}
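Review bot: The admin recipe in the file header disables TLS certificate validation outright (`tlsAllowInvalidCertificates=True`) to work around the hostname mismatch it creates by rewriting the Cosmos host to `localhost`; that turns off chain and hostname checking entirely, so anyone on the bastion or tunnel path could impersonate the database. The narrower fix is to keep the real hostname in the connection string and map it to the tunnel instead, e.g. add `127.0.0.1 wwtprod-cxbe-server.mongo.cosmos.azure.com` to `/etc/hosts` alongside the existing `-L 10255:wwtprod-cxbe-server.mongo.cosmos.azure.com:10255` forward, so that `conn = pymongo.MongoClient(cs, directConnection=True)` verifies the certificate normally. The connection string copied from the portal typically embeds the account key, so step 3 should also warn not to save the "temporary" string to disk or shell history and to rotate the key if it is ever shared. The `cx_backend_main` subnet is created with no NSG association visible in this hunk; presumably the bastion's port-22 restriction lives in `constellations-bastion.tf`, which is worth confirming.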
diff --git a/prod/constellations-keycloak-sql.tf b/prod/constellations-keycloak-sql.tf
new file mode 100644
index 0000000..9d2f8ce
--- /dev/null
+++ b/prod/constellations-keycloak-sql.tf
@@ -0,0 +1,89 @@
+# The backing database for the Constellations Keycloak service
+#
+# See remarks in `constellations-backbase.tf` for some information that can
+# hopefully be used to directly connect to this server, if ever needed.
+
+resource "azurerm_postgresql_server" "cxsql" {
+ name = "${var.prefix}-cxsql"
+ location = azurerm_resource_group.cx_backend.location
+ resource_group_name = azurerm_resource_group.cx_backend.name
+
+ sku_name = "GP_Gen5_2"
+ version = "11"
+ storage_mb = 16384
+ backup_retention_days = 35
+ geo_redundant_backup_enabled = true
+ auto_grow_enabled = true
+
+ public_network_access_enabled = false
+ ssl_enforcement_enabled = true
+ ssl_minimal_tls_version_enforced = "TLS1_2"
+ infrastructure_encryption_enabled = false
+
+ administrator_login = "psqladmin"
+ administrator_login_password = var.cxsqlAdminPassword
+}
+
+resource "azurerm_postgresql_database" "keycloak" {
+ name = "keycloak"
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ server_name = azurerm_postgresql_server.cxsql.name
+ charset = "UTF8"
+ collation = "English_United States.1252"
+}
+
+# Supporting vnet/private-endpoint stuff
+
+resource "azurerm_subnet" "cx_backend_sql" {
+ name = "${var.prefix}-cxbeSqlSubnet"
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ virtual_network_name = azurerm_virtual_network.cx_backend.name
+ address_prefixes = ["10.0.4.0/24"]
+}
+
+resource "azurerm_private_dns_zone" "cx_sql" {
+ name = "privatelink.postgres.database.azure.com"
+ resource_group_name = azurerm_resource_group.cx_backend.name
+}
+
+resource "azurerm_private_endpoint" "cx_backend_sql" {
+ name = "${var.prefix}-cxbeSqlEndpoint"
+ location = azurerm_resource_group.cx_backend.location
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ subnet_id = azurerm_subnet.cx_backend_sql.id
+
+ private_dns_zone_group {
+ name = "default"
+ private_dns_zone_ids = [azurerm_private_dns_zone.cx_sql.id]
+ }
+
+ private_service_connection {
+ name = "${var.prefix}-cxbeSqlEndpoint"
+ private_connection_resource_id = azurerm_postgresql_server.cxsql.id
+ is_manual_connection = false
+ subresource_names = ["postgresqlServer"]
+ }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "cx_sql" {
+ name = "privatelink.postgres.database.azure.com-sqllink"
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ private_dns_zone_name = azurerm_private_dns_zone.cx_sql.name
+ virtual_network_id = azurerm_virtual_network.cx_backend.id
+}
+
+resource "azurerm_private_dns_a_record" "cx_backend_sql" {
+ name = "${var.prefix}-cxsql"
+ zone_name = azurerm_private_dns_zone.cx_sql.name
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ ttl = 10
+ records = ["10.0.4.4"]
+}
+
+resource "azurerm_private_dns_a_record" "cx_backend_sql_loc" {
+ name = "${var.prefix}-cxsql-${azurerm_resource_group.cx_backend.location}"
+ zone_name = azurerm_private_dns_zone.cx_sql.name
+ resource_group_name = azurerm_resource_group.cx_backend.name
+ ttl = 10
+ records = ["10.0.4.5"]
+}