Monozu Cloud is a multi-tenant SaaS platform built for Managed Service Providers (MSP/MSSP). It provides CMDB, ITSM, Security SOC, VPN, and Backup capabilities through a cohesive web application backed by Go APIs and Azure SQL.
```mermaid
flowchart LR
SPA[Cloud SPA] -->|REST /api/v1| API[Cloud Backend API]
SPA -->|WebSocket /api/ws| API
MgmtSPA[Management SPA] -->|REST /api/v1| MgmtAPI[Management Backend]
Edge[Edge Appliance] -->|POST /v1/ingest| Ingestor[Ingestor Service]
Edge -->|GET /api/v1/commands| API
API -->|SQL + RLS| SQL[(Azure SQL Server)]
API -->|M2M Bearer| MgmtAPI
MgmtAPI -->|HMAC webhook| API
MgmtAPI --> SQL
Ingestor --> SQL
API -->|OIDC| Entra[Microsoft Entra ID]
MgmtAPI -->|OIDC| Entra
API -->|email| Resend[Resend]
API -->|CVE feeds| NVD[NVD / CISA / MITRE]
API -->|OTel OTLP| AppInsights[Application Insights]
CF[Cloudflare Pages] --> SPA
KV[Azure Key Vault] -->|secrets| API
KV -->|secrets| MgmtAPI
ACR[Azure Container Registry] -->|Docker pull| API
ACR -->|Docker pull| MgmtAPI
```
| Decision | Choice | Rationale |
|---|---|---|
| Multi-tenancy | Row-Level Security (Azure SQL) | Isolation without separate databases per tenant |
| Backend pattern | Domain-Driven Design, ~35 bounded contexts | Clear ownership, testability |
| Auth | JWT (access) + HttpOnly cookie (refresh) | Secure stateless auth with CSRF protection |
| Real-time | WebSocket (/api/ws/security, /api/ws/vpn) | Push-based updates for SOC and VPN sessions |
| Frontend state | TanStack Query (server) + Zustand (client) | Clear separation of server and UI state |
| Optional features | Environment-variable feature flags | Same codebase, different deployments |
| CI/CD | Azure DevOps → Docker → ACR → App Service | Containerized, reproducible deployments |
```mermaid
flowchart LR
A[Browser / Edge Device] --> B[Cloudflare CDN/Workers]
B --> C[Go API - Fiber v3]
C --> D[Domain handlers]
D --> E[Azure SQL - sqlx]
D --> F[Background jobs]
F --> G[External APIs - NVD / CISA / Resend]
C --> H[OpenTelemetry - App Insights]
```
- Browser sends `Authorization: Bearer <access_token>` to `/api/v1/*`
- Auth middleware validates the JWT and extracts `tenant_id` and `user_id`
- RBAC middleware checks the required permission against the user's groups
- Domain handler runs business logic via sqlx queries on Azure SQL
- Azure SQL enforces RLS using `SESSION_CONTEXT('tenant_id')`, set at connection time
- Response returned; audit log written for mutating operations
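The RLS step above, shown as an added example rather than the project's own migration: a schema-bound predicate function keyed on `SESSION_CONTEXT('tenant_id')`, the security policy that applies it as both a filter and a block predicate, and the per-connection call the API issues before any tenant query. The table `dbo.Assets`, the `Security` schema and an integer `tenant_id` column are assumptions.

```sql
-- Added example (not the project's own code). Assumes an integer tenant_id column
-- on dbo.Assets; adjust the type to match the real schema.
CREATE SCHEMA Security;
GO

-- Predicate: a row qualifies only when its tenant_id equals the session's tenant.
-- If the session context was never set, SESSION_CONTEXT returns NULL, the
-- comparison is never true, and the connection sees and can write nothing.
-- That is the safe failure mode: a missing tenant never widens to all tenants.
CREATE FUNCTION Security.fn_tenant_predicate(@tenant_id INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
    WHERE @tenant_id = CAST(SESSION_CONTEXT(N'tenant_id') AS INT);
GO

-- FILTER hides other tenants' rows from SELECT/UPDATE/DELETE.
-- BLOCK rejects INSERTs and UPDATEs that would place a row under another tenant,
-- which a filter alone would silently allow.
CREATE SECURITY POLICY Security.TenantIsolationPolicy
    ADD FILTER PREDICATE Security.fn_tenant_predicate(tenant_id) ON dbo.Assets,
    ADD BLOCK PREDICATE Security.fn_tenant_predicate(tenant_id) ON dbo.Assets AFTER INSERT,
    ADD BLOCK PREDICATE Security.fn_tenant_predicate(tenant_id) ON dbo.Assets BEFORE UPDATE
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- What the API runs on a freshly acquired connection, before any tenant query.
-- @read_only = 1 pins the key for the rest of the session, so a later
-- sp_set_session_context (from a buggy handler or an injected statement) fails
-- instead of switching tenants mid-session.
EXEC sp_set_session_context
    @key = N'tenant_id',
    @value = 42,          -- constructed sample tenant id taken from the validated JWT
    @read_only = 1;

-- Application query: no WHERE tenant_id = ... needed; the policy adds it.
SELECT id, hostname FROM dbo.Assets;
```

With a pooled connection the session context must be re-established for every checkout, because a connection reused from the pool starts without the previous request's key.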
- Browser opens `ws://api/ws/security?token=<access_token>` or `ws://api/ws/vpn?token=<access_token>`
- Backend validates the token on upgrade and registers the connection in the WebSocket hub
- Events (security alerts, VPN session updates) are broadcast to matching connections
| Layer | Technology |
|---|---|
| Cloud Backend | Go 1.26, Fiber v3, sqlx, zerolog, OpenTelemetry |
| Management Backend | Go 1.26, Fiber v3, sqlx |
| Cloud Frontend | React 18, Vite 8, TypeScript, React Router 6, TanStack Query v5, Zustand, shadcn/Radix UI, Tailwind CSS |
| Management Frontend | React 18, Vite 8, TypeScript |
| Database | Azure SQL Server, Flyway migrations (V1–V28) |
| Auth | JWT (HS256), bcrypt, TOTP, OIDC (Microsoft Entra ID) |
| Hosting | Azure App Service (backends), Cloudflare Pages (SPAs), Cloudflare Workers (contact form) |
| Observability | OpenTelemetry → Azure Application Insights |
| Secrets | Azure Key Vault (production), .env files (local dev) |