# Azure Infrastructure
## Resource map

```mermaid
flowchart TB
    subgraph AppServices [App Services - Linux]
        CloudApp[Cloud Backend API]
        MgmtApp[Management Backend]
        IngestApp[Ingestor Service]
    end
    subgraph Storage [Data Layer]
        SQL[(Azure SQL Server - Cloud DB + Management DB)]
        Blob[Azure Blob Storage - snap blobs]
    end
    subgraph Secrets [Key Vaults]
        CloudKV[kv-mz-cloud]
        ManageKV[kv-mz-manage]
    end
    ACR[Azure Container Registry] -->|Docker pull| CloudApp
    ACR -->|Docker pull| MgmtApp
    CloudKV -->|secrets| CloudApp
    ManageKV -->|secrets| MgmtApp
    CloudApp --> SQL
    MgmtApp --> SQL
    IngestApp --> SQL
    CloudApp -->|snap blobs| Blob
    CloudApp -->|OTel OTLP| AppInsights[Application Insights]
    MgmtApp -->|OTel OTLP| AppInsights
```
## Azure SQL Server

- Single Azure SQL Server instance with two databases: Cloud (`db-monozu-cloud-{env}`) and Management (`db-monozu-manage-{env}`)
- Multi-tenant isolation via Row-Level Security (RLS) — see Multi-Tenancy
- Connection: Managed Identity (production) or SQL auth (`DATABASE_URL`) for local dev
- Migrations: Flyway runs as a post-deploy step in Azure DevOps pipelines
## Azure App Service

Each backend runs as a Linux container pulled from ACR:

| Setting | Value |
|---|---|
| Runtime | Docker (Linux) |
| Plan | At least B2/P1v3 (recommend P2v3 for production) |
| Identity | System-assigned Managed Identity |
| Key Vault access | Key Vault Secrets User role on the service’s KV |

App settings (environment variables) are loaded from Azure Key Vault via App Service Key Vault references (`@Microsoft.KeyVault(VaultName=kv-mz-cloud-prd;SecretName=SECRET_KEY)`).
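Because the per-service vault split only limits blast radius if every reference actually points at the service's own vault, a deploy-time audit of the app settings is worth having. The following Go program is an added example, not code from this project: it parses both Key Vault reference forms App Service accepts (the `VaultName=...;SecretName=...` form used above and the `SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>]` form) and flags required settings that are missing, hold a literal value instead of a reference, or reference another vault. The settings map, the vault name `kv-mz-cloud-prd` and the list of required names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// KeyVaultRef is a parsed App Service Key Vault reference.
type KeyVaultRef struct {
	VaultName     string
	SecretName    string
	SecretVersion string // empty: App Service resolves the latest version
}

const refPrefix = "@Microsoft.KeyVault("

// ParseKeyVaultRef accepts the two reference forms App Service supports:
//
//	@Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<ver>])
//	@Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<ver>])
//
// Anything else, including a literal secret pasted into the setting, is an error.
func ParseKeyVaultRef(value string) (KeyVaultRef, error) {
	var ref KeyVaultRef
	if !strings.HasPrefix(value, refPrefix) || !strings.HasSuffix(value, ")") {
		return ref, errors.New("not a Key Vault reference")
	}
	body := strings.TrimSuffix(strings.TrimPrefix(value, refPrefix), ")")
	for _, pair := range strings.Split(body, ";") {
		key, val, ok := strings.Cut(pair, "=")
		if !ok {
			return ref, fmt.Errorf("malformed pair %q", pair)
		}
		switch key {
		case "VaultName":
			ref.VaultName = val
		case "SecretName":
			ref.SecretName = val
		case "SecretVersion":
			ref.SecretVersion = val
		case "SecretUri":
			// Require https and an exact vault.azure.net host suffix so that a
			// look-alike host such as kv.vault.azure.net.example is rejected.
			u, err := url.Parse(val)
			if err != nil || u.Scheme != "https" || !strings.HasSuffix(u.Host, ".vault.azure.net") {
				return ref, fmt.Errorf("SecretUri %q is not an https vault.azure.net URL", val)
			}
			ref.VaultName = strings.TrimSuffix(u.Host, ".vault.azure.net")
			parts := strings.Split(strings.Trim(u.Path, "/"), "/")
			if len(parts) < 2 || parts[0] != "secrets" || parts[1] == "" {
				return ref, fmt.Errorf("SecretUri %q has no /secrets/<name> path", val)
			}
			ref.SecretName = parts[1]
			if len(parts) > 2 {
				ref.SecretVersion = parts[2]
			}
		default:
			return ref, fmt.Errorf("unknown key %q", key)
		}
	}
	if ref.VaultName == "" || ref.SecretName == "" {
		return ref, errors.New("reference lacks VaultName or SecretName")
	}
	return ref, nil
}

// AuditAppSettings reports each required setting that is missing, holds a
// literal value or malformed reference, or references a vault other than the
// service's own. Findings are sorted so the output is stable.
func AuditAppSettings(settings map[string]string, ownVault string, required []string) []string {
	var findings []string
	for _, name := range required {
		raw, present := settings[name]
		if !present {
			findings = append(findings, name+": missing")
			continue
		}
		ref, err := ParseKeyVaultRef(raw)
		if err != nil {
			findings = append(findings, name+": literal value or malformed reference ("+err.Error()+")")
			continue
		}
		if ref.VaultName != ownVault {
			findings = append(findings, fmt.Sprintf("%s: references %q, expected %q", name, ref.VaultName, ownVault))
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleCloudFindings audits a constructed (not real) set of Cloud Backend
// app settings against the vault kv-mz-cloud-prd.
func SampleCloudFindings() []string {
	settings := map[string]string{
		"SECRET_KEY":         "@Microsoft.KeyVault(VaultName=kv-mz-cloud-prd;SecretName=SECRET_KEY)",
		"MS_CLIENT_SECRET":   "@Microsoft.KeyVault(SecretUri=https://kv-mz-manage-prd.vault.azure.net/secrets/MS_CLIENT_SECRET)", // wrong vault
		"SNAP_PUBLISH_TOKEN": "example-literal-token-value",    // constructed literal where a reference is expected
		"MANAGEMENT_API_URL": "https://manage.example.invalid", // constructed, not in the required list
	}
	required := []string{"SECRET_KEY", "MS_CLIENT_SECRET", "SNAP_PUBLISH_TOKEN", "CLOUD_WEBHOOK_HMAC_SECRET"}
	return AuditAppSettings(settings, "kv-mz-cloud-prd", required)
}
```

Run the audit against the settings exported from each App Service (for example `az webapp config appsettings list` output) with the vault that service is supposed to use; on the constructed sample it reports the missing `CLOUD_WEBHOOK_HMAC_SECRET`, the `MS_CLIENT_SECRET` reference into the management vault, and the literal `SNAP_PUBLISH_TOKEN`.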
## Azure Container Registry

- Shared ACR instance (`acr-monozu`) for all environments
- Images tagged by git commit SHA: `acr-monozu.azurecr.io/cloud-backend:<sha>`
- App Service pulls the latest tagged image on deploy
## Azure Key Vault

Two separate Key Vaults — one per service — to limit blast radius:

| Vault | Contents |
|---|---|
| `kv-mz-cloud-{env}` | `SECRET_KEY`, `CLOUD_INTERNAL_API_TOKEN`, `CLOUD_WEBHOOK_HMAC_SECRET`, `MANAGEMENT_API_URL`, `MS_CLIENT_ID`, `MS_CLIENT_SECRET`, `APPLICATIONINSIGHTS_CONNECTION_STRING`, `SNAP_PUBLISH_TOKEN` |
| `kv-mz-manage-{env}` | `SECRET_KEY`, `CLOUD_INTERNAL_API_TOKEN`, `CLOUD_WEBHOOK_HMAC_SECRET`, `CLOUD_API_URL`, `MS_CLIENT_ID`, `MS_CLIENT_SECRET`, `MS_TENANT_ID`, `APPLICATIONINSIGHTS_CONNECTION_STRING` |

`CLOUD_INTERNAL_API_TOKEN` and `CLOUD_WEBHOOK_HMAC_SECRET` must have the same value in both vaults. See `docs/cloud-management-env.md` for the full secret list.
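The reason `CLOUD_WEBHOOK_HMAC_SECRET` must be identical in both vaults is that one side signs each webhook with its copy and the other verifies with its own; if the two vaults drift (for instance after rotating one and not the other), every webhook is rejected. The Go code below is an added example, not this project's webhook code: it shows both sides of that exchange with HMAC-SHA256 and a constant-time comparison. The hex encoding of the tag, the header it would travel in, and the JSON body are assumptions chosen for the demonstration; the page does not specify the wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignWebhook is the sending side: it tags the raw request body with
// HMAC-SHA256 under the sender's copy of CLOUD_WEBHOOK_HMAC_SECRET and
// returns the hex tag to carry in a signature header (header name assumed).
func SignWebhook(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhook is the receiving side: it recomputes the tag with the
// receiver's own copy of the secret and compares in constant time, so a
// mismatch does not reveal how many leading bytes of the tag were right.
func VerifyWebhook(secret, body []byte, tag string) bool {
	got, err := hex.DecodeString(tag)
	if err != nil {
		return false // not hex at all: reject before doing any work
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), got)
}

// Deliver runs one full exchange: the sender signs with senderSecret and the
// receiver verifies with receiverSecret. It succeeds only when both vaults
// hold the same value, which is the invariant the doc states.
func Deliver(senderSecret, receiverSecret, body []byte) bool {
	return VerifyWebhook(receiverSecret, body, SignWebhook(senderSecret, body))
}

func main() {
	body := []byte(`{"event":"tenant.created","tenant_id":"t-123"}`) // constructed body
	shared := []byte("example-shared-secret")                        // constructed placeholder, not a real secret
	drifted := []byte("example-secret-after-partial-rotation")       // constructed placeholder

	fmt.Println("same secret in both vaults:", Deliver(shared, shared, body))   // true
	fmt.Println("vaults drifted:            ", Deliver(shared, drifted, body))  // false
	tampered := []byte(`{"event":"tenant.created","tenant_id":"t-999"}`)        // body altered in transit
	fmt.Println("body tampered:             ", VerifyWebhook(shared, tampered, SignWebhook(shared, body))) // false
}
```

Verify over the exact raw bytes received, before any JSON decoding, so that re-serialisation differences cannot change the tag; and treat a sudden run of verification failures after a rotation as the drift signal this section warns about.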
## Azure Application Insights

All backends export OpenTelemetry traces, metrics, and logs to Application Insights via OTLP HTTP:

```
APPLICATIONINSIGHTS_CONNECTION_STRING=InstrumentationKey=...;IngestionEndpoint=https://...
```

Dashboards, alerts, and live metrics are available in the Azure Portal under the Application Insights resource.
## Managed Identity

Production App Services use system-assigned Managed Identity for:

- Azure Key Vault access (no credentials in app settings)
- Azure SQL connection (no password — uses `azidentity.ManagedIdentityCredential`)
- Azure Blob Storage (snap binaries)

Grant the App Service MI the following roles:

- Key Vault Secrets User on its Key Vault
- SQL `db_datareader` / `db_datawriter` on its database (via `CREATE USER ... FROM EXTERNAL PROVIDER` in SQL)
- Storage Blob Data Reader on the snap blob container (Cloud Backend only)