
Resource Groups

Each Microtec ERP environment is organized into 8–9 dedicated resource groups. This isolation enables granular RBAC, cost tracking per concern, and safe teardown of individual tiers without affecting others.


Resource Group Map (Dev Example)

The table below shows the standard RGs for the dev environment. Substitute dev with stage, preprod, uat, or production for other environments.

| # | Resource Group Name | Purpose | Key Resources |
|---|---|---|---|
| 1 | mic-erp-be-dev-network-rg | Network infrastructure | VNet, subnets, NSGs, VNet peerings |
| 2 | mic-erp-be-dev-security-rg | Security & identity | Managed Identity, RBAC assignments |
| 3 | mic-erp-be-dev-sql-rg | SQL configuration | SQL-related configs (shared SQL server is in shared RG) |
| 4 | mic-erp-be-dev-utils-rg | Utility services | Service Bus namespace, private endpoints |
| 5 | mic-erp-be-dev-apps-public-rg | Public container workloads | Public CAE (mic-erp-be-dev-cae-public), Gateway + Keycloak |
| 6 | mic-erp-be-dev-apps-private-rg | Private container workloads | Private CAE (mic-erp-be-dev-cae-private), all 11 internal services |
| 7 | mic-erp-be-dev-monitoring-rg | Observability | Log Analytics Workspace, Application Insights |
| 8 | mic-erp-be-dev-global-rg | Global / shared resources | ACR (micerpbedevacr), Key Vault (mic-erp-be-dev-skv) |
| 9 | mic-erp-be-dev-storage-rg | Backend blob storage | Backend Blob Storage (micerpbedevsa) (optional) |

Shared Resource Groups (All Environments)

| Resource Group | Scope | Purpose |
|---|---|---|
| mic-backend-shared-sql-rg | Cross-environment | SQL Server VM, all tenant databases |

mic-backend-shared-sql-rg — Do NOT Delete or Rename

This RG is shared across dev, stage, preprod, uat, and production. It hosts the SQL Server VM at 20.50.120.95. All environment-specific SQL databases live on this shared server. Deleting or renaming this RG would destroy all tenant and admin databases.


Complete Environment Matrix


Resource Group Detail: *-network-rg

Contains all network infrastructure. Must be deployed first as other RGs depend on subnet IDs.

Resources:

  • VNet: mic-erp-be-{env}-vnet (10.x.0.0/16)
  • Subnets:
    • public-apps (10.x.0.0/24) — Public CAE
    • private-apps (10.x.1.0/24) — Private CAE
    • data (10.x.2.0/24) — Redis, Service Bus private endpoints
    • keyvault (10.x.3.0/24) — Key Vault private endpoint
    • sql-peering (10.x.4.0/24) — VNet peering to shared SQL VNet
  • NSGs: One per subnet with deny-all default + explicit allow rules
  • VNet peering to mic-backend-shared-sql-rg VNet (10.100.0.0/16)

Resource Group Detail: *-apps-public-rg

Contains the Public Container Apps Environment and the internet-facing services.

Resources:

  • mic-erp-be-{env}-cae-public — Public CAE (Gateway + Keycloak)
  • Container Apps: Gateway.API, Keycloak

Resource Group Detail: *-apps-private-rg

Contains the Private Container Apps Environment and all internal microservices.

Resources:

  • mic-erp-be-{env}-cae-private — Private CAE (all 11 internal services)
  • Container Apps: AppsPortal.Apis, Inventory.Apis, BusinessOwners.Apis, BusinessOwners.AdminPortal, Integration.Apis, Attachment.Apis, Notification.Apis, Workflows.Apis, Hr.Personnel.Apis, Template.Blazor, Platforms.Worker
  • User-assigned managed identity: mic-erp-be-{env}-mi

Resource Group Detail: *-utils-rg

Contains utility data services (excluding SQL, which lives in the shared RG).

Resources:

  • Redis: mic-erp-be-{env}-redis
    • Product: Azure Managed Redis
    • SKU: Balanced_B0 (non-prod) / Balanced_B1 (default all environments)
  • Service Bus Namespace: mic-erp-be-{env}-asb
    • SKU: Standard (dev/stage), Premium (preprod/uat/prod)
    • Queues: notifications, workflow-events, audit-events
    • Private endpoint: mic-erp-be-{env}-asb-pe

Resource Group Detail: *-global-rg

Contains global/shared resources per environment including the image registry and Key Vault.

Resources:

  • ACR: micerpbe{env}acr
    • SKU: Basic (dev), Standard (stage), Premium (preprod/uat/prod)
    • Geo-replication: prod only (secondary in West Europe)
    • Private endpoint: prod only
  • Key Vault (see Key Vault for actual names per environment)
  • RBAC assignments:
    • Key Vault Secrets User → mic-erp-be-{env}-mi (runtime access)
    • Key Vault Secrets Officer → Pipeline service principal (provisioning)

Resource Group Detail: *-storage-rg

Contains backend blob storage (optional, may be part of global-rg).

Resources:

  • Backend Blob Storage: micerpbe{env}sa
    • Used by Attachment service for file uploads
    • Container: attachments
    • CORS: configured per environment

Resource Group Detail: *-monitoring-rg

Contains all observability infrastructure.

Resources:

  • Log Analytics Workspace: mic-erp-be-{env}-law
    • Retention: 30 days (dev/stage), 90 days (prod)
    • Daily cap: 5GB (dev), 20GB (prod)
  • Application Insights: mic-erp-be-{env}-ai
    • Connected to Log Analytics workspace
    • Sampling rate: 100% (dev), 20% (prod)

Resource Group Detail: mic-erp-fr-*-storage-rg

Contains the frontend SPA static file storage.

Resources:

  • Frontend Blob Storage: micerpfr{env}sa
    • Static website hosting enabled
    • Container $web for SPA files
    • CORS: origin https://{env-domain}, all HTTP methods
    • CDN origin for Azure Front Door (frontend)

MFE Storage Accounts

The frontend storage account (micerpfr{env}sa) is separate from the backend storage account (micerpbe{env}sa). This separation came from the frontend storage refactor (Session 13, 2026-03-31) which moved AzureBlobStorage secrets to the frontend MFE storage account.


Resource Group Detail: mic-erp-fr-*-swa-rg

Contains Azure Static Web Apps instances.

Resources:

  • One or more Static Web Apps for Angular MFE deployments
  • Custom domain assignments per SWA
  • Authentication providers (linked to Keycloak)

AFD Profiles (Global, not per-environment)

All Azure Front Door profiles live in the shared mic-erp-global-rg (not per-environment RGs):

| AFD Profile | Environments | Resource Group |
|---|---|---|
| mic-erp-fd | dev, stage | mic-erp-global-rg |
| mic-erp-fd-2 | preprod, uat | mic-erp-global-rg |
| mic-erp-prod-fd | production | mic-erp-global-rg |

  • Custom domains: gateway.{domain} and auth.{domain} for all environments
  • WAF policy: Standard_AzureFrontDoor SKU
  • DDoS protection: disabled (enableDdosProtection: false)

Deprovision Safety

When tearing down an environment using the deprovision pipeline:

  1. *-apps-public-rg and *-apps-private-rg are deleted first (no data, safe)
  2. *-utils-rg is deleted second (check backups first)
  3. *-global-rg is deleted third (ACR images are gone, KV enters soft-delete)
  4. *-storage-rg is deleted fourth (if separate from global-rg)
  5. *-monitoring-rg is deleted fifth
  6. *-network-rg is deleted last
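
A pre-flight check for the order above, as an added example that is not the project's deprovision pipeline: it validates a list of resource groups before any deletion runs. Treating mic-erp-global-rg as protected is an assumption of this example, and *-security-rg and *-sql-rg are rejected because the list above does not place them.

```bash
# Added example (not the project's pipeline): checks a teardown list against
# the documented deletion order before anything is passed to `az group delete`.

# Shared RGs a per-environment teardown must never touch. The SQL RG is marked
# do-not-delete on the page; listing mic-erp-global-rg is this example's assumption.
PROTECTED_RGS="mic-backend-shared-sql-rg mic-erp-global-rg"

# Map an RG suffix to its step in the documented order (apps first, network last).
tier_of() {
  case "$1" in
    apps-public|apps-private) echo 1 ;;
    utils) echo 2 ;;
    global) echo 3 ;;
    storage) echo 4 ;;
    monitoring) echo 5 ;;
    network) echo 6 ;;
    *) return 1 ;;
  esac
}

# Print the RG names for one environment in deletion order, one per line.
teardown_plan() {
  for s in apps-public apps-private utils global storage monitoring network; do
    echo "mic-erp-be-$1-$s-rg"
  done
}

# Read RG names from stdin (one per line); return non-zero on the first name
# that is protected, belongs to another environment, or is out of order.
validate_teardown() {
  env_name=$1; last=0
  while IFS= read -r rg; do
    [ -n "$rg" ] || continue
    case " $PROTECTED_RGS " in
      *" $rg "*) echo "refusing shared RG: $rg" >&2; return 1 ;;
    esac
    case "$rg" in
      "mic-erp-be-$env_name-"*-rg) ;;
      *) echo "not a $env_name RG: $rg" >&2; return 1 ;;
    esac
    suffix=${rg#"mic-erp-be-$env_name-"}; suffix=${suffix%-rg}
    tier=$(tier_of "$suffix") || { echo "not in teardown order: $rg" >&2; return 1; }
    [ "$tier" -ge "$last" ] || { echo "out of order: $rg" >&2; return 1; }
    last=$tier
  done
  return 0
}
```

Feed it the candidate list, for example `teardown_plan dev | validate_teardown dev`, and proceed only on exit status 0.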

Soft Delete on Key Vault

Key Vaults are protected by Azure's soft-delete policy for 90 days after deletion. If you need to re-create a KV with the same name, you must first purge the soft-deleted vault:

```bash
az keyvault purge --name mic-erp-be-dev-skv --location uksouth
```

Internal Documentation — Microtec Platform Team