Stage Environment
The stage environment is the primary integration and QA environment. It is the first environment that requires all DevSecOps pipeline stages to pass before deployment and is the target for OWASP ZAP DAST scanning.
Environment Snapshot
| Property | Value |
|---|---|
| Environment name | stage |
| VNet CIDR | 10.1.0.0/16 |
| Domain | microtecstage.com |
| Key Vault | mic-erp-stg-kv |
| ACR | micerpbestageacr |
| Branch trigger | stage or staging |
| Approval gate | None (auto-deploys on branch push) |
| SLA | Business hours (8 AM – 8 PM GST) |
Subnets
| Subnet | CIDR | Hosts |
|---|---|---|
| Public (CAE) | 10.1.1.0/24 | Gateway, Keycloak |
| Private (CAE) | 10.1.2.0/23 | All backend microservices |
| App Service | 10.1.4.0/24 | App Service integration |
| Function Apps | 10.1.5.0/24 | Function App integration |
| Private Endpoints | 10.1.6.0/24 | PaaS private endpoints (SQL, Redis, etc.) |
Key Infrastructure Resources
Container App Environments
| CAE | Name | Apps |
|---|---|---|
| Public | mic-erp-be-stage-cae-public | Gateway, Keycloak |
| Private | mic-erp-be-stage-cae-private | All other microservices |
Redis
Stage uses a dedicated Azure Managed Redis instance with SSL enforced:
| Property | Value |
|---|---|
| Hostname | mic-erp-be-stage-redis.uksouth.redis.azure.net |
| Port | 10000 (SSL) |
| TLS | Required (ssl=True) |
| SKU | Balanced_B0 |
| Password | KV secret: mic-erp-stg-kv → RedisConfiguration--Password |
Connection string format used in app configuration:
```
mic-erp-be-stage-redis.uksouth.redis.azure.net:10000,password=<from-kv>,ssl=True,abortConnect=False
```
Redis Port 10000 Not 6379
Azure Managed Redis uses port 10000 (not the default 6379) for SSL connections. Ensure ssl=True and port 10000 are set in all configuration. Connections on port 6380 (non-SSL) are blocked by NSG.
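A pre-deployment check for the rule above, as an added example that is not part of the original page: it parses a connection string in the format shown and fails unless the port is 10000 and ssl=True is present. The helper name `check_redis_conn` and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. check_redis_conn is a
# hypothetical helper; the sample strings at the bottom are constructed.
# Input format: host:port,key=value,... (as in the connection string above).

check_redis_conn() (
  # Body runs in a subshell so IFS and "set -f" do not leak to the caller.
  conn=$1
  rc=0
  ssl=""
  endpoint=${conn%%,*}                 # first field is host:port
  case $endpoint in
    *:*) port=${endpoint##*:} ;;
    *)   port="" ;;                    # no port given: client default would apply
  esac
  if [ "$port" != "10000" ]; then
    echo "port is '${port:-unset}', expected 10000" >&2
    rc=1
  fi
  set -f                               # a password may contain glob characters
  IFS=,
  for opt in ${conn#"$endpoint"}; do
    # Option names and boolean values are compared case-insensitively.
    key=$(printf '%s' "${opt%%=*}" | tr '[:upper:]' '[:lower:]')
    if [ "$key" = "ssl" ]; then
      ssl=$(printf '%s' "${opt#*=}" | tr '[:upper:]' '[:lower:]')
    fi
  done
  if [ "$ssl" != "true" ]; then
    echo "ssl is '${ssl:-unset}', expected True" >&2
    rc=1
  fi
  exit "$rc"
)

# Constructed samples: only the first satisfies both requirements.
for sample in \
  "redis.example.invalid:10000,password=placeholder,ssl=True,abortConnect=False" \
  "redis.example.invalid:6379,password=placeholder,ssl=True,abortConnect=False" \
  "redis.example.invalid:10000,password=placeholder,abortConnect=False"
do
  if check_redis_conn "$sample"; then echo "OK   ${sample%%,*}"; else echo "FAIL ${sample%%,*}"; fi
done
```

The function never prints the password, so it can run in a pipeline step against the resolved configuration value.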
SQL
Stage microservices connect to the shared SQL VM (20.50.120.95) using a separate stage login. Each tenant database is prefixed to avoid collision with dev databases.
Configuration
Key Vault Secrets
Key Vault name: mic-erp-stg-kv
| KV Secret Name | Description |
|---|---|
| ConnectionStrings--DefaultConnection | Admin DB connection string |
| RedisConfiguration--Password | Redis SSL password |
| AzureServiceBus--ConnectionString | Azure Service Bus connection string |
| Jwt--Secret | JWT signing key |
| XApiKey | Internal service-to-service API key |
| Attachment--StorageAccountKey | Blob storage for file attachments |
Domain and TLS
| Service | URL |
|---|---|
| API Gateway | https://gateway.microtecstage.com |
| Keycloak | https://auth.microtecstage.com |
| Business Owner Portal | https://bo.microtecstage.com |
| ERP Frontend | https://erp.microtecstage.com |
Who Uses Stage
| Role | Usage |
|---|---|
| QA engineers | Full regression testing, test case execution |
| Product owners | Feature acceptance and sprint demos |
| Security team | DAST scan target, penetration testing |
| Integration partners | Third-party integration testing (Zatca, payment gateways) |
| DevOps engineers | Pre-production infrastructure validation |
Pipeline Stages Required
Stage is the first environment where all 16 DevSecOps pipeline stages must pass:
Dev deployments skip stages E through N.
DAST Target
Stage is the only environment where automated OWASP ZAP scanning runs as part of the CI/CD pipeline:
- Passive scan: Runs on every stage deployment (all branches deploying to stage)
- Active scan: Runs only on stage branch deployments
See ZAP DAST documentation for configuration details.
Monitoring
| Tool | Details |
|---|---|
| Application Insights | mic-erp-be-stage-ai |
| OpenTelemetry | OTLP http://otel.microtecstage.com:4317 |
Log level is Information (same as production). Debug logging can be temporarily enabled per-service via the Container App environment variable override in the Azure Portal.
Seq Not Available in Stage
Seq structured log streaming is only available in the local dev environment. Stage and above send telemetry to Application Insights via OpenTelemetry.
Reset Procedures
Restart All Services
```bash
# Restart every container app in the stage private resource group
az containerapp list \
  --resource-group mic-erp-be-stage-apps-private-rg \
  --query "[].name" -o tsv | \
  xargs -I{} az containerapp restart \
    --name {} \
    --resource-group mic-erp-be-stage-apps-private-rg
```
Flush Stage Redis (with caution)
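```bash
# Read the Redis password from Key Vault instead of hard-coding it
REDIS_PWD=$(az keyvault secret show \
  --vault-name mic-erp-stg-kv \
  --name "RedisConfiguration--Password" \
  --query value -o tsv)
# FLUSHALL deletes every key in every database on the instance.
# Note: -a places the password on the command line; redis-cli also
# reads it from the REDISCLI_AUTH environment variable.
redis-cli \
  -h mic-erp-be-stage-redis.uksouth.redis.azure.net \
  -p 10000 \
  -a "${REDIS_PWD}" \
  --tls FLUSHALL
```
Coordinate Redis Flushes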
Stage may have active QA sessions running. Coordinate with the QA team before flushing Redis to avoid disrupting regression test runs.