
Networking Overview

Microtec ERP uses a hub-less, per-environment VNet topology. Each environment has its own /16 VNet, NSG rules, private DNS zones, and private endpoints, and there is no VNet peering between environments. The one resource reachable from more than one environment is the shared SQL server described at the end of this page.


VNet Topology

Internet
    │  HTTPS (443)
Azure Front Door (Premium + WAF)
    │  HTTPS (443)

Public CAE Subnet (10.{env}.0.0/24)
  ┌─────────────────────────────────┐
  │  Gateway.API      (port 80)     │
  │  Keycloak         (port 8080)   │
  └────────────┬────────────────────┘
               │ Private VNet traffic only

Private CAE Subnet (10.{env}.1.0/24)
  ┌─────────────────────────────────────────────────────────┐
  │  Accounting API        Notification       Workflow      │
  │  BusinessOwners        Attachment         Import        │
  │  Zatca                 Reporting          Integration   │
  │  HR    Finance    Sales    Purchase    Inventory        │
  └───────────────────┬─────────────────────────────────────┘
                      │ Private Endpoints

Private Endpoints Subnet (10.{env}.2.0/24)
  ┌─────────────────────────────────────────────────────────┐
  │  SQL (10.{env}.2.4)      Redis (10.{env}.2.5)           │
  │  Service Bus (10.{env}.2.6)  Key Vault (10.{env}.2.7)   │
  │  ACR (10.{env}.2.8)      Blob Storage (10.{env}.2.9)    │
  └─────────────────────────────────────────────────────────┘

Ports shown inside the CAE boxes are the containers' target ports; the Container Apps ingress terminates TLS in front of them.

VNet CIDRs by Environment

| Environment | VNet CIDR     | Public Subnet | Private Subnet | PE Subnet   |
|-------------|---------------|---------------|----------------|-------------|
| dev         | 10.0.0.0/16   | 10.0.0.0/24   | 10.0.1.0/24    | 10.0.2.0/24 |
| stage       | 10.1.0.0/16   | 10.1.0.0/24   | 10.1.1.0/24    | 10.1.2.0/24 |
| preprod     | 10.6.0.0/16   | 10.6.0.0/24   | 10.6.1.0/24    | 10.6.2.0/24 |
| uat         | 10.5.0.0/16   | 10.5.0.0/24   | 10.5.1.0/24    | 10.5.2.0/24 |
| production  | 10.2.0.0/16   | 10.2.0.0/24   | 10.2.1.0/24    | 10.2.2.0/24 |
| shared-sql  | 10.100.0.0/16 | N/A           | N/A            | N/A         |

Preprod note: 10.6.0.0/16 — not 10.3 (old docs may show 10.3 incorrectly).
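The address plan above is small enough to check mechanically, and doing so catches exactly the kind of drift the preprod note warns about. The following is an added example, not the platform team's code: it encodes the table, verifies that every subnet sits inside its environment's VNet and follows the 10.{env}.N.0/24 convention, that no two environments' VNets overlap, and maps an address from a flow log or NSG hit back to its environment and subnet. ADDRESS_PLAN, SUBNET_OCTET, validate_plan and env_for_address are names chosen here.

```python
import ipaddress

# Address plan from the table above (preprod is 10.6.0.0/16, not 10.3).
ADDRESS_PLAN = {
    "dev":        {"vnet": "10.0.0.0/16",   "public": "10.0.0.0/24", "private": "10.0.1.0/24", "pe": "10.0.2.0/24"},
    "stage":      {"vnet": "10.1.0.0/16",   "public": "10.1.0.0/24", "private": "10.1.1.0/24", "pe": "10.1.2.0/24"},
    "preprod":    {"vnet": "10.6.0.0/16",   "public": "10.6.0.0/24", "private": "10.6.1.0/24", "pe": "10.6.2.0/24"},
    "uat":        {"vnet": "10.5.0.0/16",   "public": "10.5.0.0/24", "private": "10.5.1.0/24", "pe": "10.5.2.0/24"},
    "production": {"vnet": "10.2.0.0/16",   "public": "10.2.0.0/24", "private": "10.2.1.0/24", "pe": "10.2.2.0/24"},
    "shared-sql": {"vnet": "10.100.0.0/16"},
}

# The page's 10.{env}.N.0/24 convention: which third octet each subnet role uses.
SUBNET_OCTET = {"public": 0, "private": 1, "pe": 2}


def validate_plan(plan):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    vnets = {}
    for env, cidrs in plan.items():
        vnet = ipaddress.ip_network(cidrs["vnet"])
        vnets[env] = vnet
        subnets = {role: ipaddress.ip_network(c) for role, c in cidrs.items() if role != "vnet"}
        for role, sn in subnets.items():
            if not sn.subnet_of(vnet):
                problems.append(f"{env}: {role} subnet {sn} is outside VNet {vnet}")
            if sn.prefixlen != 24 or sn.network_address.packed[2] != SUBNET_OCTET[role]:
                problems.append(f"{env}: {role} subnet {sn} breaks the 10.{{env}}.{SUBNET_OCTET[role]}.0/24 convention")
        roles = list(subnets)
        for i, a in enumerate(roles):
            for b in roles[i + 1:]:
                if subnets[a].overlaps(subnets[b]):
                    problems.append(f"{env}: {a} and {b} subnets overlap")
    envs = list(vnets)
    for i, a in enumerate(envs):
        for b in envs[i + 1:]:
            if vnets[a].overlaps(vnets[b]):
                problems.append(f"VNets of {a} ({vnets[a]}) and {b} ({vnets[b]}) overlap")
    return problems


def env_for_address(plan, address):
    """Map an address (from a flow log, an NSG hit, a connection string) to (environment, subnet role)."""
    ip = ipaddress.ip_address(address)
    for env, cidrs in plan.items():
        for role, cidr in cidrs.items():
            if role != "vnet" and ip in ipaddress.ip_network(cidr):
                return env, role
    for env, cidrs in plan.items():
        if ip in ipaddress.ip_network(cidrs["vnet"]):
            return env, "vnet"
    return None


if __name__ == "__main__":
    for problem in validate_plan(ADDRESS_PLAN) or ["address plan is consistent"]:
        print(problem)
    print(env_for_address(ADDRESS_PLAN, "10.2.2.4"))
```

Feeding the old 10.3.0.0/16 preprod VNet with the current 10.6.x subnets produces three "outside VNet" findings, which is the check worth wiring into the pipeline that deploys the Bicep.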


Azure Container Apps — Two-CAE Pattern

Each environment has exactly two Container Apps Environments:

Public CAE

| Property              | Value                      |
|-----------------------|----------------------------|
| Subnet                | public-apps (/24)          |
| Internet-facing       | Yes                        |
| Services              | Gateway.API, Keycloak      |
| Custom domain         | Yes (via Azure Front Door) |
| mTLS between services | No (only 2 services)       |

Private CAE

| Property              | Value                       |
|-----------------------|-----------------------------|
| Subnet                | private-apps (/24)          |
| Internet-facing       | No, VNet-internal only      |
| Services              | All other 12+ microservices |
| Custom domain         | No (internal DNS only)      |
| mTLS between services | Yes (enforced by CAE)       |

Gateway.API in the public CAE is the reverse proxy / API gateway. All external calls go Front Door → Gateway.API → private services, and no private service has a public IP. Note what the private CAE's mTLS does and does not cover: Container Apps peer-to-peer mTLS applies to traffic between apps inside the same environment, so the hop from Gateway.API into the private CAE crosses environments and enters through the private CAE's internal ingress over ordinary TLS on 443 (the port the NSG rules below allow), not CAE-enforced mTLS.


NSG Profiles

Public Apps NSG

Inbound rules:
  100: Allow HTTPS (443) from Internet → Allow
  110: Allow HTTP (80) from Internet → Allow (Front Door redirects HTTP to HTTPS)
  900: Deny all inbound → Deny

Outbound rules:
  100: Allow HTTPS to private-apps subnet → Allow
  110: Allow HTTPS to private-endpoints subnet → Allow
  900: Deny all → Deny

Check before relying on the WAF: with source "Internet" on rules 100 and 110, a client that knows the public CAE ingress FQDN can reach Gateway.API and Keycloak directly, bypassing Front Door and its WAF policy. Narrow the source of both rules to the AzureFrontDoor.Backend service tag, and have Gateway.API reject requests whose X-Azure-FDID header does not carry this profile's Front Door ID; the service tag is shared by every Front Door tenant, so the header check is what ties inbound traffic to this profile.

Private Apps NSG

Inbound rules:
  100: Allow all from public-apps subnet → Allow
  110: Allow all from private-apps subnet (service-to-service) → Allow
  900: Deny all inbound (blocks internet) → Deny

Outbound rules:
  100: Allow HTTPS to private-endpoints subnet → Allow
  110: Allow DNS (53) to AzureDNS → Allow
  900: Deny all → Deny

Two things to check against the deployed rules, because the profile as written does not cover them. Outbound rule 100 allows 443 only, which suits Key Vault, ACR and Blob Storage, but the SQL private endpoint listens on 1433, Redis on 6380 (TLS) and Service Bus on 5671 for AMQP (443 only when clients use AMQP over WebSockets); those ports must be listed or rule 900 drops the connections. And there is no outbound rule permitting private-apps → private-apps, although inbound rule 110 expects service-to-service traffic; NSGs are applied to traffic inside a subnet as well, so without a matching outbound allow those calls are denied.

Private Endpoints NSG

Inbound rules:
  100: Allow from private-apps subnet → Allow
  110: Allow from public-apps subnet → Allow
  900: Deny all → Deny

Outbound rules:
  Deny all → Deny

These rules only take effect if network policies for private endpoints are enabled on the private-endpoints subnet (privateEndpointNetworkPolicies); with them disabled, a private endpoint NIC ignores the subnet NSG and the rules above are decorative. Private endpoints never initiate connections, so the outbound deny costs nothing.
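To see what the three profiles permit exactly as written, here is an added example (not part of this page or the project's Bicep) that models them as priority-ordered rule lists and evaluates a flow against the source subnet's outbound NSG and the destination subnet's inbound NSG, using the production CIDRs from the table above. The model is a simplification: it assumes all environment VNets live in 10.0.0.0/8 when matching the Internet tag, uses the documentation address 203.0.113.10 as a constructed Internet client, and omits Azure's default rules. The 1433 case and the private-to-private case are the ones worth noting: under the outbound rules as written, a private service reaches neither the SQL private endpoint nor its sibling services.

```python
import ipaddress
from dataclasses import dataclass

# Production CIDRs from the table above; the NSG profiles are the same in every environment.
PUBLIC = "10.2.0.0/24"
PRIVATE = "10.2.1.0/24"
PE = "10.2.2.0/24"
AZURE_DNS = ipaddress.ip_address("168.63.129.16")  # Azure-provided DNS, well-known address
VNET_SPACE = ipaddress.ip_network("10.0.0.0/8")     # modelling assumption: "Internet" is everything outside this
ANY = "*"


@dataclass(frozen=True)
class Rule:
    priority: int
    source: str     # ANY, "Internet", "AzureDNS" or a CIDR string
    dest: str       # same
    ports: object   # ANY or a frozenset of destination ports
    action: str     # "Allow" or "Deny"


def _match_addr(spec, addr):
    if spec == ANY:
        return True
    if spec == "AzureDNS":
        return addr == AZURE_DNS
    if spec == "Internet":
        return addr not in VNET_SPACE and addr != AZURE_DNS
    return addr in ipaddress.ip_network(spec)


def evaluate(rules, src, dst, port):
    """First matching rule in ascending priority order decides.
    Returns (allowed, priority of the matching rule); no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if _match_addr(r.source, s) and _match_addr(r.dest, d) and (r.ports == ANY or port in r.ports):
            return r.action == "Allow", r.priority
    return False, None


DENY_ALL = Rule(900, ANY, ANY, ANY, "Deny")
PUBLIC_APPS_IN = [Rule(100, "Internet", PUBLIC, frozenset({443}), "Allow"),
                  Rule(110, "Internet", PUBLIC, frozenset({80}), "Allow"), DENY_ALL]
PUBLIC_APPS_OUT = [Rule(100, PUBLIC, PRIVATE, frozenset({443}), "Allow"),
                   Rule(110, PUBLIC, PE, frozenset({443}), "Allow"), DENY_ALL]
PRIVATE_APPS_IN = [Rule(100, PUBLIC, PRIVATE, ANY, "Allow"),
                   Rule(110, PRIVATE, PRIVATE, ANY, "Allow"), DENY_ALL]
PRIVATE_APPS_OUT = [Rule(100, PRIVATE, PE, frozenset({443}), "Allow"),
                    Rule(110, PRIVATE, "AzureDNS", frozenset({53}), "Allow"), DENY_ALL]
PE_IN = [Rule(100, PRIVATE, PE, ANY, "Allow"), Rule(110, PUBLIC, PE, ANY, "Allow"), DENY_ALL]
PE_OUT = [DENY_ALL]

# (inbound NSG, outbound NSG) attached to each subnet
NSG_FOR = {PUBLIC: (PUBLIC_APPS_IN, PUBLIC_APPS_OUT),
           PRIVATE: (PRIVATE_APPS_IN, PRIVATE_APPS_OUT),
           PE: (PE_IN, PE_OUT)}


def _nsg_of(addr):
    a = ipaddress.ip_address(addr)
    return next((pair for cidr, pair in NSG_FOR.items() if a in ipaddress.ip_network(cidr)), None)


def flow_allowed(src, dst, port):
    """A flow passes only if the source subnet's outbound NSG and the destination
    subnet's inbound NSG both allow it. Endpoints outside the modelled subnets
    (Internet clients, Azure DNS) have no NSG on their side."""
    src_nsg, dst_nsg = _nsg_of(src), _nsg_of(dst)
    if src_nsg is not None and not evaluate(src_nsg[1], src, dst, port)[0]:
        return False
    if dst_nsg is not None and not evaluate(dst_nsg[0], src, dst, port)[0]:
        return False
    return True


if __name__ == "__main__":
    # Constructed flows; 203.0.113.10 stands in for an Internet client.
    for src, dst, port in [
        ("203.0.113.10", "10.2.0.4", 443),   # Internet -> Gateway.API via Front Door
        ("203.0.113.10", "10.2.1.4", 443),   # Internet -> private service, must be denied
        ("10.2.0.4", "10.2.1.4", 443),       # Gateway.API -> private service
        ("10.2.1.4", "10.2.1.9", 443),       # private service -> private service: no outbound allow
        ("10.2.1.4", "10.2.2.7", 443),       # private service -> Key Vault PE
        ("10.2.1.4", "10.2.2.4", 1433),      # private service -> SQL PE: not covered by an HTTPS-only rule
        ("10.2.1.4", "168.63.129.16", 53),   # private service -> Azure DNS
        ("10.2.2.4", "10.2.1.4", 443),       # PE subnet has no outbound at all
    ]:
        print(f"{src:>14} -> {dst}:{port:<5} {'ALLOW' if flow_allowed(src, dst, port) else 'DENY'}")
```

The same evaluator can be pointed at the rules exported from the real NSGs (az network nsg rule list) instead of the hand-typed lists, which is the useful form: the profile on this page is the intent, the export is what is enforced.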

Azure Front Door

Azure Front Door Premium with WAF handles all public ingress:

Client HTTPS request
    │
Azure Front Door Premium
  ├── WAF Policy: OWASP 3.2 rule set
  ├── TLS termination (TLS 1.2 minimum)
  ├── Custom domain: onlinemicrotec.com.sa
  ├── Origin group: Public CAE (Gateway.API)
  └── Health probe: /health every 30s

Front Door is configured in Devops/azure/infrastructure/modules/frontdoor.bicep.


Private DNS Zones

12 private DNS zones are deployed per environment and linked to the environment VNet. See private-dns.md for the full list.


No Cross-Environment Connectivity

Security policy: There is no VNet peering, VPN, or ExpressRoute connection between any two environment VNets.

If a service in staging needs to test against a production database replica, it must use a replica within its own environment — it cannot reach across to the production VNet.

This isolation prevents:

  • A misconfigured staging pipeline from writing to production databases (for databases hosted inside the environment VNet; the shared SQL server below is the exception)
  • Security incidents in dev/stage from pivoting to production over the network
  • Noisy neighbor effects between environments

Shared SQL Network

The SQL Server VM RG (mic-backend-shared-sql-rg) uses a separate VNet: 10.100.0.0/16.

Each environment's private CAE reaches the shared SQL server through a private endpoint in its own private-endpoints subnet. This is the only network resource shared across environments, and it is where the isolation described above is weakest: every environment lands on the same server, so dev and production are separated there only by which databases and logins each environment's credentials are granted, not by the network. Keep those logins per-environment and least-privilege, and treat a credential leaked from dev as exposure of the server production uses.

10.{env}.2.X  ──► private endpoint ──► SQL VM (10.100.X.X)

Internal Documentation — Microtec Platform Team