Fooj Architecture
Section: 17 — Fooj
Last Updated: 2026-05-30
Scope: System components, ACA layout, networking, data layer
Component Overview
Services
Fooj.Apis (.NET 8)
The single backend API service for all Fooj operations.
| Property | Value |
|---|---|
| Technology | .NET 8, Clean Architecture, CQRS with MediatR |
| Pattern | Same as ERP microservices — just one service |
| Auth | JWT from Keycloak (standard, no ERP dual-token complexity) |
| Database | Azure SQL PaaS via EF Core |
| Cache | Azure Redis |
| Swagger | /swagger (disabled in production) |
| Port | 8080 (internal) |
Since Fooj is not multi-tenant, there is no ITenantProvider or tenant connection string resolution. The single Azure SQL database serves all users.
Angular 18 SSR (Customer-Facing Site)
| Property | Value |
|---|---|
| Technology | Angular 18 with Server-Side Rendering |
| Hosting | Azure Container Apps (Node.js/Nginx container) |
| Domain | www.fooj.sa (prod), staging.fooj.sa (stage) |
| Purpose | Customer-facing website with SEO-optimized SSR |
SSR is critical for Fooj because the customer-facing pages need to be indexable by search engines.
Angular 18 Admin
| Property | Value |
|---|---|
| Technology | Angular 18 (standard SPA, no SSR) |
| Hosting | Azure Container Apps (Nginx static) |
| Domain | admin.fooj.sa (prod), admin-staging.fooj.sa (stage) |
| Purpose | Internal management portal for Fooj operations team |
Keycloak
| Property | Value |
|---|---|
| Version | 24.x |
| Deployment | Azure Container Apps |
| Realm | fooj (single realm, no multi-realm complexity) |
| Domain | auth.fooj.sa (prod), auth-staging.fooj.sa (stage) |
| Database | Azure SQL (same PaaS instance, separate database) |
Azure Container Apps Layout
Unlike ERP (which has separate public/private CAEs), Fooj uses a single shared CAE per environment.
Fooj Stage CAE: fooj-stage-cae
├── fooj-apis (backend)
├── fooj-keycloak (auth)
├── fooj-ssr (customer site)
└── fooj-admin (admin portal)
Fooj Prod CAE: fooj-prod-cae
├── fooj-apis
├── fooj-keycloak
├── fooj-ssr
└── fooj-admin
All services in the CAE communicate via internal DNS (VNet-integrated CAE):
fooj-apis.fooj-stage-cae.internal
fooj-keycloak.fooj-stage-cae.internal
Scaling Configuration
| Service | Min Replicas | Max Replicas | Scale Trigger |
|---|---|---|---|
| fooj-apis | 0 (stage), 1 (prod) | 5 | HTTP queue depth |
| fooj-keycloak | 1 | 2 | HTTP |
| fooj-ssr | 0 (stage), 1 (prod) | 3 | HTTP |
| fooj-admin | 0 | 1 | HTTP |
Stage scales to zero when idle — contributes to the lower ~$40/mo cost.
Networking
VNet
| Property | Value |
|---|---|
| VNet CIDR | 10.20.0.0/16 |
| Stage subnet | 10.20.1.0/24 |
| Production subnet | 10.20.2.0/24 |
| NAT Gateway IP | 20.26.0.39 (shared, see shared-egress.md) |
DNS Resolution
All fooj.sa DNS is managed in Azure DNS:
| Record | Type | Value |
|---|---|---|
| www.fooj.sa | CNAME | ACA ingress FQDN |
| api.fooj.sa | CNAME | ACA ingress FQDN |
| auth.fooj.sa | CNAME | ACA ingress FQDN |
| admin.fooj.sa | CNAME | ACA ingress FQDN |
| (stage equivalents) | CNAME | Stage ACA FQDN |
Data Layer
Azure SQL PaaS
Unlike ERP (which uses a SQL Server VM), Fooj uses Azure SQL Database PaaS.
| Property | Stage | Production |
|---|---|---|
| Tier | Basic / S0 | General Purpose |
| vCores | — (DTU-based) | 2 |
| Storage | 2 GB | 32 GB |
| Backup | 7-day LTR | 35-day LTR |
| HA | LRS | Geo-redundant |
Benefits over VM:
- Automatic patching and updates
- Built-in HA and failover
- No SSH/VM management
- Automated backups
Azure Cache for Redis
| Property | Stage | Production |
|---|---|---|
| Tier | C0 Basic | C1 Standard |
| Memory | 250 MB | 1 GB |
| SSL | Required | Required |
| HA | No | Yes (replicated) |
Used for:
- Session caching
- API response caching
- Distributed locks
Authentication Architecture
Fooj uses a simplified auth model compared to ERP — no dual-token, no multi-realm, no company/branch selection.
Keycloak Realm Configuration
| Realm | fooj |
|---|---|
| Clients | fooj-web (SSR), fooj-admin |
| Token lifetime | 30 minutes |
| Refresh token | 8 hours |
| Custom claims | fooj_role (customer / operator / admin) |
| No custom SPIs | Standard Keycloak only |
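An added example, not taken from the Fooj code base, of how Fooj.Apis could validate Keycloak tokens from the fooj realm and map the fooj_role claim to authorization policies. The issuer path, the audience value `fooj-apis`, the RS256 algorithm, the policy names and the routes are assumptions for illustration.

```csharp
// Program.cs for a .NET 8 web project; needs the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumption: issuer = auth.fooj.sa + Keycloak's default /realms/{realm} path.
const string Authority = "https://auth.fooj.sa/realms/fooj";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = Authority;        // signing keys are fetched from the realm's discovery document
        options.RequireHttpsMetadata = true;
        options.MapInboundClaims = false;     // keep "sub" and "fooj_role" under their JWT names
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = Authority,
            ValidateIssuer = true,
            ValidAudience = "fooj-apis",      // assumption: an audience mapper adds this value to access tokens
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),   // library default is 5 minutes
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // assumption: realm signs with RS256
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Deny by default: endpoints without explicit metadata still require a valid token.
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    options.AddPolicy("Operator", p => p.RequireClaim("fooj_role", "operator", "admin"));
    options.AddPolicy("Admin", p => p.RequireClaim("fooj_role", "admin"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical routes, one per access level.
app.MapGet("/healthz", () => Results.Ok()).AllowAnonymous();
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new { role = user.FindFirst("fooj_role")?.Value }));
app.MapGet("/orders", () => Results.Ok()).RequireAuthorization("Operator");
app.MapGet("/admin/users", () => Results.Ok()).RequireAuthorization("Admin");
app.Run();
```

Pinning the issuer and audience keeps tokens minted for another realm or client from being accepted, and the fallback policy means a route added without an explicit policy is still closed to anonymous callers.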
CI/CD
Fooj uses the same Azure DevOps organization but a separate pipeline:
Pipeline: Devops/fooj/azure-pipelines.yml
Trigger: Changes to Fooj.* projects
Environments: stage → prod (manual approval for prod)
ACR: foojstageacr / foojprodacr
Resource Naming Convention
Fooj follows a simplified naming convention (not the ERP mic-erp-be / mic-erp-fr pattern):
| Resource | Stage | Production |
|---|---|---|
| Resource Group | fooj-stage-rg | fooj-prod-rg |
| Container Apps Env | fooj-stage-cae | fooj-prod-cae |
| SQL Server | fooj-stage-sql | fooj-prod-sql |
| Redis | fooj-stage-redis | fooj-prod-redis |
| Key Vault | fooj-stage-kv | fooj-prod-kv |
| ACR | foojstageacr | foojprodacr |