Fooj Azure Infrastructure
Section: 17 — Fooj
Last Updated: 2026-05-30
Scope: Fooj Azure subscription, resource groups, ACA setup, shared VNet egress
Overview
Fooj runs in a completely separate Azure subscription from the Microtec ERP platform. The two systems share nothing at the subscription level — billing, IAM, networking policies, and quotas are all independent.
Fooj Subscription ID
f2340b90-2a00-4551-aabc-6e1776e82077
Subscription Separation Rationale
| Concern | ERP Subscription | Fooj Subscription |
|---|---|---|
| Billing | Microtec ERP budget | Fooj project budget |
| IAM | ERP team engineers | Fooj team engineers |
| Network CIDR space | 10.0–10.6/16 range | Separate CIDR range |
| ACR | micerpbe{env}acr | Fooj-specific ACR |
| Service principal | ERP pipeline SP | Fooj pipeline SP |
Resource Groups
Fooj uses a clean two-tier RG structure per environment:
| Resource Group | Contains |
|---|---|
| fooj-{env}-network-rg | VNet, subnets, NAT Gateway |
| fooj-{env}-containers-rg | ACA environment, container apps |
| fooj-{env}-storage-rg | Storage accounts, CDN |
| fooj-{env}-shared-rg | ACR, Key Vault, shared resources |
Environments: stg (staging), prod (production).
Networking Architecture
Shared VNet Egress
The NAT Gateway IP 20.26.0.39 is shared with ERP stage and production environments. This means:
- Fooj outbound traffic appears as 20.26.0.39 to external services
- ERP stage and production outbound traffic also appears as 20.26.0.39
- Any external IP allowlist (e.g., payment gateway, ZATCA sandbox) must include this single IP for all three environments
Egress IP is shared
If a third-party service only allows a single IP, adding 20.26.0.39 covers Fooj staging, Fooj production, ERP staging, and ERP production simultaneously. Confirm with the third-party vendor that this is acceptable before configuring their allowlist.
Azure Container Apps Configuration
ACA Environment
Each environment has one ACA environment:
| Property | Staging | Production |
|---|---|---|
| Name | fooj-stg-cae | fooj-prod-cae |
| Resource Group | fooj-stg-containers-rg | fooj-prod-containers-rg |
| VNet integration | fooj-stg-vnet/aca-subnet | fooj-prod-vnet/aca-subnet |
| Internal only | No (public ingress) | No (public ingress) |
| Zone redundancy | No | Yes |
Container Apps
| App Name | Purpose | Min Replicas | Max Replicas |
|---|---|---|---|
| fooj-ssr | Angular 18 SSR (Node.js) | 1 | 10 |
| fooj-api | Backend API | 1 | 10 |
Ingress
Fooj container apps use external ingress — they are publicly reachable via the ACA environment's ingress controller. TLS termination happens at the ACA ingress level using Azure-managed certificates.
Container Registry
Fooj uses a dedicated ACR in the shared resource group:
| Property | Staging | Production |
|---|---|---|
| ACR Name | foojstgacr | foojprodacr |
| SKU | Standard | Premium (geo-replication) |
| Auth | User-assigned managed identity | User-assigned managed identity |
Pull authentication uses the same managed-identity pattern as ERP:
```bicep
// Grant the container app's managed identity AcrPull on the registry so image
// pulls need no admin credentials or stored passwords.
resource acaPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, containerApp.id, 'acrpull')
  scope: acr
  properties: {
    // 7f951dda-... is the built-in AcrPull role definition
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
    principalId: containerApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```
Key Vault
Each environment has a dedicated Key Vault:
| Property | Staging | Production |
|---|---|---|
| Name | fooj-stg-kv | fooj-prod-kv |
| Resource Group | fooj-stg-shared-rg | fooj-prod-shared-rg |
| Access model | RBAC | RBAC |
Container apps reference secrets using keyvaultref: in environment variables — the same pattern as ERP.
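The Key Vault side of that pattern, written out as an added example (not code from the Fooj repository): the built-in Key Vault Secrets User role is granted to the app's user-assigned identity, and one secret is injected into fooj-api through a Key Vault reference. It assumes the vault, identity and container app are deployed into a single resource group (so the role assignment can use `scope: kv` without a module); the identity name, secret name, port and parameter values are placeholders.

```bicep
// Added example, not from the Fooj repo: fooj-api reads a secret from fooj-stg-kv with the same
// managed-identity + RBAC pattern as the ACR pull assignment. Assumptions: vault, identity and app
// live in one resource group (so `scope: kv` needs no module); names, port and params are placeholders.
param location string = resourceGroup().location
param acaEnvironmentId string   // resource id of fooj-stg-cae
param image string              // e.g. foojstgacr.azurecr.io/fooj-api:<tag>
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: 'fooj-stg-kv'
}

resource apiIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'fooj-stg-api-id'   // assumed name
  location: location
}

// Key Vault Secrets User: read secret values only, no rights to manage the vault itself.
var kvSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
resource kvSecretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, apiIdentity.id, kvSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvSecretsUserRoleId)
    principalId: apiIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
resource api 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'fooj-api'
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${apiIdentity.id}': {} } }
  properties: {
    managedEnvironmentId: acaEnvironmentId
    configuration: {
      ingress: { external: true, targetPort: 8080 }   // assumed port
      secrets: [
        {
          name: 'db-connection'   // assumed secret name
          keyVaultUrl: '${kv.properties.vaultUri}secrets/db-connection'  // ACA fetches it using apiIdentity
          identity: apiIdentity.id
        }
      ]
    }
    template: {
      containers: [ { name: 'fooj-api', image: image, env: [ { name: 'DB_CONNECTION', secretRef: 'db-connection' } ] } ]
      scale: { minReplicas: 1, maxReplicas: 10 }
    }
  }
  dependsOn: [ kvSecretsUser ]   // the role must exist before ACA resolves the secret at startup
}
```

The secret value never appears in the Bicep file or in deployment history; the app only holds a reference, and revoking the role assignment cuts off access without redeploying the app.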
Bicep Infrastructure
Fooj infrastructure is defined in Bicep under Devops/azure/fooj/:
```text
Devops/azure/fooj/
├── main.bicep                ← Subscription-scoped entry point
├── modules/
│   ├── network.bicep         ← VNet, subnets, NAT GW
│   ├── containerApps.bicep   ← ACA environment + apps
│   ├── acr.bicep             ← Container registry
│   └── keyVault.bicep        ← Key Vault + RBAC
└── parameters/
    ├── stg.bicepparam
    └── prod.bicepparam
```
Deploy:
```bash
az deployment sub create \
  --location uksouth \
  --template-file Devops/azure/fooj/main.bicep \
  --parameters Devops/azure/fooj/parameters/stg.bicepparam
```
Cost Considerations
The shared NAT Gateway was chosen to reduce egress costs. A dedicated NAT GW per environment costs approximately £25–30/month per gateway. By sharing a single gateway across Fooj staging, Fooj production, ERP staging, and ERP production, three gateway instances are avoided.
The trade-off is operational coupling: if the shared NAT GW has a fault, all four environments lose deterministic egress. This is mitigated by Azure's 99.99% SLA on NAT Gateway.