Network Topology
Full network architecture of the Microtec ERP Azure infrastructure — per-environment VNets, subnets, Container Apps Environments, private endpoints, NAT Gateway, and Azure Front Door.
High-Level Topology
Environment-Specific CIDR Table
| Environment | VNet CIDR | Public Subnet | Private Subnet | PE Subnet | NAT GW Egress IP |
|---|---|---|---|---|---|
| dev | 10.0.0.0/16 | 10.0.0.0/24 | 10.0.1.0/24 | 10.0.2.0/24 | dynamic |
| stage | 10.1.0.0/16 | 10.1.0.0/24 | 10.1.1.0/24 | 10.1.2.0/24 | dynamic |
| preprod | 10.6.0.0/16 | 10.6.0.0/24 | 10.6.1.0/24 | 10.6.2.0/24 | dynamic |
| uat | 10.5.0.0/16 | 10.5.0.0/24 | 10.5.1.0/24 | 10.5.2.0/24 | dynamic |
| production | 10.2.0.0/16 | 10.2.0.0/24 | 10.2.1.0/24 | 10.2.2.0/24 | static |
| shared-sql | 10.100.0.0/16 | N/A | N/A | N/A | N/A |
Preprod CIDR
Preprod uses 10.6.0.0/16 — not 10.3. Older documentation may reference 10.3 incorrectly. Always use 10.6 for preprod.
No VNet Peering
Each environment VNet is completely isolated. There is no VNet peering between environments. Cross-environment communication does not occur by design.
Subnet Detail: Private Endpoints
All PaaS services are accessed exclusively via private endpoints. Container Apps never reach a PaaS service over a public IP; every dependency resolves to an address in the environment's PE subnet.
| Private Endpoint | Azure Resource | Private IP | DNS Zone |
|---|---|---|---|
| SQL PE | mic-backend-shared-sql-rg SQL Server | 10.{env}.2.4 | privatelink.database.windows.net |
| Redis PE | mic-erp-be-{env}-redis | 10.{env}.2.5 | privatelink.redis.cache.windows.net |
| Service Bus PE | mic-erp-be-{env}-asb namespace | 10.{env}.2.6 | privatelink.servicebus.windows.net |
| Key Vault PE | KV name (see security docs) | 10.{env}.2.7 | privatelink.vaultcore.azure.net |
| ACR PE | micerpbe{env}acr | 10.{env}.2.8 | privatelink.azurecr.io |
| Blob Storage PE | micerpbe{env}sa | 10.{env}.2.9 | privatelink.blob.core.windows.net |
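The PE table above gives each private endpoint a fixed host offset inside the environment's PE subnet (10.{env}.2.0/24), so the expected address of any privatelink hostname can be derived from the CIDR table. The script below is an added example, not code from the page or from the Microtec project: it derives those addresses and classifies a DNS answer for a privatelink hostname as the expected PE address, a different host in the PE subnet, a private address in the wrong subnet, or a public address (the case where private DNS did not take effect). The environment octets and offsets are the page's; the sample hostnames and answers in `__main__` are constructed.

```python
"""Derive expected private-endpoint addresses per environment and check
DNS answers against them. Added example; not part of the original page."""
import ipaddress

# Second octet of each environment VNet, from the CIDR table (preprod is 10.6, not 10.3).
ENV_SECOND_OCTET = {"dev": 0, "stage": 1, "production": 2, "uat": 5, "preprod": 6}

# Last octet of each private endpoint inside 10.{env}.2.0/24, from the PE table.
PE_HOST_OFFSET = {
    "privatelink.database.windows.net": 4,     # SQL
    "privatelink.redis.cache.windows.net": 5,  # Redis
    "privatelink.servicebus.windows.net": 6,   # Service Bus
    "privatelink.vaultcore.azure.net": 7,      # Key Vault
    "privatelink.azurecr.io": 8,               # ACR
    "privatelink.blob.core.windows.net": 9,    # Blob Storage
}


def subnets(env):
    """Return the VNet and its three subnets for an environment."""
    o = ENV_SECOND_OCTET[env]
    return {
        "vnet": ipaddress.ip_network(f"10.{o}.0.0/16"),
        "public": ipaddress.ip_network(f"10.{o}.0.0/24"),
        "private": ipaddress.ip_network(f"10.{o}.1.0/24"),
        "pe": ipaddress.ip_network(f"10.{o}.2.0/24"),
    }


def expected_pe_address(env, zone):
    """Expected private IP of the endpoint for a privatelink zone in an environment."""
    return subnets(env)["pe"].network_address + PE_HOST_OFFSET[zone]


def check_resolution(env, hostname, resolved_ip):
    """Classify a DNS answer for a privatelink hostname.

    Returns "ok", "pe-subnet-other-host", "private-but-wrong-subnet", or
    "public" (the answer is not an RFC 1918 address, so the private DNS zone
    was not consulted and the service's public address leaked through).
    """
    ip = ipaddress.ip_address(resolved_ip)
    zone = next((z for z in PE_HOST_OFFSET if hostname.endswith("." + z)), None)
    if zone is None:
        raise ValueError(f"{hostname} is not under a known privatelink zone")
    if ip == expected_pe_address(env, zone):
        return "ok"
    if ip in subnets(env)["pe"]:
        return "pe-subnet-other-host"
    if ip.is_private:
        return "private-but-wrong-subnet"
    return "public"


if __name__ == "__main__":
    # Constructed sample answers; the hostnames are hypothetical.
    samples = [
        ("preprod", "erp.privatelink.database.windows.net", "10.6.2.4"),
        ("dev", "erp.privatelink.redis.cache.windows.net", "10.1.2.5"),
        ("stage", "erp.privatelink.azurecr.io", "20.60.1.2"),
    ]
    for env, host, answer in samples:
        print(f"{env:10} {host:45} {answer:12} -> {check_resolution(env, host, answer)}")
```

Run it from inside a Container App (or any VM in the environment VNet) with the real `getaddrinfo` answers substituted for the constructed samples; a "public" result means the VNet is not linked to the private DNS zone for that service.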
Two-CAE Architecture per Environment
Public CAE Properties
| Property | Value |
|---|---|
| Subnet | public-apps (/24) |
| Internet-facing | Yes |
| Services | Gateway.API, Keycloak |
| mTLS | No — only two apps run here, so intra-CAE mTLS is not applicable |
| Custom domains | Yes — via Azure Front Door |
| Health probe | AFD → /health/live every 30 s |
Private CAE Properties
| Property | Value |
|---|---|
| Subnet | private-apps (/24) |
| Internet-facing | No — VNet-internal only |
| Services | All other 12+ microservices |
| mTLS | Yes — enforced by CAE at sidecar level |
| Custom domains | No — internal DNS only |
| Internal FQDN pattern | {app-name}.internal.{unique-id}.{region}.azurecontainerapps.io |
NAT Gateway
Each environment has a NAT Gateway attached to both CAE subnets for predictable outbound egress. All outbound traffic from Container Apps — including calls to external APIs (e-invoicing, payment gateways, email providers) — exits through the NAT Gateway's static IP.
Production egress IP: Static IP — whitelist this IP on external partner firewalls.
Fooj Shared NAT Gateway
The Fooj project (separate subscription) uses a shared NAT Gateway (20.26.0.39) consolidated for both stage and production CAEs in a single VNet. This is a separate architecture from the main ERP.
Network Security Groups (NSG)
Public Apps NSG
| Priority | Direction | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|
| 100 | Inbound | TCP 443 | Internet | Public subnet | Allow |
| 110 | Inbound | TCP 80 | Internet | Public subnet | Allow (AFD redirect) |
| 900 | Inbound | Any | Any | Any | Deny |
| 100 | Outbound | TCP 80/443 | Public subnet | Private subnet | Allow |
| 110 | Outbound | TCP 443 | Public subnet | PE subnet | Allow |
| 900 | Outbound | Any | Any | Any | Deny |
Private Apps NSG
| Priority | Direction | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|
| 100 | Inbound | TCP 80/443 | Public subnet | Private subnet | Allow |
| 200 | Inbound | TCP 80/443 | Private subnet | Private subnet | Allow (intra-CAE) |
| 900 | Inbound | Any | Any | Any | Deny |
| 100 | Outbound | TCP 1433 | Private subnet | PE subnet | Allow (SQL) |
| 110 | Outbound | TCP 10000 | Private subnet | PE subnet | Allow (Redis TLS) |
| 120 | Outbound | TCP 443 | Private subnet | PE subnet | Allow (KV/ASB/ACR) |
| 900 | Outbound | Any | Any | Any | Deny |
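NSGs evaluate rules in ascending priority order and the first match decides the flow, so reading the two tables above as "what gets through" means walking them in that order. The script below is an added example, not code from the page or from any Microtec tooling: it transcribes both NSG tables as data and evaluates sample flows against them. Address ranges use the dev environment (10.0.0.0/16); "Internet" and "Any" are modelled as 0.0.0.0/0, and the sample flows are constructed.

```python
"""First-match evaluation of the Public Apps and Private Apps NSG tables.
Added example; rules transcribed from the page, dev environment addresses."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC = ipaddress.ip_network("10.0.0.0/24")   # public-apps subnet (dev)
PRIVATE = ipaddress.ip_network("10.0.1.0/24")  # private-apps subnet (dev)
PE = ipaddress.ip_network("10.0.2.0/24")       # private endpoint subnet (dev)


@dataclass(frozen=True)
class Rule:
    priority: int
    direction: str    # "Inbound" or "Outbound"
    ports: frozenset  # TCP destination ports; empty means any port
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str       # "Allow" or "Deny"


def rule(priority, direction, ports, src, dst, action):
    return Rule(priority, direction, frozenset(ports), src, dst, action)


PUBLIC_APPS_NSG = [
    rule(100, "Inbound", {443}, ANY, PUBLIC, "Allow"),
    rule(110, "Inbound", {80}, ANY, PUBLIC, "Allow"),        # AFD redirect
    rule(900, "Inbound", set(), ANY, ANY, "Deny"),
    rule(100, "Outbound", {80, 443}, PUBLIC, PRIVATE, "Allow"),
    rule(110, "Outbound", {443}, PUBLIC, PE, "Allow"),
    rule(900, "Outbound", set(), ANY, ANY, "Deny"),
]

PRIVATE_APPS_NSG = [
    rule(100, "Inbound", {80, 443}, PUBLIC, PRIVATE, "Allow"),
    rule(200, "Inbound", {80, 443}, PRIVATE, PRIVATE, "Allow"),  # intra-CAE
    rule(900, "Inbound", set(), ANY, ANY, "Deny"),
    rule(100, "Outbound", {1433}, PRIVATE, PE, "Allow"),         # SQL
    rule(110, "Outbound", {10000}, PRIVATE, PE, "Allow"),        # Redis TLS
    rule(120, "Outbound", {443}, PRIVATE, PE, "Allow"),          # KV/ASB/ACR
    rule(900, "Outbound", set(), ANY, ANY, "Deny"),
]


def evaluate(nsg, direction, src_ip, dst_ip, port):
    """Return (action, priority) of the first matching rule in priority order.

    Mirrors NSG semantics: lowest priority number first, first match wins.
    Returns ("Deny", None) only if nothing matches, which cannot happen with
    these tables because each direction ends in an Any/Any deny at 900.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in sorted(nsg, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.ports and port not in r.ports:
            continue
        if src in r.src and dst in r.dst:
            return r.action, r.priority
    return "Deny", None


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
    flows = [
        (PUBLIC_APPS_NSG, "Inbound", "203.0.113.10", "10.0.0.7", 443),
        (PUBLIC_APPS_NSG, "Inbound", "203.0.113.10", "10.0.0.7", 22),
        (PRIVATE_APPS_NSG, "Inbound", "203.0.113.10", "10.0.1.7", 443),
        (PRIVATE_APPS_NSG, "Outbound", "10.0.1.7", "10.0.2.4", 1433),
        (PRIVATE_APPS_NSG, "Outbound", "10.0.1.7", "10.0.2.4", 6379),
        (PRIVATE_APPS_NSG, "Outbound", "10.0.1.7", "198.51.100.5", 443),
    ]
    for nsg, direction, s, d, p in flows:
        name = "public" if nsg is PUBLIC_APPS_NSG else "private"
        print(f"{name:7} {direction:8} {s:>14} -> {d:>14}:{p:<5} {evaluate(nsg, direction, s, d, p)}")
```

Two things the evaluation makes visible: a direct connection from the Internet to the private subnet is denied at priority 900 regardless of port, and, as transcribed, the private-apps outbound rules allow traffic only to the PE subnet, so a 443 flow from the private subnet to any other destination also lands on the 900 deny. Reconcile that with the NAT Gateway egress described in the section above when auditing the live rule set.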
Azure Front Door Traffic Flow
Route rules:
| Route | Cache | WAF | Origin |
|---|---|---|---|
| /api/* | Bypass | Yes | Public CAE — Gateway.API |
| /auth/* | Bypass | Yes | Public CAE — Keycloak |
| /* (catch-all) | 1 year (immutable hash files) | Yes | Azure SWA |
DNS Architecture
Private DNS zones (per environment VNet):
| DNS Zone | Resolves to |
|---|---|
| privatelink.database.windows.net | SQL private endpoint |
| privatelink.redis.cache.windows.net | Redis private endpoint |
| privatelink.servicebus.windows.net | ASB private endpoint |
| privatelink.vaultcore.azure.net | Key Vault private endpoint |
| privatelink.azurecr.io | ACR private endpoint |
| {cae-unique-id}.azurecontainerapps.io | ACA internal service FQDN |