07 · DevOps

Azure Cloud Infrastructure

Secure cloud architectures on Azure: VNet-isolated data plane, Managed Identity for service-to-service authentication, and stateless containers shipped from ACR. The diagram below illustrates the live topology of FideliCards.

FideliCards · Production Architecture (architecture diagram; components and edges as labelled)

Mobile (Android / iOS) → HTTPS + JWT → Azure Container App (.NET, stateless) inside the Azure Virtual Network (VNet) → JWT middleware validates the token against Microsoft Entra ID (formerly Azure Active Directory) and passes the request through → API Endpoint (Minimal API · Protected) → Managed Identity (system-assigned · no secrets stored · scoped per resource to SQL) → db txn → Azure SQL (VNet-private) → API response.
Container images are pulled from Azure Container Registry (ACR).

REQUEST FLOW


The mobile app issues an HTTPS call to the Container App's public ingress. The JWT in the Authorization header is passed to the Validate step, which checks its signature, issuer, audience and lifetime against the Microsoft Entra ID OpenID Connect metadata (the tenant's published signing keys) before the request reaches the endpoint.

ARCHITECTURE HIGHLIGHTS

NETWORK · ISOLATION

VNet-locked data plane

Azure SQL is reachable only through a private endpoint inside the VNet, with public network access on the logical server denied (a private endpoint alone does not close the public endpoint). The data store therefore has no public surface, and only Container Apps inside the VNet can connect.

IDENTITY · PASSWORDLESS

System-Assigned Managed Identity

Container Apps authenticate to Azure SQL with their own identity: the app requests a short-lived Entra ID access token for the SQL resource from the managed-identity endpoint, Azure issues and renews it, and the token is scoped to that resource alone. No connection-string password exists anywhere in the codebase or its configuration.
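The passwordless connection described above, as an added example that is not FideliCards' own code: an EF Core DbContext registered with a connection string that carries no password, so Microsoft.Data.SqlClient obtains the Entra ID token from the managed-identity endpoint itself. The server name `fidelicards-sql.database.windows.net`, database `fidelicards`, the `Card` entity, the configuration keys and the contained-user name `fidelicards-api` are placeholders; the contained user must be named after the Container App's identity.

```csharp
// EF Core + Azure SQL over a system-assigned managed identity (.NET 8).
// Added example, not FideliCards' code; names and config keys are placeholders.
// Requires Microsoft.EntityFrameworkCore.SqlServer (which brings Microsoft.Data.SqlClient).
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;

public sealed class Card
{
    public int Id { get; set; }
    public string Owner { get; set; } = "";   // Entra object id ("oid") of the card holder
    public int Points { get; set; }
}

public sealed class CardsDbContext(DbContextOptions<CardsDbContext> options) : DbContext(options)
{
    public DbSet<Card> Cards => Set<Card>();
}

public static class SqlManagedIdentity
{
    // No user id, no password: SqlClient requests a token for https://database.windows.net/
    // from the managed-identity endpoint and renews it transparently on reconnect.
    public static string BuildConnectionString(string server, string database) =>
        new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            Authentication = SqlAuthenticationMethod.ActiveDirectoryManagedIdentity,
            Encrypt = true,            // TLS to the private endpoint; never set TrustServerCertificate
            ConnectTimeout = 30,
        }.ConnectionString;

    public static IServiceCollection AddCardsDb(this IServiceCollection services, IConfiguration config)
    {
        var connectionString = BuildConnectionString(
            config["Sql:Server"] ?? "fidelicards-sql.database.windows.net",   // placeholder
            config["Sql:Database"] ?? "fidelicards");                          // placeholder

        // Transient fault handling matters more with token-based auth: a token refresh
        // or private-endpoint failover shows up as a retryable connection error.
        return services.AddDbContext<CardsDbContext>(o =>
            o.UseSqlServer(connectionString, sql => sql.EnableRetryOnFailure()));
    }
}

/* One-time grant, run by an Entra admin of the database, not by the app.
   The runtime identity gets data roles only (least privilege):

   CREATE USER [fidelicards-api] FROM EXTERNAL PROVIDER;   -- name = the Container App's identity
   ALTER ROLE db_datareader ADD MEMBER [fidelicards-api];
   ALTER ROLE db_datawriter ADD MEMBER [fidelicards-api];
*/
```

Register it with `builder.Services.AddCardsDb(builder.Configuration)`. Because the runtime identity holds only `db_datareader`/`db_datawriter`, EF Core migrations (which need `db_ddladmin`) should run at deploy time under a separate, more privileged identity rather than by widening the app's own grant.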

COMPUTE · CONTAINERS

Stateless Container Apps

Docker images are pushed to ACR and pulled by Container Apps revisions. Apps scale to zero when idle; a new revision goes live behind a traffic split, so rollback is an immediate switch of traffic back to the previous revision.

AUTH · TOKEN VALIDATION

Microsoft Entra ID at the edge

JWTs issued by Entra ID are validated at the API boundary (signature against the tenant's published signing keys, issuer, audience and lifetime) before any handler runs. Both social and enterprise logins follow a unified authentication flow.
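The Validate step from the request flow above and the edge validation described in this section, as an added example that is not FideliCards' own code: a .NET 8 Minimal API `Program.cs` that wires the JWT bearer handler to the Entra ID tenant's OpenID Connect metadata and protects one route behind a scope check. The tenant ID, the audience `api://fidelicards-api`, the scope `Cards.Read`, the configuration keys and the `/api/cards` route are placeholders; the authority assumes a workforce tenant (an Entra External ID tenant used for social logins has a different authority host).

```csharp
// Program.cs: Entra ID JWT validation at the edge of a .NET 8 Minimal API.
// Added example, not FideliCards' code. Tenant ID, audience, scope and route are placeholders.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys; supplied via appsettings or environment, never hard-coded in production.
string tenantId = builder.Configuration["Entra:TenantId"] ?? "00000000-0000-0000-0000-000000000000"; // placeholder
string audience = builder.Configuration["Entra:Audience"] ?? "api://fidelicards-api";             // placeholder
string issuer   = $"https://login.microsoftonline.com/{tenantId}/v2.0";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The handler fetches {Authority}/.well-known/openid-configuration and caches the
        // tenant's signing keys, so no key material ships inside the container image.
        options.Authority = issuer;
        options.MapInboundClaims = false; // keep "scp"/"oid" as issued instead of remapping to legacy claim URIs
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = audience,                                 // reject tokens minted for other APIs
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // no "none", no HMAC
            ClockSkew = TimeSpan.FromMinutes(1),                      // default is 5 minutes; tighten deliberately
        };
    });

builder.Services.AddAuthorization(options =>
{
    // "scp" is a space-separated list of delegated scopes in v2.0 access tokens,
    // so an exact-match RequireClaim would break as soon as a second scope is granted.
    options.AddPolicy("CardsRead", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
            (ctx.User.FindFirst("scp")?.Value ?? string.Empty)
                .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                .Contains("Cards.Read")));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Unauthenticated liveness probe for the Container Apps health check.
app.MapGet("/healthz", () => Results.Ok());

// Protected endpoint: missing or invalid JWT -> 401; valid JWT without the scope -> 403.
app.MapGet("/api/cards", (ClaimsPrincipal user) =>
        Results.Ok(new { owner = user.FindFirst("oid")?.Value }))
   .RequireAuthorization("CardsRead");

app.Run();
```

The handler never sees a signing key in configuration: it discovers and caches the keys from the metadata document and refreshes them automatically when Entra ID rotates them, which is what lets the container image stay credential-free.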

DATA · OWNERSHIP

Azure SQL — single source of truth

Source of truth on Azure SQL with VNet-locked access, daily PITR-backed backups, and EF Core migrations applied at deploy time.

DELIVERY · CI/CD

Image-based, blue/green deploys

Pipelines build the image, push it to ACR and reference it by immutable digest (`@sha256:…`) when promoting a revision. Nothing is re-tagged, so the artifact that was tested is byte-for-byte the one deployed, and a mutable tag repointed after testing cannot change what runs.

STACK

Azure Container Apps · Docker · .NET 8 / 9 · Microsoft Entra ID · Managed Identity · Bicep · Azure Container Registry · Azure Virtual Network · Azure SQL Server · Entity Framework · JWT · GitHub Actions · Azure DevOps