# ePlatform Architecture on Azure Container Apps

## Diagrams

Version: 1.0.0

*Figure: High-level architecture. App Gateway is the public entry point to internal ACA services with private data-plane dependencies.*

*Figure: Network flow. URL path routing on App Gateway to internal ACA endpoints with Private DNS + Private Endpoints.*
This document describes the logical and physical architecture of the ePlatform deployment on Azure Container Apps (ACA).
It complements:

- OVERVIEW.md – concepts and philosophy
- CONFIG.md – configuration reference
- DEPLOYMENT.md – operational execution
- NOTES.md – engineering caveats
## 🧱 1. High-Level System Architecture

```mermaid
flowchart TB
    Internet --> DNS[Public DNS]
    DNS --> AGW[Application Gateway]
    %% Label quoted: unquoted parentheses inside [] break Mermaid parsing
    AGW --> ACAENV["Azure Container Apps Environment<br/>(Internal Ingress)"]
    ACAENV --> API[Backend API]
    ACAENV --> AUTH[Auth Service]
    ACAENV --> SYNC[Sync Service]
    ACAENV --> UI[Frontend / Web]
    API --> REDIS[(Redis)]
    API --> MONGO[(Mongo vCore)]
    subgraph VNET["Virtual Network"]
        AGW
        ACAENV
        REDIS
        MONGO
    end
```

**Key points**

- Application Gateway is the only public entry point.
- All Container Apps use internal ingress only.
- Data services are accessed via Private Endpoints.
## 🌐 2. Network Architecture

```mermaid
flowchart LR
    subgraph Internet
        Client
    end
    subgraph Azure
        subgraph VNet
            AGW[App Gateway Subnet]
            ACA[ACA Infra Subnet]
            PE_DB[DB Private Endpoint Subnet]
            PE_CACHE[Cache Private Endpoint Subnet]
        end
    end
    Client --> AGW
    AGW --> ACA
    ACA --> PE_DB
    ACA --> PE_CACHE
```

**Principles**

- No public exposure of backend services.
- All east-west traffic stays inside the VNet.
- Private DNS zones resolve internal endpoints.
## 🔀 3. Ingress & Routing

```mermaid
flowchart LR
    AGW[Application Gateway]
    AGW -->|/api/*| API[Backend API]
    AGW -->|/auth/*| AUTH[Auth Service]
    AGW -->|/sync/*| SYNC[Sync Service]
    AGW -->|/*| UI[Frontend]
```

**Routing model**

- Path-based routing on App Gateway.
- Backend targets resolve to internal ACA FQDNs.
- TLS terminates at App Gateway.
## 🧩 4. Container Apps Environment

```mermaid
flowchart TB
    ENV[ACA Environment]
    ENV --> APP1[Container App - API]
    ENV --> APP2[Container App - Auth]
    ENV --> APP3[Container App - Sync]
    ENV --> APP4[Container App - Web]
    ENV --> LOG[Log Analytics]
    ENV --> METRIC[Azure Monitor]
```

**Characteristics**

- Internal-only ingress.
- Autoscaling per service.
- Managed identities supported.
## 💾 5. Data Layer

```mermaid
flowchart LR
    API --> REDIS[(Redis)]
    API --> MONGO[(MongoDB vCore)]
    REDIS --- PE1[Private Endpoint]
    MONGO --- PE2[Private Endpoint]
```

**Redis**

- Option A: Azure Cache for Redis
- Option B: Redis Enterprise (EQ-QA style)

**Mongo**

- Azure Cosmos DB for MongoDB vCore
- Private endpoint + private DNS
- HA configurable
## 🔐 6. Security Architecture

```mermaid
flowchart TB
    User --> TLS["TLS Termination @ App Gateway"]
    TLS --> PrivateNet[Private VNet]
    PrivateNet --> ACA
    ACA --> Data[(Private Data Services)]
```

**Security controls**

- TLS termination at the edge.
- No public IPs on services.
- Secrets injected via pipeline.
- Network isolation by default.
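The "internal-only ingress" and "no public IPs on services" controls from sections 4 and 6 are cheap to verify continuously. The check below is an added example, not part of this page or the ePlatform scripts: it reads the JSON that `az containerapp env show` and `az containerapp list` emit and flags an environment that is not VNet-internal or any app whose ingress is external. The field names (`properties.vnetConfiguration.internal`, `properties.configuration.ingress.external`) are assumed from the ACA resource schema, and the sample data is constructed.

```python
import json

# Constructed sample: trimmed `az containerapp env show -o json` output (field names assumed).
SAMPLE_ENV = {"name": "eplatform-env",
              "properties": {"vnetConfiguration": {"internal": True}}}

# Constructed sample: trimmed `az containerapp list -o json` output (field names assumed).
# "sync" deliberately violates the internal-only rule so the audit has something to report.
SAMPLE_APPS_JSON = """
[
  {"name": "api",  "properties": {"configuration": {"ingress": {"external": false,
     "fqdn": "api.internal.example-env.azurecontainerapps.io"}}}},
  {"name": "auth", "properties": {"configuration": {"ingress": {"external": false,
     "fqdn": "auth.internal.example-env.azurecontainerapps.io"}}}},
  {"name": "sync", "properties": {"configuration": {"ingress": {"external": true,
     "fqdn": "sync.example-env.azurecontainerapps.io"}}}},
  {"name": "worker", "properties": {"configuration": {}}}
]
"""
SAMPLE_APPS = json.loads(SAMPLE_APPS_JSON)


def audit_environment(env):
    """Return findings for an ACA environment that would give its ingress a public IP."""
    vnet = env.get("properties", {}).get("vnetConfiguration") or {}
    if not vnet.get("internal"):
        return [(env.get("name", "<unnamed>"),
                 "environment is not VNet-internal; its ingress gets a public IP")]
    return []


def audit_apps(apps):
    """Return (app name, finding) pairs for apps whose ingress is reachable from outside the VNet.

    Apps with no ingress block (e.g. a queue worker) are not HTTP-reachable and are skipped.
    """
    findings = []
    for app in apps:
        ingress = app.get("properties", {}).get("configuration", {}).get("ingress")
        if ingress is None:
            continue
        if ingress.get("external"):
            findings.append((app.get("name", "<unnamed>"),
                             "external ingress enabled; must be internal-only behind App Gateway"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_environment(SAMPLE_ENV) + audit_apps(SAMPLE_APPS):
        print(f"{name}: {finding}")
```

Feed it live output with `az containerapp list -o json` piped into `json.load` and run it as a pipeline gate so a drifted ingress setting fails the deployment instead of silently exposing a service.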
## 🔄 7. Deployment Flow

```mermaid
flowchart TD
    Config[Edit 00_config.sh] --> Net[Create VNet & Subnets]
    Net --> AGW[Deploy App Gateway]
    AGW --> ACAENV[Create ACA Environment]
    ACAENV --> DATA[Deploy Redis + Mongo]
    DATA --> APPS[Deploy Container Apps]
    APPS --> ROUTES[Configure Routing]
```
## 🧪 8. Environment Reuse Model

```mermaid
flowchart LR
    Scripts --> QA[EQ-QA]
    Scripts --> PROD[EQ-PROD]
    Scripts --> DEV[DEV]
    Scripts --> DR[DR]
    Config --> Scripts
```

Only `00_config.sh` changes between environments.
## 📌 Notes

- Mermaid diagrams render in GitHub, VS Code, and most markdown viewers.
- For presentations, diagrams can be exported using Mermaid tools.
- The architecture intentionally avoids public exposure of backend services.