Deployment Architecture
Last updated: April 29, 2026
Subscription: Traxs Group Subscription (88f43a45-70f0-4b32-8e30-cf77633684e5)
Environment Overview
| Environment | API URL | Web URL | Purpose |
|---|---|---|---|
| Development | https://app-roundtrip-dev.azurewebsites.net | dev.roundtrips.app (pending) | Integration testing, automated E2E |
| Production | https://api.roundtrips.app | https://roundtrips.app | Live beta users |
Production Environment
Resource Group: rg-roundtrip-production | Region: Central US
| Resource | Name | Notes |
|---|---|---|
| App Service Plan | plan-roundtrip-production | Linux |
| App Service | app-roundtrip-production | .NET 10, api.roundtrips.app |
| SQL Server | sql-roundtrip-production | Shared with dev DB |
| SQL Database | sqldb-roundtrip-production | Production data |
| Storage Account | stroundtripproduction | Blob storage |
| Key Vault | kv-roundtrip-production | Production secrets |
| Log Analytics | log-roundtrip-production | Shared with dev App Insights |
| App Insights | appi-roundtrip-production | Production monitoring |
| SSL Certificate | api.roundtrips.app | Bound to custom domain |
| Entra CIAM | roundtripapp.onmicrosoft.com | Identity provider — shared across environments |
Frontend: Cloudflare Pages → roundtrips.app — auto-deploys on push to main branch of RoundTripWeb
Key Vault Secrets (production):
- ApplicationInsights--ConnectionString
- ConnectionStrings--BlobStorage
- ConnectionStrings--DefaultConnection
- Entra--ClientId
- Entra--ClientSecret
- Entra--TenantId
Known gap: Personal account Key Vault (kv-roundtrip-prod) has 16 secrets. Production KV has 6. Remaining secrets need to be verified — some may have been renamed (e.g. AzureAd--* → Entra--*). Do not delete personal account until verified. See Session D notes.
Development Environment
Resource Group: rg-roundtrip-dev | Region: Central US
Created: April 29, 2026
| Resource | Name | Notes |
|---|---|---|
| App Service Plan | plan-roundtrip-dev | B1 Linux — minimal cost |
| App Service | app-roundtrip-dev | .NET 10, HTTPS only, WebSockets enabled, HTTP/2 |
| SQL Database | sqldb-roundtrip-dev | Serverless Gen5, auto-pause 60min — on production SQL server |
| Key Vault | kv-roundtrip-dev | Dev secrets, RBAC auth |
| App Insights | appi-roundtrip-dev | Connected to shared Log Analytics workspace |
| Managed Identity | System-assigned on app-roundtrip-dev | principalId: a9bc1cf0-fb71-4cb5-b263-4debd472743c |
| KV Role Assignment | Key Vault Secrets User | App Service can read dev KV secrets |
App Insights Connection String:
InstrumentationKey=2421a4da-b85b-4dda-9dbe-be63abc5d073;IngestionEndpoint=https://centralus-2.in.applicationinsights.azure.com/;LiveEndpoint=https://centralus.livediagnostics.monitor.azure.com/;ApplicationId=8bbbb1dd-ad25-436e-acea-8a1aab194a74
Frontend: Cloudflare Pages dev branch → dev.roundtrips.app (pending setup)
Pending — dev environment not yet complete:
- Populate kv-roundtrip-dev with dev secrets
- Configure App Service Key Vault references (@Microsoft.KeyVault(...))
- Run EF Core migrations against sqldb-roundtrip-dev
- Seed dev tenant + E2E test users in sqldb-roundtrip-dev
- Set up Cloudflare Pages dev branch → dev.roundtrips.app
- Create ADO deployment pipeline for dev (RoundTripAPI-Deploy-Dev)
- Configure E2E pipeline to run against dev environment
Azure Configuration Notes
WebSockets — must be enabled via CLI
WebSockets are disabled by default on Azure App Service Linux. The Portal UI does not expose this toggle for Linux apps. Always enable via CLI:
az webapp config set \
--name <app-name> \
--resource-group <rg-name> \
--web-sockets-enabled true
Applied to: app-roundtrip-production ✅, app-roundtrip-dev ✅
Key Vault Access — Managed Identity + RBAC
Both App Services use system-assigned managed identities with Key Vault Secrets User role. Access policies are NOT used — RBAC only.
App settings reference secrets via Key Vault references:
@Microsoft.KeyVault(VaultName=kv-roundtrip-production;SecretName=ConnectionStrings--DefaultConnection)
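Because dev and production each have their own vault but both App Services use the same reference syntax, the failure mode to guard against is a setting on app-roundtrip-dev that resolves against kv-roundtrip-production (the managed identity would simply get an access error, or worse, read a production secret if a role assignment was ever added by mistake). The following check is an added example, not part of this page or the RoundTrip repos: it takes the tab-separated `name<TAB>value` listing of an App Service's settings and reports every Key Vault reference that names a vault other than the one expected for that environment. The `az webapp config appsettings list ... --query "[].[name,value]" -o tsv` invocation in the header and the sample settings are assumptions/constructed input.

```shell
#!/usr/bin/env bash
# Added example (not from the page): verify that every @Microsoft.KeyVault(...)
# reference in an App Service's settings points at the vault that environment
# is meant to use. Input is assumed to come from:
#   az webapp config appsettings list -n app-roundtrip-dev -g rg-roundtrip-dev \
#     --query "[].[name,value]" -o tsv
set -u

# kv_ref_vault VALUE -> vault name from a Key Vault reference, or empty if VALUE
# is not a reference. Handles the VaultName=...;SecretName=... form used on this
# page and the SecretUri=https://<vault>.vault.azure.net/... form.
kv_ref_vault() {
  local value=$1 inner uri
  case "$value" in
    '@Microsoft.KeyVault('*')') ;;
    *) return 0 ;;
  esac
  inner=${value#'@Microsoft.KeyVault('}
  inner=${inner%')'}
  case "$inner" in
    *VaultName=*)
      printf '%s\n' "$inner" | tr ';' '\n' | sed -n 's/^VaultName=//p' ;;
    *SecretUri=*)
      uri=$(printf '%s\n' "$inner" | tr ';' '\n' | sed -n 's/^SecretUri=//p')
      uri=${uri#https://}
      printf '%s\n' "${uri%%.vault.azure.net*}" ;;
  esac
}

# check_kv_references EXPECTED_VAULT SETTINGS_FILE
# Prints "name<TAB>vault" for every reference that does not use EXPECTED_VAULT;
# returns 1 if any were found, 0 if all references are clean.
check_kv_references() {
  local expected=$1 file=$2 name value vault bad=0
  while IFS=$(printf '\t') read -r name value; do
    [ -z "$name" ] && continue
    vault=$(kv_ref_vault "$value")
    [ -z "$vault" ] && continue          # plain setting, not a KV reference
    if [ "$vault" != "$expected" ]; then
      printf '%s\t%s\n' "$name" "$vault"
      bad=1
    fi
  done < "$file"
  return "$bad"
}

# Constructed sample listing for app-roundtrip-dev: one setting wrongly
# references the production vault.
SETTINGS=$(mktemp)
printf '%s\t%s\n' \
  'ConnectionStrings--DefaultConnection' '@Microsoft.KeyVault(VaultName=kv-roundtrip-dev;SecretName=ConnectionStrings--DefaultConnection)' \
  'Entra--ClientSecret' '@Microsoft.KeyVault(SecretUri=https://kv-roundtrip-production.vault.azure.net/secrets/Entra--ClientSecret/)' \
  'ASPNETCORE_ENVIRONMENT' 'Development' \
  > "$SETTINGS"

# Usage (non-zero exit makes this usable as a pipeline gate):
#   check_kv_references kv-roundtrip-dev "$SETTINGS" || echo "fix references before deploying"
```

Run it against the real listing for each App Service with the vault that environment owns (kv-roundtrip-dev for app-roundtrip-dev, kv-roundtrip-production for app-roundtrip-production); a non-empty report means a setting was copied between environments without updating the vault.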
EF Core Migrations — never run at startup
Migrations are run manually from the local machine against the target database. Never call MigrateDatabase() from Program.cs: applying migrations at startup causes startup timeouts on Azure App Service, and it would also require the app's runtime identity to hold schema-change rights it does not otherwise need.
Run dotnet ef database update from the local machine, pointing --connection at the intended database. Both databases live on the same SQL server (sql-roundtrip-production), so the Database= value is the only thing that distinguishes a dev migration from a production one; check it before running.
# Run migrations against dev
dotnet ef database update --connection "Server=sql-roundtrip-production.database.windows.net;Database=sqldb-roundtrip-dev;..."
# Run migrations against production
dotnet ef database update --connection "Server=sql-roundtrip-production.database.windows.net;Database=sqldb-roundtrip-production;..."
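Since the dev and production databases share a server, a copy-pasted connection string with the wrong Database= value is the most likely way to migrate production by accident. The wrapper below is an added example, not part of the page or the RoundTripAPI repo: it parses the connection string, refuses to proceed unless the database matches the one the caller named, and requires an explicit ROUNDTRIP_ALLOW_PROD=1 opt-in for sqldb-roundtrip-production. The connection strings, the environment variable name and the use of Authentication=Active Directory Default (so dotnet ef uses the developer's Entra login instead of a SQL password on the command line) are assumptions; the page elides its own connection details.

```shell
#!/usr/bin/env bash
# Added example (not from the page): guard manual EF Core migrations so the
# wrong database on sql-roundtrip-production cannot be migrated by mistake.
set -u

PROD_DB="sqldb-roundtrip-production"
DEV_DB="sqldb-roundtrip-dev"

# connstr_field CONNSTR KEY -> value of KEY in a ;-separated connection string
connstr_field() {
  printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# check_migration_target EXPECTED_DB CONNSTR
# Returns 0 if CONNSTR targets EXPECTED_DB and that target is permitted,
# 1 for a mismatch, an unknown database, or production without opt-in.
check_migration_target() {
  local expected=$1 connstr=$2 db
  db=$(connstr_field "$connstr" Database)
  if [ "$db" != "$expected" ]; then
    echo "refusing: connection string targets '$db', expected '$expected'" >&2
    return 1
  fi
  case "$db" in
    "$DEV_DB") return 0 ;;
    "$PROD_DB")
      # ROUNDTRIP_ALLOW_PROD is an assumed name for the explicit opt-in.
      if [ "${ROUNDTRIP_ALLOW_PROD:-0}" != "1" ]; then
        echo "refusing: production migration requires ROUNDTRIP_ALLOW_PROD=1" >&2
        return 1
      fi
      return 0 ;;
    *) echo "refusing: unknown database '$db'" >&2; return 1 ;;
  esac
}

# run_migration EXPECTED_DB CONNSTR [--dry-run]
# Runs the check first; only then invokes dotnet ef.
run_migration() {
  local expected=$1 connstr=$2 mode=${3:-}
  check_migration_target "$expected" "$connstr" || return 1
  if [ "$mode" = "--dry-run" ]; then
    echo "would run: dotnet ef database update against $expected"
    return 0
  fi
  dotnet ef database update --connection "$connstr"
}

# Constructed connection strings (assumption: Entra authentication via
# "Active Directory Default", i.e. the developer's az login, no SQL password).
DEV_CONN="Server=sql-roundtrip-production.database.windows.net;Database=$DEV_DB;Authentication=Active Directory Default;Encrypt=True"
PROD_CONN="Server=sql-roundtrip-production.database.windows.net;Database=$PROD_DB;Authentication=Active Directory Default;Encrypt=True"

# Usage:
#   run_migration "$DEV_DB" "$DEV_CONN"
#   ROUNDTRIP_ALLOW_PROD=1 run_migration "$PROD_DB" "$PROD_CONN"
```

The check is deliberately redundant: the caller has to name the database and the connection string has to agree, so a stale $PROD_CONN in the shell history does not get applied when the intent was dev.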
SSL Certificates
SSL certificates must be explicitly bound to custom domains — binding is not automatic. Production SSL for api.roundtrips.app is managed by Azure App Service certificates in rg-roundtrip-production.
Dev environment uses the default *.azurewebsites.net SSL — no custom domain until dev.roundtrips.app is configured.
ADO Pipelines
Organization: traxs (Visual Studio Online)
Self-hosted agent: laptop in pool traxs-self-hosted
Repos:
- traxs/RoundTrip/RoundTripAPI
- traxs/RoundTrip/RoundTripWeb
Current Pipelines (Production)
| Pipeline | Trigger | Action |
|---|---|---|
| RoundTripAPI CI/CD | Push to main | Build + deploy to app-roundtrip-production |
| RoundTripWeb CI/CD | Push to main | Build + deploy to Cloudflare Pages |
| Playwright-RoundTripWeb | Manual / push to main | E2E tests against roundtrips.app |
Target Pipeline Structure (Session D — in progress)
feature/fix branch
│
▼ PR
development ──► CI Build + Tests ──► Deploy to DEV ──► E2E Tests
│
Pete reviews + approves
│
▼ PR (manual) │
main ◄────────────────────────────────────────────────────────┘
│
▼ CI Build + Tests + Deploy to Production
Pending pipelines to create:
- RoundTripAPI-Deploy-Dev — deploys development branch to app-roundtrip-dev
- RoundTripWeb-Deploy-Dev — deploys development branch to Cloudflare Pages dev
- RoundTripWeb-E2E-Dev — runs Playwright against dev.roundtrips.app
- ADO approval gate on production deployment
PR Template
Location in both repos: .azuredevops/pull_request_template.md
Covers:
- Linear ticket link
- API handler pattern checklist (SignalR, CancellationToken, domain exceptions)
- Security checklist (no secrets, tenant scoping, endpoint roles)
- Database checklist (migrations, CHECK constraints)
- Frontend architecture checklist
- Testing requirements
Subscription Layout
| Subscription | ID | Contains |
|---|---|---|
| Traxs Group Subscription | 88f43a45-70f0-4b32-8e30-cf77633684e5 | All RoundTrip environments (production + dev) |
| Pay-As-You-Go (personal) | 38f312a1-bf65-458f-9dfe-11335e30846c | Old resources — pending cleanup |
Personal Account Cleanup (pending)
- rg-roundtrip-prod — old production ✅ safe to delete once KV secrets verified
- traxs-dev-rg — old Entra CIAM ✅ safe to delete (new CIAM in Traxs Group)
- rg-traxs-taskflow — dead project ✅ safe to delete
- dashboard-rg — portal dashboard ✅ safe to delete
Before deleting personal account resources: Verify all 16 secrets from kv-roundtrip-prod are present in kv-roundtrip-production (with possible AzureAd--* → Entra--* renaming).
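The "16 secrets vs 6" gap noted under Key Vault Secrets and repeated here is easy to get wrong by eye once renames are involved. The script below is an added example, not part of the page or the project: it takes the two secret-name listings, applies the AzureAd--* → Entra--* rename to the old names, and prints every old secret that has no counterpart in kv-roundtrip-production, exiting non-zero so the cleanup can be gated on it. The `az keyvault secret list` invocations in the header and the sample listings (with Placeholder--* standing in for the unverified secrets) are assumptions/constructed input.

```shell
#!/usr/bin/env bash
# Added example (not from the page): diff secret names between the old
# personal-account vault and the production vault, honouring known renames.
# Real listings would come from (assumed invocation):
#   az keyvault secret list --vault-name kv-roundtrip-prod --query "[].name" -o tsv
#   az keyvault secret list --vault-name kv-roundtrip-production --query "[].name" -o tsv
set -u

# normalize_name NAME -> the name the secret is expected to have in the new
# vault. Add one sed expression per rename the team confirms.
normalize_name() {
  printf '%s\n' "$1" | sed -e 's/^AzureAd--/Entra--/'
}

# missing_secrets OLD_FILE NEW_FILE
# Prints "<old-name> -> <expected-new-name>" for every secret in OLD_FILE
# whose (renamed) counterpart is absent from NEW_FILE.
missing_secrets() {
  local old_file=$1 new_file=$2 name expected
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    expected=$(normalize_name "$name")
    if ! grep -qxF -- "$expected" "$new_file"; then
      printf '%s -> %s\n' "$name" "$expected"
    fi
  done < "$old_file"
}

# count_missing OLD_FILE NEW_FILE -> number of unmatched secrets
count_missing() {
  missing_secrets "$1" "$2" | wc -l | tr -d ' '
}

# check_vault_migration OLD_FILE NEW_FILE -> 0 if nothing is missing, else 1
# (with the unmatched secrets reported on stderr).
check_vault_migration() {
  local n
  n=$(count_missing "$1" "$2")
  if [ "$n" -ne 0 ]; then
    missing_secrets "$1" "$2" >&2
    echo "unmatched secrets: $n" >&2
    return 1
  fi
  return 0
}

# Constructed sample listings (the real vaults hold 16 and 6 secrets;
# Placeholder--* are stand-ins, not real secret names).
OLD_LIST=$(mktemp); NEW_LIST=$(mktemp)
trap 'rm -f "$OLD_LIST" "$NEW_LIST"' EXIT
cat > "$OLD_LIST" <<'EOF'
ApplicationInsights--ConnectionString
ConnectionStrings--BlobStorage
ConnectionStrings--DefaultConnection
AzureAd--ClientId
AzureAd--ClientSecret
AzureAd--TenantId
Placeholder--SecretA
Placeholder--SecretB
EOF
cat > "$NEW_LIST" <<'EOF'
ApplicationInsights--ConnectionString
ConnectionStrings--BlobStorage
ConnectionStrings--DefaultConnection
Entra--ClientId
Entra--ClientSecret
Entra--TenantId
EOF

# Usage: gate the personal-subscription cleanup on a clean result.
check_vault_migration "$OLD_LIST" "$NEW_LIST" \
  || echo "vault migration incomplete; do not delete kv-roundtrip-prod"
```

Secrets that are genuinely obsolete (not just renamed) should be removed from the old listing deliberately, with a note of why, rather than left to make the count look wrong; everything that remains unmatched after that is a secret production is currently running without.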