
Deployment Architecture

Last updated: April 29, 2026
Subscription: Traxs Group Subscription (88f43a45-70f0-4b32-8e30-cf77633684e5)


Environment Overview

Environment | API URL | Web URL | Purpose
Development | https://app-roundtrip-dev.azurewebsites.net | dev.roundtrips.app (pending) | Integration testing, automated E2E
Production | https://api.roundtrips.app | https://roundtrips.app | Live beta users

Production Environment

Resource Group: rg-roundtrip-production | Region: Central US

Resource | Name | Notes
App Service Plan | plan-roundtrip-production | Linux
App Service | app-roundtrip-production | .NET 10, api.roundtrips.app
SQL Server | sql-roundtrip-production | Shared with dev DB
SQL Database | sqldb-roundtrip-production | Production data
Storage Account | stroundtripproduction | Blob storage
Key Vault | kv-roundtrip-production | Production secrets
Log Analytics | log-roundtrip-production | Shared with dev App Insights
App Insights | appi-roundtrip-production | Production monitoring
SSL Certificate | api.roundtrips.app | Bound to custom domain
Entra CIAM | roundtripapp.onmicrosoft.com | Identity provider, shared across environments

Frontend: Cloudflare Pages → roundtrips.app — auto-deploys on push to main branch of RoundTripWeb

Key Vault Secrets (production):

  • ApplicationInsights--ConnectionString
  • ConnectionStrings--BlobStorage
  • ConnectionStrings--DefaultConnection
  • Entra--ClientId
  • Entra--ClientSecret
  • Entra--TenantId

Known gap: the personal-account Key Vault (kv-roundtrip-prod) holds 16 secrets; kv-roundtrip-production holds the 6 listed above. The remaining secrets still need to be accounted for; some may simply have been renamed (e.g. AzureAd--* renamed to Entra--*), others may not have been migrated yet. Do not delete the personal-account resources until every secret has been verified. See Session D notes.


Development Environment

Resource Group: rg-roundtrip-dev | Region: Central US | Created: April 29, 2026

Resource | Name | Notes
App Service Plan | plan-roundtrip-dev | B1 Linux, minimal cost
App Service | app-roundtrip-dev | .NET 10, HTTPS only, WebSockets enabled, HTTP/2
SQL Database | sqldb-roundtrip-dev | Serverless Gen5, auto-pause 60 min, on the production SQL server
Key Vault | kv-roundtrip-dev | Dev secrets, RBAC auth
App Insights | appi-roundtrip-dev | Connected to shared Log Analytics workspace
Managed Identity | System-assigned on app-roundtrip-dev | principalId: a9bc1cf0-fb71-4cb5-b263-4debd472743c
KV Role Assignment | Key Vault Secrets User | App Service can read dev KV secrets

App Insights Connection String:

InstrumentationKey=2421a4da-b85b-4dda-9dbe-be63abc5d073;IngestionEndpoint=https://centralus-2.in.applicationinsights.azure.com/;LiveEndpoint=https://centralus.livediagnostics.monitor.azure.com/;ApplicationId=8bbbb1dd-ad25-436e-acea-8a1aab194a74

Frontend: Cloudflare Pages dev branch → dev.roundtrips.app (pending setup)

Pending — dev environment not yet complete:

  • Populate kv-roundtrip-dev with dev secrets
  • Configure App Service Key Vault references (@Microsoft.KeyVault(...))
  • Run EF Core migrations against sqldb-roundtrip-dev
  • Seed dev tenant + E2E test users in sqldb-roundtrip-dev
  • Set up Cloudflare Pages dev branch → dev.roundtrips.app
  • Create ADO deployment pipeline for dev (RoundTripAPI-Deploy-Dev)
  • Configure E2E pipeline to run against dev environment

Azure Configuration Notes

WebSockets — must be enabled via CLI

WebSockets are disabled by default on Azure App Service Linux. The Portal UI does not expose this toggle for Linux apps. Always enable via CLI:

az webapp config set \
--name <app-name> \
--resource-group <rg-name> \
--web-sockets-enabled true

Applied to: app-roundtrip-production ✅, app-roundtrip-dev

Key Vault Access — Managed Identity + RBAC

Both App Services use system-assigned managed identities with Key Vault Secrets User role. Access policies are NOT used — RBAC only.

App settings reference secrets via Key Vault references:

@Microsoft.KeyVault(VaultName=kv-roundtrip-production;SecretName=ConnectionStrings--DefaultConnection)
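The two pending dev checklist items (populate kv-roundtrip-dev, configure Key Vault references) and the RBAC model above, as one added example script. This is not the project's own tooling; it assumes `az` is logged in to the Traxs Group subscription, that the six dev secret values are supplied in environment variables named DEV_<setting> (an assumed convention, the page does not say where dev values come from), and that DRY_RUN=1 should print the az commands instead of running them. Resource names, subscription ID and the dev principalId are taken from this page.

```shell
#!/usr/bin/env sh
# Added example (not the project's own script): populate kv-roundtrip-dev,
# point app-roundtrip-dev at it with Key Vault references, and show the RBAC
# grant the app's system-assigned identity needs. DRY_RUN=1 prints every
# az command instead of executing it.
set -eu

SUB="${SUB:-88f43a45-70f0-4b32-8e30-cf77633684e5}"
RG="${RG:-rg-roundtrip-dev}"
VAULT="${VAULT:-kv-roundtrip-dev}"
APP="${APP:-app-roundtrip-dev}"
PRINCIPAL_ID="${PRINCIPAL_ID:-a9bc1cf0-fb71-4cb5-b263-4debd472743c}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Key Vault secret names cannot contain ":", so the .NET Key Vault
# configuration convention writes the section separator as "--".
secret_name() { printf '%s' "$1" | sed 's/:/--/g'; }

# Linux App Service app settings cannot contain ":" either; "__" is the
# separator the .NET configuration binder maps back to ":".
setting_name() { printf '%s' "$1" | sed 's/:/__/g'; }

# The value an app setting holds when App Service should resolve it from Key Vault.
kv_ref() { printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"; }

# ARM resource ID of the vault, used as the RBAC scope.
kv_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$SUB" "$RG" "$VAULT"
}

# $1 = config key such as ConnectionStrings:DefaultConnection, $2 = value.
set_secret() {
  run az keyvault secret set --vault-name "$VAULT" \
    --name "$(secret_name "$1")" --value "$2" --output none
}

# $1 = config key. The app setting carries the reference, never the value.
wire_setting() {
  run az webapp config appsettings set --name "$APP" --resource-group "$RG" \
    --settings "$(setting_name "$1")=$(kv_ref "$VAULT" "$(secret_name "$1")")" \
    --output none
}

# RBAC only, no access policies: Key Vault Secrets User on the vault for the
# app's system-assigned identity. Dev already has this per the page; call it
# once when standing up a new app/vault pair.
grant_secret_reader() {
  run az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$(kv_scope)" --output none
}

# The six secret names this page lists for the production vault, written
# as .NET configuration keys.
KEYS="ApplicationInsights:ConnectionString ConnectionStrings:BlobStorage \
ConnectionStrings:DefaultConnection Entra:ClientId Entra:ClientSecret Entra:TenantId"

populate_dev_vault() {
  for key in $KEYS; do
    var="DEV_$(setting_name "$key")"          # e.g. DEV_Entra__ClientSecret (assumed naming)
    eval "value=\${$var:?set $var before running}"
    set_secret "$key" "$value"
    wire_setting "$key"
  done
}

# Usage: DEV_Entra__ClientId=... DEV_Entra__ClientSecret=... ./dev-vault.sh apply
if [ "${1:-}" = "apply" ]; then populate_dev_vault; fi
```

Run it once with DRY_RUN=1 to confirm each setting resolves to a @Microsoft.KeyVault(...) reference rather than a plaintext value before running it for real; the secret values only ever travel to `az keyvault secret set`, never into App Service configuration.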

EF Core Migrations — never run at startup

Migrations are run manually from the local machine against the target database. Never call Database.Migrate() (or a MigrateDatabase() helper) from Program.cs: it runs on every instance start and causes startup timeouts on Azure App Service. Because sqldb-roundtrip-dev and sqldb-roundtrip-production live on the same SQL server, the Database= value in the connection string is the only thing that separates the two commands below; check it before running either.

Run ef database update manually, passing the target connection string:

# Run migrations against dev
dotnet ef database update --connection "Server=sql-roundtrip-production.database.windows.net;Database=sqldb-roundtrip-dev;..."

# Run migrations against production
dotnet ef database update --connection "Server=sql-roundtrip-production.database.windows.net;Database=sqldb-roundtrip-production;..."
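A guard around the two commands above, as an added example that is not part of the project's tooling. It parses the connection string, refuses to run unless Server= and Database= match the environment named on the command line, and requires an explicit CONFIRM=production opt-in for the live database. The wrapper name, the CONFIRM variable and the User ID/Password keys in the sample string are assumptions; the server and database names are the ones on this page.

```shell
#!/usr/bin/env sh
# Added example, not the project's own tooling: a guard around
# `dotnet ef database update`. Both databases sit on sql-roundtrip-production,
# so this checks the Database= value against the requested environment
# before handing the connection string to EF Core.
set -eu

SQL_SERVER="sql-roundtrip-production.database.windows.net"

# Environment name -> database (names as listed on this page).
target_db() {
  case "$1" in
    dev)        printf 'sqldb-roundtrip-dev' ;;
    production) printf 'sqldb-roundtrip-production' ;;
    *)          return 1 ;;
  esac
}

# Value of one key in a "Key=Value;Key=Value" connection string.
# Key match is case-insensitive; values may themselves contain "=".
conn_value() {
  printf '%s' "$2" | tr ';' '\n' | awk -F= -v k="$1" '
    { key=$1; gsub(/^ +| +$/, "", key)
      if (tolower(key) == tolower(k)) { v=$0; sub(/^[^=]*=/, "", v); print v; exit } }'
}

# Succeeds only if the connection string points at the server and the
# database that belong to the requested environment.
check_target() {
  want="$(target_db "$1")" || return 1
  [ "$(conn_value Server "$2")" = "$SQL_SERVER" ] || return 1
  [ "$(conn_value Database "$2")" = "$want" ] || return 1
}

# $1 = dev|production, $2 = full connection string.
migrate() {
  if ! check_target "$1" "$2"; then
    echo "refusing: connection string does not target the $1 database on $SQL_SERVER" >&2
    return 1
  fi
  # Production additionally needs an explicit opt-in so a copy-pasted
  # command cannot migrate live data by accident (CONFIRM is an assumed name).
  if [ "$1" = production ] && [ "${CONFIRM:-}" != production ]; then
    echo "refusing: set CONFIRM=production to migrate production" >&2
    return 1
  fi
  dotnet ef database update --connection "$2"
}

# Usage: ./migrate.sh dev "Server=sql-roundtrip-production.database.windows.net;Database=sqldb-roundtrip-dev;..."
if [ "$#" -eq 2 ]; then migrate "$1" "$2"; fi
```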

SSL Certificates

SSL certificates must be explicitly bound to custom domains — binding is not automatic. Production SSL for api.roundtrips.app is managed by Azure App Service certificates in rg-roundtrip-production.

Dev environment uses the default *.azurewebsites.net SSL — no custom domain until dev.roundtrips.app is configured.


ADO Pipelines

Organization: traxs (Visual Studio Online)
Self-hosted agent: laptop in pool traxs-self-hosted

Repos:

  • traxs/RoundTrip/RoundTripAPI
  • traxs/RoundTrip/RoundTripWeb

Current Pipelines (Production)

Pipeline | Trigger | Action
RoundTripAPI CI/CD | Push to main | Build + deploy to app-roundtrip-production
RoundTripWeb CI/CD | Push to main | Build + deploy to Cloudflare Pages
Playwright-RoundTripWeb | Manual / push to main | E2E tests against roundtrips.app

Target Pipeline Structure (Session D — in progress)

feature/fix branch
        │ PR
        ▼
development ──► CI Build + Tests ──► Deploy to DEV ──► E2E Tests
        │                                                   │
        │ PR (manual), Pete reviews + approves              │
        ▼                                                   │
main ◄──────────────────────────────────────────────────────┘
        │
        ▼
CI Build + Tests + Deploy to Production

Pending pipelines to create:

  • RoundTripAPI-Deploy-Dev — deploys development branch to app-roundtrip-dev
  • RoundTripWeb-Deploy-Dev — deploys development branch to Cloudflare Pages dev
  • RoundTripWeb-E2E-Dev — runs Playwright against dev.roundtrips.app
  • ADO approval gate on production deployment

PR Template

Location in both repos: .azuredevops/pull_request_template.md

Covers:

  • Linear ticket link
  • API handler pattern checklist (SignalR, CancellationToken, domain exceptions)
  • Security checklist (no secrets, tenant scoping, endpoint roles)
  • Database checklist (migrations, CHECK constraints)
  • Frontend architecture checklist
  • Testing requirements

Subscription Layout

Subscription | ID | Contains
Traxs Group Subscription | 88f43a45-70f0-4b32-8e30-cf77633684e5 | All RoundTrip environments (production + dev)
Pay-As-You-Go (personal) | 38f312a1-bf65-458f-9dfe-11335e30846c | Old resources, pending cleanup

Personal Account Cleanup (pending)

  • rg-roundtrip-prod — old production ✅ safe to delete once KV secrets verified
  • traxs-dev-rg — old Entra CIAM ✅ safe to delete (new CIAM in Traxs Group)
  • rg-traxs-taskflow — dead project ✅ safe to delete
  • dashboard-rg — portal dashboard ✅ safe to delete

Before deleting personal-account resources: verify that all 16 secrets from kv-roundtrip-prod are present in kv-roundtrip-production (allowing for the AzureAd--* to Entra--* renaming), and that the production App Service resolves every Key Vault reference from the new vault.