Skip to content
APEX

Design Document & Inventory

Design Document

Section titled “Design Document”

Introduction

Section titled “Introduction”

This document records the deployed Malta Catering Azure workload as it exists after the successful azd provision run on 2026-04-15. It is intended to support operations, audit review, troubleshooting, and future iteration of the workload.

Intended Audience: Solution Architects, Operations/SRE Teams, Security & Compliance Teams, Development Teams

Project Overview

Section titled “Project Overview”

Malta Catering is a containerized online ordering demo for a Malta-based catering outlet. The deployed workload runs a Linux container on Azure App Service and uses private connectivity to Key Vault, Table Storage, and Azure Container Registry. Monitoring is provided through Application Insights and Log Analytics, and cost governance is enforced with a monthly budget resource.

Business Objectives:

  • Publish a live online ordering surface for customers and staff.
  • Keep customer and order data inside EU-hosted Azure resources.
  • Demonstrate an App Service-based alternative to the blocked Container Apps deployment path.

Design Objectives

Section titled “Design Objectives”
ObjectiveTargetImplementation
Availability99.0% service targetSingle-region App Service plan with staging slot
PerformanceLow-latency always-on container hostingP0v3 Linux App Service Plan with one dedicated worker
SecurityPrivate backend access and managed identityVNet integration, 3 private endpoints, Key Vault RBAC, ACR pull via MI
ScalabilityDev/demo scale with room for growthPremium v3 plan supports vertical scaling and additional workers

Constraints & Assumptions

Section titled “Constraints & Assumptions”

Constraints:

  • The original S1 plan selection was not deployable in this subscription and region; the deployed plan is P0v3.
  • The workload remains single-region in swedencentral; no warm DR region is deployed.

Assumptions:

  • Table Storage backup/export remains a future production enhancement rather than part of the current deployment.
  • Budgetary and monitoring baselines assume a dev/demo usage profile with low ingestion and low transaction volume.

Stakeholders

Section titled “Stakeholders”
RoleTeamResponsibility
Platform OwnerDemo PlatformAzure subscription, policy, and deployment flow
Application OwnerMalta CateringContainer image, app behavior, and demo content
Operations Contactplatform@example.comRuntime verification and operational follow-up

Architecture Overview

Section titled “Architecture Overview”

The as-built architecture is delivered as editable Draw.io source.

CategoryCount
Compute3
Networking10
Data1
Security2

Additional deployed components include 2 monitoring resources, 1 Event Grid system topic, and 1 management budget object.

Networking

Section titled “Networking”

The production endpoint is public on the default Azure hostname, while all backend platform services are restricted through private endpoints inside the workload VNet.

Virtual Network Summary

Section titled “Virtual Network Summary”
VNet NameAddress SpaceRegionPurpose
vnet-malta-catering-dev10.0.0.0/24swedencentralWorkload network for App Service integration and private endpoints

Subnet Allocation

Section titled “Subnet Allocation”
SubnetAddress RangeDelegated ToNSG
snet-app-service10.0.0.0/27Microsoft.Web/serverFarmsNone
snet-private-endpoints10.0.0.32/27NoneNone

DNS & Private Endpoints

Section titled “DNS & Private Endpoints”
ServicePrivate EndpointPrivate DNS Zone
Azure Key Vaultpep-kv-malta-dev-b6lg3l-vault-0privatelink.vaultcore.azure.net
Table Storagepep-stmaltadevb6lg3l-table-0privatelink.table.core.windows.net
Azure Container Registrypep-acrmaltadevb6lg3l-registry-0privatelink.azurecr.io

Storage

Section titled “Storage”

Storage Account Summary

Section titled “Storage Account Summary”
AccountKindReplicationAccess TierPublic Access
stmaltadevb6lg3lStorageV2Standard_LRSHotDisabled

Data Retention

Section titled “Data Retention”
Data CategoryRetention PeriodLifecycle Policy
Customer PII90 days targetApplication-managed deletion on request
Order records1 year targetApplication-managed retention
Menu dataIndefiniteManual application update

Compute

Section titled “Compute”

Compute Resource Summary

Section titled “Compute Resource Summary”
ResourceTypeSKUInstancesScaling
asp-malta-catering-devApp Service PlanP0v31Manual scale only
app-malta-catering-devWeb App for ContainersIncluded1Bound to plan capacity
app-malta-catering-dev/stagingDeployment SlotIncluded1Bound to plan capacity

Scaling Configuration

Section titled “Scaling Configuration”
ResourceMinMaxScale Trigger
asp-malta-catering-dev130Manual App Service plan scaling
app-malta-catering-dev11No autoscale configured

Identity & Access

Section titled “Identity & Access”

Managed Identities

Section titled “Managed Identities”
IdentityTypeAssigned ToKey Permissions
156a5dbf-66f8-48b0-bf7c-bcd156eb6528System-assignedapp-malta-catering-devAcrPull, Key Vault Secrets User, Storage Table Data Contributor
d8c9ade8-c8c6-4f01-b300-4cd749a68fffSystem-assignedapp-malta-catering-dev/stagingNo direct role assignments detected

RBAC Role Assignments

Section titled “RBAC Role Assignments”
PrincipalRoleScope
Production web app identityAcrPullacrmaltadevb6lg3l
Production web app identityKey Vault Secrets Userkv-malta-dev-b6lg3l
Production web app identityStorage Table Data Contributorstmaltadevb6lg3l
Staging slot identityNone assignedNot configured

Security & Compliance

Section titled “Security & Compliance”

Security Controls

Section titled “Security Controls”
ControlImplementationEvidence
TLS 1.2+App Service and slot both enforce minTlsVersion = 1.2.asbuilt/webapp.json, .asbuilt/webapp-staging.json
HTTPS-onlyProduction and staging sites both set httpsOnly = true.asbuilt/webapp.json, .asbuilt/webapp-staging.json
Managed IdentitySystem-assigned identity enabled on production and slot.asbuilt/webapp.json, .asbuilt/webapp-staging.json
Network isolationKey Vault, Storage, and ACR use private endpoints with public access disabled.asbuilt/keyvault.json, .asbuilt/storage.json, .asbuilt/acr.json

Compliance Mapping

Section titled “Compliance Mapping”
FrameworkControl IDStatus
GDPRData residency in EU region
GDPRSecrets isolation and least privilege⚠️
GDPRCustomer authentication path⚠️

The deployed workload materially improves the original architecture posture through private backend connectivity, managed identity, disabled shared keys, and Key Vault RBAC. Two important operational gaps remain in the as-built state: App Service Authentication is not enabled, and the staging slot identity currently has no RBAC assignments.

Backup & Disaster Recovery

Section titled “Backup & Disaster Recovery”

Recovery Objectives

Section titled “Recovery Objectives”
TierRTO TargetRPO TargetServices
Critical24 hoursBest-effortApp Service, Storage, Container image availability
Important24 hours7 days / last known stateKey Vault, monitoring workspace, private DNS
Standard48 hoursBest-effortBudgeting, auxiliary diagnostics, documentation

Backup Summary

Section titled “Backup Summary”
ServiceBackup TypeRetentionGeo-Redundant
App Service configInfrastructure as code redeploySource-controlledNo
Key VaultSoft delete + purge protection7 daysNo
Storage Table dataNone deployedN/ANo
ACR container metadataRetention policy15 days for untagged manifestsNo

Management & Monitoring

Section titled “Management & Monitoring”

Monitoring Configuration

Section titled “Monitoring Configuration”
ServiceMonitoring ToolKey Metrics
Web App / SlotApplication Insights + Log AnalyticsRequests, failures, container startup, HTTP status
App Service PlanAzure platform metricsCPU, memory, worker status
BudgetAzure Consumption BudgetForecast 80%, forecast 120%, actual 100%

Alert Rules

Section titled “Alert Rules”
AlertSeverityThresholdAction
forecast80Sev3Forecast spend ≥ 80%Email platform@example.com
forecast120Sev2Forecast spend ≥ 120%Email platform@example.com
actual100Sev2Actual spend ≥ 100%Email platform@example.com
Application availability alertsNot deployedN/AGap recorded in Step 7

Resource Inventory

Section titled “Resource Inventory”

Generated: 2026-04-15 Source: Deployed Azure resources and implemented Bicep templates Environment: Development Region: swedencentral

Inventory Summary

Section titled “Inventory Summary”
CategoryCount
Total Resources20
Compute3
Data Services1
Networking10
Messaging1
Security2
Monitoring2
Management1

The total includes the resource-group budget and the three private DNS zones that are not surfaced by the generic az resource list result set but are present in the live resource group and included in the as-built evidence set under .asbuilt/.

Compute Resources

Section titled “Compute Resources”
NameTypeSKULocationMonthly CostPurpose
asp-malta-catering-devApp Service PlanP0v3swedencentral$64.97Linux dedicated compute plan for the workload
app-malta-catering-devApp Service Web AppIncluded in planswedencentral$0.00Production container host and public endpoint
app-malta-catering-dev/stagingApp Service deployment slotIncluded in planswedencentral$0.00Pre-production slot for staged validation

Data Services

Section titled “Data Services”
NameTypeSKUConfigurationLocationMonthly Cost
stmaltadevb6lg3lStorage AccountStandard_LRSStorageV2, hot tier, HTTPS-only, shared key disabled, public access disabledswedencentral$0.00 baseline

Networking Resources

Section titled “Networking Resources”
NameTypeConfigurationLocation
vnet-malta-catering-devVirtual NetworkAddress space 10.0.0.0/24swedencentral
snet-app-serviceDelegated subnet10.0.0.0/27, delegated to Microsoft.Web/serverFarmsswedencentral
snet-private-endpointsPrivate endpoint subnet10.0.0.32/27, private endpoint policies disabledswedencentral
pep-stmaltadevb6lg3l-table-0Private EndpointTable Storage private link in snet-private-endpointsswedencentral
pep-kv-malta-dev-b6lg3l-vault-0Private EndpointKey Vault private link in snet-private-endpointsswedencentral
pep-acrmaltadevb6lg3l-registry-0Private EndpointACR registry private link in snet-private-endpointsswedencentral
pep-stmaltadevb6lg3l-table-0.nic...Network InterfaceManaged NIC for Storage private endpointswedencentral
pep-kv-malta-dev-b6lg3l-vault-0.nic...Network InterfaceManaged NIC for Key Vault private endpointswedencentral
pep-acrmaltadevb6lg3l-registry-0.nic...Network InterfaceManaged NIC for ACR private endpointswedencentral
privatelink.table.core.windows.netPrivate DNS ZoneOne VNet link, two record setsglobal
privatelink.vaultcore.azure.netPrivate DNS ZoneOne VNet link, two record setsglobal
privatelink.azurecr.ioPrivate DNS ZoneOne VNet link, three record setsglobal

Messaging Resources

Section titled “Messaging Resources”
NameTypeSKUConfigurationLocation
stmaltadevb6lg3l-54b43000-43fb-447d-bedf-faef9631cdcfEvent Grid system topicStandardAuto-created platform topic associated with storageswedencentral

Security Resources

Section titled “Security Resources”
NameTypeConfigurationLocation
kv-malta-dev-b6lg3lKey VaultStandard tier, RBAC enabled, purge protection on, public network disabledswedencentral
acrmaltadevb6lg3lContainer RegistryPremium tier, admin disabled, retention policy enabled, public network disabledswedencentral

Monitoring Resources

Section titled “Monitoring Resources”
NameTypeRetentionLocation
log-malta-catering-devLog Analytics Workspace30 daysswedencentral
appi-malta-catering-devApplication Insights90 daysswedencentral

Management Resources

Section titled “Management Resources”
NameTypeConfigurationLocation
budget-malta-catering-devBudgetMonthly budget $500, notifications at forecast 80/120 and actual 100rg scope
%%{init: {'theme':'base','themeVariables':{pie1:'#0078D4',pie2:'#107C10',pie3:'#5C2D91',pie4:'#D83B01',pie5:'#FFB900',pie6:'#008575'}}}%%
pie showData
    title Resource Distribution by Category
    "Compute" : 3
    "Data" : 1
    "Networking" : 10
    "Messaging" : 1
    "Security" : 2
    "Monitoring" : 2

Budget management is tracked outside the category chart because it is a governance object rather than a workload runtime component.