This repository demonstrates the re-architecture and migration of a traditional 3-tier web application into a cloud-native, loosely coupled system deployed on Azure Kubernetes Service (AKS). Originally hosted on a tightly coupled Azure setup (VMs, Web Apps, and Azure SQL), the system experienced scaling limitations, slow response times, and manual, fragile deployments. Our mission was to modernize the platform for scalability, high availability, observability, and automated delivery using GitHub Actions, Terraform, and Azure-native services.
| Layer | Technology | Description |
|---|---|---|
| Frontend | React + TypeScript + Vite | Containerized SPA served via Ingress (NGINX/AGIC) |
| Backend | Spring Boot (Java 21) | REST API deployed to AKS (ClusterIP service) |
| Database | Azure SQL (Private Endpoint) | Managed relational database for production |
| Orchestration | AKS (2+ node pools) | System & user node pools, autoscaling enabled |
| Networking | Azure VNet | Private subnets, secure communication, ingress controller |
| Secrets | Azure Key Vault + CSI | Centralized, secure secret management |
| Registry | Docker Hub | Stores signed and immutable container images |
| Monitoring | Prometheus + Grafana | End-to-end observability for workloads and cluster health |
- AKS Cluster with autoscaling
- Ingress Controller (NGINX or AGIC) with TLS
- Azure SQL behind a Private Endpoint
- Key Vault + CSI for secure secrets
- Prometheus & Grafana monitoring stack
- Network isolation and RBAC
- Managed with Terraform
- Stored in
terraform/directory - Executed via GitHub Actions
- Remote backend on Azure Storage for state locking
Resources Provisioned:
- AKS Cluster
- Azure SQL (Private Endpoint)
- ACR
- Key Vault
- Log Analytics + Monitoring
- Triggered on changes in
frontend/** - Build → Test → Containerize → Push → Deploy
- Health checks and rolling updates with no downtime
- Triggered on changes in
backend/** - Unit & integration tests
- Immutable tagging (no
:latest) - Helm or K8s manifest deployment
- Secrets: Managed via Azure Key Vault (no plaintext)
- Auth: GitHub OIDC → Azure (no static credentials)
- RBAC: Least privilege service accounts
- Private Networking: SQL via private endpoint
- Images: Scanned, signed, immutable
- Network Policies: Restrict access between namespaces
- Stack: Prometheus + Grafana + Alertmanager
- Dashboards: API latency, error rates, saturation, pod health
- Alerts: High error rate, pod crash, unschedulable pods
- Runbooks: Deployment, rollback, scaling, secret rotation
This project builds upon the official bootcamp application:
github.com/saurabhd2106/devops-project2-ih
| Name | GitHub |
|---|---|
| Zainb Al-Atawi | @zainbsuliman |
| Shahad Al-Johani | @Elenore68 |
| Abdulkarim Al-Sahli | @Abdulkarim-Alsahli |
| Wafa Allihaibi | @Waf-DPM-dev |
| Shada Haddad | @Shada11haddad |
| Shouq Alsulami | @76ilq |