About This Architecture

Carrefour's hybrid microservices platform integrates on-premises infrastructure with Azure West Europe via Hub-Spoke VNet topology, leveraging Azure Container Apps as the recommended compute foundation. Traffic flows from external users through Application Gateway and WAF in the DMZ, then to internal microservices in the Spoke VNet across Ingress, ACA, and Platform Services subnets, with governed egress through Azure Firewall and DNS resolution via Private Resolver. The architecture combines Infrastructure-as-Code (Terraform), CI/CD (Jenkins), artifact management (GCP Artifact Registry), observability (Elastic), and security primitives including Managed Identity, Key Vault, App Configuration, and Private Link for seamless hybrid connectivity. This pattern demonstrates enterprise-grade multi-cloud integration with clear separation of concerns, centralized governance, and event-driven workload orchestration using Azure Functions on ACA for exceptions. Fork and customize this diagram on Diagrams.so to adapt the Hub-Spoke model, adjust subnet ranges, or swap components for your hybrid infrastructure requirements.

People also ask

How do you design a hybrid microservices architecture on Azure that integrates on-premises infrastructure with secure, governed egress and multi-cloud observability?

Carrefour's architecture uses a Hub-Spoke VNet topology in Azure West Europe: the Hub VNet (10.0.0.0/16) provides centralized connectivity, security (Application Gateway, WAF, Azure Firewall), and DNS resolution via Private Resolver, while the Spoke VNet (10.1.0.0/16) hosts Container Apps microservices, Functions for event-driven workloads, and managed services (Key Vault, App Configuration, Event