Azure resource topology

Aucert runs on Azure (Founders Hub credits, ~$5K). The architecture is cloud-agnostic — only Terraform contains cloud-specific code.

Resource groups

Resource group	Purpose	Terraform tier
aucert-foundation-rg	Shared infra: VNet, AKS, ACR, Key Vault, Storage, Internal PG, DNS	foundation/
aucert-dev-rg	Dev environment: Product PG, Redis	environments/dev/
aucert-tfstate-rg	Terraform remote state (manual)	N/A

Network topology

VNet aucert-vnet (10.0.0.0/16) in aucert-foundation-rg:

Subnet	CIDR	Purpose
aks-subnet	10.0.0.0/22	AKS node pool (1024 IPs)
postgres-subnet	10.0.4.0/24	Product PG (delegated, cross-RG)
redis-subnet	10.0.5.0/24	Redis Private Endpoint (cross-RG)
keyvault-subnet	10.0.6.0/24	Key Vault private endpoints
internal-platform-subnet	10.0.7.0/24	Internal Platform PG (delegated)
prod-subnet	10.0.8.0/24	Future production PG (Month 4-6)

Reserved (not created): Staging 10.1.0.0/16, Production 10.2.0.0/16.

Compute

• AKS cluster: aucert-aks, 2x Standard_D2s_v6, K8s 1.32, Azure CNI
• ACR: aucertacr41e0x5 (Basic SKU, ~$5/mo)
• Namespaces: internal-platform (active), aucert-dev (planned), ingress (planned)

Data tier

Instance	RG	Tier	Databases
aucert-internal-pg	foundation-rg	Burstable B2s, PG 16	plane_db, astra_db, internal_shared_db
aucertdev-product-pg	dev-rg	Burstable B2s, PG 16	aucert (dev)
aucertdev-redis-41e0x5	dev-rg	Basic C0, TLS 6380	Shared (DB index per env)

External access

• Cloudflare Tunnel: Outbound-only, no public IP on AKS
• Cloudflare Access: Google OAuth, @aucert.ai only
• Domain: aucert.dev for internal tools (plane.aucert.dev, astra.aucert.dev)

What's next

• Terraform tiers — Three-tier IaC organization
• Cloudflare setup — DNS and tunnel configuration