Azure resource topology

Aucert runs on Azure (Founders Hub credits, ~$5K). The architecture is cloud-agnostic — only Terraform contains cloud-specific code.

Resource groups

Resource group	Purpose	Terraform tier
aucert-foundation-rg	Shared infra: VNet, AKS, ACR, Key Vault, Storage, Internal PG, DNS	`foundation/`
aucert-dev-rg	Dev environment: Product PG, Redis	`environments/dev/`
aucert-tfstate-rg	Terraform remote state (manual)	N/A

VNet aucert-vnet (10.0.0.0/16) in aucert-foundation-rg:

Subnet	CIDR	Purpose
aks-subnet	10.0.0.0/22	AKS node pool (1024 IPs)
postgres-subnet	10.0.4.0/24	Product PG (delegated, cross-RG)
redis-subnet	10.0.5.0/24	Redis Private Endpoint (cross-RG)
keyvault-subnet	10.0.6.0/24	Key Vault private endpoints
internal-platform-subnet	10.0.7.0/24	Internal Platform PG (delegated)
prod-subnet	10.0.8.0/24	Future production PG (Month 4-6)

Reserved (not created): Staging 10.1.0.0/16, Production 10.2.0.0/16.

AKS cluster: aucert-aks, 2x Standard_D2s_v6, K8s 1.32, Azure CNI
ACR: aucertacr41e0x5 (Basic SKU, ~$5/mo)
Namespaces: internal-platform (active), aucert-dev (planned), ingress (planned)

Instance	RG	Tier	Databases
aucert-internal-pg	foundation-rg	Burstable B2s, PG 16	plane_db, astra_db, internal_shared_db
aucertdev-product-pg	dev-rg	Burstable B2s, PG 16	aucert (dev)
aucertdev-redis-41e0x5	dev-rg	Basic C0, TLS 6380	Shared (DB index per env)

Component	Purpose	Configuration
Cloudflare Tunnel	Outbound-only access, no public IP on AKS	Pod in AKS connects outbound to Cloudflare edge
Cloudflare Access	Zero Trust authentication	Google OAuth, `@aucert.ai` domain only
aucert.dev	Internal tools domain	plane.aucert.dev, astra.aucert.dev
AI Foundry	LLM inference	HTTPS to `aucert-ai.cognitiveservices.azure.com` (public, no VNet presence)

All covered by Founders Hub credits ($5,000).