Application / Conceptual Architecture Diagram

Crew Management System – secure access, React presentation layer, API management entry, dedicated BFF layer, independently deployable backend services, internal workflow capability, data platforms, and enterprise support services
Users
Operational Users: Daily operational access
Supervisors / Managers: Approvals and oversight
Admin Users: Configuration and control
Secure Access Layer
Browser
Zscaler: Enterprise-controlled zero-trust access
Akamai: WAF • DDoS • Bot protection • Edge security
Azure Application Gateway: Protected origin ingress and routing
Secured request path: Browser → Zscaler → Akamai → Azure Application Gateway. Backend services are not directly exposed.
Presentation Layer
React Web Application: SPA frontend for CMS screens, dashboards, workflows, notifications, filters, and document actions
Presentation layer only. The frontend calls protected APIs and does not directly access enterprise data platforms or internal backend services.
API Management Layer
IBM API Connect: Secured API entry • managed exposure • request forwarding to the frontend-facing backend layer
APIC acts as the managed API entry and forwarding layer before requests reach the dedicated BFF service.
BFF Layer
Backend for Frontend: Frontend-facing API controller that validates tokens, handles request admission, shapes responses, routes requests, and orchestrates multi-service calls
Single BFF service between React and backend domain/platform services, aligned with the HLD.
Backend Services on AKS
Business Domain Services
Crew Profile Service
Roster Service
Attendance Service
Events Service
Leave Service
Trainings Service
Qualifications Service
Recruitment Service
Productivity Service
Shared Platform Services
Workflow Management Component: Internal workflow capability handling lifecycle rules, approvals, escalations, tasks, and status transitions
Notification Service: Triggers operational and workflow-driven notifications
Document Management: Uploads, downloads, document metadata, and generated files
AuthZ Enforcement: Backend services enforce RBAC + ABAC after request admission
Audit / Logging: Business-critical actions, audit visibility, and tracing
Multiple independently deployable backend services/components are hosted on AKS. The workflow capability remains internal to CMS backend services in MVP.
Data & Enterprise Support
Data & Storage
Microsoft Fabric: Enterprise analytical data • curated datasets • read-only source for backend services
Azure DocumentDB: CMS operational data including workflow records, notifications, preferences, audit records, and document metadata
Azure Storage Account (Blob Storage): Uploads • attachments • exports • generated documents • archived artifacts
Enterprise Support Services
Azure AD: Authentication • SSO • token issuance and validation
RX Notification Service: Outbound email and workflow-driven notification delivery
Datadog: Logs • metrics • traces • monitoring
Data responsibilities remain separated: Fabric for read-only enterprise data, DocumentDB for CMS operational data, and Blob Storage for file objects and generated artifacts.
Main view covered: Users → Secure Access → React SPA → IBM API Connect → BFF → Backend Services on AKS → Fabric / DocumentDB / Blob Storage, with Azure AD, RX Notification Service, and Datadog integrated across the solution.