Deployment Architecture Diagram
Infrastructure layout showing how CMS is deployed as independently
deployable frontend and backend components, protected through Zscaler,
Akamai, and Azure Application Gateway, with private AKS runtime and
separated operational and analytical data stores
Authorized Riyadh Air Users (Browser Access)
USER ACCESS & EDGE ENTRY LAYER
Controlled user access path and public edge protection before Azure
origin entry
Zscaler
Enterprise-controlled user access layer enforcing zero-trust
access and approved enterprise access paths
Akamai Edge
Primary public entry point providing WAF, DDoS protection, bot
protection, and controlled edge routing
Azure Application Gateway (WAF)
Controlled origin entry, L7 routing, inspection, and protected
forwarding to AKS ingress
Protected Inbound Path (TLS)
Internet → Zscaler → Akamai → AppGW → AKS Ingress, with no direct
public AKS exposure at any hop
Frontend and backend are deployed separately; the browser never
accesses Fabric, DocumentDB, ADLS, or private backend services
directly.
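As an added illustration of how "AKS Ingress reachable only from Azure Application Gateway" can be enforced inside the cluster, not a manifest from this page or from the project: the ingress controller is published on an internal load balancer (no public IP), and a NetworkPolicy admits traffic to it only from the Application Gateway subnet. The namespace name, pod labels and the 10.10.1.0/24 subnet are assumptions.

```yaml
# Added example, not the project's own manifest.
# Assumptions: ingress controller pods run in namespace "ingress" with
# label app=aks-ingress; the Application Gateway subnet is 10.10.1.0/24.
apiVersion: v1
kind: Service
metadata:
  name: aks-ingress
  namespace: ingress
  annotations:
    # Internal LB only: the ingress never receives a public IP.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  # Preserve the client source IP so the NetworkPolicy below sees the
  # Application Gateway address rather than a node address.
  externalTrafficPolicy: Local
  selector:
    app: aks-ingress
  ports:
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-only-from-appgw
  namespace: ingress
spec:
  podSelector:
    matchLabels:
      app: aks-ingress
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - ipBlock:
            cidr: 10.10.1.0/24   # assumed AppGW subnet
      ports:
        - protocol: TCP
          port: 443
```

Two checks before relying on this: NetworkPolicy objects are only enforced when the cluster was created with a network policy engine (Azure or Calico) enabled, otherwise they are accepted and silently ignored; and the NSG on the AKS node subnet should carry the same allow rule for 443 from the gateway subnet and deny other inbound sources, so the cluster-level policy is defense in depth rather than the only control.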
FRONTEND DEPLOYMENT LAYER
Separate frontend deployable artifact delivered through the edge
layer
React SPA
Web-only React single-page application providing dashboards,
workflows, alerts, filtering, and interactive user actions
Frontend Static Build
Own deployable artifact with layout assets, branding, icons, and
UI resources packaged with the frontend build
Frontend Delivery via Akamai (CDN)
Frontend is delivered separately through Akamai rather than
deployed as an AKS backend workload
BACKEND COMPUTE LAYER – PRIVATE AKS
Multiple independently deployable backend services/components hosted
on a private AKS cluster
AKS Ingress
Internal ingress reachable only from Azure Application Gateway
CMS Backend API Services
Frontend-facing secured APIs exposed by backend services with no
dedicated BFF layer
Domain Services
Business capability services such as Roster, Attendance, Events,
Trainings, Qualifications, Recruitment, and Productivity
Platform Services
Workflow, Notification, and Document Management services
deployed as supporting backend capabilities
AKS Runtime Controls
Private cluster, containerized services, namespace isolation,
and horizontal pod autoscaling (HPA) for backend workloads
DATA & STORAGE LAYER
Clear separation between enterprise analytical data, CMS operational
data, and file-based artifacts
Microsoft Fabric
Read-only enterprise analytics source consumed only through
backend services using governed backend access
Azure DocumentDB
CMS operational datastore for workflow state, requests,
notifications, document metadata, settings, and audit records
Azure Storage Account (Blob Storage)
File and artifact storage for exports, generated documents,
attachments, and archived workflow artifacts
IDENTITY, SECURITY & OPERATIONS
Cross-cutting controls applied across independently deployable
backend services
Azure AD SSO
Enterprise authentication, token issuance, and identity context
for frontend and backend API access
Backend Authorization
RBAC + ABAC enforced directly within backend services for
protected APIs, workflow operations, and document access
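The combined RBAC + ABAC check described above, as an added example and not code from this page or the project: the RBAC layer asks whether any app role on the caller's token grants the action at all, and the ABAC layer then constrains that grant by caller and resource attributes (owning department, owner, self-approval). The claims dict is a constructed stand-in for an Azure AD access token that the API's auth middleware has already validated (signature, issuer, audience, expiry are not shown here); the `roles`, `department` and `oid` claim names, the role names and the action names are assumptions.

```python
"""RBAC + ABAC policy decision point for a CMS backend API.

Added illustration, not the project's code. The claims below stand in for a
decoded, already-validated Azure AD access token; claim names, role names
and action names are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Optional

# RBAC layer: which actions each Azure AD app role may perform at all.
ROLE_PERMISSIONS = {
    "cms.viewer":  {"roster.read", "document.read"},
    "cms.manager": {"roster.read", "document.read", "document.write",
                    "request.approve"},
    "cms.admin":   {"roster.read", "document.read", "document.write",
                    "request.approve", "settings.write"},
}


@dataclass(frozen=True)
class Resource:
    kind: str                           # "document", "request", "roster", ...
    department: Optional[str] = None    # owning department, if any
    owner_oid: Optional[str] = None     # Azure AD object id of the owner


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                         # logged to the audit record


def roles_from_claims(claims: dict) -> set:
    """Azure AD app roles arrive in the 'roles' claim as a list of strings."""
    return set(claims.get("roles", []))


def authorize(claims: dict, action: str, resource: Resource) -> Decision:
    """Deny by default; RBAC must grant, then ABAC must not veto."""
    roles = roles_from_claims(claims)
    if not any(action in ROLE_PERMISSIONS.get(r, ()) for r in roles):
        return Decision(False, "no role grants " + action)

    caller_oid = claims.get("oid")
    caller_dept = claims.get("department")

    if "cms.admin" in roles:
        return Decision(True, "admin role, no attribute constraint")

    # ABAC: department-scoped resources stay within the caller's department,
    # except that an owner may always read a document they own.
    if resource.department is not None and resource.department != caller_dept:
        if action == "document.read" and resource.owner_oid == caller_oid:
            return Decision(True, "owner reading own document")
        return Decision(False, "department mismatch")

    # ABAC: workflow separation of duties, nobody approves their own request.
    if action == "request.approve" and resource.owner_oid == caller_oid:
        return Decision(False, "self-approval not permitted")

    return Decision(True, "role and attributes satisfied")


# Constructed sample claims (stand-ins for validated Azure AD tokens).
VIEWER = {"oid": "u1", "roles": ["cms.viewer"], "department": "Flight Ops"}
MANAGER = {"oid": "m1", "roles": ["cms.manager"], "department": "Flight Ops"}
ADMIN = {"oid": "a1", "roles": ["cms.admin"], "department": "IT"}

DOC_OPS = Resource("document", department="Flight Ops", owner_oid="u1")
DOC_CABIN = Resource("document", department="Cabin Crew", owner_oid="u1")
REQ_BY_MANAGER = Resource("request", department="Flight Ops", owner_oid="m1")
REQ_BY_VIEWER = Resource("request", department="Flight Ops", owner_oid="u1")

if __name__ == "__main__":
    for who, action, res in [(VIEWER, "document.write", DOC_OPS),
                             (VIEWER, "document.read", DOC_CABIN),
                             (MANAGER, "document.write", DOC_CABIN),
                             (MANAGER, "request.approve", REQ_BY_MANAGER),
                             (MANAGER, "request.approve", REQ_BY_VIEWER)]:
        d = authorize(who, action, res)
        print(who["oid"], action, res.kind, "->", d.allowed, "(" + d.reason + ")")
```

The point of keeping both layers in one function is that every denial carries a reason string suitable for the audit records DocumentDB already holds, and that the ABAC rules never widen what RBAC granted; they only narrow it.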
Datadog
Centralized logs, metrics, traces, monitoring, alerting, and
observability across platform components
Infobip
External outbound notification delivery for email and workflow
event messaging
DEPLOYMENT PRINCIPLES
1. Separate Deployables
React frontend and AKS backend services are deployed separately
to support release isolation and independent scaling
2. No BFF Layer
No dedicated backend-for-frontend component is deployed; secured
backend services directly expose the required frontend APIs
3. Private Backend Exposure
AKS remains private and reachable only through protected origin
controls behind App Gateway and Akamai
4. Data Separation
Fabric stays read-only for enterprise analytics, DocumentDB
stores CMS operational data, and the Azure Storage Account
(ADLS / Blob Storage) stores binary artifacts