Step 3 — Design Artifacts
Architecture Diagram
Section titled “Architecture Diagram”
Source: Excalidraw source file
Cost Distribution
Section titled “Cost Distribution”
Cost Projection
Section titled “Cost Projection”
Architecture Decision Record
Section titled “Architecture Decision Record”Generated by design agent | 2026-03-11
- 🔍 Context
- ✅ Decision
- 🔄 Alternatives Considered
- ⚖️ Consequences
- 🏛️ WAF Pillar Analysis
- 🔒 Compliance Considerations
- 📝 Implementation Notes
Status: Proposed Date: 2026-03-11 Deciders: CTO, Platform Engineering Lead, Security Lead
🔍 Context
Section titled “🔍 Context”The architecture assessment for nordic-fresh-foods recommends an MVP platform that must satisfy:
- GDPR and PCI-DSS obligations
- EU data residency (primary region
swedencentral) - 99.9% service availability target with RTO 24h and RPO 12h
- A hard cost cap below €1,000/month
- Seasonal 3x traffic growth with minimal operational overhead
The primary trade-off is whether to optimize for early-stage cost and simplicity now, with a clear hardening path later, or to front-load enterprise-grade resilience and complexity in the MVP.
✅ Decision
Section titled “✅ Decision”Adopt a cost-optimized N-tier Azure architecture for the MVP, using managed PaaS services with private data access:
- Compute: Azure App Service (Linux S1) with production minimum 2 instances and autoscale to 3
- Data: Azure SQL Database (S0 DTU model) for transactional workloads
- Security and secrets: Key Vault with RBAC and Managed Identity
- Storage: Standard LRS Storage Account for product images and static assets
- Network isolation: VNet integration + Private Endpoints for SQL and Storage
- Observability: Application Insights + Log Analytics
- Identity: Microsoft Entra External ID for consumer and restaurant access
This decision is for Step 3 design intent and will be validated against governance constraints in Step 4 before implementation.
🔄 Alternatives Considered
Section titled “🔄 Alternatives Considered”| Option | Pros | Cons | WAF Impact |
|---|---|---|---|
| AKS microservices baseline | Maximum flexibility and fine-grained scaling | Higher ops overhead and significantly higher MVP cost | Reliability +, Operations -, Cost — |
| Azure Container Apps + PostgreSQL Flexible Server | Better burst scaling and modern runtime model | More moving parts and platform complexity for small team | Performance +, Operations -, Cost - |
| Azure Functions + Cosmos DB event-driven model | Consumption-based scaling and rapid feature experimentation | Architectural refactor of transactional order model and consistency complexity | Cost +, Reliability ->, Operations - |
| Selected: App Service + Azure SQL N-tier | Lowest complexity with predictable cost and compliance controls | Single-region MVP posture and deferred WAF/DDoS hardening | Cost ++, Security +, Reliability - |
⚖️ Consequences
Section titled “⚖️ Consequences”Positive
Section titled “Positive”- Keeps projected steady-state spend around ~$204/month, preserving substantial budget headroom
- Delivers a straightforward implementation path using AVM-capable services and standard tooling
- Supports GDPR and PCI-DSS controls through private data access, tokenized payments, and MI-based auth
- Reduces day-1 operational burden for a small team while retaining scale-up options
Negative
Section titled “Negative”- Accepts single-region risk in MVP and requires explicit DR drill execution to maintain confidence
- Defers WAF and advanced DDoS posture to a later hardening phase
- Places pressure on disciplined observability and scaling thresholds to avoid performance regressions
Neutral
Section titled “Neutral”- Uses DTU-based SQL sizing now, with a planned review gate for vCore or tier upgrade if usage rises
- Keeps LRS storage for MVP economics, with a pre-defined switch path to GRS when recovery goals tighten
🏛️ WAF Pillar Analysis
Section titled “🏛️ WAF Pillar Analysis”| Pillar | Impact | Notes |
|---|---|---|
| Security | Positive | Private Endpoints, Managed Identity, Key Vault RBAC, and TLS 1.2 baseline are built into the design. |
| Reliability | Mixed | Min 2 App Service instances improves availability, but multi-region failover remains deferred. |
| Performance | Mixed | Meets current SLA targets; sustained seasonal peaks require pre-peak load validation and autoscale tuning. |
| Cost Optimization | Strong Positive | Right-sized SKUs and pay-per-use monitoring keep spend far below budget ceiling. |
| Operational Excellence | Positive | Bicep-first IaC and Azure-native telemetry improve repeatability and incident visibility. |
🔒 Compliance Considerations
Section titled “🔒 Compliance Considerations”- GDPR: All core data services remain in EU region boundaries; external processors require DPA/SCC validation.
- PCI-DSS: Cardholder data is excluded from App Service scope via hosted payment fields or redirect tokenization.
- Identity governance: Entra External ID is scoped to consumer identities; workforce access remains in org tenant.
- Security controls:
publicNetworkAccessremains disabled on SQL and Storage in production.
📝 Implementation Notes
Section titled “📝 Implementation Notes”- Enforce policy-aligned configuration in Step 4/5 artifacts, especially network isolation and TLS settings.
- Implement resilience patterns for external integrations: timeout, bounded retries with jitter, circuit breaker.
- Define production reliability review gates tied to uptime incidents and load-test outcomes.
- Revisit this ADR when either condition is met:
- sustained usage >80% SQL DTU for 14 days, or
- monthly availability drops below 99.9%
Cost Estimate
Section titled “Cost Estimate”- 💵 Cost At-a-Glance
- ✅ Decision Summary
- 🔁 Requirements → Cost Mapping
- 📊 Top 5 Cost Drivers
- 🏛️ Architecture Overview
- 🧾 What We Are Not Paying For (Yet)
- ⚠️ Cost Risk Indicators
- 🎯 Quick Decision Matrix
- 💰 Savings Opportunities
- 🧾 Detailed Cost Breakdown
- References
Generated by architect agent | 2026-03-11
| ⬅️ Previous | 📑 Index | Next ➡️ |
|---|---|---|
| Architecture Assessment | Demo Index | Governance Constraints |
Generated: 2026-03-11 Region: swedencentral Environment: Production + Development MCP Tools Used: azure_bulk_estimate, azure_cost_estimate, azure_price_search Architecture Reference: Architecture Assessment
💵 Cost At-a-Glance
Section titled “💵 Cost At-a-Glance”Monthly Total: ~$204 | Annual: ~$2,448
Status Indicator Cost Trend ➡️ Stable (growth driven by user acquisition) Savings Available 💰 ~$180/year with Dev/Test licensing Compliance ✅ GDPR + PCI-DSS aligned
✅ Decision Summary
Section titled “✅ Decision Summary”- ✅ Approved: N-Tier Web (App Service S1 ×2 instances + SQL S0 + KV + Storage + App Insights) with Private Endpoints for Prod; B1 + Basic for Dev
- ⏳ Deferred: Redis Cache, CDN/Front Door, WAF/Application Gateway, DDoS Standard, multi-region failover
- 🔁 Redesign Trigger: If concurrent users exceed 500 or SQL DTU sustained >80%, upgrade compute/database tier
Confidence: Medium | Expected Variance: ±15% (Log Analytics ingestion and autoscale frequency are primary unknowns)
🔁 Requirements → Cost Mapping
Section titled “🔁 Requirements → Cost Mapping”| Requirement | Architecture Decision | Cost Impact | Mandatory |
|---|---|---|---|
| SLA 99.9% / RTO 24h / RPO 12h | Single region, App Service S1, SQL PITR | Baseline (no uplift) | Yes |
| GDPR data residency | swedencentral region, EU-only processing | $0 (region choice) | Yes |
| PCI-DSS (tokens only) | Private Endpoints for SQL + Storage | +$15.60/month | Yes |
| 3× seasonal autoscale | App Service autoscale 2→3 instances | +$73/month at peak | Yes |
| <100 concurrent users | S1 plan + SQL S0 (10 DTU) | Baseline sizing | Yes |
| Consumer identity | Entra External ID (free tier) | $0 (within 50K MAU) | Yes |
| Monitoring + alerting | App Insights + Log Analytics (pay/GB) | +$4.60/month | Yes |
📊 Top 5 Cost Drivers
Section titled “📊 Top 5 Cost Drivers”| Rank | Resource | Monthly Cost | % of Total | Trend | Optimization |
|---|---|---|---|---|---|
| 1️⃣ | App Service Plan S1 (Prod) | $146.00 | 72% | ⬆️ | Min 2 for availability; scale to 3 |
| 2️⃣ | Azure SQL Database S0 | $14.73 | 7% | ➡️ | Monitor DTU; stay on S0 if <80% |
| 3️⃣ | Private Endpoints ×2 | $14.60 | 7% | ➡️ | Fixed cost; required for compliance |
| 4️⃣ | App Service Plan B1 (Dev) | $13.14 | 6% | ➡️ | Stop/deallocate when not in use |
| 5️⃣ | Azure SQL Database Basic | $4.90 | 2% | ➡️ | Dev only; pause outside work hours |
💡 Quick Win: Stop the Dev App Service Plan outside business hours to save
$9/month ($108/year).
1️⃣ App Service Plan S1 (Production)
Section titled “1️⃣ App Service Plan S1 (Production)”| Aspect | Detail |
|---|---|
| Current SKU | S1 (Linux) |
| Monthly Cost | $146.00 (2 instances × $73.00) |
| Cost Breakdown | Compute: $73.00/instance (flat rate per instance) |
| Optimization | Min 2 for availability; cannot reduce below 2 |
| Potential Savings | ~$15/month with 1-year RI (if available) |
2️⃣ Azure SQL Database S0
Section titled “2️⃣ Azure SQL Database S0”| Aspect | Detail |
|---|---|
| Current SKU | S0 (10 DTU) |
| Monthly Cost | $14.73 |
| Optimization | Stay on S0 while DTU <80% |
| Potential Savings | $0 (already minimum viable tier) |
🏛️ Architecture Overview
Section titled “🏛️ Architecture Overview”Cost Distribution
Section titled “Cost Distribution”| Category | Monthly Cost (USD) | Share |
|---|---|---|
| 💻 Compute | $159.14 | 78% |
| 💾 Data Services | $21.88 | 11% |
| 🌐 Networking | $15.60 | 8% |
| 📊 Observability | $4.60 | 2% |
| 🔑 Security | $0.00 | 0% |
| 📦 Storage | $2.75 | 1% |
Month-over-Month Projection
Section titled “Month-over-Month Projection”
Key Design Decisions Affecting Cost
Section titled “Key Design Decisions Affecting Cost”| Decision | Cost Impact | Business Rationale | Status |
|---|---|---|---|
| S1 over B1 (Prod) | +$132.86/month 📈 | Autoscale + min 2 instances for availability | Required |
| Private Endpoints (×2) | +$15.60/month 📈 | GDPR + PCI-DSS compliance mandates | Required |
| S0 over Basic (Prod SQL) | +$9.83/month 📈 | 10 DTU needed for concurrent order processing | Required |
| Pay-per-GB monitoring | Cost-effective 📉 | Low ingestion volumes (<5 GB/month total) | Required |
| Single region | -$100+/month 📉 | No failover region cost; acceptable for MVP | Optional |
🧾 What We Are Not Paying For (Yet)
Section titled “🧾 What We Are Not Paying For (Yet)”- Azure Front Door / CDN — Add when page load exceeds 3s target ($35-50/month)
- Redis Cache (Basic C0) — Add if inventory API latency exceeds 500ms (~$15/month)
- WAF v2 / Application Gateway — Add at >5K concurrent users (~$250/month)
- DDoS Protection Standard — Add if targeted attacks detected (~$2,944/month)
- Multi-region active-passive — Add if 24h RTO becomes unacceptable (doubles infrastructure cost)
- Microsoft Defender for Cloud — Recommended post-MVP (~$15/resource/month)
- Azure Front Door Premium — For Private Link origins and advanced WAF rules
Assumptions & Uncertainty
Section titled “Assumptions & Uncertainty”- Log Analytics ingestion stays within 5 GB/month free tier (monitor after launch)
- Autoscale triggers infrequently outside peak season (June-August, December)
- Storage growth averages 5 GB/month for first 6 months
- Entra External ID stays within 50K MAU free tier for 12+ months
- No cross-region data transfer costs (single region)
⚠️ Cost Risk Indicators
Section titled “⚠️ Cost Risk Indicators”| Resource | Risk Level | Issue | Mitigation |
|---|---|---|---|
| App Service S1 (×3) | 🟡 Medium | Scaling to 3rd instance at peak adds $73/mo | Set max instances to 3; monitor closely |
| Log Analytics | 🟡 Medium | Ingestion may exceed 5 GB free tier | Configure sampling rate; exclude verbose |
| SQL Database S0 | 🟢 Low | DTU exhaustion during peaks | Alert at 80% DTU; upgrade to S1 ($30/mo) |
| Storage transactions | 🟢 Low | High transaction volume from images | Enable CDN if transaction costs spike |
⚠️ Watch Item: Peak-season autoscale (June-August) could maintain 3 instances for extended periods, pushing monthly cost to $277-308. Set autoscale cool-down to 10 minutes to avoid unnecessary scale-out.
🎯 Quick Decision Matrix
Section titled “🎯 Quick Decision Matrix”“If you need X, expect to pay Y more”
| Requirement | Additional Cost | SKU Change | Verdict | Notes |
|---|---|---|---|---|
| 99.99% SLA | +$65/month | P1v3 + Zone-redundant | 🟡 Monitor | Wait until user base justifies |
| Redis Cache (hot inventory) | +$15/month | C0 Basic | 🟢 Go | Add when inventory API >500ms p95 |
| CDN for static assets | +$35/month | Standard profile | 🟢 Go | Add when page load >3s target |
| WAF + Application Gateway | +$250/month | WAF_v2 | 🔴 Defer | Over budget for MVP; add post-launch |
| Multi-region failover | +$130/month | Duplicate stack | 🔴 Defer | RTO 24h acceptable for MVP |
| SQL S1 (20 DTU) | +$15/month | S1 | 🟡 Monitor | Trigger: sustained DTU >80% |
💰 Savings Opportunities
Section titled “💰 Savings Opportunities”Total Potential Savings: ~$180/year
Section titled “Total Potential Savings: ~$180/year”
Strategy Commitment Monthly Savings Annual Savings % Reduction Dev/Test pricing N/A $15 $180 11% Stop Dev outside hours N/A $9 $108 7% Reserved Instances (RI) 1-year Not recommended — — Spot Instances N/A Not applicable — — Note: RIs not recommended for a 3-month-old startup with uncertain growth trajectory. Re-evaluate after 6 months of stable usage.
🧾 Detailed Cost Breakdown
Section titled “🧾 Detailed Cost Breakdown”Assumptions
Section titled “Assumptions”- Hours: 730 hours/month
- Network egress: Minimal (<1 GB/month within region)
- Storage growth: 5 GB/month for first 6 months
- Log ingestion: 2 GB App Insights + 3 GB Log Analytics = 5 GB total
Line Items
Section titled “Line Items”| Category | Service | SKU / Meter | Quantity / Units | Est. Monthly |
|---|---|---|---|---|
| 💻 Compute (Prod) | App Service Plan | S1 Linux | 2 instances | $146.00 |
| 💻 Compute (Dev) | App Service Plan | B1 Linux | 1 instance | $13.14 |
| 💾 Data (Prod) | Azure SQL Database | S0 (10 DTU) | 1 database | $14.73 |
| 💾 Data (Dev) | Azure SQL Database | Basic (5 DTU) | 1 database | $4.90 |
| 📦 Storage (Prod) | Storage Account | Standard LRS | 50 GB | $2.25 |
| 📦 Storage (Dev) | Storage Account | Standard LRS | 10 GB | $0.45 |
| 🔑 Security | Key Vault (Prod) | Standard | ~1K ops | $0.00 |
| 🔑 Security | Key Vault (Dev) | Standard | Minimal ops | $0.00 |
| 📊 Observability | Application Insights | Pay-per-GB | 2 GB | $4.60 |
| 📊 Observability | Log Analytics | Pay-per-GB | 3 GB (free tier) | $0.00 |
| 📊 Observability | App Insights (Dev) | Pay-per-GB | 1 GB | $2.30 |
| 🌐 Networking | Private Endpoint | SQL | 730 hours | $7.30 |
| 🌐 Networking | Private Endpoint | Storage | 730 hours | $7.30 |
| 🌐 Networking | Private DNS Zone | SQL privatelink | 1 zone | $0.50 |
| 🌐 Networking | Private DNS Zone | Storage privatelink | 1 zone | $0.50 |
| 🆔 Identity | Entra External ID | Free tier | ~10.5K MAU | $0.00 |
| Total | $203.97 |
Peak Season Scenario
Section titled “Peak Season Scenario”| Change | Steady-State | Peak (3×) | Delta |
|---|---|---|---|
| App Service Plan (Prod) | $146.00 | $219.00 | +$73.00 |
| All other resources | $57.97 | $57.97 | $0.00 |
| Compute Total | $203.97 | $276.97 | +$73.00 |
Variable Meter Sensitivity (Peak Season):
| Meter | p50 Scenario | p90 Scenario | Notes |
|---|---|---|---|
| SQL DTU bursting | $0.00 | $15.00 | Upgrade to S1 if sustained >80% DTU |
| Log Analytics ingestion | $0.00 | $5.00 | Free tier (5 GB) may be exceeded at peak |
| App Insights extra ingestion | +$2.30 | +$6.90 | 1-3 GB extra at 3× traffic |
| Storage transactions | $0.50 | $3.00 | Image serving transaction volume increase |
| Network egress (inter-zone) | $0.00 | $1.00 | Minimal; single-region |
| Variable Total | $2.80 | $30.90 | |
| Grand Peak Total (p50/p90) | $279.77 | $307.87 | Compute + variable meters |
[!NOTE] Peak assumes full-month autoscale to 3 instances. Actual peak months (June-August, December) will vary based on scale-out duration. Variable meters represent additional consumption-based costs beyond fixed compute.
Free-Tier Cliff Analysis
Section titled “Free-Tier Cliff Analysis”| Service | Free Tier Limit | Current Usage | Cliff Cost | Trigger |
|---|---|---|---|---|
| Log Analytics | 5 GB/month | ~3 GB | +$2.76/GB | Verbose logging at peak |
| Entra External ID | 50K MAU | ~10.5K MAU | $0.0025/auth | Unlikely within 12 months |
| Key Vault | 10K ops free | ~1K ops | $0.03/10K ops | Very unlikely |
- App Service Plan S1 is not eligible for Reserved Instances; RI applies to P-series and above
- Dev/Test pricing via Visual Studio subscription can reduce App Service and SQL costs
- Entra External ID free tier covers first 50K MAU — no cost until user base exceeds this threshold
- Azure SQL geo-backup is included at no additional cost with S0 tier
- Private DNS Zone billing: $0.50/zone/month + $0.0004/million queries (negligible)
References
Section titled “References”| Topic | Link |
|---|---|
| Azure Pricing Calculator | Calculator |
| Cost Management | Overview |
| Reserved Instances | Reservations |
| WAF Cost Optimization | Checklist |
| App Service Pricing | Pricing |
| SQL Database Pricing | Pricing |