Skip to content

GitHub CI/CD Azure Deployment

⏱️ Time: 45-75 minutes | 🎯 Goal: Deploy to Azure with GitHub Actions

Deploy Loan Defenders to Azure using GitHub Actions for automated CI/CD with production-grade infrastructure, auto-scaling, and monitoring.

Deployment Path

This guide covers deploying via GitHub Actions with CI/CD automation. For direct deployment without GitHub, see Direct Azure Deployment.

Overview

This deployment method uses GitHub Actions with OIDC authentication for automated, secure deployments to Azure.

Best for: - ✅ Production deployments with teams - ✅ Automated deployments on code changes (optional) - ✅ Deployment history and rollback - ✅ Multi-environment management (dev, staging, prod)

Prerequisites: - GitHub account and repository - Azure subscription - 45-75 minutes total time

← Back to Deployment Options | Architecture Overview

What You'll Get

This deployment creates the same production-ready infrastructure as Direct Azure Deployment, plus:

Additional Benefits: - 🤖 GitHub Actions workflows for automation - 📜 Deployment history (all deployments tracked) - ♻️ Easy rollback to previous versions - 🔐 OIDC authentication (no secrets in code) - 🌍 Multi-environment support - 👥 Team collaboration via GitHub

Infrastructure: See Azure Deployment Overview for complete architecture details.

Deployment Timeline

Simple View

┌────────────────────────────────────────────────────────┐
│ Azure Cloud                                             │
│                                                          │
│  ┌──────────┐    ┌──────────┐    ┌──────────────────┐ │
│  │ UI       │───►│ API      │───►│ MCP Servers (3)  │ │
│  │ Public   │    │ Internal │    │ Internal         │ │
│  │ HTTPS    │    │ HTTPS    │    │ HTTPS            │ │
│  └──────────┘    └──────────┘    └──────────────────┘ │
│                                          │              │
│                                          ▼              │
│                           ┌──────────────────────────┐ │
│                           │ AI Services (Private)    │ │
│                           │ GPT-4.1, GPT-5, newer   │ │
│                           │ No public access        │ │
│                           └──────────────────────────┘ │
│                                                          │
│  All services in private VNet (10.0.0.0/16)            │
└────────────────────────────────────────────────────────┘

3-Workflow Deployment Model

The deployment is split into 3 independent workflows for speed:

Workflow Time What It Deploys When to Run
1. Infrastructure 5-10 min VNet, Security, AI Services, Monitoring Rarely (infra changes)
2. Platform 5-10 min Container Registry, Container Apps Env Occasionally (platform changes)
3. Applications 3-5 min API, UI, MCP Server containers Frequently (every code change)

Total first deployment: 15-30 minutes Application updates: 3-5 minutes (90% faster than monolithic deployment)

Why? Application deployments reduced from 45-60 min to 3-5 min. You deploy infrastructure rarely, applications frequently.

See: ADR-030: Three-Workflow Deployment Architecture

Cost Estimate

Development Environment (What You'll Deploy First)

Component Monthly Cost
Container Apps (5 services) $65-90
Azure OpenAI (usage-based) $20-100
Monitoring (App Insights + Logs) $15-25
Total $100-215/month

Optional: - VPN Gateway (developer access): +$140-360/month - Can disable after initial setup - Use Azure Portal for occasional access

Production Environment (Future)

Component Monthly Cost
Container Apps (higher scale) $380-525
Azure AI Services (higher usage) $200-500
Monitoring (enhanced) $45-75
Front Door + WAF $100-150
Total $725-1,250/month

Cost Optimization Tips: - Start with dev environment ($100-215/month) - Validate MVP with real users first - Scale to production when traffic demands it - Use Azure Cost Alerts to monitor spending

See: ADR-039: MCP Servers Container Apps Deployment for detailed cost analysis

Prerequisites

Before deploying, ensure you have:

  • Azure Subscription with Contributor + User Access Administrator role
  • GitHub Account with repository access
  • Local Tools:
  • Azure CLI: brew install azure-cli or install guide
  • PowerShell 7+: brew install powershell or install guide
  • GitHub CLI: brew install gh or install guide

Optional but recommended: - Complete Stage 1 or 2 to validate the application works locally first

Quick Start

Deployment Type: Manual (recommended for reference implementation)
Time Required: 30-90 minutes (depending on components)
Automated Deployment: Available but disabled by default (can enable via GitHub Actions settings)

Manual-First Approach

This reference implementation uses manual deployment by default to help you understand each step. You can enable automated deployments later using GitHub Actions features.

Step 1: Set Up GitHub OIDC Authentication (10 minutes)

Why OIDC? Passwordless authentication eliminates secrets in GitHub, reducing security risks. See ADR-027: User Access Administrator for GitHub Actions for detailed rationale.

Option A: Automated Setup (Recommended)

# Clone repository
git clone https://github.com/YOUR_ORG/loan-defenders.git
cd loan-defenders

# Login to Azure
az login
az account set --subscription "YOUR_SUBSCRIPTION_NAME"

# Run automated OIDC setup script
./scripts/setup-github-oidc.sh dev

# Script creates:
# - Azure AD App Registration
# - Federated credential for GitHub Actions
# - Service Principal with Contributor + User Access Administrator roles

# Add the 3 output values to GitHub Secrets:
# Go to: GitHub → Settings → Secrets and variables → Actions → New repository secret
# Add these secrets:
#   AZURE_CLIENT_ID (from script output)
#   AZURE_TENANT_ID (from script output)
#   AZURE_SUBSCRIPTION_ID (from script output)

Option B: Manual Setup

Follow: GitHub Secrets Setup Guide

Why These Roles? - Contributor: Deploy resources (VNet, Container Apps, AI Services) - User Access Administrator: Assign RBAC roles to managed identities - See ADR-027 for security justification

Step 2: Deploy Infrastructure (15-60 minutes)

Time Estimates: - Core infrastructure (VNet, AI Services, Monitoring): ~10-15 minutes - Container Apps Environment: ~10-15 minutes - VPN Gateway (optional): ~30-45 minutes ⚠️ - Total without VPN: ~20-30 minutes - Total with VPN: ~50-75 minutes

VPN Gateway Takes Time

VPN Gateway deployment is the longest step (~30-45 minutes). Deploy it only if you need direct VNet access from your local machine. You can use Azure Portal/Bastion for occasional access.

Option A: Manual Deployment (Recommended for Learning)

# Option 1: Deploy via PowerShell (local)
cd infrastructure/scripts
./Deploy-Infrastructure.ps1 -Environment dev -DeployVpnGateway $false

# Option 2: Deploy via GitHub UI (recommended)
# 1. Go to: GitHub → Actions → "Deploy Infrastructure"
# 2. Click "Run workflow"
# 3. Select environment: "dev"
# 4. Select deploy_vpn_gateway: false (unless needed)
# 5. Click "Run workflow"
# 6. Monitor progress in Actions tab (~20-30 minutes)

Option B: Automated Deployment (Optional)

Automated deployments are disabled by default in this reference implementation.

To enable automation: 1. Go to: .github/workflows/deploy-infrastructure.yml 2. Uncomment the push trigger (currently commented out) 3. Commit and push → deployment runs on every push to main

Why Manual by Default? - Educational: Understand each deployment step - Control: Deploy when ready, not on every commit - Cost: Avoid accidental infrastructure creation - Best Practice: Review before deploying to production

Step 3: Deploy Applications (10-15 minutes)

After infrastructure is ready:

Option A: Manual GitHub UI Deployment (Recommended)

# 1. Go to: GitHub → Actions → "Deploy API to Azure Container Apps"
# 2. Click "Run workflow"
# 3. Select environment: "dev"
# 4. Click "Run workflow"
# 5. Monitor progress (~10-15 minutes)

# Repeat for UI:
# Go to: GitHub → Actions → "Deploy UI to Azure Container Apps"
# Click "Run workflow"

Option B: Manual PowerShell Deployment

cd infrastructure/scripts
./Deploy-ContainerApps.ps1 -Environment dev

Option C: Enable Automated Deployment (Optional)

To auto-deploy on every commit: 1. Edit .github/workflows/deploy-api.yml and .github/workflows/deploy-ui.yml 2. Uncomment the push trigger 3. Commit → Apps deploy automatically on push to main

Step 4: Deploy AI Models (5 minutes)

Via Azure AI Foundry Portal:

  1. Go to: https://ai.azure.com
  2. Sign in with Azure credentials
  3. Select "Loan Defenders AI Project"
  4. Go to "Deployments" → "Create new deployment"
  5. Deploy required models:
  6. Model choice: GPT-4.1, GPT-5, or newer (developer preference)
  7. Recommended: Latest available model for best agent reasoning
  8. See AI Models Deployment Guide for details

Monitor deployment

gh run watch 

### Step 3: Deploy Container Platform (5-10 min)

```bash
# Deploy ACR and Container Apps Environment
gh workflow run deploy-container-platform.yml --field environment=dev

# Monitor deployment
gh run watch

Step 4: Deploy Applications (3-5 min)

# Deploy API, UI, and MCP servers
gh workflow run deploy-applications.yml --field environment=dev

# Monitor deployment
gh run watch

Step 5: Configure AI Models (5 min)

The infrastructure creates Azure AI Services, but you need to deploy specific models:

  1. Navigate to https://ai.azure.com
  2. Sign in with Azure credentials
  3. Select "Loan Defenders AI Project"
  4. Go to "Deployments" → "Create new deployment"
  5. Deploy required models:
  6. Model choice: GPT-4.1, GPT-5, or newer (developer preference)
  7. Recommended: Latest available model for best agent reasoning
  8. See AI Models Deployment Guide for details

Step 6: Verify It Works

# Get UI URL
az containerapp show \
  --name ldfdev-ui \
  --resource-group ldfdev-rg \
  --query properties.configuration.ingress.fqdn -o tsv

# Open in browser - you should see Loan Defenders UI

Done! You now have a production-ready deployment in Azure.

What Happens After First Deployment?

Automatic Deployments

  • Every push to main branch automatically deploys applications (Workflow 3)
  • No manual deployment needed for code changes
  • Takes 3-5 minutes per deployment

Manual Infrastructure Updates

  • Run Workflow 1 only when infrastructure changes (network, security, AI config)
  • Run Workflow 2 only when platform changes (ACR, Container Apps environment)

Development vs Production

Development Configuration (What You're Deploying)

  • Scale: 1-2 replicas per service
  • Resources: 0.5 vCPU, 1GB RAM per container
  • Cost: $100-215/month
  • Security: ✅ Full production-grade (VNet, NSGs, Managed Identity)
  • Performance: 100-200ms latency (acceptable for MVP)
  • When to use: MVP testing, development, demos

Production Configuration (Future Upgrade)

  • Scale: 2-10 replicas per service
  • Resources: 1.0 vCPU, 2GB RAM per container
  • Cost: $725-1,250/month
  • Security: ✅ Enhanced (+ OAuth2, WAF, DDoS protection)
  • Performance: <50ms latency, 99.95% SLA
  • When to use: Live production with real users

Recommendation: Start with dev, validate MVP, then scale to production when traffic demands it.

Common Questions

Do I need the VPN Gateway?

No for most use cases. Only deploy VPN Gateway if you need: - Private access to AI Foundry portal for troubleshooting - Direct access to internal Container Apps for debugging

Cost: $140-360/month - can disable when not needed.

Alternative: Use Azure Portal for occasional access (no VPN needed).

Can I deploy to my own Azure subscription?

Yes! The deployment works with any Azure subscription. Just ensure you have: - Contributor role (to create resources) - User Access Administrator role (to assign RBAC permissions)

How do I update just the application code?

Automatic: Push to main branch - GitHub Actions deploys automatically (3-5 min)

Manual: Run Workflow 3: 

gh workflow run deploy-applications.yml --field environment=dev

What if something goes wrong?

See the Troubleshooting section below or the comprehensive Troubleshooting Guide.

Security Highlights

Zero Trust Architecture

  • Private Networking: All backend services in private VNet (no public access)
  • Managed Identity: Applications authenticate without credentials
  • Network Security Groups: Firewall rules on every subnet
  • Private Endpoints: AI Services, Key Vault, Storage have no public access

Outcome: If an attacker compromises a container, they cannot access Azure services without proper RBAC permissions.

Compliance Features

  • Encryption at rest: Azure-managed keys
  • Encryption in transit: TLS 1.2+ for all communication
  • Audit logging: All deployments and access logged
  • RBAC: Least-privilege access (Cognitive Services OpenAI User, not Owner)

See: Detailed Security Architecture

Common Issues & Quick Fixes

Issue: "No core infrastructure deployment found"

Cause: Workflow 2 or 3 triggered before Workflow 1 completed

Fix: 

# Check Workflow 1 status
gh run list --workflow deploy-infrastructure.yml --limit 1

# Wait for completion, then retry
gh workflow run deploy-container-platform.yml --field environment=dev

Issue: "ACR name already taken"

Cause: Azure Container Registry names are globally unique

Fix: Edit infrastructure/bicep/environments/dev-container-platform.parameters.json and add a random suffix to acrName (e.g., ldfdevacr12345)

Issue: Container Apps deployment timeout

Normal: Container Apps Environment creation takes 5-10 minutes (external mode). If timeout exceeds 30 minutes, check Azure service health.

More help: See Comprehensive Troubleshooting Guide or Deployment Guide Troubleshooting

Next Steps

📚 Detailed Technical Documentation

For complete step-by-step instructions, architecture deep-dive, and advanced configuration:

→ Complete Deployment Guide

Includes: - Detailed security & reliability architecture - All 3 workflows explained in depth - Workflow discovery and dependency management - Comprehensive troubleshooting - Monitoring and cost optimization

🔧 Specific Deployment Tasks

Choose based on what you need:

  1. Azure Deployment Architecture - Detailed infrastructure architecture, network design, security controls
  2. AI Models Deployment - How to deploy and manage AI models dynamically
  3. RBAC Setup - Configure developer and application permissions
  4. VPN Setup - Enable developer VPN access (optional)
  5. Monitoring Setup - Configure alerts and dashboards
  6. CI/CD Configuration - Customize GitHub Actions workflows

🏗️ Architecture & Decisions

Understand why we made specific technical choices:

Need Help?

  1. Check Documentation:
  2. Complete Deployment Guide - Comprehensive technical guide
  3. Troubleshooting Guide - Common issues and solutions

  4. Azure Deployment Architecture - Deep-dive on architecture

  5. View Logs:

  6. GitHub Actions: gh run view RUN_ID --log
  7. Azure Portal: Resource Group → Deployments

  8. Container Apps: az containerapp logs show --name ldfdev-api --resource-group ldfdev-rg --follow

  9. Open GitHub Issue:

  10. Include deployment logs and error messages
  11. Tag with deployment label

Summary

You're deploying a production-ready system with: - ✅ Enterprise security (private networking, managed identity, Zero Trust) - ✅ Auto-scaling and health monitoring - ✅ Manual deployment by default (educational, cost-conscious) - ✅ Optional CI/CD automation (enable when ready) - ✅ Cost-optimized for MVP ($100-145/month without VPN) - ✅ Microsoft-maintained infrastructure (Azure Verified Modules)

Deployment Time: - First deployment: 30-60 minutes (without VPN) or 60-90 minutes (with VPN) - Application updates: 10-15 minutes - Infrastructure updates: 15-30 minutes

Key Points: - GitHub OIDC eliminates secrets (passwordless auth) - see ADR-027 - VPN Gateway adds 30-45 minutes to deployment time - Manual deployment is the default (enables in workflow files for automation) - Model choice is developer preference (GPT-4.1, GPT-5, or newer)

Ready to deploy? Follow the Quick Start above or see the Complete Deployment Guide for detailed instructions.

Last Updated: 2025-01-15