From AKS overheads to cloud-native freedom with Azure Container Apps
Scalene Solutions needed to reduce the operational burden of running Kubernetes while maintaining enterprise-grade security for their retail intelligence platform. We audited their Azure environment, redesigned the architecture using the Well-Architected Framework, and migrated workloads from AKS to Azure Container Apps with full Bicep automation.
The challenge
Scalene Solutions operates a data science platform that helps major retailers like Mecca, Myer, Officeworks, and WHSmith optimise their retail spaces. Their platform runs as a fleet of microservices on Azure, serving clients who generate over US$120 billion in combined annual sales.
The platform was originally deployed on Azure Kubernetes Service (AKS). While powerful, AKS brought significant operational overhead: patching nodes, managing cluster upgrades, configuring networking, and the constant care a Kubernetes cluster demands. Scalene’s engineers were spending too much time on infrastructure maintenance and not enough on building their core retail intelligence product.
They needed a path that would reduce infrastructure complexity without compromising security or performance.
What we did
We started with an audit of the existing Azure environment using Microsoft’s Well-Architected Framework and Azure Verified Modules. This gave us a clear picture of what was working, what was over-engineered, and where the operational pain points were.
From there, we designed and executed a migration from AKS to Azure Container Apps. The key components of the new architecture:
- Azure Container Apps: Fully managed, serverless container environment. Scalene’s microservices run without any cluster management overhead.
- Application Gateway with WAF: Positioned in front of the private Container Apps, providing Web Application Firewall protection, centralised SSL termination, and host-based routing.
- Private VNet deployment: All Container Apps sit inside a private virtual network. No public endpoints. Traffic only enters through the Application Gateway.
- Microsoft Entra ID: Role-based access control with granular permissions for managing the gateway and container environments.
- Bicep infrastructure as code: Every component is defined in Bicep templates using loop constructs. Adding a new microservice means adding one entry to a parameter array, not writing dozens of lines of configuration.
Bicep automation in practice
The Bicep templates dynamically provision HTTPS listeners, backend address pools, health probes, and routing rules for each microservice from a single parameter array. The entire Application Gateway configuration is generated from this structure:
containerApps: [
  {
    name: 'space-advisor'
    fqdn: 'space.scalenesolutions.com'
    certName: 'space-advisor-cert'
    customDomainName: 'internal.scalene.net'
    probeHost: 'space.scalenesolutions.com'
    timeoutSeconds: 30
  }
  {
    name: 'assortment-advisor'
    fqdn: 'assortment.scalenesolutions.com'
    certName: 'assortment-cert'
    customDomainName: 'internal.scalene.net'
    probeHost: 'assortment.scalenesolutions.com'
    timeoutSeconds: 30
  }
]
This approach means deployments are repeatable, auditable, and fast. No manual Azure portal configuration. No configuration drift between environments.
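The loop pattern described above, sketched as an added example (this is not Scalene's template or code from the engagement): each Application Gateway collection is a Bicep for-expression over the containerApps array. The child-name suffixes, the frontend names `frontend-ip` and `port-443`, the probe path, the backend FQDN format and the mapping of timeoutSeconds to the probe and request timeouts are assumptions.

```bicep
// Added illustration, not the project's template. Child-name suffixes, the frontend
// names, probe path, backend FQDN format and use of timeoutSeconds are assumptions.
param gatewayName string = 'agw-example' // hypothetical gateway name
param containerApps array // the parameter array shown above
var agw = 'Microsoft.Network/applicationGateways'
var backendAddressPools = [for app in containerApps: {
  name: '${app.name}-pool'
  properties: { backendAddresses: [ { fqdn: '${app.name}.${app.customDomainName}' } ] }
}]

var probes = [for app in containerApps: {
  name: '${app.name}-probe'
  properties: { protocol: 'Https', host: app.probeHost, path: '/', interval: 30, timeout: app.timeoutSeconds, unhealthyThreshold: 3 }
}]

var backendHttpSettingsCollection = [for app in containerApps: {
  name: '${app.name}-settings'
  properties: {
    port: 443
    protocol: 'Https' // keep the gateway-to-app hop encrypted as well
    hostName: app.fqdn
    requestTimeout: app.timeoutSeconds
    probe: { id: resourceId('${agw}/probes', gatewayName, '${app.name}-probe') }
  }
}]

var httpListeners = [for app in containerApps: {
  name: '${app.name}-listener'
  properties: {
    protocol: 'Https' // HTTPS only; TLS terminates at the gateway
    hostName: app.fqdn // host-based routing key
    frontendIPConfiguration: { id: resourceId('${agw}/frontendIPConfigurations', gatewayName, 'frontend-ip') }
    frontendPort: { id: resourceId('${agw}/frontendPorts', gatewayName, 'port-443') }
    sslCertificate: { id: resourceId('${agw}/sslCertificates', gatewayName, app.certName) }
  }
}]

var requestRoutingRules = [for (app, i) in containerApps: {
  name: '${app.name}-rule'
  properties: {
    ruleType: 'Basic'
    priority: 100 + i // priorities must be unique per rule
    httpListener: { id: resourceId('${agw}/httpListeners', gatewayName, '${app.name}-listener') }
    backendAddressPool: { id: resourceId('${agw}/backendAddressPools', gatewayName, '${app.name}-pool') }
    backendHttpSettings: { id: resourceId('${agw}/backendHttpSettingsCollection', gatewayName, '${app.name}-settings') }
  }
}]

output generated object = { backendAddressPools: backendAddressPools, probes: probes, backendHttpSettingsCollection: backendHttpSettingsCollection, httpListeners: httpListeners, requestRoutingRules: requestRoutingRules }
```

Each variable maps to the property of the same name on a `Microsoft.Network/applicationGateways` resource, so a reviewer can diff the generated output against the deployed gateway to confirm that every listener is HTTPS and bound to a certificate.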
The results
The migration delivered measurable improvements across operations, security, and developer productivity:
- Infrastructure overhead dropped by roughly 70%. No more node patching, cluster upgrades, or Kubernetes networking configuration. Azure manages the container runtime.
- Deployment speed tripled. New microservices go from code to production in hours, not days. The Bicep parameter array approach eliminated the bottleneck of manual gateway configuration.
- Security posture improved. All Container Apps are private. WAF inspects every inbound request. SSL is centralised. Access is controlled through Entra ID with granular RBAC.
- Engineering time was freed up. Scalene’s developers now spend their time building retail intelligence features, not managing infrastructure.
Why this matters
This engagement shows what happens when cloud architecture is designed around business outcomes rather than technology preferences. Scalene Solutions did not need Kubernetes. They needed a secure, managed platform that would let their team focus on their product. Azure Container Apps, properly architected with Application Gateway and Bicep automation, delivered exactly that.
We documented the technical details of the Application Gateway and Bicep loop patterns in a separate blog post: Securing Private Azure Container Apps with Application Gateway and Bicep Automation.