Multi‑Cloud Angular Delivery in 2025: AWS, Azure, GCP with CI/CD via GitHub Actions, Jenkins, and Azure DevOps

Platform-delivery · · · 9 minute read

Multi‑Cloud Angular Delivery in 2025: AWS, Azure, GCP with CI/CD via GitHub Actions, Jenkins, and Azure DevOps

One repo, three clouds, zero drama: how I ship Angular 20+ to AWS, Azure, and GCP with repeatable CI/CD, runtime config, and measurable outcomes.

Matthew Charlton

Senior Angular Engineer & Platform/DX Consultant

Matthew Charlton is a remote Angular consultant with 10+ years building enterprise applications for Fortune 100 companies in aviation, media, telecommunications, and insurance. Creator of gitPlumbers (stabilizing and modernizing AI-assisted and legacy systems so teams can ship faster, scale confidently, and innovate without chaos), IntegrityLens (revolutionizing hiring with comprehensive candidate verification and technical assessment using cutting-edge AI and multi-layered authentication), and SageStepper (the AI interview studio built for students and professionals who want to turn practice into panel-ready confidence through adaptive mock interviews and auto-coached feedback). Currently accepting 1-2 select Angular projects per quarter.

One repo, three clouds, zero drama. Build once, inject config at deploy, and let CI do the cloud‑specific heavy lifting.
Back to all posts

The Multi‑Cloud Ask: Ship Angular to AWS, Azure, and GCP Without Duplication

A real scene from the field

At a global entertainment company and Charter, I’ve had the call: “Leadership wants multi‑cloud. Can we ship the Angular dashboard to AWS, Azure, and GCP by end of sprint—no regressions?” If you’ve ever watched deep links 404 behind CloudFront or Azure Front Door while Jenkins and GitHub Actions both fight over artifacts, you know the pain.

Here’s how I do it today with Angular 20+, Signals/SignalStore, Nx, PrimeNG, SSR, and Docker—measured with Core Web Vitals, flame charts, and CI budgets. This is the platform/delivery playbook I’ve used on a broadcast media network VPS scheduling and an insurance technology company telematics dashboards, and it scales to kiosks (United) with offline‑tolerant flows.

Why Multi‑Cloud Angular Delivery Matters in 2025

Business drivers you can defend

As enterprises plan 2025 Angular roadmaps, multi‑cloud isn’t hype. It’s resilience. A CDN misconfig shouldn’t take your employee tracker (a global entertainment company) or ads analytics (Charter) offline. When you hire an Angular developer or bring in an Angular consultant, ask how they separate build from deploy, and how they automate cloud‑specific edges without duplicating app code.

  • Resilience and vendor risk

  • Latency to global users

  • Compliance/sovereignty

  • Negotiation leverage

The measurable goals

If we can’t measure it, we don’t ship it. Angular DevTools render counts, Lighthouse CI budgets, Sentry release health, and GA4/Firebase Performance are part of the deployment definition of done.

  • <2s TTI on SSR routes from three regions

  • 99.98% uptime under CDN purges

  • <10 min rollback across providers

  • No rebuilds for config changes

Build Once, Deploy Anywhere: Cloud‑Agnostic Artifacts and Runtime Config

// app/runtime-config.service.ts (Angular 20+)
import { Injectable, inject, signal } from '@angular/core';

export type AppConfig = { apiUrl: string; sentryDsn?: string; cdnRegion?: string };

@Injectable({ providedIn: 'root' })
export class RuntimeConfigService {
  private cfg = signal<AppConfig>({ apiUrl: '/api' });
  readonly config = this.cfg.asReadonly();

  async load(): Promise<void> {
    const res = await fetch('/assets/config.json', { cache: 'no-store' });
    this.cfg.set(await res.json());
  }
}

// main.ts
import { bootstrapApplication } from '@angular/platform-browser';
import { AppComponent } from './app/app.component';
import { RuntimeConfigService } from './app/runtime-config.service';

(async () => {
  const cfg = new RuntimeConfigService();
  await cfg.load();
  await bootstrapApplication(AppComponent, { providers: [{ provide: RuntimeConfigService, useValue: cfg }] });
})();

# During deploy, write cloud-specific config without rebuild
cat > dist/apps/web/assets/config.json <<EOF
{ "apiUrl": "https://api.prod.example.com", "sentryDsn": "$SENTRY_DSN", "cdnRegion": "$REGION" }
EOF

Principles that prevent duplication

The trap is embedding env vars at compile time. Instead, build once and inject environment at deploy. For SSR, keep Node server reading process.env; for static, load a small JSON at runtime.

  • One Nx workspace, one Angular build (SSR optional)

  • Immutable asset hashing; short‑TTL shell (index.html)

  • Runtime config injection (no rebuild per cloud)

  • Feature flags via Firebase Remote Config or App Config

Runtime config example (static hosting)

Generate config.json during deploy; read with Signals for reactivity if needed.

SSR Containers that Run on Any Cloud

# Dockerfile for Angular SSR (Angular 20+, Node 20)
FROM node:20-alpine AS build
WORKDIR /workspace
COPY package*.json ./
RUN npm ci --no-audit --no-fund
COPY . .
RUN npx nx build web-ssr --configuration=production

FROM node:20-alpine AS runtime
WORKDIR /app
ENV NODE_ENV=production PORT=8080
COPY --from=build /workspace/dist/apps/web-ssr/ .
# Optional: provide runtime env to SSR via env vars
EXPOSE 8080
CMD ["node", "server/main.js"]

Why containers

for a major airline’s kiosk simulation we standardized on Docker to keep hardware APIs consistent in CI. The same approach keeps Angular SSR consistent across clouds.

  • Same artifact for Cloud Run, App Service, or Fargate

  • Faster cold starts vs ad‑hoc Node provisioning

  • Easier canaries and rollbacks

Multi‑stage Dockerfile for Angular SSR

CDN and Storage Topologies by Cloud

Static hosting patterns

Keep immutable assets cached for a year; keep index.html at 60–300s to allow quick rollbacks. Deep link routing requires single‑page app rewrites in each CDN.

  • AWS: S3 + CloudFront (OAC)

  • Azure: Blob Static Website + Front Door (Rules Engine)

  • GCP: Cloud Storage + Cloud CDN (HTTPS LB)

SSR behind CDN

Cache only safe routes; tag responses with Cache‑Control: s-maxage and a versioned surrogate key for purges.

  • AWS: ALB -> Fargate or Lambda@Edge for simple rewrites

  • Azure: App Service behind Front Door

  • GCP: Cloud Run behind HTTPS LB + CDN

GitHub Actions Matrix: Deploy to AWS, Azure, GCP with OIDC

name: deploy-multicloud
on:
  push:
    tags: [ 'v*.*.*' ]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npm ci --no-audit --no-fund
      - run: npx nx build web --configuration=production
      - uses: actions/upload-artifact@v4
        with: { name: web-dist, path: dist/apps/web }
  deploy:
    needs: build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        cloud: [ aws, azure, gcp ]
    steps:
      - uses: actions/download-artifact@v4
        with: { name: web-dist, path: dist }
      - name: Write runtime config
        run: |
          jq -n --arg dsn "$SENTRY_DSN" '{apiUrl:"https://api.example.com", sentryDsn:$dsn}' > dist/assets/config.json
      - name: AWS deploy
        if: matrix.cloud == 'aws'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - if: matrix.cloud == 'aws'
        run: |
          aws s3 sync dist s3://$S3_BUCKET --delete --cache-control max-age=31536000,immutable --exclude index.html
          aws s3 cp dist/index.html s3://$S3_BUCKET/index.html --cache-control max-age=120
          aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths /index.html
      - name: Azure deploy
        if: matrix.cloud == 'azure'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - if: matrix.cloud == 'azure'
        run: |
          az storage blob upload-batch -s dist -d '$web' --account-name $AZURE_STORAGE --overwrite
          az cdn endpoint purge -g $AZ_RG -n $AZ_CDN --profile-name $AZ_PROFILE --content-paths '/index.html'
      - name: GCP deploy
        if: matrix.cloud == 'gcp'
        uses: google-github-actions/auth@v2
        with: { workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}, service_account: ${{ secrets.GCP_SA }} }
      - if: matrix.cloud == 'gcp'
        uses: google-github-actions/setup-gcloud@v2
      - if: matrix.cloud == 'gcp'
        run: |
          gsutil -m rsync -r dist gs://$GCS_BUCKET
          gcloud compute url-maps invalidate-cdn-cache $URL_MAP --path '/index.html' --global

Why OIDC

This is my default for IntegrityLens and SageStepper. It keeps secrets out of repos and shortens incident response.

  • No long‑lived keys

  • Fine‑grained, auditable access

  • Works across AWS/Azure/GCP

Reusable workflow example

Build once, then deploy per cloud.

Jenkins and Azure DevOps Pipelines That Won’t Fork Your Build

// Jenkinsfile
pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        sh 'npm ci --no-audit --no-fund'
        sh 'npx nx build web --configuration=production'
        stash includes: 'dist/apps/web/**', name: 'web'
      }
    }
    stage('Deploy') {
      parallel {
        stage('AWS') {
          steps {
            unstash 'web'
            withAWS(role: env.AWS_ROLE_ARN, region: 'us-east-1') {
              sh 'aws s3 sync dist/apps/web s3://$S3_BUCKET --delete'
              sh 'aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths /index.html'
            }
          }
        }
        stage('Azure') {
          steps {
            unstash 'web'
            withCredentials([azureServicePrincipal('AZURE_CREDS')]) {
              sh 'az storage blob upload-batch -s dist/apps/web -d $web --account-name $AZURE_STORAGE --overwrite'
            }
          }
        }
        stage('GCP') {
          steps {
            unstash 'web'
            sh 'gsutil -m rsync -r dist/apps/web gs://$GCS_BUCKET'
          }
        }
      }
    }
  }
}

# azure-pipelines.yml
trigger:
  branches: { include: [ main ] }
stages:
- stage: Build
  jobs:
  - job: Build
    pool: { vmImage: 'ubuntu-latest' }
    steps:
    - task: NodeTool@0
      inputs: { versionSpec: '20.x' }
    - script: |
        npm ci --no-audit --no-fund
        npx nx build web --configuration=production
      displayName: Build
    - publish: dist/apps/web
      artifact: web
- stage: Deploy
  dependsOn: Build
  jobs:
  - deployment: Deploy_Azure
    environment: prod-azure
    strategy:
      runOnce:
        deploy:
          steps:
          - download: current
            artifact: web
          - task: AzureCLI@2
            inputs:
              azureSubscription: AzureServiceConnection
              scriptType: bash
              scriptLocation: inlineScript
              inlineScript: |
                az storage blob upload-batch -s $(Pipeline.Workspace)/web -d '$web' --account-name $(AZURE_STORAGE) --overwrite

Jenkinsfile (a broadcast media network/Legacy environments)

Keep build in one stage, fan out deploys.

Azure DevOps YAML (Charter/Enterprise)

Use service connections with approvals and gates.

Guardrails: Smoke Tests, Lighthouse Budgets, and Canaries

- name: Lighthouse CI
  run: |
    npx @lhci/cli autorun \
      --collect.url=https://$PROD_URL \
      --assert.assertions.document-size:maxNumericValue=500 \
      --assert.assertions.interactive:maxNumericValue=2000 \
      --upload.target=temporary-public-storage

Automate what fails first

at a leading telecom provider we blocked deploy if TTI regressed >10%. For kiosks, we simulate offline and device APIs in Docker before rollout. Tie these to CI so multi‑cloud doesn’t multiply risk.

  • Cypress smoke hits top routes post‑deploy

  • Lighthouse CI budget gates (bundle size/TTI)

  • Sentry release health and API pings

  • Blue/green or 1–5% canary before 100%

Lighthouse gate example (GitHub Actions)

When to Hire an Angular Developer for Multi‑Cloud Delivery

Bring in help when you see this

An Angular expert should consolidate builds, introduce OIDC, and codify CDN rules. If you need an Angular consultant with a global entertainment company/United/Charter experience, I can review your setup in a week and ship the first safe deployment thereafter.

  • Rebuilds per environment are slowing releases

  • CDN cache rules cause deep‑link 404s

  • Secrets are copied between CI systems

  • Rollbacks take >15 minutes or require hotfix builds

Related Resources

Key takeaways

  • Treat the Angular app as a cloud‑agnostic artifact; inject environment at deploy time to avoid rebuilds.
  • Use OIDC/workload identity for cloud auth—no long‑lived keys in CI.
  • Pin static assets to immutable hashed paths and purge CDNs only for index.html and SSR routes.
  • Matrix CI/CD lets one workflow deploy to AWS, Azure, and GCP with cloud‑specific steps.
  • Add automated smoke tests, Lighthouse budgets, and canary rollouts to prevent bad releases across providers.

Implementation checklist

  • Angular 20+ build with SSR option and hashed assets
  • Runtime config injected per cloud at deploy time
  • OIDC/Federated identity set up for AWS, Azure, GCP
  • CDN configured with immutable caching for assets and short TTL for index.html
  • Matrix CI/CD across GitHub Actions/Jenkins/Azure DevOps
  • Blue/green or canary deploy with instant rollback
  • Automated smoke + Lighthouse performance budgets in CI
  • Sentry + OpenTelemetry wired with environment/region tags
  • Infra docs with DR/Failover steps and TTLs
  • Weekly deployment drills across all clouds

Questions we hear from teams

How much does it cost to hire an Angular developer for multi‑cloud delivery?
Typical engagements start with a 1‑week assessment ($6–10k) and 2–6 weeks to implement CI/CD, runtime config, and CDN rules. Fixed‑fee options are available once scope is clear.
How long does a multi‑cloud Angular rollout take?
For a mature app, 2–4 weeks. If SSR, edge rewrites, or kiosk offline flows are involved, expect 4–8 weeks. We ship in increments with canaries and zero‑downtime rollbacks.
What CI/CD should we choose: GitHub Actions, Jenkins, or Azure DevOps?
Use what your org trusts. I often build once in GitHub Actions and fan out deploys. Jenkins remains for on‑prem; Azure DevOps excels with approvals and service connections.
Can we keep SSR deterministic with Signals and SignalStore?
Yes. Build SSR in a container, keep env at runtime, and use typed adapters for any RxJS streams. Measure with render counts and flame charts to prevent regressions.
What does a typical engagement include?
Assessment, CI/CD pipeline templates, OIDC setup, CDN rules per cloud, runtime config, smoke/perf budgets, Sentry/Otel wiring, and hand‑off docs. Discovery call within 48 hours; assessment delivered in 5 business days.

Ready to level up your Angular experience?

Let AngularUX review your Signals roadmap, design system, or SSR deployment plan.

Hire Matthew – Remote Angular Expert for Multi‑Cloud Delivery See Multi‑Cloud CI/CD Templates and Live Apps

NG Wave

Angular Component Library

A comprehensive collection of 110+ animated, interactive, and customizable Angular components. Converted from React Bits with full feature parity, built with Angular Signals, GSAP animations, and Three.js for stunning visual effects.

Explore Components
NG Wave Component Library

Related resources