Azure Components Overview – Digital Lending Platform

  • Writer: Anand Nerurkar


1. Azure Front Door

Purpose:

  • Global load balancer + CDN for Angular SPA and API endpoints.

  • Provides DDoS protection, WAF (Web Application Firewall), and global failover (active-active regions).

Usage:

  • Angular app hosted in Azure Blob/Static Web App → traffic enters via Front Door.

  • Routes API requests to Azure API Management (APIM) backend.

  • Implements geo-filtering to restrict traffic to India (RBI compliance).

Key Features:

  • Layer 7 routing (path-based, header-based).

  • SSL/TLS termination (Azure-managed certs).

  • Global redundancy with automatic failover.

2. Azure API Management (APIM)

Purpose:

  • API gateway for all microservices (Loan, KYC, Credit, Fraud, etc.).

  • Centralized security, throttling, request transformation, versioning.

Usage:

  • Angular app → APIM → Istio Ingress → AKS microservices.

  • Multi-tenant: Separate policies for ICICI, HDFC tenants.

Compliance:

  • Logs API access to Azure Monitor (WORM archived for audit).

  • Enforces OAuth2/JWT via Azure AD B2C.

Key Features:

  • Rate limiting (e.g., OTP APIs capped at 5/min).

  • API versioning (v1/v2 during migration).

  • Request/response masking for PII.

3. Azure Kubernetes Service (AKS) with Istio

Purpose:

  • Host Java microservices (Spring Boot) for lending workflows.

  • Service mesh (Istio) handles:

    • mTLS for secure service-to-service communication.

    • Canary and blue-green deployments.

    • Traffic routing and observability.

Usage:

  • Each domain (Loan, KYC, Credit, Fraud, Disbursement) → separate microservice.

  • Private AKS cluster (no public endpoint), connected via VNet.

Compliance:

  • RBAC, network policies, private endpoints for databases.

  • Secrets injected from Azure Key Vault.

4. Azure Event Hubs (Kafka API)

Purpose:

  • Central event streaming backbone for event sourcing + CQRS.

  • Captures loan lifecycle events (LoanApplied, KYCVerified, etc.).

Usage:

  • Microservices publish/consume events via Kafka protocol.

  • Projections updated in Cosmos DB for real-time dashboards.

Compliance:

  • Events archived to Azure Data Lake (WORM) for 10-year RBI retention.

  • Encrypted with Azure-managed keys.

5. Azure Cosmos DB

Purpose:

  • NoSQL DB for projections, KYC documents, and real-time loan views.

  • Used by CQRS query side (fast reads for dashboards/mobile app).

Usage:

  • Materialized views (loan status, fraud flags) built from Event Hub streams.

  • Partitioned by tenantId for multi-tenant SaaS model.

Compliance:

  • Data residency in India regions.

  • Transparent encryption with CMK (Customer Managed Keys).
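As an added example (not code from the post), the query-side projection described in sections 4 and 5, in Python: loan-lifecycle events are replayed into a per-tenant materialized view, the tenantId partition key is part of the view key so tenants never mix, and duplicate or replayed deliveries are ignored. The event shape, sequence numbers and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample events, shaped like the loan-lifecycle events the page
# describes (assumption: each event carries tenantId as its partition key and
# a per-loan sequence number from the producer). The repeated HDFC KYCVerified
# stands in for an at-least-once redelivery from the stream.
SAMPLE_EVENTS: List[dict] = [
    {"tenantId": "ICICI", "loanId": "L-1", "seq": 1, "type": "LoanApplied", "amount": 500000},
    {"tenantId": "ICICI", "loanId": "L-1", "seq": 2, "type": "KYCVerified"},
    {"tenantId": "HDFC", "loanId": "L-1", "seq": 1, "type": "LoanApplied", "amount": 250000},
    {"tenantId": "ICICI", "loanId": "L-1", "seq": 3, "type": "FraudFlagged", "reason": "velocity"},
    {"tenantId": "HDFC", "loanId": "L-1", "seq": 2, "type": "KYCVerified"},
    {"tenantId": "HDFC", "loanId": "L-1", "seq": 3, "type": "LoanApproved"},
    {"tenantId": "HDFC", "loanId": "L-1", "seq": 2, "type": "KYCVerified"},
]
# Lifecycle events that move the loan status; FraudFlagged is tracked separately.
STATUS_BY_EVENT = {"LoanApplied": "APPLIED", "KYCVerified": "KYC_DONE",
                   "LoanApproved": "APPROVED", "Disbursed": "DISBURSED"}

@dataclass
class LoanView:
    """One row of the materialized loan-status view (what a dashboard reads)."""
    status: str = "UNKNOWN"
    amount: int = 0
    fraud_flag: bool = False
    fraud_reason: str = ""
    last_seq: int = 0  # highest applied sequence number; drives idempotency

def project(events: List[dict]) -> Dict[Tuple[str, str], LoanView]:
    """Replay events into per-(tenant, loan) views; reruns from the archive are safe."""
    views: Dict[Tuple[str, str], LoanView] = {}
    for ev in sorted(events, key=lambda e: (e["tenantId"], e["loanId"], e["seq"])):
        key = (ev["tenantId"], ev["loanId"])  # tenant first: loan ids are not global
        view = views.setdefault(key, LoanView())
        if ev["seq"] <= view.last_seq:
            continue  # duplicate or replayed event: already applied
        view.last_seq = ev["seq"]
        if ev["type"] == "FraudFlagged":
            view.fraud_flag, view.fraud_reason = True, ev.get("reason", "")
        elif ev["type"] in STATUS_BY_EVENT:
            view.status = STATUS_BY_EVENT[ev["type"]]
            if ev["type"] == "LoanApplied":
                view.amount = ev["amount"]
    return views

def tenant_dashboard(views: Dict[Tuple[str, str], LoanView], tenant: str) -> Dict[str, LoanView]:
    """Query-side read scoped to one tenant, so no dashboard sees another tenant's loans."""
    return {loan: v for (t, loan), v in views.items() if t == tenant}
```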

6. Azure SQL Database

Purpose:

  • Relational store for financial transactions, master loan data, compliance reporting.

Usage:

  • Microservices (Disbursement, Loan) maintain transactional consistency.

  • Synapse Analytics pulls from SQL for RBI/SEBI reports.

Compliance:

  • Transparent Data Encryption (TDE).

  • Geo-replication for active-active setup (Central India ↔ South India).

7. Azure Data Lake Storage (Gen2)

Purpose:

  • Immutable storage for event logs, audit trails, compliance data.

Usage:

  • Event Hub capture writes raw events to Data Lake.

  • Synapse Analytics queries Data Lake for fraud/NPA analysis.

Compliance:

  • WORM (Write Once Read Many) policy enabled (mandatory for RBI).

  • 10-year retention for audit logs.

8. Azure Synapse Analytics

Purpose:

  • Centralized analytics engine for regulatory and business dashboards.

Usage:

  • Consolidates data from Cosmos DB, Azure SQL, and Data Lake.

  • Powers Power BI dashboards for CXOs and auditors.

KPIs Monitored:

  • Loan approval turnaround time

  • Fraud detection accuracy

  • Drop-off rates during KYC

9. Azure DevOps (CI/CD + DevSecOps)

Purpose:

  • Automated build, test, security scan, and deployment pipeline.

Usage:

  • CI: Maven build → Unit tests → SonarQube (SAST) → Dependency check → Docker → ACR.

  • CD: Helm deploy → Istio canary → DAST (OWASP ZAP) → Azure Policy compliance check.

Compliance:

  • Integrates Azure Policy for continuous compliance checks (deny non-India regions).

  • Tracks deployment audit logs.

10. Azure Container Registry (ACR)

Purpose:

  • Secure storage for container images used by AKS.

Usage:

  • Microservices built as Docker images → pushed to ACR → pulled by AKS at deploy time.

Compliance:

  • Private link to AKS (no public exposure).

  • Image scanning with Microsoft Defender for Containers.

11. Azure Key Vault

Purpose:

  • Centralized secrets, keys, and certificate management.

Usage:

  • Stores DB passwords, API keys, TLS certs.

  • Injected into microservices via Key Vault CSI driver.

Compliance:

  • RBAC enforcement for secret access.

  • Automatic key rotation (90 days).

12. Azure Policy & Blueprints

Purpose:

  • Governance and compliance enforcement.

Usage:

  • Restrict resources to India region.

  • Enforce encryption-at-rest for all storage accounts.

  • Deny deployment of public IPs on sensitive workloads.

Blueprint:

  • Combines policies for VNet, AKS, APIM, Key Vault, Event Hub.
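As an added example (not the post's own code), the governance rules of this section written in Azure Policy's policyRule grammar (if/then with field, equals, notIn, allOf) and checked by a small Python evaluator that mirrors only the subset of Azure Policy semantics it needs. The dataClass tag used to mark sensitive workloads is a constructed convention, not an Azure built-in.

```python
from typing import Dict, List

# Policy definitions in Azure Policy's own policyRule shape. Assumptions: the
# 'location' and 'type' fields are Azure's standard aliases; the dataClass tag
# is a constructed convention for marking sensitive workloads.
ALLOWED_REGIONS = ["centralindia", "southindia"]
POLICIES: Dict[str, dict] = {
    "deny-non-india-regions": {
        "if": {"field": "location", "notIn": ALLOWED_REGIONS},
        "then": {"effect": "deny"},
    },
    "deny-public-ip-on-sensitive": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
            {"field": "tags['dataClass']", "equals": "sensitive"},
        ]},
        "then": {"effect": "deny"},
    },
}

def _norm(value):
    # Azure Policy string comparisons are case-insensitive; normalize both sides.
    return value.lower() if isinstance(value, str) else value

def get_field(resource: dict, name: str):
    """Resolve a field reference; tags['x'] reads the resource's tag map."""
    if name.startswith("tags['") and name.endswith("']"):
        return _norm(resource.get("tags", {}).get(name[6:-2]))
    return _norm(resource.get(name))

def matches(cond: dict, resource: dict) -> bool:
    """Evaluate one condition node against a resource (subset of the grammar)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource: dict, policies: Dict[str, dict] = POLICIES) -> List[str]:
    """Names of policies whose deny effect fires for this resource; [] means allowed."""
    return [name for name, p in policies.items()
            if p["then"]["effect"] == "deny" and matches(p["if"], resource)]
```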

13. Azure Traffic Manager

Purpose:

  • DNS-based load balancing between active-active regions.

Usage:

  • Routes user requests to nearest healthy region (Central vs South India).

  • Failover in case of regional outage.

Compliance:

  • Health probes monitored and logged for SLA reporting.

14. Azure Monitor + Application Insights

Purpose:

  • Observability and alerting for microservices and infrastructure.

Usage:

  • Collects logs, metrics, distributed traces (via Istio).

  • Alerts for SLA breaches (loan approval latency > 5 mins).

Compliance:

  • Logs exported to Data Lake for 7–10 year retention.

15. Azure Virtual Network (VNet) + NSG

Purpose:

  • Network isolation: public (Angular) vs private (AKS, DBs).

Usage:

  • Public subnet: Angular SPA, APIM, Front Door.

  • Private subnet: AKS, Cosmos DB, SQL, Event Hub.

  • NSGs enforce strict east-west traffic controls.

16. Hybrid Connectivity (VPN/ExpressRoute)

Purpose:

  • Connect modern microservices to legacy core banking/loan system.

Usage:

  • ExpressRoute (primary) + VPN Gateway (failover).

  • Used for data migration, real-time reconciliation.

Compliance:

  • Traffic encrypted; monitored via Azure Firewall logs.

Integration Flow (Text Version)

User (Mobile/Web)
  |
Azure Front Door (WAF + Global LB)
  |
API Management (Rate limit, JWT)
  |
Istio Ingress (AKS private cluster)
  |
Java Microservices (Loan, KYC, Credit, Fraud)
  |
Event Hub (Kafka) <---> Cosmos DB (Projections)
  |
Azure SQL (Core data) <---> Legacy Loan System (Hybrid VPN/ExpressRoute)
  |
Data Lake (WORM) <---> Synapse Analytics
  |
Power BI (CXO & RBI/SEBI dashboards)

Why This Architecture Fits BFSI

  • Regulatory compliance (RBI, SEBI, PCI DSS):

    • Data residency in India.

    • WORM audit logs.

    • Tokenization of sensitive data (Key Vault).

  • Resilience:

    • Active-active across two regions.

    • Traffic Manager + Front Door failover.

  • Scalability:

    • Event-driven with Event Hub + KEDA auto-scaling on AKS.

  • Security:

    • Istio mTLS, APIM policies, NSG segregation, WAF.

  • Observability:

    • End-to-end tracing via Application Insights + Istio.

 
 
 
