Azure Components Overview – Digital Lending Platform
- Anand Nerurkar
1. Azure Front Door
Purpose:
Global load balancer + CDN for Angular SPA and API endpoints.
Provides DDoS protection, WAF (Web Application Firewall), and global failover (active-active regions).
Usage:
Angular app hosted in Azure Blob/Static Web App → traffic enters via Front Door.
Routes API requests to Azure API Management (APIM) backend.
Implements geo-filtering to restrict traffic to India (RBI compliance).
Key Features:
Layer 7 routing (path-based, header-based).
SSL/TLS termination (Azure-managed certs).
Global redundancy with automatic failover.
2. Azure API Management (APIM)
Purpose:
API gateway for all microservices (Loan, KYC, Credit, Fraud, etc.).
Centralized security, throttling, request transformation, versioning.
Usage:
Angular app → APIM → Istio Ingress → AKS microservices.
Multi-tenant: Separate policies for ICICI, HDFC tenants.
Compliance:
Logs API access to Azure Monitor; the logs are archived to WORM storage for audit.
Enforces OAuth2/JWT via Azure AD B2C.
Key Features:
Rate limiting (e.g., OTP APIs capped at 5/min).
API versioning (v1/v2 during migration).
Request/response masking for PII.
3. Azure Kubernetes Service (AKS) with Istio
Purpose:
Host Java microservices (Spring Boot) for lending workflows.
Service mesh (Istio) handles:
mTLS for secure service-to-service communication.
Canary and blue-green deployments.
Traffic routing and observability.
Usage:
Each domain (Loan, KYC, Credit, Fraud, Disbursement) → separate microservice.
Private AKS cluster (no public endpoint), connected via VNet.
Compliance:
RBAC, network policies, private endpoints for databases.
Secrets injected from Azure Key Vault.
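As an added illustration of the Istio controls listed above (not configuration from the original post), the policies below turn on mesh-wide STRICT mTLS, deny everything in the lending namespace by default, and then allow only the Loan and Fraud services to call the Credit service. The namespace `lending`, the service-account and `app` label names, and the `/api/v1/credit/*` path are assumptions.

```yaml
# Mesh-wide: every sidecar must present a workload certificate; plaintext
# calls from anything without a sidecar are rejected. Names are assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace => applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# Default deny in the lending namespace: an AuthorizationPolicy with no
# rules rejects every request not explicitly allowed by another policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: lending
spec: {}
---
# Only the Loan and Fraud services may call the Credit service, and only
# on its API paths. Principals are SPIFFE identities taken from the mTLS
# client certificate, so a caller cannot spoof them with a header.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: credit-service-callers
  namespace: lending
spec:
  selector:
    matchLabels:
      app: credit-service
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/lending/sa/loan-service
              - cluster.local/ns/lending/sa/fraud-service
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/v1/credit/*"]
```

A call from any other workload, or from a pod without a sidecar, fails with HTTP 403 (RBAC: access denied) or a TLS handshake error, which is what to look for in the sidecar access logs when onboarding a new service.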
4. Azure Event Hubs (Kafka API)
Purpose:
Central event streaming backbone for event sourcing + CQRS.
Captures loan lifecycle events (LoanApplied, KYCVerified, etc.).
Usage:
Microservices publish/consume events via Kafka protocol.
Projections updated in Cosmos DB for real-time dashboards.
Compliance:
Events archived to Azure Data Lake (WORM) for 10-year RBI retention.
Encrypted with Azure-managed keys.
5. Azure Cosmos DB
Purpose:
NoSQL DB for projections, KYC documents, and real-time loan views.
Used by CQRS query side (fast reads for dashboards/mobile app).
Usage:
Materialized views (loan status, fraud flags) built from Event Hub streams.
Partitioned by tenantId for multi-tenant SaaS model.
Compliance:
Data residency in India regions.
Transparent encryption with CMK (Customer Managed Keys).
6. Azure SQL Database
Purpose:
Relational store for financial transactions, master loan data, compliance reporting.
Usage:
Microservices (Disbursement, Loan) maintain transactional consistency.
Synapse Analytics pulls from SQL for RBI/SEBI reports.
Compliance:
Transparent Data Encryption (TDE).
Geo-replication for active-active setup (Central India ↔ South India).
7. Azure Data Lake Storage (Gen2)
Purpose:
Immutable storage for event logs, audit trails, compliance data.
Usage:
Event Hub capture writes raw events to Data Lake.
Synapse Analytics queries Data Lake for fraud/NPA analysis.
Compliance:
WORM (Write Once Read Many) policy enabled (mandatory for RBI).
10-year retention for audit logs.
8. Azure Synapse Analytics
Purpose:
Centralized analytics engine for regulatory and business dashboards.
Usage:
Consolidates data from Cosmos DB, Azure SQL, and Data Lake.
Powers Power BI dashboards for CXOs and auditors.
KPIs Monitored:
Loan approval turnaround time
Fraud detection accuracy
Drop-off rates during KYC
9. Azure DevOps (CI/CD + DevSecOps)
Purpose:
Automated build, test, security scan, and deployment pipeline.
Usage:
CI: Maven build → Unit tests → SonarQube (SAST) → Dependency check → Docker → ACR.
CD: Helm deploy → Istio canary → DAST (OWASP ZAP) → Azure Policy compliance check.
Compliance:
Integrates Azure Policy for continuous compliance checks (deny non-India regions).
Tracks deployment audit logs.
10. Azure Container Registry (ACR)
Purpose:
Secure storage for container images used by AKS.
Usage:
Microservices built as Docker images → pushed to ACR → pulled by AKS at deploy time.
Compliance:
Private link to AKS (no public exposure).
Image scanning with Microsoft Defender for Containers.
11. Azure Key Vault
Purpose:
Centralized secrets, keys, and certificate management.
Usage:
Stores DB passwords, API keys, TLS certs.
Injected into microservices via Key Vault CSI driver.
Compliance:
RBAC enforcement for secret access.
Automatic key rotation (90 days).
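An added example (not from the original post) of the Key Vault CSI driver injection mentioned here and in section 3: a SecretProviderClass names the Key Vault objects to project, and the Loan service pod mounts them as read-only files instead of carrying credentials in its image, environment or Helm values. The namespace, service names, the Workload Identity setup and every angle-bracket value are assumptions or placeholders.

```yaml
# Which Key Vault objects to project, read with Azure AD Workload Identity.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: loan-service-secrets
  namespace: lending
spec:
  provider: azure
  parameters:
    clientID: "<workload-identity-client-id>"   # placeholder
    tenantId: "<azure-ad-tenant-id>"            # placeholder
    keyvaultName: "<keyvault-name>"             # placeholder
    objects: |
      array:
        - |
          objectName: loan-db-password
          objectType: secret
---
# The secret appears as /mnt/secrets/loan-db-password inside the pod only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: loan-service
  namespace: lending
spec:
  selector:
    matchLabels:
      app: loan-service
  template:
    metadata:
      labels:
        app: loan-service
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: loan-service   # annotated with azure.workload.identity/client-id
      containers:
        - name: loan-service
          image: <acr-name>.azurecr.io/loan-service:1.0.0   # placeholder
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: loan-service-secrets
```

Because the driver authenticates with the pod's federated identity, no Key Vault credential is stored in the cluster, and Key Vault access logs show the Loan service's own identity reading the secret.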
12. Azure Policy & Blueprints
Purpose:
Governance and compliance enforcement.
Usage:
Restrict resources to India region.
Enforce encryption-at-rest for all storage accounts.
Deny deployment of public IPs on sensitive workloads.
Blueprint:
Combines policies for VNet, AKS, APIM, Key Vault, Event Hub.
13. Azure Traffic Manager
Purpose:
DNS-based load balancing between active-active regions.
Usage:
Routes user requests to nearest healthy region (Central vs South India).
Failover in case of regional outage.
Compliance:
Health probes monitored and logged for SLA reporting.
14. Azure Monitor + Application Insights
Purpose:
Observability and alerting for microservices and infrastructure.
Usage:
Collects logs, metrics, distributed traces (via Istio).
Alerts for SLA breaches (loan approval latency > 5 mins).
Compliance:
Logs exported to Data Lake for 7–10 year retention.
15. Azure Virtual Network (VNet) + NSG
Purpose:
Network isolation: public (Angular) vs private (AKS, DBs).
Usage:
Public subnet: Angular SPA, APIM, Front Door.
Private subnet: AKS, Cosmos DB, SQL, Event Hub.
NSGs enforce strict east-west traffic controls.
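An added example (not from the original post) of the in-cluster counterpart to the NSG rules above, the Kubernetes network policies that section 3 mentions: ingress into the lending namespace is denied by default, and the Credit service then accepts traffic only from Loan and Fraud pods on its HTTP port. Names and the port are assumptions; any service fronted by the Istio ingress gateway needs a similar allow rule for traffic from the `istio-system` namespace.

```yaml
# Default deny: no pod in the lending namespace accepts inbound traffic
# unless a more specific policy allows it. Egress is left open here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: lending
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
# Credit service: only Loan and Fraud pods may reach port 8080 (assumed app
# port; the Istio sidecar intercepts it inside the pod, so the policy still
# applies before mTLS and AuthorizationPolicy are evaluated).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: credit-service-ingress
  namespace: lending
spec:
  podSelector:
    matchLabels:
      app: credit-service
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: loan-service
        - podSelector:
            matchLabels:
              app: fraud-service
      ports:
        - protocol: TCP
          port: 8080
```

A pod that is neither Loan nor Fraud sees its connection to the Credit service time out rather than receive a 403, which distinguishes a network-policy block from an Istio authorization denial when troubleshooting.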
16. Hybrid Connectivity (VPN/ExpressRoute)
Purpose:
Connect modern microservices to legacy core banking/loan system.
Usage:
ExpressRoute (primary) + VPN Gateway (failover).
Used for data migration, real-time reconciliation.
Compliance:
Traffic encrypted; monitored via Azure Firewall logs.
Integration Flow (Text Version)
User (Mobile/Web)
|
Azure Front Door (WAF + Global LB)
|
API Management (Rate limit, JWT)
|
Istio Ingress (AKS private cluster)
|
Java Microservices (Loan, KYC, Credit, Fraud)
|
Event Hub (Kafka) <---> Cosmos DB (Projections)
|
Azure SQL (Core data) <---> Legacy Loan System (Hybrid VPN/ExpressRoute)
|
Data Lake (WORM) <---> Synapse Analytics
|
Power BI (CXO & RBI/SEBI dashboards)
Why This Architecture Fits BFSI
Regulatory compliance (RBI, SEBI, PCI DSS):
Data residency in India.
WORM audit logs.
Tokenization of sensitive data (Key Vault).
Resilience:
Active-active across two regions.
Traffic Manager + Front Door failover.
Scalability:
Event-driven with Event Hub + KEDA auto-scaling on AKS.
Security:
Istio mTLS, APIM policies, NSG segregation, WAF.
Observability:
End-to-end tracing via Application Insights + Istio.