Mutual Fund Architecture Q & A

To support 100K+ concurrent users and 5K+ TPS, I applied a multi-layered scale-out design:

1. Frontend Scaling: Angular app is deployed via Azure CDN + Front Door for static delivery and geo-routing.

2. API Ingress: Azure Front Door handles SSL/WAF, forwards to App Gateway (private), which routes to AKS Istio Ingress Gateway (internal). Istio handles JWT validation and rate-limiting.

3. AKS Design: We deployed AKS with HPA and KEDA, auto-scaling based on Kafka lag and CPU/memory. Services are spread across ~20+ nodes per region.

4. Kafka: 5 brokers, 100+ partitions, tuned for parallelism. MM2 mirrors Kafka across regions for DR.

5. Redis: Front-line for read-heavy requests like NAV/Portfolio — with Cosmos as fallback.

6. Load Testing: Performed with JMeter and Locust — validated 5K TPS sustained, with burst handling up to 8K+ using async Kafka producers.

NAV ingestion is designed as a modular pipeline using Kafka and idempotent services:

1. Feed Input: NAV files land in Azure Blob via SFTP from CAMS/KFin.

2. NAVIngestorService: Reads, parses → pushes to Kafka nav.raw-feeds.

3. NAVCalculatorService: Validates feeds → publishes to nav.validated.

4. NAVPublisherService: Publishes to nav.broadcast, updates Redis, Cosmos, and notifies UI.

5. Resilience: Each service has: Circuit breaker (Resilience4j) Retry on transient failures Kafka consumer offset handling with idempotency keys

6. Audit: All feed events are logged to Cosmos DB for SEBI traceability. This design ensures real-time publishing (<10s delay) and zero data loss on retry.

External APIs are failure-prone, so I followed a layered resilience model:

1. Circuit Breaker: Resilience4j with fallback to "temporarily unavailable" message.

2. Timeouts: All APIs wrapped with strict 3s timeout + 3 retries with exponential backoff.

3. Async Design: For long-running flows (e.g., Aadhaar eSign), we offload to Kafka, wait for webhook/callback.

4. Fallbacks: For non-critical APIs like CRM replies, we return templated GenAI responses or cached data.

5. Retry Queue: Kafka DLQ captures hard failures → retry consumer with backoff logic handles delayed processing.

6. Monitoring: Prometheus tracks latency, error rate; alerts pushed via AlertManager.

GenAI is integrated as domain-specific microservices, enabling contextual intelligence:

1. GenAI Microservices: GenAIAdvisorService – investment goal-based Q&A AnomalyExplainerService – NAV/Txn deviation justification DocSummarizerService – OCR + summarization of fund PDFs SupportReplyGenerator – CRM ticket responses

2. RAG Architecture: Context data pulled from Redis/Cosmos Prompt orchestrated in RAGOrchestratorService LLM API call (OpenAI) with masking, compliance filter

3. Security: PII masking, prompt logs, fallback to static responses if LLM fails.

4. UX Integration: GenAI responses shown in chat UI, investor dashboard, and CRM backend (Zendesk plugin).

Compliance is embedded into the data, access, and reporting layers:

1. Audit Trail: Cosmos DB with 7-year TTL stores all NAV, Txn, KYC, and portfolio events.

2. Access Control: Azure AD + Istio JWT-based RBAC (scope-based) ensures role-isolated access.

3. Encryption: PII encrypted at rest via Azure Key Vault; tokenization for Aadhaar/PAN.

4. SEBI/FATCA: ReportService generates exports from Cosmos → CSV → SEBI SFTP.

5. Monitoring: ELK stack and Azure Monitor track logins, KYC updates, NAV changes.

DR and multi-region HA are enabled via Azure + Kafka + Cosmos native support:

1. Azure Front Door: Routes to region A or B based on probe health.

2. App Gateway + AKS: Both regions have identical infra via Terraform + Helm.

3. Kafka MM2: Mirrors all critical topics between clusters.

4. Cosmos DB: Multi-region write, with auto-failover.

5. Redis: Redis Enterprise with geo-replication, fallback logic to Cosmos.

6. Failover Test: DR drill switches region within 2 mins, no manual steps.

I’ve built a robust DevSecOps pipeline: 1. CI/CD: Azure DevOps + Helm + Istio for progressive canary rollout CVE scanning on container build using Trivy SealedSecrets for secure config delivery 2. Observability: Prometheus + Grafana for latency, Kafka lag, HPA metrics ELK for service logs + Cosmos audit logs Azure Monitor alerts tied to Slack and email

“We chose 5 Kafka brokers for high availability with RF=3 and logical topic isolation. We provisioned 100 partitions to support parallelism and sustained high-throughput workloads across NAV ingestion, transactions, and compliance flows. This also gives us headroom for tenant growth and active-active DR support.”

If Kafka goes down, here's how we ensure continued stability: 1. Kafka MM2 Mirror (Multi-Region): Kafka is deployed with 5 brokers, RF=3, and MM2 mirroring between primary and DR regions. Producers automatically switch based on partition unavailability detection. 2. Circuit Breaker + DLQ: All Kafka producers (via Spring Kafka) use Resilience4j with circuit breakers. On repeated failures, messages are pushed to a Kafka DLQ or a fallback Redis queue. 3. Graceful Degradation: For non-critical features (e.g., notifications), if Kafka is down, we log and defer the event for batch replay. 4. Monitoring & Alerting: Prometheus tracks kafka_lag, isr_shrink, and broker health. Alerts trigger automated runbooks and fallback logic.

Great question — GenAI requires careful orchestration: 1. RAG Gateway Throttling: Our RAGOrchestratorService enforces rate limits, deduplication, and token budgeting per tenant. 2. Autoscaling GenAI Pods: All GenAI services are stateless → horizontally scaled with HPA. KEDA + Kafka lag metrics trigger scale-up for bursts. 3. Caching LLM Responses: Repeated questions (e.g., NAV explainers) are cached in Redis with TTL to avoid redundant LLM calls. 4. Fallback Logic: If LLM is overloaded or unavailable, we return a templated message or a default advisory until retry succeeds. 5. Cost Control: Each GenAI request logs tokens and cost metrics. We enforce usage caps per role/tenant using policy filters.

Cosmos DB is powerful but cost-sensitive. Here's how we protect against RU throttling: 1. Partitioning & RU Distribution: We partition Cosmos collections by investor_id or txn_date to ensure even RU usage. 2. Redis Caching Layer: All read-heavy access (NAV, portfolio) is served from Redis with Cosmos as fallback only. 3. Bulk Ingestion with Retry: NAV ingestion and txn logs are written via bulk API with retry. We use adaptive backoff on 429 errors. 4. Auto-scale Enabled: Cosmos is set to auto-scale RU/s from 10K to 50K. 5. Monitoring: We track TotalRequestUnitsConsumed, RateLimitedRequests, and get alerted on RU peaks.

We follow a combination of Istio service mesh + observability stack to catch and isolate misbehaving services: 1. Istio Circuit Breakers & mTLS: Istio injects retries, timeouts, connection limits. mTLS isolates traffic between services and allows egress visibility. 2. Prometheus + Grafana Dashboards: Track latency, 5xx errors, memory usage per service. 3. ELK Logs: Each service emits logs with trace ID. We correlate slow traces using Kibana queries or Azure Monitor Workbooks. 4. Auto-remediation: For HPA-enabled services, pods auto-scale on CPU/mem threshold breach. For long spikes, Kubernetes taints + pod eviction isolate affected pods.

SEBI compliance reporting is critical, and we use several controls: 1. Immutable Audit Source: Cosmos DB acts as the single source of truth for all transactions. 2. Data Validation Pipeline: Pre-export validator checks for schema integrity, missing NAV/txn values. 3. Retry Flow: If SEBI report fails, the system retries up to 3 times. Failing that, it raises a Level-1 alert to compliance team. 4. Backup Export Method: Last successful snapshot is used to regenerate a minimal valid report. 5. Dashboard Flagging: Admin dashboard clearly shows status: Validated, Rejected, Needs Retry.

Tenant onboarding automation for AMC partners GenAI expansion into investment risk profiling and multilingual voice bots Zero-trust network posture using Azure Private Link and API Gateway Data lake integration with Power BI for predictive analytics ML-driven anomaly detection for fund manipulation and investor behavior

“NAVIngestorService uses Kafka, so even during spikes we scale horizontally. Here’s how we handle it: Kafka’s nav.raw-feeds topic handles bursts via 10+ partitions NAVCalculatorService autoscales via KEDA (based on Kafka lag) Idempotency logic ensures duplicates are ignored Redis write is asynchronous and optimized for speed Cosmos DB backpressure is mitigated via bulk writes with retry Prometheus tracks Kafka lag, consumer CPU, Redis latency → alerts Ops before user impact.”

“We designed active-active HA: Azure Front Door detects probe failure from Region A → reroutes to Region B App Gateway + AKS infra is cloned using Terraform Kafka MM2 mirrors topics between clusters → consumers continue from same offset Cosmos DB is globally distributed with multi-region write enabled Redis Enterprise supports geo-replication with automated failover This ensures zero data loss and sub-minute RTO.”

“This affects: AKS CPU/memory — we scale nodes via HPA Kafka consumers — we pre-scale partitions + consumer group size Cosmos RU/s — monitor and auto-scale if write/read pressure increases JWT token issuance — monitored via Azure AD B2C metrics GenAI — capped via usage guardrails and Redis-based deduplication We also run load tests using Locust to simulate 2x expected traffic.”

“Cosmos cost = RU consumption × time. Here's my step-down strategy: Cache all read-heavy requests (NAV, Portfolio) in Redis Change query patterns to reduce fan-outs (e.g., filter+sort inside app) Use bulk writers instead of individual inserts Partition carefully to prevent hot partitions Enable auto-scale with hard max, review daily peak usage We also run diagnostics.getRUUsage() in SDK logs to profile high-RU queries.”

“We balance performance and consistency using: Cosmos DB consistency level set to Session (vs. eventual) Portfolio writes go to Redis first, then sync to Cosmos PortfolioService includes retry-and-verify logic Investor UI validates with backend hash or timestamp Alerts trigger if Redis and Cosmos snapshots deviate beyond threshold For critical data like portfolio and holdings, we always prioritize consistency over latency.”

“Our Cosmos DB acts as an immutable ledger with: Partitioned data by investor_id and txn_date All events (KYC, NAV, txn) written with metadata (trace_id, timestamp) Cosmos TTL is set to 7 years; we use change feed + time filters to extract Audit export logic outputs compliant CSV with hash validation Access logged and auditable via ELK + Azure Monitor We can export investor trace within minutes, with full data lineage.”

“LLM access is wrapped via a GenAI Gateway Service with: Request scoring based on urgency/context Token limiters and quotas per user/role If quota exceeds → fallback to cached answer, templated reply, or chatbot redirect API metrics logged (tokens, cost, response time) per tenant Admin notified proactively via Azure alert webhook”

“We conduct DR drills quarterly: Disable Region A front door probe → force reroute to Region B Validate Cosmos DB failover, Kafka consumer failover (MM2) Scale tests on AKS in Region B using synthetic load (Locust) Confirm logs are still flowing to ELK/Monitor Reconcile Cosmos + Redis data snapshot post failover Post-mortem documents delta, performance impact, and recovery timeline.”

“Great question. We enforce a 4-tier safety framework: RAG-first policy: All GenAI responses use Retrieval-Augmented Generation. We pass only contextual data (from Redis/Cosmos) — no open-ended prompting. LLM Validator Layer: Responses are passed through a PolicyFilterService that checks for regulatory triggers, unsupported claims, and hallucinated recommendations. Explainability & Confidence: We return a confidence score + source document snapshot to end users for transparency. Fallback & Escalation: If hallucination risk is high, the system returns a templated message:‘This query needs a human advisor. We’ve created a support ticket.’”

“We treat LLM interaction as an external boundary: PII masking is mandatory before prompt construction (<name>, <PAN>, <holding> → anonymized tokens) Use Azure OpenAI private endpoint with no data logging All prompts + responses are logged (with hashed user ID) in audit trail (Cosmos/ELK) Only role-scoped context is passed to LLM (e.g., investor sees own data; admin sees compliance view) Prompt engineering team reviews prompt design for injection prevention & leakage”

“We control GenAI cost with a metered execution model: Each tenant/role has a token and API usage quota Prompts are classified into tiers (e.g., Q&A = 1x, OCR = 3x cost) Frequently asked queries → Redis cache with TTL For burst loads → switch to batch async mode (queue → response later) All GenAI logs track: user ID, token count, cost estimate, and latency → fed to BI dashboard”

“We use layered identity and API access control: Azure AD B2C (external) and Azure AD (internal) for auth JWT tokens include role, scope, tenant, userId claims Istio validates JWT before it hits microservices Spring Security uses claims for RBAC (e.g., /portfolio/{userId} restricted to self unless admin) For compliance APIs, we enforce time-limited access and audit logging Redis holds token/session-level cache with auto-logout after 15 mins idle”

“We designed the platform to be multi-tenant and regulation-resilient: Tenant-scoped APIs and RBAC using Istio VirtualServices and token claims Central onboarding engine provisions client config, brand theme, fund mapping dynamically Regulation triggers (SEBI update, FATCA change) are decoupled from core using: ComplianceRulesService (config-driven) SEBIExporterService (versioned spec) Each tenant’s data is logically isolated in Cosmos and Redis Event-based architecture (Kafka) allows plugging new flows with minimal impact”

“We already have a basic AI audit trail via: Prompt & Response pairs stored in Cosmos with timestamp, traceId LLM execution metadata: token count, latency, API used AIExplainabilityService provides: Source content used (from RAG vector DB) Reasoning explanation from the model (where supported) Admin can export these logs monthly as encrypted CSVs We support redaction logs for user data deletion under GDPR as well”

“Over the next 18 months, here’s the strategic roadmap: Partner API platform → expose fund selection, onboarding, and reporting via API to 3rd-party fintechs GenAI 2.0 → voice bot + investment simulator using investor personality modeling Unified compliance engine → multi-regulator config-driven exporter Data Mesh → Kafka to Synapse pipelines → BI insights for investor behavior, fraud trends AI model marketplace → allow each AMC to plug their own explainers or robo-advisors The vision is to become the backend-as-a-service for MF distribution and compliance in India.”

“We follow a layered resilience model for pod and node stability: Pod Crash: Liveness & readiness probes detect stuck pods → auto-restart CrashLoopBackOff monitored via Azure Monitor and Prometheus Node Failure: PodDisruptionBudgets and anti-affinity rules ensure HA across zones Node auto-replacement via VMSS autoscaling OOM Protection: Set resource limits/requests per pod Horizontal Pod Autoscaler (HPA) on CPU/mem OOMKill alerts push to Slack for critical services All restarts are logged and correlated using trace IDs in ELK.”

“We use Azure DevOps + Helm + Istio for progressive deployment: Build Phase: Docker image built and vulnerability scanned (Trivy, Aqua) Helm chart version tagged with Git commit + timestamp Deploy Phase: Canary deployment via Istio traffic shifting (e.g., 10/90 → 50/50 → 100%) Validate success with synthetic probes, Prometheus alert silence window Rollback: Helm rollback supported with version pinning Istio route instantly shifted back to previous pod set All deployments logged and traceable in release dashboard.”

“For DR drills, we test region failover and data integrity: 1. Fail Primary Region: Simulate region outage by disabling Azure Front Door health probe Front Door shifts to secondary App Gateway (Region B) 2. Validate AKS Readiness: AKS-B already hot-warm with mirror images, configs via Terraform Istio + Prometheus + Kafka consumers active 3. Data Layer Validation: Cosmos DB: Multi-region write → test insert + consistency Redis: Geo-replication → validate real-time cache health Kafka: MM2 consumer offset validation 4. Reporting & Reconciliation: Cross-region audit logs, trace ID validation Daily DR report sent to compliance team + execs”

“We use GitOps and IaC to manage environment consistency: Terraform provisions AKS, App Gateway, Cosmos, Redis, etc. Helm Charts version-controlled in Git for all microservices Sealed Secrets: Secrets are encrypted and stored in Git, decrypted at runtime only in-cluster Environment Promotion Pipelines: Lower → Staging → Prod with diff checks Drift detection via terraform plan and Azure Policy compliance alerts”

“Production support kicks in with structured triage: Step 1: Check pod status: kubectl describe pod → look for image pull, OOM, volume errors Step 2: Review kubectl logs (also visible in ELK) Step 3: Check for Istio sidecar injection or init container failure Step 4: Validate secret mounts or configMaps mismatch (common in sealed secrets) Step 5: Evict pod and allow HPA or Karpenter (if used) to reschedule If issue persists → quick rollback via Helm and route traffic via Istio to stable pods”

“Every service must pass our readiness gates: ✅ Functional tests: Unit, Integration, E2E in CI ✅ Load tests: > 2x expected TPS using Locust/JMeter ✅ Security scans: Docker CVEs + SAST ✅ Observability: Prometheus alerts, ELK logs, dashboards ✅ Rollback plan: Helm version history tested ✅ Chaos Testing (optional): Introduce pod kill or latency for top 3 services Only after passing these do we tag a release as prod-ready.”

“We use Confluent Schema Registry + Avro schemas with version control: Backward compatibility enforced as default policy CI checks run schema diff + compatibility test Service contracts are published and shared via internal developer portal For breaking changes → we use versioned topics (e.g., txn.v1, txn.v2) Consumer lag and error trends tracked via Prometheus/Kafka Exporter”