# Network architecture

The platform operates across two Azure tenancies and the customer’s backend:

| Component | Description |
|---|---|
| BaaS Tenancy | Hosts WAF and AKS for the EBP client interface |
| GC Tenancy | Contains the platform runtime within a private VNet protected by NSGs |
| Customer Backend | Customer systems of record, either on-premises or cloud-based |
## Service mesh (Istio)

All application traffic is managed by Istio, providing:

- Mutual TLS (mTLS): Encryption between services is enabled by default.
- Traffic management: Fine-grained routing, load balancing, and failover.
- Observability: Distributed tracing and metrics collection without code changes.
## Egress controls

Outbound traffic from the cluster is restricted by default. To allow applications to communicate with external APIs, you must explicitly define:

- ServiceEntries: Declare external services that applications can access.
- Egress Gateways: Route outbound traffic through controlled exit points.
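As an added illustration (not configuration from the original page or the platform itself), the three Istio resources that registering one external API requires under a default-deny egress policy: a ServiceEntry declaring the destination, a Gateway on the egress gateway, and a VirtualService steering mesh traffic for that host through the gateway. The hostname api.example-partner.com, the namespace payments and the resource names are assumptions.

```yaml
# Constructed example: workloads in the "payments" namespace (assumed) may reach
# https://api.example-partner.com (assumed hostname) only via the Istio egress gateway.
# Assumes the mesh runs with outboundTrafficPolicy REGISTRY_ONLY, so any destination
# without a ServiceEntry is blocked by the sidecar.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: partner-api
  namespace: payments
spec:
  hosts: [api.example-partner.com]
  location: MESH_EXTERNAL      # outside the mesh, reached by DNS
  resolution: DNS
  ports:
    - {number: 443, name: tls, protocol: TLS}
---
# Listener on the egress gateway; TLS is passed through, so the workload's own
# TLS session terminates at the partner, not at the gateway.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: partner-egress
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
    - port: {number: 443, name: tls, protocol: TLS}
      hosts: [api.example-partner.com]
      tls: {mode: PASSTHROUGH}
---
# First rule: sidecar traffic (gateway "mesh") for the host is sent to the egress
# gateway. Second rule: the egress gateway forwards it to the ServiceEntry host.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: partner-api-via-egress
  namespace: payments
spec:
  hosts: [api.example-partner.com]
  gateways: [mesh, istio-system/partner-egress]
  tls:
    - match:
        - {gateways: [mesh], port: 443, sniHosts: [api.example-partner.com]}
      route:
        - destination: {host: istio-egressgateway.istio-system.svc.cluster.local, port: {number: 443}}
    - match:
        - {gateways: [istio-system/partner-egress], port: 443, sniHosts: [api.example-partner.com]}
      route:
        - destination: {host: api.example-partner.com, port: {number: 443}}
```

Because every allowed destination is declared this way, the egress gateway's access log becomes the single place to audit which external hosts the cluster actually talks to.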
## Ingress and egress flow

### Internal ingress (EBP client)

Traffic from the EBP client interface connects via Azure PrivateLink.

### External ingress (Fintech / Open Banking)

External traffic traverses multiple security layers:

| Layer | Function |
|---|---|
| 1. Secure boundary | VPN or TLS/mTLS with NACL for source validation |
| 2. WAF | OWASP protection, threat inspection, traffic filtering |
| 3. API Management | Policy enforcement, credential management, rate limiting |
| 4. Internal NSGs | Network-level filtering and segmentation |
| 5. AKS cluster | Workload-level security policies within private VNet |
### Egress flow

Outbound traffic to customer backends flows through:

| Layer | Function |
|---|---|
| 1. AKS runtime | Initiates connection from private VNet |
| 2. Internal NSGs | Enforce egress policies and validate destinations |
| 3. NAT Gateway | Provides consistent outbound IP and filtering |
| 4. Customer backend | Connects via PrivateLink, VPN, or TLS/mTLS |
## Connectivity options

Grand Central supports three primary connectivity options:

### Azure PrivateLink

Best for: Azure-to-Azure connectivity, cross-region integrations

| Attribute | Value |
|---|---|
| Internet exposure | None |
| Latency | Low (Azure backbone) |
| Maintenance | Low |

### Site-to-Site VPN

Best for: On-premises connectivity, initial go-live, smaller branch connections

| Attribute | Value |
|---|---|
| Internet exposure | Encrypted tunnel over internet |
| Latency | Variable |
| Maintenance | Moderate |

### Internet connectivity

Best for: End-user traffic, third-party services, public APIs

| Attribute | Value |
|---|---|
| Internet exposure | Full |
| Latency | Variable |
| Maintenance | Higher |
### Azure ExpressRoute

Best for: High bandwidth, low latency on-premises connectivity

For mission-critical workloads requiring dedicated connectivity:

- Direct connection from cloud to on-premises infrastructure
- Site-to-Site VPN as failover
- PrivateLink for cloud backbone connectivity
## Web Application Firewall

Staging and UAT runtimes are protected by Azure Application Gateway with WAF enabled in Prevention mode. This shields APIs from common web vulnerabilities, including OWASP Top 10 attacks.

## Private connectivity

Critical infrastructure components access Azure services via Private Links:

- Azure Key Vault
- Azure Storage Accounts
- Azure Container Registry
## Security controls summary

| Layer | Controls |
|---|---|
| Ingress | WAF, DDoS protection, IP filtering (NACL), mTLS |
| API Management | OAuth/OIDC, rate limiting, circuit breakers |
| Runtime (AKS) | Kyverno policies, namespace isolation, Istio policies |
| Egress | PrivateLink, VPN, NAT Gateway, mTLS |