Network Connectivity
The network architecture is split between different Azure tenancies and uses a combination of public and private networking components to establish secure boundaries.
Network Architecture Overview
Multi-Tenancy Design
Architecture spans BaaS and GC tenancies plus customer backend
Private VNET Protection
Runtime environment secured within private virtual network
Multiple NSG Layers
Network Security Groups protecting the runtime environment
Flexible Connectivity
Azure PrivateLink, VPN, and internet connectivity options
Architectural Boundaries
The platform operates across two main Azure tenancies and the customer's backend:
- BaaS Tenancy (EBP Customer Subscription): hosts the components that make up the EBP Client interface.
  - Web Application Firewall (WAF): the entry point, applying security policies for comprehensive traffic filtering.
  - Azure Kubernetes Service (AKS): container orchestration for the EBP client-facing services.
- GC Tenancy (GC Customer Subscription): contains the platform's Runtime environment, secured within a Private VNET.
  - Private VNET Runtime: hosts the core integration platform runtime inside a private virtual network, with multiple Network Security Groups (NSGs) protecting the environment.
- Customer Backend/Core: the customer's systems of record, which can be on-premises or in the cloud.
  - On-Premises Systems: traditional data center infrastructure and core banking systems.
  - Cloud-Based Systems: modern cloud infrastructure and applications.
Secure Ingress and Egress Flow
The connectivity architecture places multiple layers of security components, typically Network Security Groups (NSGs), between any traffic source and the Runtime.
Internal Ingress (EBP Client)
Traffic originates from the EBP Client interface within the BaaS Tenancy and reaches the GC Tenancy Runtime via Azure PrivateLink. This path stays entirely on Azure's backbone network, with no internet exposure. The flow is: EBP Client → PrivateLink → Private VNET → AKS Runtime.
External Ingress (Fintech / Open Banking API)
Traffic from external sources traverses a five-layer security model before reaching the Runtime:
1. Secure Boundary: VPN, or TLS/mTLS combined with a Network Access Control List (NACL), validates source authenticity and encrypts the connection.
2. Web Application Firewall: applies security policies, inspects for threats and filters malicious traffic.
3. API Management: enforces API policies, manages credentials and applies rate limiting.
4. Internal NSGs: provide network-level filtering and segmentation.
5. AKS Cluster: applies workload-level security policies within the Private VNET.
Egress (Runtime to Customer Backend)
Outbound traffic from the Runtime to the customer's backend passes through the following stages:
1. AKS Runtime: initiates the outbound connection from within the Private VNET, as required by the integration.
2. Internal NSGs: enforce egress policies and validate destinations.
3. NAT Gateway: provides a consistent outbound IP and additional filtering.
4. Customer Backend: reached via Azure PrivateLink (Azure-to-Azure), VPN (on-premises), or TLS/mTLS with NACL (internet-based).
Connectivity Options
The Grand Central Platform supports three primary options for secure connectivity:
Azure PrivateLink
Azure-only dedicated route with no internet exposure. Uses separate endpoints for ingress and egress traffic, with complete isolation on the Azure backbone.
Use cases: Azure-to-Azure connectivity, cross-AZ connections, cross-region integrations.
Characteristics: lower operational maintenance, seamless cross-zone/region, no internet exposure, high throughput with low latency.
Site-to-Site VPN
Cost-effective secure connectivity through a highly available, encrypted IPsec tunnel over the internet.
Use cases: initial go-live scenarios, on-premises connectivity, connecting smaller branches.
Characteristics: quick setup, cost-effective, encrypted tunnel, no performance guarantees because of the dependency on the public internet.
Internet Connectivity
Flexible public-facing integrations supporting internet interfaces for inbound and outbound traffic.
Use cases: end-user traffic, third-party services, public API endpoints.
Characteristics: higher operational maintenance, mandatory IP allow-list (NACL) or mTLS, no performance guarantees, maximum flexibility.
High Bandwidth/Low Latency Architecture
For topologies requiring high bandwidth and low latency to on-premises systems, the architecture typically uses Azure ExpressRoute.
ExpressRoute Connection
Where the customer already has an Azure presence, an ExpressRoute circuit connects the cloud environment to the on-premises infrastructure over a private connection rather than the public internet. It provides secure, consistent connectivity with high throughput and low latency for mission-critical workloads.
Redundancy & Backup
Site-to-Site VPN acts as the failover path for ExpressRoute, while Azure PrivateLink carries Azure-to-Azure traffic over the cloud backbone. The high-availability design includes multiple connectivity paths and automatic failover.
Security Controls
All connectivity options implement comprehensive security measures at multiple layers.
Ingress Security
Security measures governing incoming traffic:
- Web Application Firewall (WAF): Entry-point Security Policies
- DDoS Protection: Defense against Distributed Denial of Service attacks
- IP Filtering: Network Access Control List (NACL)
- mTLS Support: Mutual Transport Layer Security for authentication
API Management Services
Authorization and traffic control at the API layer:
- Policy Enforcement: API policies enforce AuthZ (Authorization) & AuthN (Authentication)
- Traffic Shaping: Rate limiting and Circuit breaking
- Credential Management: Credential Manager for handling Egress Auth
Runtime Security (AKS)
Security and isolation controls in the runtime environment:
- Network & Pod Security: Policy enforcement managed with Kyverno
- Workload Isolation: Application workloads isolated per Namespace using Kubernetes NetworkPolicies and Istio policies
- Standards and Practices: Pod Security Standards & Best Practices in Helm charts
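Per-namespace isolation only holds if every namespace actually carries a default-deny baseline, and the manifests that look like one are easy to get wrong. The following added example (not the platform's own tooling) audits a set of Kubernetes NetworkPolicy, Istio AuthorizationPolicy and Istio PeerAuthentication objects, given in the dict shape `kubectl get -o json` produces, and reports for each namespace which of three baseline controls is missing: a NetworkPolicy that denies all ingress, an AuthorizationPolicy that denies all requests unless another policy allows them, and a namespace-wide STRICT mTLS PeerAuthentication. The namespace names and manifests are constructed for illustration; one of them contains the classic mistake of `ingress: [{}]`, which allows everything rather than nothing.

```python
"""Audit of per-namespace isolation in the AKS runtime.

Added example, not the platform's own tooling. It inspects Kubernetes
NetworkPolicy and Istio AuthorizationPolicy/PeerAuthentication objects
(here constructed inline as dicts, the shape `kubectl get ... -o json`
returns) and reports namespaces that lack a default-deny baseline.
Namespace names and manifests are assumptions for illustration.
"""


def _policy_types(spec):
    # Kubernetes semantics: an explicit policyTypes list wins; otherwise
    # Ingress is always implied and Egress only if an egress section exists.
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def is_default_deny_ingress(netpol):
    spec = netpol["spec"]
    selects_all = spec.get("podSelector", {}) == {}
    # A single empty rule entry (`ingress: [{}]`) matches every source and
    # therefore allows all traffic; only an absent or empty list denies.
    no_rules = not spec.get("ingress")
    return selects_all and "Ingress" in _policy_types(spec) and no_rules


def is_istio_deny_all(authz):
    # Istio: an ALLOW policy with no rules matches nothing, so with it in
    # place every request not matched by some other ALLOW policy is denied.
    spec = authz.get("spec", {})
    return ("selector" not in spec and not spec.get("rules")
            and spec.get("action", "ALLOW") == "ALLOW")


def is_mtls_strict(peer_auth):
    spec = peer_auth.get("spec", {})
    return "selector" not in spec and spec.get("mtls", {}).get("mode") == "STRICT"


REQUIRED = {
    "NetworkPolicy": ("default-deny-ingress", is_default_deny_ingress),
    "AuthorizationPolicy": ("istio-deny-all", is_istio_deny_all),
    "PeerAuthentication": ("istio-mtls-strict", is_mtls_strict),
}


def audit(namespaces, objects):
    """Return {namespace: sorted list of missing baseline controls}."""
    present = {ns: set() for ns in namespaces}
    for obj in objects:
        kind, ns = obj["kind"], obj["metadata"]["namespace"]
        if kind in REQUIRED and ns in present:
            label, check = REQUIRED[kind]
            if check(obj):
                present[ns].add(label)
    expected = {label for label, _ in REQUIRED.values()}
    return {ns: sorted(expected - have) for ns, have in present.items()}


# Constructed sample: one compliant namespace, one with a broken "default
# deny" and permissive mTLS, one with no policies at all.
SAMPLE_NAMESPACES = ["payments", "onboarding", "legacy"]
SAMPLE_OBJECTS = [
    {"kind": "NetworkPolicy", "metadata": {"namespace": "payments", "name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"kind": "AuthorizationPolicy", "metadata": {"namespace": "payments", "name": "deny-all"},
     "spec": {}},
    {"kind": "PeerAuthentication", "metadata": {"namespace": "payments", "name": "default"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    # Looks like a default deny, but `ingress: [{}]` allows everything.
    {"kind": "NetworkPolicy", "metadata": {"namespace": "onboarding", "name": "default-deny"},
     "spec": {"podSelector": {}, "ingress": [{}]}},
    {"kind": "AuthorizationPolicy", "metadata": {"namespace": "onboarding", "name": "deny-all"},
     "spec": {}},
    {"kind": "PeerAuthentication", "metadata": {"namespace": "onboarding", "name": "default"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
]

if __name__ == "__main__":
    for ns, missing in audit(SAMPLE_NAMESPACES, SAMPLE_OBJECTS).items():
        print(ns, "OK" if not missing else "missing: " + ", ".join(missing))
```

In a cluster where Kyverno enforces the baseline, the same three checks can be the acceptance criteria for a Kyverno policy that generates the objects into every new namespace; the audit above is the independent confirmation that the generated manifests are actually denying, not a `[{}]` rule that silently allows.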
Egress Security
Security measures for outgoing traffic:
- Connectivity Support: Azure Private Link and Site-to-Site VPN
- Filtering and Authentication: IP filtering with NACL and mTLS Support