Architecture

Account Broker Service Resilience

  Application Load Balancer
    - Routes incoming traffic to the Account Broker Service Microservices
    - Ensures high availability and failover support

  Account Broker Service Microservices
    - Registration Server
    - A&A Service (OAuth2.0)
    - Account Broker Endpoint

Platform Resilience Layer

  - Application Load Balancer

  Core Platform Microservices
    - A&A Service (OAuth2.0)
    - Account Consent Service
    - Account Redirect URI Service
    - Account Separated Services

Analytics Layer
  - Log Data Lake
  - Reporting
  - Alarms
AWS environment

Accounting Broker VPC

  Account Broker Services
    - TPP onboarding
    - TPP authentication and authorization
    - Routing requests to downstream consent and data services

  Key Components
    Public Subnets
      - NAT Gateway
      - Bastion Host
    Private Subnets
      - Load Balancer
      - ECS Fargate Services
      - Aurora DB Cluster

Accounting Platform VPC

  Account Aggregation Services
    - Consent handling
    - Token validation
    - Data access to account/balance/transaction services

  Key Components
    Public Subnets
      - NAT Gateway
      - Bastion Host
    Private Subnets
      - App Load Balancer
      - ECS Fargate Services
      - Amazon Aurora
Security & Secrets Management

  AWS Secrets Manager
    - Stores sensitive configuration like DB passwords, tokens, API keys

  AWS IAM (Identity and Access Management)
    - Role-based access control across services

  AWS Shield / WAF (implied)
    - Protects from DDoS (likely integrated with API Gateway)

Monitoring & Notification

  Amazon CloudWatch
    - Monitors ECS health, API latency, error rates
    - Collects logs and custom metrics

  Amazon SNS
    - Triggers alerts for failures (e.g., service down, consent failures)
Key Services by Functional Domain
  - Broker Services
  - Consent Handling
  - Data Services
  - Infra & Support

List of Services

  Registration
    - Onboards Third Party Providers (TPPs) into the system

  Authentication and authorisation
    - Issues and validates OAuth2.0 tokens for all TPP interactions

  Account Broker Service
    - Acts as an intermediary API layer between external clients (TPPs) and backend microservices
Security

Protocol & Standards

  OAuth2.0
    - Used for secure token-based authentication between services, TPPs, and the platform

  TLS 1.2 and above
    - All service communications are encrypted using TLS (Transport Layer Security)

Access Control

  RBAC (Role-Based Access Control)
    - Access to services and data is permissioned based on user or system roles
    - Limits exposure and adheres to the principle of least privilege

Infrastructure-Level Security

  Private Subnet Deployment
    - Microservices are deployed inside private subnets of the Virtual Private Cloud (VPC)

Secrets and Certificate Management

  AWS KMS (Key Management Service)
    - Manages encryption keys for secure data handling and token signing
    - Enables centralized control over key access and rotation policies

  AWS Secrets Manager
    - DB passwords
    - OAuth2.0 client secrets
    - TLS certificates
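The IAM, KMS and Secrets Manager points above (role-based access, least privilege, centrally managed keys, secrets held in Secrets Manager) only hold if each ECS task role is scoped to its own secrets and can only use the KMS key through Secrets Manager. The following is an added example, not code from this project: it builds such a task-role policy and lints a policy for the over-broad grants the design is meant to avoid. The region, account id, key id and secret names are constructed placeholders.

```python
"""Least-privilege IAM policy for a service that reads its secrets from Secrets Manager,
plus a small linter that flags over-broad Secrets Manager / KMS grants."""
import json

# Constructed placeholders for this example; none of these are the project's real identifiers.
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
KMS_KEY_ID = "00000000-0000-0000-0000-000000000000"   # placeholder customer-managed key id


def secret_arn(name):
    # Secrets Manager appends a random six-character suffix to every secret ARN,
    # so the policy matches it with six single-character wildcards.
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{name}-??????"


def task_role_policy(secret_names):
    """Policy for one ECS task role: read only its own secrets, decrypt only through Secrets Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnSecrets",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": [secret_arn(n) for n in secret_names],
            },
            {
                "Sid": "DecryptOnlyViaSecretsManager",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{KMS_KEY_ID}",
                # Without this condition the task could call kms:Decrypt directly on anything
                # encrypted under the key, not just the secrets it is meant to read.
                "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements on Secrets Manager or KMS that are broader than needed."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if not any(a == "*" or a.startswith(("secretsmanager:", "kms:")) for a in actions):
            continue  # statement does not touch the services this linter cares about
        for a in actions:
            if a == "*" or a.endswith("*"):
                findings.append(f"{sid}: wildcard action {a!r} on Secrets Manager/KMS")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' for {actions}")
        if "kms:Decrypt" in actions and "kms:ViaService" not in json.dumps(st.get("Condition", {})):
            findings.append(f"{sid}: kms:Decrypt without a kms:ViaService condition")
    return findings


if __name__ == "__main__":
    policy = task_role_policy(["broker/db-password", "broker/oauth-client-secret"])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))
```

Running the linter over every task role policy in the deployment pipeline gives a cheap gate that catches the common regression where a role is granted `secretsmanager:*` or `Resource: "*"` during debugging and never tightened again.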
API Gateway

Gateway Role in Architecture

  API Gateway
    - Traffic routing
    - Request transformation
    - Security enforcement

Platform Used
  You can use either:
    - AWS API Gateway
    - Another cloud-native API gateway (e.g., Azure API Management, Kong, Apigee)

Security Features

  Built-in Security (AWS API Gateway)
    - OAuth2.0 & JWT validation
    - HTTPS TLS 1.2 encryption
    - Resource-level IAM policies

  Access Control
    - API Key + Password for premium user access
    - Custom authorizers can be used for fine-grained access control using Lambda or Cognito
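The "OAuth2.0 & JWT validation" and "Custom authorizers ... using Lambda" items above, together with the RBAC section (access permissioned by role, least privilege), come together in one place: the authorizer that sits in front of every broker route. The following is an added example, not this project's code, of a Lambda-style REQUEST authorizer in Python that checks the token's algorithm, signature, issuer, audience and expiry, then maps the token's scopes to the route being called and returns the policy document API Gateway expects. The issuer, audience, route-to-scope table and signing key are constructed for the example; it uses a shared HS256 key only so that it runs offline, where a production authorizer would verify RS256/ES256 signatures against the A&A service's published keys.

```python
"""Lambda-style custom authorizer: validate an OAuth2.0 JWT and map its scopes to gateway routes."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (hypothetical). A production authorizer would fetch the
# A&A service's public keys (JWKS) and verify RS256/ES256; HS256 is used here to run offline.
ISSUER = "https://auth.example-broker.invalid"
AUDIENCE = "account-broker-api"
SIGNING_KEY = b"constructed-example-key-not-for-production"

# Scope each route requires: the role-based mapping enforced at the gateway edge (constructed).
ROUTE_SCOPES = {
    "GET/accounts": "accounts:read",
    "GET/balances": "accounts:read",
    "GET/transactions": "accounts:read",
    "POST/consents": "consents:write",
}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_jwt(token, now=None):
    """Return the claims if algorithm, signature, issuer, audience and expiry all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
        claims = json.loads(b64url_decode(p))
    except ValueError:  # malformed token, bad base64 or bad JSON (binascii/JSON errors are ValueErrors)
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # reject "none" and any algorithm the verifier did not expect
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def make_policy(principal, effect, route_arn, context=None):
    """Shape of the response API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": route_arn}],
        },
        "context": context or {},
    }


def authorize(event, now=None):
    """REQUEST-type authorizer entry point: event carries headers, httpMethod, path and methodArn."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    route_arn = event["methodArn"]
    if not auth.lower().startswith("bearer "):
        return make_policy("anonymous", "Deny", route_arn)
    claims = verify_jwt(auth[7:].strip(), now)
    if claims is None:
        return make_policy("anonymous", "Deny", route_arn)
    tpp = str(claims.get("sub", "unknown"))
    route = f'{event.get("httpMethod", "")}{event.get("path", "")}'
    needed = ROUTE_SCOPES.get(route)
    granted = set(str(claims.get("scope", "")).split())
    if needed is None or needed not in granted:  # unknown route or missing scope: deny by default
        return make_policy(tpp, "Deny", route_arn, {"tpp": tpp})
    # Context values reach the backend as request context, so the microservice can log the TPP.
    return make_policy(tpp, "Allow", route_arn, {"tpp": tpp, "scope": needed})


def mint_token(claims, key=SIGNING_KEY):
    """Sign a token the way the (hypothetical) A&A service would; used only for the demo below."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


if __name__ == "__main__":
    now = time.time()
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "tpp-001",
                        "scope": "accounts:read", "exp": now + 300})
    event = {"methodArn": "arn:aws:execute-api:eu-west-1:123456789012:abc123/prod/GET/accounts",
             "httpMethod": "GET", "path": "/accounts",
             "headers": {"Authorization": f"Bearer {token}"}}
    print(json.dumps(authorize(event, now), indent=2))
```

The order of checks matters: the algorithm is pinned before the signature is examined, the signature is checked before any claim is trusted, and an unknown route or a missing scope falls through to Deny rather than to Allow, so adding a new route without an entry in the scope table fails closed.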
Monitoring & Logging

  Integrated with AWS CloudWatch
    - Logs requests and responses
    - Tracks usage per TPP or endpoint
    - Enables alerting on anomalies or failure patterns

  Optionally connect to:
    - X-Ray for end-to-end request tracing
    - SNS/Email for notification-based alerts
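"Tracks usage per TPP or endpoint" and "Enables alerting on anomalies or failure patterns" describe a per-TPP, per-route error-rate rule of the kind a CloudWatch metric filter or a Lambda subscribed to the gateway's access-log group would apply before publishing to SNS. The following is an added example, not this project's code: it parses constructed JSON access-log lines (the field names are chosen for the example, not copied from any real log format configuration), aggregates server-error and authentication-failure rates per (TPP, route), and returns the pairs that exceed a threshold, ignoring pairs with too few requests to be meaningful.

```python
"""Detect failure patterns in API Gateway access logs, per TPP and per route."""
import json
from collections import defaultdict

# Constructed sample lines in a JSON access-log shape; one line is deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","tpp":"tpp-001","route":"GET /accounts","status":200,"latency_ms":118}
{"ts":"2024-05-01T10:00:02Z","tpp":"tpp-001","route":"GET /accounts","status":502,"latency_ms":3001}
{"ts":"2024-05-01T10:00:03Z","tpp":"tpp-002","route":"POST /consents","status":401,"latency_ms":12}
{"ts":"2024-05-01T10:00:04Z","tpp":"tpp-001","route":"GET /accounts","status":200,"latency_ms":131}
{"ts":"2024-05-01T10:00:05Z","tpp":"tpp-002","route":"POST /consents","status":401,"latency_ms":11}
this line is deliberately malformed and must be skipped
{"ts":"2024-05-01T10:00:06Z","tpp":"tpp-001","route":"GET /accounts","status":502,"latency_ms":3002}
{"ts":"2024-05-01T10:00:07Z","tpp":"tpp-002","route":"POST /consents","status":201,"latency_ms":95}
{"ts":"2024-05-01T10:00:08Z","tpp":"tpp-003","route":"GET /balances","status":500,"latency_ms":40}
{"ts":"2024-05-01T10:00:09Z","tpp":"tpp-001","route":"GET /accounts","status":502,"latency_ms":3000}
{"ts":"2024-05-01T10:00:10Z","tpp":"tpp-002","route":"POST /consents","status":401,"latency_ms":10}
{"ts":"2024-05-01T10:00:11Z","tpp":"tpp-001","route":"GET /accounts","status":200,"latency_ms":125}
{"ts":"2024-05-01T10:00:12Z","tpp":"tpp-002","route":"POST /consents","status":401,"latency_ms":13}
{"ts":"2024-05-01T10:00:13Z","tpp":"tpp-003","route":"GET /balances","status":500,"latency_ms":41}
{"ts":"2024-05-01T10:00:14Z","tpp":"tpp-002","route":"POST /consents","status":201,"latency_ms":90}
"""


def parse_log(text):
    """Parse one JSON object per line; malformed lines are skipped rather than aborting the window."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and {"tpp", "route", "status"} <= event.keys():
            events.append(event)
    return events


def failure_rates(events):
    """Per (tpp, route): request count, server-error count and auth-failure (401/403) count."""
    totals = defaultdict(lambda: {"requests": 0, "5xx": 0, "auth_fail": 0})
    for e in events:
        t = totals[(e["tpp"], e["route"])]
        t["requests"] += 1
        if 500 <= int(e["status"]) < 600:
            t["5xx"] += 1
        if int(e["status"]) in (401, 403):
            t["auth_fail"] += 1
    return totals


def find_alarms(events, min_requests=5, max_5xx_rate=0.2, max_auth_fail_rate=0.5):
    """Return the (tpp, route) pairs whose error rates exceed the thresholds, in a stable order."""
    alarms = []
    for (tpp, route), t in sorted(failure_rates(events).items()):
        if t["requests"] < min_requests:
            continue  # too few samples for a rate to mean anything
        server_rate = t["5xx"] / t["requests"]
        auth_rate = t["auth_fail"] / t["requests"]
        if server_rate > max_5xx_rate:
            alarms.append({"tpp": tpp, "route": route, "kind": "server_errors", "rate": round(server_rate, 2)})
        if auth_rate > max_auth_fail_rate:
            alarms.append({"tpp": tpp, "route": route, "kind": "auth_failures", "rate": round(auth_rate, 2)})
    return alarms


if __name__ == "__main__":
    for alarm in find_alarms(parse_log(SAMPLE_LOG)):
        print(alarm)
```

A sustained 5xx rate on one route points at a backend or load-balancer problem (the "service down" case the SNS alarms are for), whereas a high 401/403 rate concentrated on a single TPP is the signal that its client credentials or consent flow are misconfigured, or that something is probing with stale tokens; keying the rule on both dimensions is what keeps one noisy TPP from masking a platform-wide fault.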
Integration with Backend
  The API Gateway routes traffic to:
    - Application Load Balancers for microservices
    - Lambda functions for lightweight workflows
    - VPC private integrations for secure, isolated services