Technical Architecture: Building a Secure, Scalable, and Resilient Payment Gateway on AWS
Deep dive into the cloud-native, event-driven architecture designed for high availability, resilience, low-latency, and PCI-DSS compliance supporting both card-based and UPI transactions.
Infrastructure Building Blocks
Edge & Security Layer
CloudFront
Edge delivery
TLS termination at edge, with integrated WAF for global performance.
AWS WAF
Web protection
Protects against OWASP Top 10 threats, IP blocks, geo rules.
Route 53
DNS & routing
Single hosted zone with health checks and global routing.
SSL/mTLS
Certificates
TLS 1.2+ enforced, mTLS for PoS devices using X.509 certs.
Complete Architecture Diagram
This diagram shows the complete end-to-end payment processing architecture with all AWS services, data flows, and security controls across multiple regions.
Payment Processing Flow Architecture
Layer 1Edge & Security Layer
Route 53DNS + Health ChecksCloudFrontCDN + SSL/TLSAWS WAFSecurity FilteringLayer 2API Gateway & Authentication
API GatewayRequest Routing
CognitoAuthentication
LambdaAuthorizersLayer 3Application Services (EKS Cluster)
EKSOrchestration
TokenizationPAN Protection
Risk EngineFraud Detection
Payment RouterChannel RoutingLayer 4Data & Event Streaming
AuroraPrimary DB
DynamoDBNoSQL StoreMSKEvent Streaming
ElastiCacheRedis CacheLayer 5External Integrations
Data Flow Direction
Request Flow Process
Edge Processing
Route 53 DNS resolution → CloudFront CDN → WAF security filtering → SSL/TLS termination
API Gateway
Request validation → JWT/mTLS authentication → Rate limiting → Request transformation
Service Orchestration
EKS microservices → Tokenization → Risk analysis → Payment routing
Data Processing
Aurora transactions → DynamoDB lookups → Kafka events → Redis caching
Security Architecture
Data Protection
KMS encryption at rest → CloudHSM for PCI DSS → Secrets Manager for credentials
Network Security
VPC isolation → Private subnets → Security groups → NACLs → NAT gateways
Monitoring & Compliance
CloudTrail logging → GuardDuty threat detection → Config compliance → IAM policies
PCI DSS Compliance
Token vault isolation → Audit logging → Network segmentation → Regular assessments
Core Application Stack (Per Region)
API Gateway
Amazon API Gateway (regional)- JWT token validation (OAuth2 via Cognito/Auth0)
- mTLS validation for PoS certs
- Request transformation and routing
Orchestrator
Amazon EKS (multi-AZ)- Hosts stateless microservices
- Uses App Mesh for service discovery
- Amazon MSK (Kafka) for event choreography
Core Services Architecture
Tokenization Service
Stateless pod on Amazon EKS
PAN encrypted with AWS KMS/CloudHSM
Token mappings in DynamoDB Global Table
MSK topics: tokenization.requests/responsesRisk & Fraud Engine
Event-driven service consuming from Kafka
Rule-based checks using Redis ElastiCache
ML scoring via Amazon SageMaker endpoint
Analytics sent to OpenSearchPayment Processing Services
Payment Type Resolver
Merchant configs in DynamoDBStateless service determining channel (UPI/Card)
Emits: payment.route.upi or payment.route.card
Card Router
Receives payment.route.card
Routing table stored in DynamoDB/Redis
Encodes/sends ISO 8583 over HTTPS/TCP
Handles acquirer fallback + retries
UPI Orchestrator
Manages UPI flow: QR/VPA intent creation
PSP API integration
Callback via API Gateway + LambdaPublishes: upi.status.updated
Event-Driven Architecture: Choreography Style
Gateway Orchestrator Components
The Gateway Orchestrator is the central brain of the payment gateway — responsible for managing the core payment workflows. In an event-driven, choreography-based architecture, it doesn't command subservices but emits and reacts to events, allowing loosely coupled services to collaborate.
Example Event Flow in Choreography Style
payment.initiated(from Edge API layer) → consumed by Orchestratortoken.requestedtoken.createdrisk.check.initiatedrisk.clearedroute.to.acquirer→ Router handles itpayment.authorizedis publishedKey Principle:
Orchestrator only reacts to and emits events, it does not call services directly (pure choreography).
Data & State Management
Primary Data Layer
Amazon Aurora PostgreSQLMulti-AZ, read replicas, point-in-time recovery
DynamoDB Global TablesConfigurations, tokens, session state
ElastiCache RedisSession cache, rate limiting, routing tables
Event Streaming & Analytics
Amazon MSK (Kafka)Event choreography, async processing
Kinesis Data StreamsReal-time analytics, fraud detection
OpenSearchLog aggregation, search, dashboards
Security & Compliance
Data Protection
AWS KMSEncryption at rest for all data stores
CloudHSMHardware security module for PCI DSS
Secrets ManagerCredentials rotation, secure access
Network Security
VPCPrivate subnets, NAT gateways, security groups
WAFDDoS protection, OWASP rules, rate limiting
GuardDutyThreat detection, anomaly monitoring
Compliance
CloudTrailAPI logging, audit trails, compliance
ConfigConfiguration compliance, remediation
IAMFine-grained access control, roles
Monitoring & Observability
Metrics & Monitoring
CloudWatchCustom metrics, dashboards, alarms for SLOs
X-RayDistributed tracing, latency analysis
Systems ManagerParameter store, patch management
Alerting & Notifications
SNSMulti-channel notifications (email, SMS, Slack)
SQSDead letter queues, retry mechanisms
CloudWatch AlarmsThreshold-based alerts, composite alarms
Multi-Region Architecture
Global Deployment Strategy
Primary Region (US-East-1)
Aurora Global Database (Writer)
EKS Cluster (Active)
MSK Cluster (Primary)DynamoDB Global TablesSecondary Region (EU-West-1)
Aurora Global Database (Reader)EKS Cluster (Active)MSK Cluster (Replica)DynamoDB Global TablesDR Region (AP-South-1)
Aurora Cross-Region BackupEKS Cluster (Warm Standby)
Route 53 Health Checks
S3 Cross-Region BackupCross-Region Data Flow
Disaster Recovery Strategy
Automated Failover Process
- Route 53 health checks detect primary region failure
- DNS automatically routes traffic to secondary region
- Aurora Global Database promotes reader to writer
- EKS pods auto-scale to handle increased load