How architecture is done in BigTech: top-down “rules” and technology choices.
We will talk about freedom in making architecture decisions for Product and Core teams.
We'll go deeper into a Fintech solution built as a crucial component of a global SaaS: Microservices, APIs and Queues, Event Sourcing, Feature Toggles, SDLC, CI/CD, DevOps, Monitoring, Analytics and more.
"Fintech inside of a SaaS powered by 2000+ Microservices", Volodymyr Malyk
2. Volodymyr Malyk
Nuclear Industry, Online Games, Fintech
● 12+ years in HighLoad and BigData
● Python, PHP, Scala, R, C++ and more
● Co-organizer of the International Software Architects Club committee
3. team of 5,000
● Digital Business and Online Presence
210M users in 190 countries
● SaaS Website Platform (Software as a Service)
Online Stores, Restaurants, Hotels, Travel, Events, and more
● 5% websites, 20+ data centers/PoPs Multi Clouds
8k builds a day, 450 deployments a day, 500M LoC
4. Agenda
1. Product & Core, rules and tools
2. Microservices and Request flow
3. Payments at Wix and Lessons Learned
Fintech inside of a SaaS powered by 2000+ Microservices
7. Product (75%)
Core & Infra (25%)
Technologies
and Open-source
Frameworks, libs, etc
Big data, analytics, etc
CI/CD, Alerts, etc
...
FRs
Functional Requirements
8. Product (75%)
Core & Infra (25%)
Technologies
and Open-source
Business Impact
Online Stores
Restaurants
Hotels
...
Frameworks, libs, etc
Big data, analytics, etc
CI/CD, Alerts, etc
...
FRs
Functional Requirements
9. Product (75%)
Core & Infra (25%)
Business Impact
Velocity & Delivery
NFRs: ab-tests, feature-toggles, ...
Modifiability
NFRs: dependencies, cost-effort, ...
Maintainability
NFRs: lifespan, ...
Performance
NFRs: CPU & Memory, Latency, ...
Availability
NFRs: downtime XX.XX nine’s, ...
Backward compatibility
NFRs: deprecated N days support, ...
...
...
Technologies
and Open-source
QA and NFRs
Quality Attributes and Non-Functional Requirements
11. Principles
1. System Design skill is a MUST
2. API-First: governance, style guide, documentation portal
3. Production-Only: Feature Toggles + AB Tests, TDD
Tools
● 2k+ microservices: CI/CD, Monitoring, API Registry, ...
● 30 min to scaffold & register a new one
● Scala, TypeScript, Node.js, Serverless, gRPC, Kafka and more
13. Tools
● 2k+ microservices: CI/CD, Monitoring, API Registry, ...
● 30 min to scaffold & register a new one
● Scala, TypeScript, Node.js, Serverless, gRPC, Kafka and more
Principles
1. System Design skill is a MUST
2. API-First: 101 guidelines, documentation portal, governance, tools
3. Production-Only: Feature Toggles + AB Tests, TDD
41. Payment Providers Worldwide
● Quality Attribute: Velocity & Delivery
● Solution: transform NFRs to FRs
Integrate via API — NO
Expose SPI — YES!
42. Service Provider Interface (SPI)
● An API intended to be implemented by a third party.
● Yes, that’s like a plugin system.
● The same as if all Payment Providers had the same API for us:
○ Connect Account
○ Create Transaction
○ Refund Transaction
○ Webhooks on payment state
○ Idempotency
43. Service Provider Interface (SPI)
● API-First — new Revenue Stream!
● Documentation as a Product
● Still have uncovered cases
54. Event-Sourcing
Business-logic Domain events
State
(Aggregate)
State under Feature Toggle
(custom Aggregate)
Analytics and BI
Commands Store
Crucial Side-Effects
payments, etc
Supportive Side-Effects
email, BI, etc
● MySQL as a storage
● Events are stored by tenant id + type
● Events are backward compatible
● Rebuild Aggregate in-memory per request
● No snapshots
● Events migration is OK
56. Event-Sourcing
Business-logic Domain events
State
(Aggregate)
State under Feature Toggle
(custom Aggregate)
Analytics and BI
Commands Store
Crucial Side-Effects
payments, etc
Supportive Side-Effects
email, BI, etc
● MySQL as a storage
● Events are stored by tenant id + type
● Events are backward compatible
● Rebuild Aggregate in-memory per request, per tenant
● No snapshots
● Events migration is OK
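The event-sourcing bullets above, as an added sketch that is not code from the talk or from Wix: events are selected by tenant id + type, old event shapes are upgraded on read, and the aggregate is folded from scratch on every request with the reducer chosen by a feature toggle. Event names, fields, the `strictRefunds` toggle and the `USD` default are assumptions made for the illustration.

```javascript
// Constructed rows, as if read from the MySQL events table (all names are assumptions).
const EVENTS = [
  { tenantId: "t1", seq: 1, type: "PaymentCreated", data: { paymentId: "p1", amount: 1000 } }, // old shape, no currency
  { tenantId: "t2", seq: 1, type: "PaymentCreated", data: { paymentId: "p9", amount: 50, currency: "EUR" } },
  { tenantId: "t1", seq: 2, type: "PaymentCaptured", data: { paymentId: "p1" } },
  { tenantId: "t1", seq: 3, type: "PaymentRefunded", data: { paymentId: "p1", amount: 400 } },
  { tenantId: "t1", seq: 4, type: "PaymentRefunded", data: { paymentId: "p1", amount: 700 } }, // more than is left
];
const PAYMENT_TYPES = ["PaymentCreated", "PaymentCaptured", "PaymentRefunded"];

// Backward compatibility lives in the reader: old event shapes are upgraded on load.
function upcast(e) {
  if (e.type !== "PaymentCreated" || e.data.currency !== undefined) return e;
  return { ...e, data: { ...e.data, currency: "USD" } }; // assumed historical default
}

// Events are selected by tenant id + type, so one tenant never folds another's history.
function loadEvents(store, tenantId, types) {
  return store
    .filter((e) => e.tenantId === tenantId && types.includes(e.type))
    .sort((a, b) => a.seq - b.seq)
    .map(upcast);
}

// Default aggregate: payment state per payment id.
function apply(state, e) {
  const id = e.data.paymentId;
  const p = state[id] || { status: "unknown", amount: 0, refunded: 0 };
  if (e.type === "PaymentCreated") return { ...state, [id]: { ...p, ...e.data, status: "created" } };
  if (e.type === "PaymentCaptured") return { ...state, [id]: { ...p, status: "captured" } };
  if (e.type === "PaymentRefunded") {
    return { ...state, [id]: { ...p, status: "refunded", refunded: p.refunded + e.data.amount } };
  }
  return state;
}

// Custom aggregate behind a feature toggle: refunds beyond the paid amount are counted, not applied.
function applyStrict(state, e) {
  const p = state[e.data.paymentId] || { amount: 0, refunded: 0 };
  if (e.type === "PaymentRefunded" && p.refunded + e.data.amount > p.amount) {
    return { ...state, [e.data.paymentId]: { ...p, rejectedRefunds: (p.rejectedRefunds || 0) + 1 } };
  }
  return apply(state, e);
}

// No snapshots: each request folds the full history, so flipping the toggle needs no migration.
function rebuild(store, tenantId, toggles = {}) {
  const reducer = toggles.strictRefunds ? applyStrict : apply;
  return loadEvents(store, tenantId, PAYMENT_TYPES).reduce(reducer, {});
}
```

With the toggle off, tenant `t1` shows 1100 refunded against a payment of 1000; with it on, the same stored events yield 400 refunded and one rejected refund, without touching the event table.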
60. Logs?
● Store requests to 3rd parties
● Store responses from 3rd parties
● Store Webhooks
● Encrypted “logs” in DB, by business entity IDs
● Wrapper: API to encapsulate DB interaction
● Mask PII
64. Logs?
● Store requests to 3rd parties
● Store responses from 3rd parties
● Store Webhooks
● Encrypted “logs” in DB, by business entity IDs
● Wrapper: API to encapsulate DB interaction
● Mask PII
PCI DSS
Confidential
PII GDPR
65. Audit Logs
● Store requests to 3rd parties
● Store responses from 3rd parties
● Store Webhooks
● Encrypted “logs” in DB, by business entity IDs
● Wrapper — API to encapsulate DB interaction
● Mask PII: full names, email addresses, etc
68. Audit Logs
● Store requests to 3rd parties
● Store responses from 3rd parties
● Store Webhooks
● Encrypted “logs” in DB, by business entity IDs
○ Wrapper — API to encapsulate DB interaction
● Mask PII: full names, email addresses, etc
● No Credit Card data!
PCI DSS
Confidential
PII GDPR
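One way the audit-log wrapper from the slides above could be shaped, as an added sketch that is not code from the talk or from Wix: every request, response or webhook body is scrubbed (names and e-mails masked, card fields and Luhn-valid card numbers removed), then encrypted, then stored under a business entity id. The key lists, placeholder strings and the injected `encrypt` callback are assumptions; the sample webhook is constructed.

```javascript
// Assumptions (not from the slides): key lists, placeholders, injected encrypt().
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g; // 13 to 19 digits, optional separators
const NAME_KEYS = new Set(["name", "fullname", "firstname", "lastname"]);
const CARD_KEYS = new Set(["cardnumber", "pan", "cvv", "cvc", "expiry"]);

// Luhn checksum keeps order references and other long numbers from being treated as cards.
const luhnValid = (digits) =>
  [...digits].reverse().reduce((sum, ch, i) => {
    const d = Number(ch) * (i % 2 ? 2 : 1);
    return sum + (d > 9 ? d - 9 : d);
  }, 0) % 10 === 0;

// Free text: remove Luhn-valid card numbers, mask e-mail local parts.
function scrubString(s) {
  return s
    .replace(PAN_RE, (m) => (luhnValid(m.replace(/\D/g, "")) ? "[card removed]" : m))
    .replace(EMAIL_RE, (m) => m[0] + "***@" + m.split("@")[1]);
}

// Walk a request/response/webhook body; card fields are dropped, not masked.
function scrub(value, key = "") {
  const k = key.toLowerCase().replace(/[^a-z]/g, "");
  if (CARD_KEYS.has(k)) return undefined;
  if (NAME_KEYS.has(k) && typeof value === "string") return "***";
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v));
  if (value === null || typeof value !== "object") return value;
  return Object.fromEntries(
    Object.entries(value).map(([ck, v]) => [ck, scrub(v, ck)]).filter(([, v]) => v !== undefined));
}

// The wrapper is the only code path to the table: scrub, then encrypt, then store.
class AuditLog {
  constructor(encrypt) { this.encrypt = encrypt; this.rows = []; }
  record(kind, entityId, payload) { // kind: "request" | "response" | "webhook"
    const row = { kind, entityId, blob: this.encrypt(JSON.stringify(scrub(payload))) };
    this.rows.push(row);
    return row;
  }
  byEntity(entityId) { return this.rows.filter((r) => r.entityId === entityId); }
}

// Constructed sample webhook from a hypothetical payment provider.
const SAMPLE_WEBHOOK = {
  transactionId: "tx_123", status: "CAPTURED",
  customer: { fullName: "Jane Doe", email: "jane.doe@example.com" },
  card: { cardNumber: "4111111111111111", cvv: "123", brand: "visa" },
  note: "Customer typed 4111 1111 1111 1111 into the order note, ref 1234567890123",
};
```

Scrubbing before encryption matters because anyone with the decryption key, for example support staff reading the audit trail, then sees only masked data, and card numbers never enter the table at all.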