Architecture

4-Stage Security Isolation with NATS JetStream Messaging.

Data Flow Diagram

Complete Query/Response cycle through all 4 isolated security stages

[Diagram: Application (Client) → Frontend → NATS-1 (dirty-query) → Query Validator → NATS-2 (clean-query) → Backend → PostgreSQL (Database), then PostgreSQL → Backend → NATS-3 (dirty-resp) → Response Validator → NATS-4 (clean-resp) → Frontend → Application. The pipeline components write to the AuditLog (Syslog/OTLP).]

Query Path
Application → Frontend → NATS-1 → Query Validator → NATS-2 → Backend → PostgreSQL

Response Path
PostgreSQL → Backend → NATS-3 → Response Validator → NATS-4 → Frontend → Application

Legend: dirty = unvalidated data; clean = validated data; arrows into the AuditLog are writes to the audit system; Application, PostgreSQL and the AuditLog are external systems.

Why 4 Separate NATS Instances?

Security Isolation

Each NATS instance is a separate server with its own credentials, and a component only holds credentials for the instances on its own side of a validator: the Frontend talks to NATS-1 and NATS-4, the Query Validator to NATS-1 and NATS-2, the Backend to NATS-2 and NATS-3, and the Response Validator to NATS-3 and NATS-4. If an attacker compromises one component, they cannot read or publish messages on the other stages, so dirty (unvalidated) and clean (validated) data never share a queue. In particular, nothing that can write dirty-query can also write clean-query, which is what makes the validator unskippable.

Defense in Depth

Even if the Query Validator is bypassed, the Response Validator provides another layer of protection. Each stage operates independently with its own security boundary.

Audit Trail

All messages are logged to a separate audit system over Syslog/OTLP. Because the audit sink lives outside the pipeline, a compromised component cannot rewrite the record of what it did; whether that record is truly immutable depends on the sink being configured write-once (for example a log store with retention locks), since Syslog and OTLP themselves only transport the events. The result is a complete record of all database queries and responses for compliance and forensics.

Performance

NATS JetStream provides high-throughput, low-latency persistent messaging. The 4-stage architecture adds two validator hops and two extra brokers to each round trip, which is small overhead relative to a database query, in exchange for the isolation described above.

Simplifications

Alternative deployment options for reduced costs with lower security requirements

Container-based Deployment

Deploy all components (Frontend, Query Validator, Response Validator, Backend, 4 NATS instances) as isolated containers in a Podman/Docker pod with internal networking.

Advantages:
  • Significantly reduced hardware costs (one host instead of eight)
  • Easy deployment with docker-compose/podman-compose
  • Internal pod network for fast communication
Disadvantages:
  • Relies on container isolation instead of hardware separation
  • Container-escape vulnerabilities could compromise all components
  • Shared kernel resources

Single Validation

Instead of running separate Query Validator and Response Validator processes, only the Backend process performs validation. NATS-1 connects directly to Backend, NATS-3 directly to Frontend.

Advantages:
  • Reduced hardware costs (2 fewer processes, 2 fewer NATS instances)
  • Faster processing (fewer hops)
  • Simpler deployment architecture
Disadvantages:
  • Validation in Backend process context (less isolated)
  • Compromised Backend could bypass validation
  • No independent security layer
  • Reduced network isolation

Single NATS Instance

Instead of 4 separate NATS instances, all message queues run through a single NATS instance with different subjects (dirty-query, clean-query, dirty-resp, clean-resp).

Advantages:
  • Lower hardware/cloud costs
  • Simpler maintenance and monitoring
  • Less network configuration
Disadvantages:
  • Reduced security isolation
  • A NATS server bug or a misconfigured subject permission could allow validation bypass (e.g. a component publishing straight to clean-query)
  • Compromised component has access to all queues
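The isolation that four separate servers give you for free has to be rebuilt with per-component credentials and subject permissions when everything shares one NATS instance. The following nats-server configuration is an added example and not Signando's own configuration: it shows the weak shared-credential setup beside a hardened one for the Single NATS Instance simplification, and it encodes the same "each component sees only its own stages" rule that the four-instance design enforces by topology. The subject names come from this page; the account name, user names, stream names (DIRTY_QUERY, CLEAN_QUERY, DIRTY_RESP, CLEAN_RESP), consumer names and the assumption that durable pull consumers are pre-created by an ops user are all illustrative choices, and the exact JetStream API subjects should be checked against the NATS documentation for the server version in use.

```conf
# Added example (not Signando's configuration): nats-server.conf for the
# "Single NATS Instance" simplification. Subjects dirty-query, clean-query,
# dirty-resp and clean-resp are from the page; everything else is assumed.

# WEAK: one shared credential and no permissions. Every component can publish
# to clean-query directly and skip the Query Validator, and can read dirty-resp
# before the Response Validator has seen it.
#
# authorization {
#   user: pipeline
#   password: "<shared-secret>"
# }

jetstream {
  store_dir: "/var/lib/nats/jetstream"
}

# CORRECTED: one user per component inside one account. In JetStream, the
# subject permission on "dirty-query" etc. controls who may PUBLISH into the
# stream; READING goes through the consumer API, so read access is scoped by
# allowing MSG.NEXT/INFO/ACK only for the stream and consumer a component owns.
# Durable pull consumers are created once by the "ops" user, so no pipeline
# component needs CONSUMER.CREATE or STREAM.* rights.
accounts {
  SIGNANDO {
    jetstream: enabled
    users = [
      {
        # Operator/provisioning identity: full JetStream API, used only at deploy time.
        user: ops
        password: "<ops-secret>"   # use a bcrypt hash from `nats server passwd`
        permissions {
          publish   = [ "$JS.API.>" ]
          subscribe = [ "_INBOX.>" ]
        }
      }
      {
        # Frontend: writes dirty-query, reads clean-resp. Cannot touch clean-query.
        user: frontend
        password: "<frontend-secret>"
        permissions {
          publish = [
            "dirty-query",
            "$JS.API.CONSUMER.MSG.NEXT.CLEAN_RESP.frontend",
            "$JS.API.CONSUMER.INFO.CLEAN_RESP.frontend",
            "$JS.ACK.CLEAN_RESP.frontend.>"
          ]
          subscribe = [ "_INBOX.>" ]
        }
      }
      {
        # Query Validator: the only identity allowed to write clean-query.
        user: query-validator
        password: "<qv-secret>"
        permissions {
          publish = [
            "clean-query",
            "$JS.API.CONSUMER.MSG.NEXT.DIRTY_QUERY.query-validator",
            "$JS.API.CONSUMER.INFO.DIRTY_QUERY.query-validator",
            "$JS.ACK.DIRTY_QUERY.query-validator.>"
          ]
          subscribe = [ "_INBOX.>" ]
        }
      }
      {
        # Backend: reads clean-query, writes dirty-resp. Cannot read dirty-query.
        user: backend
        password: "<backend-secret>"
        permissions {
          publish = [
            "dirty-resp",
            "$JS.API.CONSUMER.MSG.NEXT.CLEAN_QUERY.backend",
            "$JS.API.CONSUMER.INFO.CLEAN_QUERY.backend",
            "$JS.ACK.CLEAN_QUERY.backend.>"
          ]
          subscribe = [ "_INBOX.>" ]
        }
      }
      {
        # Response Validator: the only identity allowed to write clean-resp.
        user: response-validator
        password: "<rv-secret>"
        permissions {
          publish = [
            "clean-resp",
            "$JS.API.CONSUMER.MSG.NEXT.DIRTY_RESP.response-validator",
            "$JS.API.CONSUMER.INFO.DIRTY_RESP.response-validator",
            "$JS.ACK.DIRTY_RESP.response-validator.>"
          ]
          subscribe = [ "_INBOX.>" ]
        }
      }
    ]
  }
}
```

With this in place, a compromised Backend that tries `nats pub clean-query ...` or `nats pub dirty-query ...` is rejected by the server with a permissions violation, which is the single-instance equivalent of "not being connected to NATS-1 at all". The check worth running after deployment is exactly that: connect with each component's credentials and confirm that publishing to every subject other than its own fails and that MSG.NEXT on any stream other than its own fails. What this configuration cannot restore is the protection against a bug in the NATS server itself; a flaw in permission enforcement would again expose all four queues to whichever component triggers it.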

Learn More

Explore Signando Postgres features and pricing.