Architecture

4-Stage Security Isolation with NATS JetStream Messaging.

Data Flow Diagram

Complete Request/Response cycle through all 4 isolated security stages

[Diagram: request and response flow through the four stages]

Request Path: Client → Frontend → NATS-1 → Request Validator → NATS-2 → Backend → Your Server
Response Path: Your Server → Backend → NATS-3 → Response Validator → NATS-4 → Frontend → Client

Queues: NATS-1 (dirty-req), NATS-2 (clean-req), NATS-3 (dirty-resp), NATS-4 (clean-resp)
External systems: Client (System), Your Backend Server (Your API)
Legend: unvalidated data (dirty); validated data (clean); writes to AuditLog (Syslog/OTLP); external system

Why 4 Separate NATS Instances?

Security Isolation

Each NATS instance is completely isolated. If an attacker compromises one component, they cannot access messages from other stages. Dirty (unvalidated) and Clean (validated) data are never mixed.

Defense in Depth

Even if the Request Validator is bypassed, the Response Validator provides another layer of protection. Each stage operates independently with its own security boundary.

Audit Trail

All messages are logged to a separate PostgreSQL audit database. This provides a complete, immutable record of all API traffic for compliance and forensics.

Performance

NATS JetStream provides high-throughput and low-latency messaging. The 4-stage architecture adds minimal overhead while providing maximum security.

Simplifications

Alternative deployment options for reduced costs with lower security requirements

Container-based Deployment

Deploy all components (Frontend, Request Validator, Response Validator, Backend, 4 NATS instances) as isolated containers in a Podman/Docker pod with internal networking.

Advantages:
  • Significantly reduced hardware costs (one host instead of eight)
  • Easy deployment with docker-compose/podman-compose
  • Internal pod network for fast communication
Disadvantages:
  • Relies on container isolation instead of hardware separation
  • Container-escape vulnerabilities could compromise all components
  • Shared kernel resources

Single Validation

Instead of running separate Request Validator and Response Validator processes, only the Backend process performs validation. NATS-1 connects directly to Backend, NATS-3 directly to Frontend.

Advantages:
  • Reduced hardware costs (2 fewer processes, 2 fewer NATS instances)
  • Faster processing (fewer hops)
  • Simpler deployment architecture
Disadvantages:
  • Validation in Backend process context (less isolated)
  • Compromised Backend could bypass validation
  • No independent security layer
  • Reduced network isolation

Single NATS Instance

Instead of 4 separate NATS instances, all message queues run through a single NATS instance with different subjects (dirty-req, clean-req, dirty-resp, clean-resp).

Advantages:
  • Lower hardware/cloud costs
  • Simpler maintenance and monitoring
  • Less network configuration
Disadvantages:
  • Reduced security isolation
  • A NATS bug could allow validation bypass
  • Compromised component has access to all queues
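
The difference between the 4-instance design and an unrestricted single NATS instance can be checked mechanically. The following is an added example, not code from this project: it models each component's publish/subscribe reach over the four subjects named above and reports which components could emit "clean" data without being a validator. The permission model, the `SINGLE_NATS_OPEN` worst case and all function names are assumptions made for illustration.

```python
# Added example: least-privilege audit of the page's four queues.
# Subject and component names come from the page's data-flow diagram; the
# pub/sub permission model and all function names are assumptions.

SUBJECTS = {"dirty-req", "clean-req", "dirty-resp", "clean-resp"}

# Wiring of the 4-stage design: one subject per NATS instance, so being
# connected to an instance equals holding that subject's permission.
FOUR_STAGE = {
    "Frontend":           {"pub": {"dirty-req"},  "sub": {"clean-resp"}},
    "Request Validator":  {"pub": {"clean-req"},  "sub": {"dirty-req"}},
    "Backend":            {"pub": {"dirty-resp"}, "sub": {"clean-req"}},
    "Response Validator": {"pub": {"clean-resp"}, "sub": {"dirty-resp"}},
}

# Single NATS instance without per-subject restrictions (constructed worst
# case): every connected component can publish and subscribe everywhere.
SINGLE_NATS_OPEN = {
    name: {"pub": set(SUBJECTS), "sub": set(SUBJECTS)} for name in FOUR_STAGE
}

# Only these components may write to a clean subject.
CLEAN_WRITERS = {"clean-req": "Request Validator",
                 "clean-resp": "Response Validator"}


def validation_bypasses(topology):
    """(component, subject) pairs where a non-validator can emit 'clean' data."""
    return [(name, subject)
            for name, perms in sorted(topology.items())
            for subject, writer in sorted(CLEAN_WRITERS.items())
            if subject in perms["pub"] and name != writer]


def excess_access(topology, compromised):
    """Subjects a compromised component reaches beyond its 4-stage role."""
    have, need = topology[compromised], FOUR_STAGE[compromised]
    return {"read": have["sub"] - need["sub"],
            "write": have["pub"] - need["pub"]}


if __name__ == "__main__":
    for label, topo in (("4-stage", FOUR_STAGE), ("single NATS", SINGLE_NATS_OPEN)):
        print(label, "bypasses:", validation_bypasses(topo))
        print(label, "Frontend excess:", excess_access(topo, "Frontend"))
```

Replacing `SINGLE_NATS_OPEN` with the permissions actually configured on a shared instance turns this into a regression check for the deployment.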

Learn More

See our security architecture in action with 181 documented tests.