🏦 Fintech Traffic Architecture — Reference Design (Interview Level)

Let’s assume:

• Public fintech platform
• Web + mobile clients
• Partner APIs
• Microservices backend (EKS/ECS)
• Lambda-based async flows
• Strong security + audit requirements

✅ Layered Traffic Model (How I Explain in Interview)

I design traffic in layers, not tools:

Layer 1 — Global Edge Layer

• CloudFront
• WAF
• DDoS protection
• TLS edge termination
• static asset caching

Layer 2 — API Control Layer

• API Gateway (for external APIs)
• throttling
• auth
• schema validation
• partner control

Layer 3 — Application Routing Layer

• ALB (HTTP microservices routing)
• path/host routing
• service fan-out

Layer 4 — High-Performance TCP Layer

• NLB (when needed)
• gRPC / TCP / static IP

Interviewers like layered thinking.

🌍 CloudFront — When to Use in Fintech Traffic

✅ Use CloudFront When:

• public user traffic global
• frontend assets
• document downloads
• statement PDFs
• JS/CSS bundles
• WAF + bot protection needed
• geo restriction required
• edge TLS termination
• origin shielding needed

❌ Don’t Use CloudFront When:

• internal APIs only
• ultra low latency internal calls
• highly dynamic non-cacheable APIs (sometimes still OK but limited gain)

⚠️ CloudFront Tradeoffs

• cache invalidation cost
• config complexity
• header forwarding affects cache hit
• not ideal for east-west traffic
• origin timeout limits exist

🚪 API Gateway — When to Use in Fintech

✅ Use API Gateway When:

• external partner APIs
• fintech integrations
• merchant APIs
• webhook endpoints
• Lambda backends
• need throttling per client
• usage plans needed
• request validation needed
• auth centralization needed

💪 API Gateway Strengths

• built-in throttling
• per-client limits
• JWT/IAM auth
• request validation
• direct Lambda/SQS integration
• no servers
• audit visibility

⚠️ API Gateway Tradeoffs

• per-request cost high at scale
• payload limits
• timeout limits
• not ideal for streaming
• adds latency vs ALB
• mapping templates complexity

⚖️ ALB — When to Use

✅ Use ALB When:

• microservices on EKS/ECS
• path-based routing needed
• multiple services behind one domain
• HTTP/gRPC routing
• WAF integration needed
• container backends
• need host/path rules

💪 ALB Strengths

• L7 smart routing
• multiple target groups
• sticky sessions
• WebSocket support
• cheaper than API GW at high RPS
• good for internal + external apps

⚠️ ALB Tradeoffs

• no per-client throttling
• no usage plans
• less API governance
• regional only
• higher latency than NLB
• HTTP only

⚡ NLB — When to Use

✅ Use NLB When:

• TCP/UDP traffic
• gRPC high performance
• static IP required
• partner IP allowlisting
• TLS passthrough
• ultra low latency
• very high RPS

⚠️ NLB Tradeoffs

• no path routing
• no WAF
• no auth layer
• no header rules
• L4 only

🧠 ALB Buffering & Request Handling — Interview Trap Topic

✅ Does ALB buffer requests?

Yes — ALB buffers client request body before sending to target (for HTTP). Implications:

• protects backend from slow clients
• adds memory buffering at LB
• large uploads can stress LB
• backend sees full request at once

⚠️ ALB buffering tradeoffs

• large uploads → latency
• streaming not ideal
• timeout risk for slow upload
• better to use S3 pre-signed upload for large files

Interview bonus if you mention this.

⏱️ Timeout & Limit Differences (Critical)

API Gateway timeout

• shorter integration timeout
• good for fast APIs only

ALB timeout

• configurable idle timeout
• better for longer HTTP calls

CloudFront timeout

• origin timeout limits
• retries configurable

Mismatch causes 502/504 errors — real production failure pattern.

🧾 Fintech Pattern — Typical Final Architecture

Public Web App

CloudFront → WAF → ALB → EKS services

Partner API

CloudFront (optional) → API Gateway → Lambda / ALB backend

High-Perf gRPC

Client → NLB → service

🧮 Decision Matrix — Interview Gold Answer

✅ When interviewer asks: “ALB vs API Gateway vs CloudFront?”

Answer like this:

Use CloudFront when:

• global edge delivery
• caching
• WAF edge protection
• static or semi-static
• user-facing web

Use API Gateway when:

• external APIs
• partner integrations
• per-client throttling
• auth + validation needed
• serverless backend

Use ALB when:

• container microservices
• internal/external app routing
• path routing
• high RPS HTTP

Use NLB when:

• TCP/gRPC
• static IP needed
• ultra performance
• non-HTTP

🔥 Interview Power Move Answer (One-liner)

If interviewer asks:

“How do you choose between them?”

Say:

I choose based on layer — CloudFront for edge delivery and protection, API Gateway for API governance and throttling, ALB for microservice HTTP routing, and NLB for high-performance L4 traffic. I don’t treat them as competitors — I layer them.

That’s a senior-level answer.

Perfect — now we move into the Traffic Architecture Scenario Round — 20 Questions. This is exactly how senior DevOps / platform interviews probe depth: they give a traffic pattern and ask you to choose the right AWS traffic component + justify tradeoffs + limits.

Rules for this round:

• Each scenario = realistic fintech / prod case
• You answer with design + reasoning
• I give you model interview-grade answer
• Focus = CloudFront vs API Gateway vs ALB vs NLB decisions

We’ll do Questions 1–10 in this message (so it stays readable). Then next 10 after.

🧠 Traffic Architecture Scenario Round — Q1–Q10

✅ Scenario 1 — Global fintech web app with heavy static + dynamic API

Question: What traffic stack do you choose?

Answer: I put CloudFront at the edge for global acceleration, TLS, WAF, and static asset caching. Static content goes to S3 origin with long TTL. Dynamic API paths route to ALB or API Gateway depending on API type. This reduces origin load and latency while keeping API control separate.

✅ Scenario 2 — Partner payment API with strict per-client rate limits

Answer: API Gateway is the right front door because it supports usage plans, API keys, and per-client throttling. ALB cannot enforce per-client rate limits. I’d attach WAF and JWT/Lambda authorizer. Backend can be Lambda or ALB/EKS.

✅ Scenario 3 — Internal microservice-to-microservice traffic inside EKS

Answer: None of these — use ClusterIP + service mesh or internal service networking. Using ALB/API Gateway for east-west traffic adds latency and cost. Interviewers like when you say “don’t use edge tools internally.”

✅ Scenario 4 — Ultra-low latency gRPC trading service

Answer: NLB. It supports TCP/HTTP2/gRPC efficiently with low latency. ALB adds L7 overhead and may cause protocol issues. If static IP needed for exchange allowlist — NLB with Elastic IP.

✅ Scenario 5 — Public REST API with Lambda backend and moderate traffic

Answer: HTTP API Gateway — lower cost and latency than REST API type. Native Lambda integration, built-in auth and throttling. No need for ALB here unless traffic becomes very high and steady.

✅ Scenario 6 — 2GB file upload from clients

Answer: Direct S3 pre-signed upload — not ALB or API Gateway. Both have payload and buffering limits. LB buffering makes this inefficient and failure-prone. Edge can still use CloudFront → S3 if needed.

✅ Scenario 7 — Need WAF + bot filtering + geo block for web + APIs

Answer: CloudFront + WAF at edge. Then route to ALB or API Gateway origins. Edge WAF is cheaper and blocks earlier. Centralizes protection.

✅ Scenario 8 — Legacy TCP payment switch integration

Answer: NLB — TCP passthrough, stable IP, high connection scale. ALB/API Gateway are wrong protocol layer.

✅ Scenario 9 — 150 microservices HTTP platform, want single public endpoint

Answer: CloudFront → ALB with path/host routing to many target groups. One ALB per env is cost-efficient and operationally simpler. API Gateway would be expensive and rule-heavy at that scale.

✅ Scenario 10 — Need request/response transformation at gateway layer

Answer: API Gateway REST API (not HTTP API) because it supports mapping templates and transformation. ALB cannot transform payloads. This is a feature-based choice.