Skip to main content
Grand Central iPaaS uses a composable architecture built on open-source technologies. The platform enables you to build, manage, and govern integrations with flexibility while maintaining the security, compliance, and operational standards required by financial services.

Architectural planes

The platform architecture separates concerns into two distinct planes: the provisioning plane and the runtime plane. This separation creates distinct lifecycles for infrastructure governance and application deployment.

Provisioning plane (self-service repository)

The provisioning plane handles the static configuration of your organization. Changes to this plane trigger Terraform and OpenTofu pipelines that provision or update Azure resources and GitHub permissions. The provisioning plane manages:
  • User management: Provision access to GitHub teams and Azure roles such as Reader and Contributor.
  • Repository management: Create repositories with built-in governance, branch protection, and CI/CD bindings.
  • Secret management: Define infrastructure-level secrets managed through SOPS.

Runtime plane (applications-live repository)

The runtime plane manages the dynamic state of your applications running on Kubernetes. This plane uses ArgoCD to continuously synchronize your Git configuration with the live cluster state. The runtime plane manages:
  • Application deployment: Deploy connectors, APIs, and event configurations across environments (development, staging, test, UAT).
  • Networking: Configure ingress and egress rules, routing, and traffic policies using Istio.
  • Configuration management: Manage ConfigMaps and application secrets securely.

Data flow between planes

The following workflow shows how changes flow through the platform:
  1. Code: You push code to a feature branch in a service or configuration repository.
  2. Review: A pull request triggers automated linting (such as Gitleaks) and peer review.
  3. Merge: After approval and merge, the pipeline triggers.
  4. Sync: The appropriate plane processes the change:
    • Self-service: The CI pipeline applies Terraform to update Azure and GitHub resources.
    • Applications-live: ArgoCD detects the change and synchronizes the Kubernetes cluster to match the new desired state.

Platform value proposition

Grand Central iPaaS provides three core capabilities:
  • Enhanced productivity: Pre-built connectors and transformations accelerate development timelines.
  • Flexible development: The platform combines low-code Domain Specific Language (DSL) with pro-code capabilities.
  • Built-in governance: Centralized management provides scalability, security, and monitoring across all integrations.

Core platform capabilities

Grand Central iPaaS provides reusable components and patterns that accelerate integration development.

Composable integration components

Grand Central iPaaS includes a library of functional and technical components that serve as reusable building blocks for integration development. These components are enterprise-grade and maintained as part of the platform’s core offering, which ensures consistency and reliability across all integrations. Functional components - the platform provides:

Grand Central Kamelets

Banking-specific integration units tailored for common financial services operations, encapsulating complex banking logic into simple, parameterized building blocks

300+ open-source components

Proven Enterprise Integration Patterns for messaging, routing, transformation, and orchestration scenarios that span industries

GC SDK

Comprehensive developer productivity tools that streamline the integration development process

Domain APIs

Pre-built banking operations following industry standards, exposing ready-to-use functionality
Technical components - the platform includes:

Protocol adapters

Seamless communication across REST, SOAP, and asynchronous messaging patterns

Data transformers

XSLT for XML payloads and JOLT for JSON transformations, with flexibility for custom transformation logic

Error handling

Sophisticated patterns including retry logic, circuit breakers, and dead letter queues for resilient integration behavior

Security components

OAuth 2.0, mutual TLS, and encryption capabilities integrated directly into integration flows

Enterprise integration patterns and orchestration

Grand Central iPaaS implements integration patterns that address enterprise integration challenges. These patterns provide proven solutions for common scenarios while remaining flexible for unique business requirements. Message routing patterns control where messages flow within the integration landscape:
  • Content-based routing: Examines message content to determine the destination.
  • Message filters: Selectively process messages based on defined criteria.
  • Dynamic routers: Adapt behavior based on runtime conditions.
  • Recipient lists: Broadcast messages to multiple destinations based on business rules.
Message transformation patterns move data between systems with different data models:
  • Content enrichers: Add information to messages by querying additional data sources.
  • Content filters: Remove unnecessary elements from messages.
  • Claim checks: Temporarily store large payloads externally, replacing them with references.
  • Normalizers: Transform messages from various formats into a common canonical form.
Message construction patterns distribute or aggregate business events:
  • Message aggregators: Collect related messages and combine them into composite messages.
  • Message splitters: Break large messages into smaller pieces for parallel processing.
  • Message sequence: Maintain ordering when messages must be processed in sequence.
  • Scatter-gather: Parallelize operations across multiple systems, then gather the results.

API standardization and management

Grand Central iPaaS integrates with API management platforms to provide full lifecycle API governance from design through publishing, consumption, and monitoring. This integration ensures that all APIs adhere to organizational standards and benefit from centralized policy enforcement. The platform uses OpenAPI specifications as the foundation for all API definitions. For details on how specifications are structured and used, see OpenAPI specifications. The API management layer enforces governance policies across all exposed APIs:
  • Policy-driven security: Centralized configuration of OAuth flows, API keys, and mutual TLS.
  • Rate limiting: Protects backend systems from overload while ensuring fair resource allocation.
  • Authentication and authorization: Integration with enterprise identity providers and fine-grained permissions.
  • Lifecycle management: Tracks API versions, manages deprecation cycles, and provides usage analytics.

Anatomy of a Grand Central iPaaS integration

Every integration built on Grand Central iPaaS follows a consistent structure composed of five core component types. Understanding this anatomy helps you navigate and understand any integration within the platform.

Bill of materials (BOM)

The Bill of Materials is a POM project that contains all base-platform dependencies required to build a Grand Central Connector. Instead of each integration team managing dependency versions independently, the BOM provides centralized dependency management. This ensures version consistency across all components and eliminates compatibility issues. BOM contents - the BOM includes:

Core platform libraries

Foundational capabilities used by all connectors

Integration framework

Apache Camel infrastructure dependencies

Testing and validation

Comprehensive tools for quality assurance

Security and compliance

Modules that bake security into every integration

Kamelets: Integration units

Kamelets are the fundamental unit of abstraction for common operations. They serve as building blocks from which you assemble integration connectors. Each Kamelet encapsulates a specific integration operation, making it reusable, testable, and composable. Kamelets come in three types:

Source Kamelets

Data producers generating messages from sources like database queries, message queues, or scheduled jobs

Sink Kamelets

Data consumers sending processed messages to destinations like REST APIs, file systems, or messaging brokers

Action Kamelets

Data processors transforming, validating, enriching, or routing messages as they flow through integration
Grand Central iPaaS provides a catalog of banking-specific Kamelets for account operations, payment processing, customer data management, transaction handling, and security operations. Each Kamelet is parameterized, so you can customize its behavior without modifying code.

OpenAPI specifications

OpenAPI specifications define the contract between Grand Central iPaaS and its consumers. These specifications are packaged and shared through JAR files that client applications consume as dependencies. They provide the single source of truth for API definitions, ensuring that server implementations, client code, documentation, and tests remain synchronized. The specifications define:
  • API endpoint paths and HTTP methods
  • Request and response schemas with data types and validation rules
  • Authentication and authorization requirements
  • Error response models for client-side error handling
The specifications integrate into development through automatic server code generation, client library creation, documentation generation, and contract testing.

Template-based transformations

Template-based transformations convert data between different formats and structures as messages flow through integrations. Instead of writing custom transformation code, you create declarative transformation templates. For XML payloads, the platform supports XSLT transformations that handle complex nested structure manipulation, conditional logic based on message content, and integration with function libraries. For JSON payloads, the platform uses JOLT transformations, which provide a declarative syntax for JSON structure manipulation. JOLT’s path-based field mapping defines how source JSON structures map to target structures, and its array manipulation capabilities handle filtering, sorting, and aggregation. Advanced transformation features include:
  • Template inheritance: Define common transformation logic once and reuse it across multiple transformations.
  • Reusable components: Compose smaller transformations into larger ones.
  • Variable substitution: Enable context-specific customization.
  • Dynamic field mapping: Adapt transformation logic based on message content or business rules.

Camel DSL: Integration routes

The Camel Domain Specific Language provides a low-code framework for defining integration patterns and routes. This DSL balances configuration and code, guiding you toward best practices while remaining flexible for unique requirements. Camel routes can run in multiple modes:
  • Local development: Routes run locally for rapid testing and debugging.
  • Remote execution: Routes deploy to the Grand Central platform runtime.
  • Camel-K: Kubernetes-native execution with automatic operator management.
  • Camel-K Native: Routes compile to native binaries using GraalVM for optimal startup time and memory footprint.
The following example shows a typical Camel route: 
from("Kamelet:banking-account-source")
  .log("Processing account: ${body.accountId}")
  .to("Kamelet:data-validator")
  .choice()
    .when(simple("${body.status} == 'ACTIVE'"))
      .to("Kamelet:account-processor")
    .otherwise()
      .to("Kamelet:error-handler")
  .end()
  .to("Kamelet:banking-account-sink");
Routes begin with a source endpoint that receives or generates messages. They apply transformations and routing logic using fluent method chaining, implement error handling and retry logic declaratively, and terminate at sink endpoints that deliver processed messages. The DSL supports:
  • Content-based routing
  • Message transformation through built-in or custom processors
  • Error handling with dead letter channels and retry policies
  • Transaction management for data consistency across systems

Development methodology

Grand Central iPaaS uses a plug-and-play development methodology that streamlines the journey from concept to production-ready connector. This methodology provides clear steps while remaining flexible for different team structures and requirements.

Start with templates

Every Grand Central integration begins with a project template that provides standardized structure and eliminates boilerplate setup. These templates encapsulate best practices, ensuring that new projects start on solid foundations. Template types cover common integration scenarios:

Core banking connectors

Structure for integrating with systems of record, including pre-configured Kamelets for common banking operations and standard transformation patterns

Payment system integration

Payment processing requirements including ISO 20022 message handling, payment network protocols, and regulatory reporting

CRM connectors

Customer relationship management integration handling customer data synchronization, event propagation, and master data management patterns

Custom API integration

Starting point for unique integration requirements with flexible customization options
Each template provides:
  • Pre-configured project structure following Maven or Gradle conventions
  • Dependency management setup that references the appropriate BOM
  • Testing frameworks configured and ready for use
  • CI/CD pipeline configurations for immediate automation

Adopt OpenAPI specifications

With the project structure in place, define or import OpenAPI specifications that describe the APIs your integration exposes. You can:
  • Import existing OpenAPI definitions when integrating with systems that provide API contracts.
  • Generate specifications from BIAN service domain definitions for banking scenarios.
  • Create custom specifications from scratch using OpenAPI design tools.
Code generation produces:
  • REST endpoint implementations that handle HTTP request routing and response serialization
  • Data models and DTOs for type-safe request and response payloads
  • Client libraries for consuming applications
  • API documentation synchronized with the implementation

Reuse Kamelets and SDKs

With the API contract defined, implement business logic by composing pre-built Kamelets and using SDKs. This reuse-first approach accelerates development while ensuring consistent implementation of common patterns. The Grand Central Kamelets catalog provides banking-specific operations:
  • Account operations: Handle account creation, modification, inquiry, and closure.
  • Payment processing: Implement payment initiation, validation, enrichment, and status tracking.
  • Customer management: Facilitate customer onboarding, KYC data collection, and profile maintenance.

Technology stack

Grand Central iPaaS uses a modern technology stack built on open-source foundations. For detailed technology versions and components, see Technology stack.

Developer and operational experience

Grand Central iPaaS optimizes both development and operational experiences.

Real-time development capabilities

The platform enables real-time development through:
  • Hot reload: Apply code changes without restarting the application.
  • Local testing: Run integrations on your development machine with the same runtime environment used in production.
  • Dev mode: Automatically recompile code and redeploy changes.
  • Quick feedback: Immediately detect errors with actionable error messages.
Lean incremental builds optimize the compile-test-debug cycle:
  • Quarkus dev mode watches source files and recompiles only changed classes.
  • Incremental updates replace only modified components.
  • Dependency caching reuses downloaded dependencies across builds.
  • Parallel builds use multiple CPU cores for independent modules.
Image reuse strategies minimize container image build and transfer time:
  • Docker layer caching stores unchanged layers from previous builds.
  • Pre-built base images provide standardized foundations.
  • Centralized image registries store and distribute images efficiently.
  • Semantic version tags control which image versions deploy to each environment.
Dependency management ensures consistent, reliable builds:
  • BOM projects centralize version management.
  • Maven and Gradle provide standard build tools with extensive plugin ecosystems.
  • Internal artifact repositories cache external dependencies and host internal libraries.
  • Dependency scanning identifies security vulnerabilities in third-party libraries.

Production-ready operations

In production, traits configuration fine-tunes integration runtime behavior:
  • Resource limits: Set CPU and memory constraints to prevent excessive resource consumption.
  • Scaling policies: Define autoscaling behavior based on metrics.
  • Health probes: Configure liveness and readiness checks for Kubernetes.
  • Service mesh integration: Use Istio for advanced traffic management without code changes.
Monitoring provides visibility into system behavior:
  • Metrics: Track request rates, response times, error rates, and resource utilization.
  • Structured logging: Produces machine-parsable log entries with centralized aggregation.
  • Distributed tracing: Tracks requests as they flow through multiple services.
  • Audit trails: Capture security-relevant events for compliance.
Protocol support includes both synchronous and asynchronous patterns: Synchronous protocols:
  • REST APIs using HTTP/HTTPS with JSON or XML payloads
  • SOAP web services based on WSDL definitions
  • GraphQL for flexible client-specified queries
  • gRPC for high-performance remote procedure calls
Asynchronous messaging:
  • Azure Service Bus for enterprise messaging patterns
  • Apache Kafka for event streaming
  • RabbitMQ for flexible routing
  • ActiveMQ for JMS-based integration

Open-source philosophy

The Grand Central platform’s commitment to open-source technology reflects strategic decisions around innovation, flexibility, and talent availability. Open source benefits - benefits include:

Innovation and collaboration

Community-driven enhancements bring diverse perspectives, rapid feature evolution, shared best practices, and collective problem-solving across organizational boundaries

Avoiding vendor lock-in

Standard technologies enable skills transfer, portable solutions across cloud providers, multiple vendor support options, and long-term strategic flexibility

Developer talent access

Large talent pools for popular technologies, extensive documentation, abundant training resources, and strong community support through forums and user groups

Connectivity architecture

Grand Central provides secure, scalable connectivity patterns designed specifically for banking environments, ensuring enterprise-grade security and compliance.

Multi-layer security

Defense-in-depth approach with multiple security layers and controls

Banking standards

Compliance with banking security standards and regulatory requirements

Hybrid architecture

Support for cloud, on-premises, and hybrid connectivity patterns

High availability

Enterprise-grade uptime and disaster recovery capabilities

Azure cloud connectivity architecture

The platform uses Microsoft Azure’s enterprise-grade security and networking capabilities. The following sections describe the access patterns for different system types.

EBP client access

EBP client traffic enters the platform through the following layers:
  • Web application firewall (WAF) - provides the first line of defense, filtering malicious traffic and attacks before they reach application services. The WAF enforces Layer 7 DDoS protection and traffic filtering, SSL/TLS termination and inspection, rate limiting and throttling, and geographic access controls.
  • Azure Kubernetes Service (AKS) - hosts the container orchestration platform running EBP services. AKS provides secure multi-tenant isolation, automatic scaling capabilities, and integrated security controls for containerized workloads.
  • BaaS tenancy - ensures secure multi-tenant environments for banking services. Each tenant operates in logical isolation with dedicated resources, preventing cross-tenant data leakage and maintaining strict security boundaries.

External system access

External systems connect to Grand Central using the following mechanisms:
  • TLS/mTLS encryption - secures all external system connectivity with mutual authentication. Both client and server certificates are verified, ensuring bidirectional trust before any data exchange occurs.
  • VPN connectivity - establishes secure tunnel communication for point-to-point integrations. VPN gateways provide encrypted connectivity for fintech partners and Open Banking systems requiring dedicated network paths.
  • Network Access Control Lists (ACL) - enforce fine-grained network access policies. IP allowlisting restricts connectivity to authorized external systems only, with granular controls for each integration partner.
External integration patterns include API-based connections with OAuth 2.0, file transfer protocols (SFTP/FTPS), message queue connectivity, and webhook endpoints with signature validation.

Grand Central internal processing

Internal traffic flows through these components:
  • Request flow - follows a strict security path: WAF → API Management → Network Security Groups → AKS Runtime → NSG → NAT Gateway. Each hop enforces additional security controls and logging.
  • Network Security Groups (NSG) - provide micro-segmentation within the Grand Central tenancy. Traffic between components is restricted to explicitly allowed paths only, preventing lateral movement and limiting blast radius.
  • API Management (APIM) - enforces centralized policy controls including authentication verification, rate limiting, request transformation, and comprehensive audit logging for all API interactions.
  • Container security - protects the AKS runtime environment with image scanning, runtime threat detection, and security policy enforcement at the pod level.
  • NAT gateway - manages outbound traffic from the Grand Central tenancy, providing static IP addresses for backend system connectivity and simplified network ACL management.

Backend system connectivity

Backend systems connect to Grand Central through these options:
  • Azure Private Link - establishes secure, private connectivity to customer backend systems without exposing traffic to the public internet. Private endpoints eliminate public IP exposure and reduce attack surface.
  • Network ACL - controls granular traffic filtering for backend integrations. Access rules restrict connectivity based on source IP, destination port, and protocol, enforcing zero-trust network principles.
  • VPN gateway - extends site-to-site VPN connectivity for secure network integration. Customer backend networks connect seamlessly to the Grand Central environment over encrypted tunnels.
  • End-to-end TLS/mTLS - ensures all backend communications remain encrypted. Certificate-based authentication verifies both Grand Central and backend system identities before establishing connections.

Network security architecture

Defense in depth applies a multi-layer protection strategy across the following areas:Perimeter security - controls at the network edge include:
  • Web Application Firewall (WAF)
  • DDoS protection (Layer 7 via WAF; Layer 3/4 available as add-on)
  • Geographic access controls
  • Rate limiting and throttling
Network security - internal network controls include:
  • Network Security Groups (NSG)
  • Virtual Private Networks (VPN)
  • Private endpoints and links
  • Network segmentation
Application security - application-level controls include:
  • API authentication and authorization
  • Certificate-based authentication
  • Token validation and management
  • Input validation and sanitization
Data security - data protection includes:
  • Encryption in transit and at rest
  • Key management services
  • Database encryption
  • Backup encryption
Identity and access management covers the following:Authentication methods - supported methods include:
  • Multi-factor authentication (MFA)
  • Certificate-based authentication
  • OAuth 2.0 and OpenID Connect
  • SAML integration
Authorization controls - access is governed by:
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Resource-level permissions
  • API-level authorization policies
Identity providers - integration options include:
  • Azure Active Directory integration
  • External identity provider support
  • Federated identity management
  • Just-in-time (JIT) access
Compliance and governance address the following:Banking regulations - the platform supports:
  • PCI DSS compliance
  • SOX compliance
  • Basel III requirements
  • Local banking regulations
Security standards - alignment includes:
  • ISO 27001/27002
  • NIST Cybersecurity Framework
  • SOC 2 Type 1 (Type 2 planned)
  • FedRAMP (where applicable)
Audit and monitoring - capabilities include:
  • Comprehensive audit logging
  • Real-time security monitoring
  • Compliance reporting
  • Incident response procedures
Data protection is implemented as follows:Encryption standards - encryption includes:
  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive data
  • Hardware Security Module (HSM) integration
Data classification - controls include:
  • Sensitive data identification
  • Data retention policies
  • Data sovereignty compliance
  • Privacy controls (GDPR, CCPA)
Backup and recovery - capabilities include:
  • Encrypted backup storage
  • Cross-region replication
  • Point-in-time recovery
  • Disaster recovery procedures

Connectivity patterns

Cloud-native connectivity

API Gateway integration, container-to-container communication, service mesh architecture, and cloud-native security controls

Hybrid connectivity

VPN site-to-site connections, ExpressRoute private circuits, hybrid identity integration, and on-premises data synchronization

Legacy system integration

Protocol transformation (REST ↔ SOAP), message queue integration, file-based data exchange, and database direct connectivity

Partner ecosystem

B2B API connectivity, third-party fintech integration, Open Banking compliance, and marketplace connectivity

Summary

Grand Central iPaaS provides a modern approach to banking integration that balances productivity, flexibility, security, and operational standards. Its composable architecture enables rapid assembly of integrations from reusable components, while its open-source foundation provides access to innovation and avoids vendor lock-in. The platform supports both low-code and pro-code development to accommodate different skill levels and requirements. Built-in governance and operational capabilities ensure integrations remain secure, performant, and compliant. Benefits include:
  • Accelerated integration delivery through pre-built components and templates
  • Reduced operational overhead through built-in monitoring and management
  • Enhanced security through Zero Trust architecture and defense-in-depth strategies
  • Improved developer productivity through modern tooling and real-time feedback
  • Strategic flexibility through open-source technologies and standard protocols

Next steps

Security architecture

Explore Zero Trust security and compliance frameworks

Network connectivity

Learn about secure connectivity patterns and options

High availability

Discover resilience and disaster recovery capabilities