RightCapital Cloud Architecture Overview

This overview provides a high-level understanding of the system architecture, request data flow, and core code repositories from a backend developer’s perspective.

System Landscape

RightCapital employs a front-end/back-end separated and cloud-native architecture, deployed on AWS.

Multi-cluster Isolation: Three independent clusters run Production, Minor, and Support environments.
Auto-scaling: Uses KEDA for Pod scaling and Karpenter for node scaling.
Infrastructure as Code (IaC): Terraform manages cloud resources, while Helm manages application deployment.
Comprehensive Monitoring: Integrated with Datadog, Sentry, CloudWatch, Pingdom, StatusGator, and PagerDuty.

Traffic Ingress

Two key ingress components handle traffic before it reaches backend services:

Lambda@Edge

Running on CloudFront edge nodes, the devops/lambda-edge repository provides:

Authentication: Supports Basic Auth, Azure AAD, and Bypass Rules (by path, env, UA, etc.).
Route Rewriting & Redirection: (e.g., /api/* → retail.api.rightcapital.*).
Security: CSP injection and security response headers (X-Frame-Options, HSTS, X-Content-Type-Options).
Error Handling: Custom 404/403 responses.

AAD OAuth Proxy

A Traefik Ingress middleware (devops/aad-oauth-proxy) providing Azure AD OAuth authentication for Retail API and Admin API, enabling Employee SSO.

Frontend Services

The frontend uses a static asset + edge computing architecture. During deployment, static files are synced to S3 (independent buckets per environment) via aws s3 sync. Access is provided via CloudFront CDN, with Lambda@Edge handling edge computing.

app/web: ARC, serving Advisors and Households.
app/mobile: Mobile application serving Households.
admin-center/web: Admin Center serving Employees.

Backend Services

The backend is primarily built on PHP/Laravel (using the latest stable version), running on AWS EKS. It utilizes php-fpm for HTTP API requests and php-cli for queue workers and cron jobs.

Core Repositories

PHP/Laravel based:

web-service/api: Retail API
admin-center/api: Admin API
web-service/calculation-api: Calculation API
integrations/morningstar: Morningstar integration
integrations/collector: Collector service (gradually migrating to Lambda)
php-libs/packages: Monolithic repository for internal dependency libraries

Non-PHP Services:

calculation/engine (CalcEngine): Built in C++, this is the core financial planning calculation engine predicting 90-year retirement, investment, tax, and estate planning via Monte Carlo simulations.
app/ocr: TypeScript stack, currently maintained mainly by frontend engineers.
integrations/file-based-integration-lambda: TypeScript stack, maintained by the Integration Team.
web-service/pdf-printer: Puppeteer-based wrapper for PDF generation.

Note: Platform integrations call internal services of Retail API and Admin API using Basic Auth.

DevOps & Infrastructure

RightCapital uses GitOps for infrastructure version control. Tech Stack: Terraform + Helm + Helmfile + GitLab CI/CD.

Core Repositories

devops/terraform: Primary cloud infrastructure provisioning.
devops/kube-infra: EKS cluster infrastructure, including:
- Compute: Karpenter, KEDA
- Networking: Traefik (Ingress), AWS LB Controller
- Storage: AWS EFS CSI Driver
- Security: cert-manager, Cluster RBAC
- Monitoring/Backup: Datadog Agent, Velero
- Internal Tools: SQS Operator, RDS Snapshot Manager, Cronitor monitoring.

CI/CD configurations are located in each repository’s .gitlab-ci.yml. Shared configurations use the ci-components repository.

Cluster Architecture

The architecture utilizes three isolated clusters for environment separation:

Production Cluster (prod)
- VPC CIDR: 172.31.0.0/16
- Purpose: Production environment.
Minor Cluster (minor)
- VPC CIDR: 172.30.0.0/16
- Purpose: Staging, UAT, Develop environments, and Review Apps.
Support Cluster (support)
- VPC CIDR: 172.27.0.0/16
- Purpose: Supporting services (GitLab, RudderStack, Dagster, Engine Workbench).

Sources

RightCapital 云上架构 Overview (Notion)