Infrastructure Overview
Gatelithix Gateway runs on Google Cloud Platform with strict PCI DSS 4.0.1 segmentation between the core project and the PCI CDE zone. All services are deployed as stateless Cloud Run containers.
Architecture Diagram
Service Overview
| Service | Project | Min Instances | Max Instances | Ingress | Memory | Purpose |
|---|---|---|---|---|---|---|
| API Gateway | Core | 1 | 10 | Internal + LB | 512Mi | Public API, AuthN/AuthZ, rate limits, routing |
| Token Vault | PCI | 1 | 5 | Internal Only | 256Mi | PAN encryption/tokenization, PCI CDE |
| Stripe Connector | Core | 0 | 5 | Internal Only | 256Mi | Stripe PSP integration |
| NMI Connector | Core | 0 | 5 | Internal Only | 256Mi | NMI PSP integration |
| FluidPay Connector | Core | 0 | 5 | Internal Only | 256Mi | FluidPay PSP integration |
| Admin Portal | Core | 0 | 3 | Internal + LB | 256Mi | Merchant management dashboard |
| Docs Site | Core | 0 | 2 | Internal + LB | 256Mi | Developer documentation |
Network Architecture
VPC Design
The infrastructure uses two separate VPCs connected via VPC peering:
- Core VPC (`core-vpc`): `10.0.0.0/20` primary, `10.0.16.0/24` database, `10.0.17.0/24` Redis, `10.0.32.0/28` serverless connector
- PCI VPC (`pci-vpc`): `10.1.0.0/20` primary, `10.1.16.0/24` database, `10.1.17.0/24` Redis, `10.1.32.0/28` serverless connector
Firewall Rules
A deny-all baseline is inherited from the VPC module. Explicit allow rules permit only minimum required traffic:
| Rule | Direction | Source/Destination | Port | Purpose |
|---|---|---|---|---|
| core-vpc-allow-pci-egress | Egress | 10.1.0.0/20 | 443 | Core to PCI CDE cross-zone calls |
| pci-vpc-allow-core-ingress | Ingress | 10.0.0.0/20 | 443 | Accept calls from core VPC |
| core-vpc-allow-psp-egress | Egress | 0.0.0.0/0 | 443 | Connectors to PSP APIs |
| pci-vpc-allow-psp-egress | Egress | 0.0.0.0/0 | 443 | PCI to PSP APIs (tagged) |
| pci-vpc-allow-restricted-apis | Egress | 199.36.153.4/30 | 443 | Google restricted API access |
VPC Peering
Bidirectional peering (core-to-pci and pci-to-core) connects the two VPCs. Custom route exchange is disabled — only auto-subnet routes are shared. This ensures the PCI zone cannot reach arbitrary core resources and vice versa; traffic is limited to Cloud Run service-to-service calls via Serverless VPC Connectors.
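The segmentation policy above (deny-all baseline, allow rules on 443 only, PCI ingress only from the core primary range, core egress into the PCI zone limited to the Cloud Run primary subnet) can be checked mechanically. The following is an added example, not part of the Gatelithix code base: the rule set is constructed inline to mirror the table rather than exported from GCP, and the `Rule` shape and field names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges taken from the VPC design above.
CORE_PRIMARY = ipaddress.ip_network("10.0.0.0/20")
PCI_SUBNETS = {
    "primary": ipaddress.ip_network("10.1.0.0/20"),
    "database": ipaddress.ip_network("10.1.16.0/24"),
    "redis": ipaddress.ip_network("10.1.17.0/24"),
    "connector": ipaddress.ip_network("10.1.32.0/28"),
}

@dataclass(frozen=True)
class Rule:              # assumed shape; not a GCP API type
    name: str
    vpc: str             # "core-vpc" or "pci-vpc"
    direction: str       # "INGRESS" or "EGRESS"
    action: str          # "allow" or "deny"
    cidr: str            # source range for ingress, destination range for egress
    ports: tuple         # TCP ports the rule opens

# Constructed sample mirroring the documented rule table (not a GCP export).
DOCUMENTED_RULES = [
    Rule("core-vpc-allow-pci-egress", "core-vpc", "EGRESS", "allow", "10.1.0.0/20", (443,)),
    Rule("pci-vpc-allow-core-ingress", "pci-vpc", "INGRESS", "allow", "10.0.0.0/20", (443,)),
    Rule("core-vpc-allow-psp-egress", "core-vpc", "EGRESS", "allow", "0.0.0.0/0", (443,)),
    Rule("pci-vpc-allow-psp-egress", "pci-vpc", "EGRESS", "allow", "0.0.0.0/0", (443,)),
    Rule("pci-vpc-allow-restricted-apis", "pci-vpc", "EGRESS", "allow", "199.36.153.4/30", (443,)),
]

def find_violations(rules):
    """Return human-readable violations of the segmentation policy; [] means compliant."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules only narrow the deny-all baseline, never widen it
        net = ipaddress.ip_network(r.cidr)
        if set(r.ports) != {443}:
            violations.append(f"{r.name}: opens ports {sorted(r.ports)}, only 443 is permitted")
        # Only the core primary range may reach into the PCI VPC.
        if r.vpc == "pci-vpc" and r.direction == "INGRESS" and not net.subnet_of(CORE_PRIMARY):
            violations.append(f"{r.name}: PCI ingress from {r.cidr} is outside {CORE_PRIMARY}")
        # Core egress into the PCI zone must stop at the Cloud Run primary range,
        # never the PCI database, Redis or serverless connector subnets.
        if r.vpc == "core-vpc" and r.direction == "EGRESS":
            for label, subnet in PCI_SUBNETS.items():
                if label != "primary" and net.subnet_of(subnet):
                    violations.append(f"{r.name}: core egress targets PCI {label} subnet {r.cidr}")
    return violations
```

Running `find_violations` over a rule set exported from the projects, rather than the inline sample, would turn this into a drift check for the CDE boundary.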
Data Flow
A typical payment request flows through the system as follows:
- Client sends HTTPS request to `api.gatelithix.com` (port 443)
- Cloud Load Balancer terminates TLS, applies Cloud Armor WAF rules (OWASP CRS: SQLi, XSS, LFI, RFI, RCE), rate limiting (1000 req/min per IP)
- API Gateway authenticates the request (Auth0 JWT or API key), validates idempotency key, checks rate limits in Redis
- Gateway creates a `PaymentIntent` in Core Cloud SQL and determines the target connector via the routing engine
- If the request includes raw card data, Gateway proxies to the Token Vault via VPC peering to tokenize the PAN
- Vault encrypts the PAN using Cloud KMS HSM, stores the encrypted PAN in PCI Cloud SQL, and returns a gateway token
- Gateway calls the selected Connector (Stripe, NMI, or FluidPay) with the token or processor token
- Connector calls the PSP API and returns a normalized response
- Gateway updates the PaymentIntent status and publishes a `payment.events` message to Pub/Sub
- Pub/Sub triggers merchant webhook delivery via the `webhook-outbound` subscription
PCI CDE Boundary
In Scope (PCI Project)
| Component | Justification |
|---|---|
| Token Vault (Cloud Run) | Processes, encrypts, and stores PANs |
| PCI Cloud SQL | Stores encrypted cardholder data |
| Cloud KMS HSM | HSM-backed encryption keys for PAN encryption and fingerprinting |
| PCI VPC | Network boundary for CDE segmentation |
| PCI Secret Manager | Stores PCI database credentials |
Out of Scope (Core Project)
| Component | Justification |
|---|---|
| API Gateway | Never sees raw PANs (proxies to vault for tokenization) |
| Connectors | Use gateway tokens or processor tokens, never raw PANs |
| Core Cloud SQL | Stores payment intents, merchants, billing — no cardholder data |
| Redis | Caches idempotency keys and rate limits — no cardholder data |
| Pub/Sub | Event messages contain payment intent IDs, never PANs |
| Admin Portal / Docs | No cardholder data access |
Segmentation Controls
- Separate GCP projects: Core and PCI workloads run in isolated GCP projects with independent IAM policies
- VPC peering with deny-all: Default firewall denies all traffic; explicit allow rules for port 443 only
- INTERNAL_ONLY ingress: Vault Cloud Run service rejects all external traffic
- Cross-project IAM: Gateway service account is explicitly granted `roles/run.invoker` on the vault service
- KMS key restriction: Only the vault service account has the `cryptoKeyEncrypterDecrypter` and `signerVerifier` roles