Axual Architecture & Components
Architecture
In the diagram above, the gray rectangles represent distinct Kubernetes clusters. Component squares with a drop shadow are deployed with multiple instances, for example, a Kafka Connect cluster.
The red box in the lower right represents the Axual Runtime components.
Interactions
Self Service interactions
All interactions with the Governance Layer start with an HTTPS request to the API Gateway.
1 The request arrives at the API Gateway.
2 API Gateway checks authentication and authorization with Keycloak.
3 Keycloak is connected with an Identity Provider (LDAP, EntraID, etc.) via OpenID Connect (OIDC).
4 The Keycloak configuration is stored in a database.
5 After interacting with Keycloak, some request bodies are modified (for example, for Topic Browse) to contain everything needed to interact with the Platform UI, Platform Manager (API) and Topic Browse.
6 Platform Manager creates and configures Kafka topics by creating a Kafka AdminClient, and stores schemas in Schema Registries.
7 Platform Manager stores the details in a database.
8 Topic Browse can query topic data of all managed clusters and present it to the end user.
9a, 9b On first startup of the platform, API Gateway starts a wizard process on the Organization Module of Platform Manager to create a Tenant and admin user in Keycloak. This is a one-time process after which the OM can be disabled.
Kafka interactions
10 A producer or consumer application can reach the Apache Kafka cluster using Kafka protocols on Kafka listeners.
11 Optionally, applications use Schema Registry over HTTPS.
12 Schema Registry stores schemas on a topic.
13 Some applications without Kafka protocol support can use the REST Proxy instead.
14 REST Proxy in turn connects to Kafka.
15, 16 Axual Connect (Kafka Connect) can quickly move data from or into Kafka, and from or into external systems like MQ or a data lake.
17 Security details of Connectors are stored inside Vault.
18 Credentials are written to Vault by Platform Manager.
19 Axual Distributor reads data from Kafka.
20 Distributor writes data into another cluster that is synchronous with the source cluster.
Other interactions
21 The Metrics Exposer gathers metric data from Prometheus and exposes the data for dashboard creation outside the ESP infrastructure.
22 Metrics Exposer calls go through API Gateway before reaching Platform Manager.
Component overview
Streaming Components
- B - Brokers, Apache Kafka
- RP - REST Proxy
- SR - Schema Registry, Apicurio Schema Registry
- SR - Schema Registry, Schema Registry (Legacy)
Governance Components
- AG - API Gateway
- PM - Platform Manager
- TB - Topic Browse
- UI - Platform UI
- KC - Keycloak
- DB - Database Support
- V - Vault
- ME - Metrics Exposer
Runtime Components
- AC - Axual Connect
- KSML - KSML Provisioner
Network Interactions
This section lists the internal network connections as depicted on the architecture diagram above.
| Category | Sender | Receiver | Data exchanged | Protocols |
|---|---|---|---|---|
| Governance | PM | KC | User information (token) | HTTPS |
| Governance | PM | DB | Platform metadata for topics, applications, environments, users and their roles | JDBC |
| Governance | PM | IM | Topic configuration with ACLs and schemas used to describe data on topics (metadata) | HTTPS |
| Governance | KC | DB | Keycloak configuration | JDBC |
| Governance | TB | B | Topic messages (content) | Kafka Protocol over mTLS/SASL |
| Governance | TB | SR | Schemas used to describe data on topics | HTTPS |
| Governance | PM | SR | Apply Schemas used to describe data on topics | HTTPS |
| Governance | PM | B | Topic configuration with ACLs (metadata) | Kafka Protocol over mTLS/SASL |
| Governance | KC | IDP | Identity verification | HTTPS |
| Governance | PM | Vault | Persist/Load Secrets, private keys, certs | HTTPS |
| Governance | TB | PM | Topic authorization metadata | HTTPS |
| Governance | AG | PM | Gateway to PM interactions | HTTPS |
| Governance | AG | TB | Gateway to TB interactions | HTTPS |
| Governance | AG | TB | Gateway to UI interactions | HTTPS |
| Governance | AG | ME | Gateway to ME interactions | HTTPS |
| Governance | AG | KC | Gateway to KC interactions | HTTPS |
| Streaming | B | B | Kafka broker related data. Kafka messages (replication) | Kafka Protocol |
| Streaming | SR | B | Persist/Load Schemas used to describe data on topics, read from Kafka topics | Kafka Protocol over mTLS |
| Streaming | RP | B | Kafka messages | Kafka Protocol over mTLS |
| Streaming | RP | SR | Schemas, schema IDs | HTTPS |
| Distributor | D | B | Read Kafka topics | Kafka Protocol over mTLS |
| Distributor | D | B | Write to external cluster Kafka topics | Kafka Protocol over mTLS |
| Axual Connect | PM | AC | Control requests to govern Connectors | HTTPS |
| Axual Connect | AC | Vault | Secrets, private keys, certs (retrieval by AC) | HTTPS |
| Axual Connect | AC | B | Kafka messages (connector config and other AC related messages) | Kafka Protocol over mTLS |
| KSML | PM | KP | Control requests to govern KSML Applications | HTTPS |
| KSML | KSML | B | Topic messages (content) | Kafka Protocol over mTLS/SASL |
| KSML | KSML | SR | Schemas used to describe data on topics | HTTPS |
| KSML | KP | KubeApiserver | Create/Monitor KSML Application deployments | HTTPS |
| Axual MCP | MCP | AG | Govern Axual platform through natural language | HTTPS |
Port Requirements
This section lists the default ports required by each component.
| Component | Port | Protocol | Purpose |
|---|---|---|---|
| API Gateway (AG) | 8080 | HTTP | API |
| API Gateway (AG) | 8086 | HTTP | Management |
| Keycloak (KC) | 8080 | HTTP | Authentication |
| Keycloak (KC) | 8443 | HTTPS | Authentication (TLS) |
| Keycloak (KC) | 9000 | HTTP | Internal health |
| Keycloak Database (DB) | 3306 | JDBC | MySQL |
| Metrics Exposer (ME) | 9080 | HTTP | API |
| Metrics Exposer (ME) | 8086 | HTTP | Management |
| Platform Manager (PM) | 8080 | HTTP | API |
| Platform Manager (PM) | 8086 | HTTP | Management |
| Platform Manager Database (DB) | 3306 | JDBC | MySQL |
| Vault (V) | 8200 | HTTP | Secrets API |
| Vault (V) | 8201 | HTTPS | Internal replication |
| Platform UI (UI) | 8080 | HTTP | Web interface |
| Topic Browse (TB) | 8080 | HTTP | API |
| Topic Browse (TB) | 8086 | HTTP | Management |
| Schema Registry — Apicurio (SR) | 8080 | HTTP | Registry API |
| Schema Registry — Apicurio (SR) | 8443 | HTTPS | Registry API (TLS) |
| Schema Registry — Apicurio (SR) | 8081 | HTTP | Auth Proxy |
| Schema Registry — Apicurio (SR) | 8086 | HTTP | Management |
| Kafka Broker (B) | 9091 | Kafka | Internal replication |
| Kafka Broker (B) | 9092 | Kafka | Internal TLS listener |
| Kafka Broker (B) | 9093 | Kafka | Internal SASL listener |
| Kafka Broker (B) | 9095 | Kafka | External TLS listener |
| Kafka Broker (B) | 9096 | Kafka | External SASL listener |
| Kafka Broker (B) | 9404 | HTTP | Prometheus metrics |
| Kafka Broker (B) | 8443 | HTTPS | Kafka Agent |
| REST Proxy (RP) | 18111 | HTTPS | API |
| REST Proxy (RP) | 8081 | HTTP | Management |
| Axual Connect (AC) | 11000 | HTTP | Connect API |
| Axual Connect (AC) | 5555 | HTTP | Prometheus metrics |
| KSML Provisioner (KP) | 8000 | HTTP | Provisioner API |
| KSML Provisioner (KP) | 2112 | HTTP | Prometheus metrics |
| Strimzi Cluster Operator | 8080 | HTTP | Operator API |
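An added example (not part of the Axual documentation or product): the Network Interactions and Port Requirements tables used as an allow-list to audit observed connections, which is also the basis for default-deny network policies. The `src=… dst=… dport=…` record format and the sample records are constructed, and component codes are assumed to be already resolved from pod or service names.

```python
import re

# (sender, receiver) pairs transcribed from the Network Interactions table.
DOCUMENTED_FLOWS = {
    ("PM", "KC"), ("PM", "DB"), ("PM", "IM"), ("PM", "SR"), ("PM", "B"),
    ("PM", "Vault"), ("PM", "AC"), ("PM", "KP"), ("KC", "DB"), ("KC", "IDP"),
    ("TB", "B"), ("TB", "SR"), ("TB", "PM"), ("AG", "PM"), ("AG", "TB"),
    ("AG", "ME"), ("AG", "KC"), ("B", "B"), ("SR", "B"), ("RP", "B"),
    ("RP", "SR"), ("D", "B"), ("AC", "Vault"), ("AC", "B"), ("KSML", "B"),
    ("KSML", "SR"), ("KP", "KubeApiserver"), ("MCP", "AG"),
}

# Default listening ports per receiver, from the Port Requirements table.
DEFAULT_PORTS = {
    "AG": {8080, 8086}, "KC": {8080, 8443, 9000}, "DB": {3306},
    "ME": {9080, 8086}, "PM": {8080, 8086}, "Vault": {8200, 8201},
    "UI": {8080}, "TB": {8080, 8086}, "SR": {8080, 8443, 8081, 8086},
    "B": {9091, 9092, 9093, 9095, 9096, 9404, 8443},
    "RP": {18111, 8081}, "AC": {11000, 5555}, "KP": {8000, 2112},
}

# Constructed flow records (assumed format, not an Axual log format).
SAMPLE_LOG = [
    "src=AG dst=PM dport=8080",      # documented flow, default port
    "src=TB dst=B dport=9093",       # documented flow, internal SASL listener
    "src=RP dst=Vault dport=8200",   # REST Proxy has no documented Vault flow
    "src=PM dst=B dport=9099",       # documented pair, port not in broker list
    "src=UI dst=DB dport=3306",      # UI has no documented database flow
]

LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def allowed_senders(receiver):
    """Invert the matrix: components documented as connecting to `receiver`."""
    return sorted(s for s, r in DOCUMENTED_FLOWS if r == receiver)

def audit(lines):
    """Return (src, dst, port, reason) for each flow the tables do not cover."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip records that do not match the assumed format
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if (src, dst) not in DOCUMENTED_FLOWS:
            findings.append((src, dst, port, "undocumented flow"))
        elif port not in DEFAULT_PORTS.get(dst, {port}):  # no port data: skip check
            findings.append((src, dst, port, "non-default port"))
    return findings
```

`allowed_senders("Vault")` gives the ingress allow-list for one receiver; `audit(SAMPLE_LOG)` flags the three records that fall outside the documented matrix.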
Latest Axual Platform Component Versions
Details concerning new features, security updates or major bugfixes can be found in the Release Notes.