Modernizing an Anti-Money Laundering Compliance Platform on Azure
Modernizing an Anti-Money Laundering Platform on Azure
Summary: From Manual Azure Deployments to Terraform CI/CD on GitHub Actions
Kinectify, an Anti-Money Laundering (AML) and compliance software, serves financial institutions and gaming companies that need to detect, investigate, and report suspicious activity at scale. As Kinectify's platform grew, a manually managed, single-subscription Azure environment became a bottleneck and liability. The company sought to reduce the risk of exposing sensitive financial data over public endpoints, build an audit trail for infrastructure changes, and overhaul the engineering team's manual deployment process.
Kinectify partnered with Stratus10 to redesign and rebuild their cloud infrastructure from the ground up on Azure. The result is a fully automated, multi-subscription, enterprise-grade platform that is more secure, more reliable, and built to scale, without the operational overhead that was holding the team back.
About Kinectify

Kinectify builds Anti-Money Laundering and compliance software for financial institutions. Their platform helps compliance teams automate the detection of suspicious transactions, manage investigations, and meet regulatory reporting obligations. Operating in a highly regulated industry means that security, data privacy, and auditability are core product requirements.
As Kinectify's customer base grew and the platform took on more sensitive financial data, the gap between what their infrastructure could deliver and what the business actually needed became impossible to ignore.
Challenge
Kinectify's production environment had been built incrementally over time as the company grew, with most infrastructure created manually through the Azure Portal. With over 100 production resources spread across multiple resource groups in a single Azure subscription, there was no standardized separation between application workloads, DevOps tooling, monitoring, and identity management. Everything lived together in the same environment, which now needed clear access boundaries, network segmentation, and overall improved infrastructure organization.
Security Posture
Strengthening security posture was a top priority for a company handling sensitive financial and compliance-related data:
- Databases, caches, and storage accounts were accessible over public endpoints
- Inbound application traffic flowed directly through the Application Gateway without an additional web application firewall layer for inspection and filtering
- Customer-managed encryption keys were not yet implemented, meaning Kinectify had limited control over infrastructure-level access
Operational Hurdles
The team was spending significant time on manual work that should have been automated:
- Infrastructure changes were made through the portal with no version control, no approval process, and no audit trail
- Alerts and monitoring dashboards were hand-built and inconsistent
- Orphaned resources (unused public IPs, old network interfaces, legacy virtual machines) had accumulated with no cleanup process
- The CI/CD pipeline ran on VM-based build agents inside the production subscription itself, meaning a compromised build agent could have had direct access to production data
Without addressing these issues, Kinectify faced growing exposure: a security incident involving customer financial data, a compliance audit finding related to lack of infrastructure change controls, and an engineering team increasingly slowed by manual infrastructure management.
Why Azure
Kinectify was already operating on Azure under an existing enterprise agreement, making it the natural foundation for the modernization effort. Beyond the commercial relationship, Azure offered the specific services Kinectify needed in one place:
- Azure OpenAI for intelligent transaction analysis
- Azure AI Search for investigation workflows
- Azure Cosmos DB for globally distributed data
- Azure Kubernetes Service for container orchestration
The availability of Azure Firewall, Application Gateway with WAF, and native private endpoint support across all PaaS services meant the security architecture Kinectify needed could be built entirely within the platform they already trusted.
Why Kinectify Chose Stratus10
Kinectify needed a partner who understood Azure deeply, not just the individual services, as well as how to design an enterprise-grade architecture that spans multiple subscriptions, enforces security at every layer, and can be maintained and extended by an engineering team over time. Stratus10 brought exactly that. Their Azure specialization meant they could:
- Design a hub-spoke network architecture
- Implement private endpoint connectivity across every data service
- Build a fully automated Infrastructure as Code pipeline
Stratus10 also understood the stakes of working in a regulated industry. The architecture they proposed wasn't just technically sound; it addressed the specific risks Kinectify was carrying: public data exposure, lack of audit trails, no encryption key control, and a CI/CD pipeline running inside production.
What sealed the engagement was Stratus10's ability to take ownership of the full scope, from legacy analysis and architecture design through to application modernization, pipeline automation, and documentation, giving Kinectify a production-ready platform.
The Solution: Multi-Subscription Architecture on Azure
Stratus10 began with a thorough Azure environment review, cataloguing over 100 resources across multiple resource groups and identifying what was in Terraform, what was manually created, and what was orphaned.
Multi-Subscription Architecture
The new architecture is built on five Azure subscriptions, each with a clear responsibility:
- Management: monitoring and observability
- Identity: all managed identities
- Connectivity: network security and traffic management
- Application: workloads and data services
- DevOps: CI/CD infrastructure
This separation means a compromise in one area cannot spread laterally across the entire environment, which was a fundamental shift from the single-subscription model Kinectify had before.
Network Architecture
Stratus10 designed a hub-spoke architecture with three application networks and a dedicated DevOps network, all connected via direct VNet peering:
- All inbound internet traffic flows through Azure Firewall first, which inspects and forwards requests to the Application Gateway via DNAT rules
- The Application Gateway applies WAF v2 security rules before traffic ever reaches the AKS cluster
- Every data service is connected exclusively through private endpoints, with no public internet access
- Azure Traffic Manager sits at the DNS layer, routing users to the firewall's public IP with health-check failover built in
Compute Platform
The compute platform runs on Azure Kubernetes Service with five node pools: system, web, service, agent, and an optional spot pool for cost-optimized workloads. Key security features include:
- AKS workload identity with federated credentials replaced the legacy pod identity model; application components authenticate without stored passwords or secrets
- TLS certificates are managed automatically via cert-manager with Let's Encrypt
- Key Vault secrets are mounted directly into pods via the CSI secrets store driver
Customer-Managed Encryption
For customers requiring the highest level of data protection, Stratus10 implemented optional customer-managed key encryption across every data service: Cosmos DB, Redis, Storage, Service Bus, OpenAI, AI Search, AI Services, and AKS node disks. Each service gets its own dedicated managed identity with scoped Key Vault access, so encryption key permissions are granular and auditable.
Terraform CI/CD: Infrastructure as Code with GitHub Actions
Kinectify's entire infrastructure is defined in Terraform across seven modular stacks (Foundation, Network, Data, Platform, Security, Monitoring, and Application). Rather than deploying that Terraform through Azure DevOps, Stratus10 built the Terraform CI/CD pipeline on GitHub Actions, sequencing all seven stacks through a single automated workflow.
- Build agents run on self-hosted AKS runners in the isolated DevOps subscription, authenticating to Azure via OIDC with no stored credentials
- Production deployments require manual approval with a timeout gate
- Every infrastructure change is a Git commit with a full approval history, giving Kinectify the audit trail their compliance posture demands
- Centralized monitoring through Log Analytics and Application Insights with automated metric and activity log alerts provides full visibility across all five subscriptions
Results & Benefits
Infrastructure Coverage
- Went from a single unstructured subscription with resources spread across 10+ resource groups to a clean 5-subscription architecture with clearly defined resource group boundaries
- Over 100 production resources were catalogued, assessed, and migrated or replaced, with every resource in the new environment defined in Terraform from day one, compared to a legacy environment where a significant portion of resources had no IaC coverage
- 20+ orphaned resources (unused public IPs, network interfaces, legacy disks, test identities) were identified and eliminated, directly reducing unnecessary cloud spend
- 30+ alerts and monitoring rules that existed only as manual portal configurations were rebuilt as code, ensuring they survive environment rebuilds and are consistent across environments
Security Posture
- Reduced the public attack surface to zero publicly reachable data services; all 10+ PaaS services are now accessible exclusively through private endpoints
- Replaced a flat single-VNet network with a hub-spoke architecture spanning 4 VNets, 7 NSGs, and a centralized Azure Firewall; every inbound request is now inspected before reaching the application
- Eliminated stored credentials from the CI/CD pipeline entirely by moving to OIDC-based authentication, removing a class of credential-leak risk that existed with the legacy Azure DevOps VM agent setup
- Moved build agents out of the production subscription into an isolated DevOps subscription, reducing the blast radius of a compromised build environment to "isolated DevOps network only"
Operational Efficiency
- Reduced environment provisioning from a multi-day manual process to a fully automated pipeline that deploys all 7 infrastructure layers sequentially with a single trigger
- Every infrastructure change now goes through a validated, linted, planned, and approved pipeline, replacing ad-hoc portal changes with a repeatable process that produces a full audit trail in Git
- Introduced multi-environment support (development, staging, production) with fully isolated networking per environment, where previously only a single production environment existed
- Consolidated monitoring from scattered manual dashboards and inconsistently configured alerts across multiple resource groups into a single Log Analytics workspace with automated alerts covering all 5 subscriptions
Developer Experience
- Replaced VM-based Azure DevOps agents (requiring image gallery maintenance, VMSS management, and SSH key rotation) with containerized GitHub Actions runners on AKS, reducing CI/CD infrastructure maintenance overhead significantly
- Introduced workload identity federation for all AKS services, eliminating the need to rotate or manage secrets for service-to-service authentication across 20+ microservice identities
Across infrastructure, security, operations, and developer experience, the numbers point to the same shift: Kinectify traded a manually managed, single-subscription environment for one where every change is automated, reviewable, and auditable by design. The architecture doesn't just close the gaps that existed before; it gives Kinectify room to grow its compliance platform without re-opening them.
Azure Services Used
- Azure Kubernetes Service - Application runtime with 5 node pools
- Azure Application Gateway (WAF v2) - Web application firewall and load balancing
- Azure Firewall - Inbound traffic inspection and DNAT
- Azure Traffic Manager - DNS-level routing and health-check failover
- Azure Cosmos DB - Primary application database
- Azure Cache for Redis - Session and data caching
- Azure Storage - Blob and queue storage, SFTP import
- Azure Service Bus - Asynchronous messaging
- Azure SignalR Service - Real-time communication
- Azure Key Vault - Secrets, certificates, and CMK key management
- Azure OpenAI - Intelligent transaction analysis
- Azure AI Search - Investigation and search workflows
- Azure AI Services - Cognitive capabilities
- Azure Translator - Multi-language compliance support
- Azure Maps - Geospatial data enrichment
- Azure Log Analytics - Centralized log aggregation across all subscriptions
- Azure Application Insights - Application performance monitoring
- Azure Managed Identities - Secretless authentication for all services
- Azure Bastion - Secure administrative access
- Azure NAT Gateway - Controlled outbound connectivity for DevOps network
- GitHub Actions - Terraform CI/CD orchestration and self-hosted AKS runners
Ready to Modernize Your Azure Environment?
If your team is running a manually managed, single-subscription Azure environment, the gap between what it can deliver and what your business needs will only grow. Stratus10's Azure DevOps Consulting Services team can help you design a secure, multi-subscription architecture and automate the CI/CD pipeline behind it, whether that's on GitHub Actions, Azure DevOps, or whichever tool fits your team.
Contact us to learn more and get started.
Reach out to schedule a free consultation with one of our engineering leaders.