“Zilla’s extensive protocol support, integrations with AWS services such as Glue Schema Registry and Secrets Manager, as well as robust logging capabilities, give me confidence it can be a one-stop solution for all of our external MSK integration needs.”
-Gordon Zardoya | Solution Architect, N Brown-Castle Fintech
## Need
[N Brown Group (LON: BWNG)](https://www.nbrown.co.uk/) is a leading UK online retailer specializing in clothing and footwear for underserved customer groups — size 20+ and age 45+. Its portfolio includes brands such as JD Williams, Simply Be, and Jacamo.
With a heritage of over 160 years, N Brown has evolved from a catalog-based business to a fully digital retailer. Today, it combines a multi-brand retail offering with an in-house financial services platform to deliver a seamless online shopping experience.
One of N Brown’s latest digital initiatives is a “buy-now-pay-later” offering. As part of this effort, Castle Fintech, N Brown’s financial platforms group, had to integrate with third-party credit and payment services.
Traditionally, integrations with external vendors are batched and happen over REST/HTTP; however, Castle Fintech needed them to be event-driven to ensure a highly responsive customer experience.
## Challenge
The event-driven architecture of N Brown’s financial platform uses [Amazon Managed Streaming for Apache Kafka (MSK)](https://aws.amazon.com/msk/) for messaging and real-time data processing.
As an AWS-managed Kafka offering, MSK has two key benefits N Brown takes advantage of: tight integrations with other AWS services, such as Service Manager and Lambdas, and a heightened security model.
The latter results from MSK clusters running inside Virtual Private Cloud environments inaccessible over the Internet. While this prevents unauthorized MSK access, it also makes it impossible for trusted clients not running inside a cluster’s VPC (or at least in the same AWS account) to connect.
Public Access is an option that can be turned on for MSK brokers, but this exposes them to the Internet, undermining MSK’s innate security benefits and going against [AWS's Well-Architected best practices](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_create_layers.html).
N Brown initially attempted to securely expose their MSK cluster with an AWS Network Load Balancer (NLB) deployed on a public subnet but faced SSL termination issues. Eventually, the Castle Fintech team turned to its AWS account manager, who recommended [Aklivity’s Zilla Plus Proxy](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44?sr=0-2&ref_=beagle&applicationId=AWSMPContessa).
## Solution
[Zilla Plus](https://aklivity-staging.webflow.io/products/zilla-plus) is a multi-protocol edge and service proxy that securely connects clients and services to Amazon MSK. It natively supports the Kafka wire protocol, enabling it to route connectivity between Kafka clients and MSK brokers. Offered as an AMI on [AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44?sr=0-2&ref_=beagle&applicationId=AWSMPContessa), Zilla Plus is an [AWS-certified partner solution](https://partners.amazonaws.com/partners/0010h00001jF7IZAA0/Aklivity#:~:text=FOUNDATIONAL,for%20Amazon%20MSK).
Unlike Public Access, Zilla Plus does not require changes to the underlying MSK cluster, so the cluster keeps the privacy and security benefits of its private network. Instead, Zilla Plus is deployed in the MSK cluster’s VPC and works with a public-facing NLB to establish entry points and endpoints into the cluster. External clients can then use these to access the full functionality of MSK, from managing topics to producing to and consuming from them. Crucially for N Brown, Zilla also offloads TLS client certificate rejections and propagates TLS client identity for Access Control List (ACL) enforcement by MSK brokers.
“We needed a solution that would allow us to safely expose MSK with support for various authentication options, encryption in transit, and the ability to load-balance traffic across multiple brokers located across the availability zones in our cluster,” says N Brown Solution Architect Gordon Zardoya. “We were thrilled to find that Zilla ticked all the boxes.”
## Results
With Zilla Plus, N Brown quickly set up secure, publicly reachable endpoints for their MSK cluster. These endpoints now support event-driven integrations between their financial platform and external payments, collections, credit bureau, and statement service partners.
“Zilla Plus has reduced our lead time for integration development and rollout,” shares Gordon. “We can now dedicate more time to designing our Kafka topics and schema, which would have been otherwise spent building a middleware layer for integrating 3rd party external networks into our AWS VPCs.”
Kafka-native integrations are only the start for the Castle Fintech team, as many external partners and even internal N Brown groups still do not use Apache Kafka. For the team to exchange data with non-Kafka applications and services, its MSK cluster must be exposed via other APIs and protocols, such as HTTP. By making just a few updates to their existing Zilla Plus deployment, they can do so quickly and ultimately achieve a unified interface to all of their event-driven services and data.
“We are striving for services that provide multiple capabilities to simplify our architecture. Zilla’s extensive protocol support, integrations with AWS services such as Glue Schema Registry and Secrets Manager, as well as robust logging capabilities, give me confidence it can be a one-stop solution for all of our external MSK integration needs,” concludes N Brown Solution Architect, Gordon Zardoya.