The core business logic resides in a monolithic PHP 7.4 application, processing thousands of financial transactions per minute. The mandate was to introduce real-time fraud detection without compromising the p99 latency of the existing transaction API. A synchronous call to a remote model inference service was immediately ruled out; a 200ms-500ms delay for ML model execution would be catastrophic for user experience and would create a tightly coupled point of failure. The transaction commit in the PHP monolith had to remain fast and isolated. This constraint forced an asynchronous, event-driven architecture. The monolith would continue its primary function, but would now emit an event for every transaction, effectively firing-and-forgetting. A separate, decoupled service would then consume this event stream to perform the fraud analysis.
Our initial whiteboard session led to a simple diagram: a PHP producer, a message broker, and a Python consumer that wraps the TensorFlow model. The devil, as always, is in the details of productionizing this flow. The choice of message broker was the first critical decision. While something like Redis Pub/Sub is simple, it offers no persistence guarantees. RabbitMQ was a contender, but its smart-broker/dumb-consumer model felt less suited for what was fundamentally a stream processing problem. We needed replayability for model retraining, high throughput, and horizontal scalability. Apache Kafka was the clear choice, designed from the ground up as a distributed commit log.
The technology stack was now PHP -> Kafka -> Python/TensorFlow. This is an unconventional combination. A pragmatic engineer must justify using PHP in a modern data pipeline. The justification here was purely business-driven: the monolith was stable, profitable, and a complete rewrite was projected to take two years. Augmentation, not replacement, was the only viable path. The challenge, therefore, was not just to connect these components, but to do so in a manner that was robust, type-safe, and maintainable across language barriers.
graph TD
subgraph PHP Monolith
A[Transaction API Controller] --> B{PHP Kafka Producer};
end
subgraph Apache Kafka Cluster
B -- Avro Encoded Event --> C[Topic: 'transactions'];
end
subgraph Inference Service
D[Python Kafka Consumer] -- Polls --> C;
D -- Decodes & Batches --> E[gRPC Client];
E -- Inference Request --> F[TensorFlow Serving];
F -- Fraud Score --> E;
E -- Logs Result --> G[Monitoring/Alerting];
end
style F fill:#f9f,stroke:#333,stroke-width:2px
style C fill:#ccf,stroke:#333,stroke-width:2px
The first step in any cross-language, message-driven architecture is defining a rigid data contract. Without it, you are guaranteed to encounter deserialization errors in production, especially as the PHP and Python teams iterate independently. We chose Apache Avro for our schema definition. Unlike JSON, Avro is a binary format with a schema-first approach. The schema is stored in a Schema Registry, and messages only carry a small schema ID. This provides type safety and schema evolution capabilities, which are critical for long-term maintainability.
Here is the Avro schema for our transaction.avsc file. It’s explicit about data types and includes documentation.
{
"namespace": "com.mycompany.fraud",
"type": "record",
"name": "TransactionEvent",
"doc": "Represents a single financial transaction event.",
"fields": [
{"name": "transactionId", "type": "string", "doc": "Unique identifier for the transaction."},
{"name": "userId", "type": "string", "doc": "The user initiating the transaction."},
{"name": "amount", "type": "double", "doc": "Transaction amount in USD."},
{"name": "currency", "type": "string", "default": "USD"},
{"name": "timestamp", "type": "long", "logicalType": "timestamp-millis", "doc": "UTC timestamp of the transaction."},
{"name": "merchantId", "type": "string"},
{"name": "userIpAddress", "type": "string"},
{"name": "cardLastFour", "type": "string"}
]
}With the contract defined, the next task was building the PHP producer. We used the php-rdkafka extension, a wrapper around the battle-tested librdkafka C library. In a real-world project, simply instantiating the producer and calling produce() is insufficient. Configuration and error handling are paramount.
This is a production-grade TransactionEventProducer class in PHP. Note the configuration details: acks=all ensures the message is acknowledged by all in-sync replicas, providing maximum durability at the cost of some latency. compression.type=zstd is chosen for a good balance of CPU usage and compression ratio.
<?php
declare(strict_types=1);
namespace App\Services\Kafka;
use AvroSchema;
use AvroStringIO;
use AvroIODatumWriter;
use RdKafka\Conf;
use RdKafka\Producer;
use Psr\Log\LoggerInterface;
use App\Services\SchemaRegistry\CachedSchemaRegistryClient;
final class TransactionEventProducer
{
private Producer $producer;
private LoggerInterface $logger;
private CachedSchemaRegistryClient $schemaRegistry;
private string $topicName;
private int $schemaId;
public function __construct(
string $brokers,
string $topicName,
CachedSchemaRegistryClient $schemaRegistry,
LoggerInterface $logger
) {
$this->topicName = $topicName;
$this->logger = $logger;
$this->schemaRegistry = $schemaRegistry;
// Fetch and cache the schema ID for our topic's value subject
// A common mistake is fetching this on every request.
$this->schemaId = $this->schemaRegistry->getLatestSchemaId("{$topicName}-value");
$conf = new Conf();
// Crucial: Set a delivery report callback to handle async success/failure.
$conf->setDrMsgCb(function ($kafka, $message) {
if ($message->err) {
$this->logger->error('Kafka message delivery failed', [
'error' => rd_kafka_err2str($message->err),
'payload' => $message->payload,
]);
}
});
$conf->set('metadata.broker.list', $brokers);
$conf->set('acks', 'all'); // Guarantees durability.
$conf->set('compression.type', 'zstd');
// Retries for transient network errors.
$conf->set('retries', '3');
$conf->set('retry.backoff.ms', '1000');
$this->producer = new Producer($conf);
}
public function publish(string $key, array $payload): void
{
try {
$encodedPayload = $this->encodeAvro($payload);
$topic = $this->producer->newTopic($this->topicName);
$topic->produce(RD_KAFKA_PARTITION_UA, 0, $encodedPayload, $key);
// Poll for delivery reports. In a web request, this can be short.
// In a CLI worker, this loop would be more central.
$this->producer->poll(0);
} catch (\Exception $e) {
$this->logger->critical('Failed to produce Kafka message', [
'exception' => $e,
'key' => $key,
]);
// Depending on business requirements, this might throw the exception
// to fail the transaction, or just log and continue.
}
}
private function encodeAvro(array $data): string
{
$schema = $this->schemaRegistry->getSchemaById($this->schemaId);
$stringIO = new AvroStringIO();
// Magic Byte (0) + 4-byte Schema ID + Avro binary data
$stringIO->write(pack('C', 0));
$stringIO->write(pack('N', $this->schemaId));
$writer = new AvroIODatumWriter($schema);
$writer->write($data, new \AvroIOBinaryEncoder($stringIO));
return $stringIO->string();
}
public function __destruct()
{
// The most critical part of a producer in a short-lived PHP process.
// This blocks until all outstanding messages are sent or fail.
// A timeout of 10 seconds is a reasonable starting point.
$result = $this->producer->flush(10000);
if (RD_KAFKA_RESP_ERR_NO_ERROR !== $result) {
$this->logger->error('Kafka producer failed to flush messages on shutdown.');
}
}
}The __destruct method containing $this->producer->flush() is non-negotiable in a PHP environment. PHP’s shared-nothing architecture means the script terminates after each request. Without a blocking flush, any messages sitting in librdkafka‘s internal buffer would be lost forever. A common pitfall for teams new to Kafka with PHP is forgetting this and wondering why messages intermittently disappear.
On the other side of the Kafka topic, we have the Python consumer service. Its job is to read messages, deserialize them using the same Avro schema, batch them for efficiency, and send them to a TensorFlow Serving instance for inference.
TensorFlow Serving is a high-performance serving system for machine learning models, designed for production environments. Running our fraud model inside a dedicated server like this gives us model versioning, monitoring, and performance optimizations like request batching out of the box. We launch it via Docker:
# Assuming a pre-trained Keras/TF model is saved at /models/fraud_detector
docker run -p 8500:8500 --name tf_serving \
-v "/path/to/models/fraud_detector:/models/fraud_detector" \
-e MODEL_NAME=fraud_detector -t tensorflow/servingNow for the Python consumer code. This script is designed to run as a long-lived service. It uses the confluent-kafka-python library, which also wraps librdkafka.
import os
import logging
import time
import grpc
import numpy as np
from confluent_kafka import Consumer, KafkaError, KafkaException
from confluent_kafka.avro import AvroConsumer
from confluent_kafka.avro.serializer import SerializerError
from tensorflow_serving.apis import predict_pb2
from tensorflow_serving.apis import prediction_service_pb2_grpc
# --- Configuration ---
KAFKA_BROKERS = os.getenv("KAFKA_BROKERS", "kafka:9092")
SCHEMA_REGISTRY_URL = os.getenv("SCHEMA_REGISTRY_URL", "http://schema-registry:8081")
KAFKA_TOPIC = "transactions"
CONSUMER_GROUP_ID = "fraud-detection-service"
TF_SERVING_HOST = os.getenv("TF_SERVING_HOST", "localhost:8500")
MODEL_NAME = "fraud_detector"
MODEL_SIGNATURE_NAME = "serving_default"
BATCH_SIZE = 64
BATCH_TIMEOUT_SECONDS = 5.0
# --- Logging Setup ---
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
class FraudInferenceService:
def __init__(self):
self.consumer = self._create_consumer()
self.tf_serving_stub = self._create_tf_serving_stub()
logging.info("FraudInferenceService initialized.")
def _create_consumer(self):
consumer_conf = {
'bootstrap.servers': KAFKA_BROKERS,
'group.id': CONSUMER_GROUP_ID,
'schema.registry.url': SCHEMA_REGISTRY_URL,
# Start from the earliest offset if no committed offset is found.
# Important for new deployments to process historical data.
'auto.offset.reset': 'earliest',
# We will commit offsets manually for more control.
'enable.auto.commit': False
}
return AvroConsumer(consumer_conf)
def _create_tf_serving_stub(self):
channel = grpc.insecure_channel(TF_SERVING_HOST)
return prediction_service_pb2_grpc.PredictionServiceStub(channel)
def _prepare_features_for_model(self, message_batch):
# This is highly model-dependent.
# Here we simulate extracting features and converting them to a NumPy array.
# In a real system, this involves feature engineering.
features = []
for msg in message_batch:
val = msg.value()
# Example feature: transaction amount
features.append([float(val.get('amount', 0.0))])
return np.array(features, dtype=np.float32)
def run_inference(self, features):
request = predict_pb2.PredictRequest()
request.model_spec.name = MODEL_NAME
request.model_spec.signature_name = MODEL_SIGNATURE_NAME
# The input tensor name 'input_1' must match the model's signature.
request.inputs['input_1'].CopyFrom(
tf.make_tensor_proto(features, shape=features.shape)
)
try:
result = self.tf_serving_stub.Predict(request, timeout=2.0) # 2-second timeout
# Process result, assuming output tensor is named 'output_1'
scores = tf.make_ndarray(result.outputs['output_1'])
return scores
except grpc.RpcError as e:
logging.error(f"gRPC call to TensorFlow Serving failed: {e.status()}")
return None
def consume_loop(self):
self.consumer.subscribe([KAFKA_TOPIC])
logging.info(f"Subscribed to topic: {KAFKA_TOPIC}")
message_batch = []
last_batch_time = time.time()
try:
while True:
try:
msg = self.consumer.poll(timeout=1.0)
if msg is None:
# Check if we should process a timed-out batch
if message_batch and (time.time() - last_batch_time > BATCH_TIMEOUT_SECONDS):
logging.info(f"Processing batch due to timeout ({len(message_batch)} messages).")
self._process_batch(message_batch)
message_batch = []
continue
if msg.error():
if msg.error().code() == KafkaError._PARTITION_EOF:
# Not an error, just end of partition.
continue
else:
raise KafkaException(msg.error())
message_batch.append(msg)
if len(message_batch) >= BATCH_SIZE:
logging.info(f"Processing batch due to size ({len(message_batch)} messages).")
self._process_batch(message_batch)
message_batch = []
last_batch_time = time.time()
except SerializerError as e:
# A pitfall here is crashing the consumer on a single bad message.
# Log the poison pill and continue.
logging.error(f"Message deserialization failed: {e}. Skipping message.")
# A robust implementation would move this message to a dead-letter queue.
except KeyboardInterrupt:
logging.info("Shutdown signal received.")
finally:
self.consumer.close()
logging.info("Kafka consumer closed.")
def _process_batch(self, message_batch):
# 1. Prepare features
features = self._prepare_features_for_model(message_batch)
# 2. Run inference
scores = self.run_inference(features)
if scores is not None:
# 3. Process results (e.g., log, alert, etc.)
for i, msg in enumerate(message_batch):
transaction_id = msg.value().get('transactionId')
fraud_score = scores[i][0]
if fraud_score > 0.9:
logging.warning(f"High fraud score detected: {fraud_score:.4f} for transaction {transaction_id}")
else:
logging.info(f"Processed transaction {transaction_id} with score {fraud_score:.4f}")
# 4. Commit offsets AFTER successful processing
# This provides at-least-once processing guarantees.
self.consumer.commit(asynchronous=False)
logging.info("Committed Kafka offset for batch.")
else:
logging.error("Skipping offset commit due to inference failure.")
# Here, we don't commit. The messages will be re-processed after a restart.
# This is where idempotency becomes important downstream.
if __name__ == "__main__":
service = FraudInferenceService()
service.consume_loop()
This consumer implementation addresses several production realities. It processes messages in batches to improve the efficiency of the gRPC call to TensorFlow Serving. It uses a timeout to ensure that smaller, lingering batches are still processed. Manual offset committing (enable.auto.commit=False) is used to ensure we only acknowledge messages after they have been successfully processed by the model, providing at-least-once delivery semantics. A critical detail is the try/except SerializerError block; in a polyglot system, a malformed message from the producer should not be allowed to crash the entire consumer fleet.
This architecture successfully decoupled the core transaction processing from the fraud detection workload. The PHP monolith remains fast, and the inference workload can be scaled independently by simply running more instances of the Python consumer service, which Kafka will automatically balance across the topic partitions.
The current implementation, however, is not without its limitations and areas for future improvement. The end-to-end observability is weak. To trace a single transaction from the API call through Kafka to the final inference, we would need to implement distributed tracing, propagating trace context through Kafka message headers. Furthermore, the at-least-once guarantee means that in the event of a consumer crash after inference but before the offset commit, a transaction could be processed twice. While this is acceptable for fraud logging, if the service were to take a more direct action (e.g., locking an account), the downstream system would need to be idempotent. Finally, a proper dead-letter queue (DLQ) mechanism is missing. Messages that fail deserialization repeatedly should be routed to a separate topic for manual inspection, rather than just being logged and skipped.
