Ahmed Shalabi

Selected Work

Twelve architecture case studies — the Balady ecosystem and earlier engagements, each with a pattern-level diagram and the trade-offs behind it.

Domain-Driven Design

Commercial License Revamp

Decomposed a legacy government licence monolith into a modern microservices target across several DDD bounded contexts on Camunda BPMN/DMN — now the agreed target architecture across engineering.

Spring BootCamunda BPMN/DMNRabbitMQPostgreSQLKubernetesELK · Prometheus · Grafana
Read case study Event-driven · Resilience

Debts Hub

Centralized debts substrate gating Balady service issuance on outstanding-debt resolution. Replaced REST-based confirmations with event-driven messaging for stronger delivery guarantees, eliminating a class of failure.

Spring BootRabbitMQPostgreSQLBI / ETL replication
Read case study Strangler Fig · Hybrid-cloud

DMS Migration (Hybrid-Cloud)

Multi-terabyte, multi-million-record migration from on-premise file storage to cloud object storage (in-region) using Strangler Fig with per-document backend-flag tracking — zero-downtime cutover.

Cloud object storageOn-prem file storageRelational metadata storeAPI gatewaySecure site-to-site tunnel
Read case study Payments · Mission-critical

Balady Billing System

Canonical microservices ensemble for government-integrated payment processing, points conversion, and wallet management — saga-style compensation, dual-verification on every callback, and circuit breakers on every external dependency.

ApigeeSpring BootKafkaOracle 19cRedis ClusterKubernetes
Read case study Super-app · Security

Balady+ Mini-Apps Platform

Container-based mini-apps with a permission-bridge runtime, a multi-stage CI/CD pipeline, and a two-tier identity model (basic OTP / high-assurance SSO) with per-app, mini-app-scoped encryption keys.

KubernetesImage & malware scanningHigh-assurance SSOPermission-bridge runtimeTwo-tier identity
Read case study Platform · Event-driven

Reference Data Management

Single governed source-of-truth for translations and cross-system code mappings. Transactional outbox + RabbitMQ Streams for cache-invalidation only; MongoDB + Redis read-through; BFF page-level aggregation; mobile offline bundle.

MongoDBRedisRabbitMQ Streams.NET BFFOutbox pattern
Read case study CQRS read model · Real-time monitoring

Commercial Licenses Dashboard

Real-time monitoring platform for government employees across Saudi municipalities. A replayable event stream feeds two purpose-built read models — search/KPIs and spatial — so each query class runs on the engine best suited to it.

ElasticsearchArcGIS ServerRabbitMQ StreamsGovernment SSO.NET
Read case study Notifications · Multi-channel

Notification Hub

Centralized notification platform — ingest → templating → per-channel dispatch (SMS / mobile / web) with persist-before-dispatch invariants, bounded retry, and per-channel queue isolation.

MongoDBRabbitMQSMS / FCM / WebSocket
Read case study Data platform

Centralized DB Decomposition

Platform-level proposal decomposing a shared database into per-business-domain stores via Debezium CDC + Kafka, with phased migration and Grafana / Prometheus monitoring.

DebeziumKafkaPostgreSQLGrafana · Prometheus
Read case study Merchants · AI · GIS

Campaign Central

Centralized campaign management for Balady Business merchants — lifecycle, subscriptions, AI-driven recommendations (mediated by a Sanitisation Service for PDPL compliance), POI + GIS integration, notifications, analytics.

Per-domain databasesRabbitMQGIS / POISanitisation Service
Read case study GIS · PDPL compliance

POI Platform & Event Distribution Hub

Centralized Points-of-Interest system with multi-precision geohash + Redis geospatial cache. The EDH counter-proposal routes change events through Apigee for PDPL filtering, consent validation, attribute redaction, and commercial-terms enforcement.

ESRI GeodatabaseRedis GeospatialMulti-precision geohashKafkaApigee
Read case study Banking · Webhook security

Balady BNPL Integration

Buy-Now-Pay-Later integration with a leading Saudi bank in the Unified Payment Page. Multi-provider architecture with signed-webhook security stack (HMAC-SHA256, IP allow-list, replay protection, idempotency) and encrypted single-use presigned URLs.

ASP.NET CoreRedis HARabbitMQApigeeHMAC-SHA256
Read case study