The following diagram shows a typical single layer deployment for an example product with backend API. The external and internal webapp deployments can be combined into one webapp unit and deployed into one application server. A separate web-application-firewall should be placed between the public internet and the webapp, and should handle SSL encryption.
A separate webapp deployment can be set up for all asynchronous processing, such as jobs. This allows for a clear separation of 'online' API call processing, and 'offline' batch processing, and ensures greater flexibility in upgrades, horizontal scaling and deployment restarts.
The File/Object-storage-system is used to store files generated by the system, and files that are uploaded by the users (typically in the KYC-process). The Download-API accesses the File/Object-storage-system, once access has been granted to the file. In its simplest form this can be a regular file system or something more scalable like Amazon S3 or similar. The file content is streamed properly ensuring that the file content does not need to be fully loaded into memory.
The webapp communicates with all external services, such as PSPs, email / SMS service providers, currency exchange rate providers, etc.