The following diagram shows a typical deployment for an example product using a layered architecture with an API gateway and a backend. The external and internal webapp deployments can be deployed in different application servers, separated by an optional firewall. A separate web-application-firewall should be placed between the public internet and the external webapp, and should handle SSL encryption.
The Tomcats are typically dockerized.
A separate internal deployment can be set up for all asynchronous processing, such as jobs. This allows for a clear separation of 'online' API call processing, and 'offline' batch processing, and ensures greater flexibility in upgrades, horizontal scaling and deployment restarts.
The File/Object-storage-system is used to store files generated by the system, and files that are uploaded by the users (typically in the KYC-process). The Download-API accesses the File/Object-storage-system via the internal-webapp, once access has been granted to the file (using one level of indirection). In its simplest form this can be a regular file system or something more scalable like Amazon S3 or similar. The file content is streamed properly between external-webapp and internal-webapp, ensuring that the file content does not need to be fully loaded into memory.
The internal-webapp communicates with all external services, such as PSPs, email / SMS service providers, currency exchange rate providers, etc.