The following diagram shows a typical deployment for an example product using a layered architecture with an API gateway and a backend. The external and internal webapps can be deployed in different application servers, separated by an optional firewall. A separate web application firewall should be placed between the public internet and the external webapp, and should handle SSL encryption.
The Tomcats are typically dockerized.
A separate internal deployment can be set up for all asynchronous processing, such as jobs. This allows for a clear separation of 'online' API call processing and 'offline' batch processing, and ensures greater flexibility in upgrades, horizontal scaling and deployment restarts.
The File/Object-storage-system is used to store files generated by the system and files uploaded by users (typically in the KYC process). The Download-API accesses the File/Object-storage-system directly once the internal-webapp has granted access to the file (using one level of indirection). In its simplest form the storage can be a shared file system or an object store such as Amazon S3.
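One way the "one level of indirection" between internal-webapp and Download-API could work, shown as an added example that is not the product's own code. The single-use, time-limited opaque handle scheme, the choice of Python, and all names (`GrantStore`, `grant_download`, `download`, `ACL`, `INDEX`, `STORAGE`) are assumptions made for illustration.

```python
import secrets
import time

class GrantStore:
    """Stand-in for a store shared by internal-webapp and Download-API (assumption)."""
    def __init__(self):
        self._grants = {}

    def put(self, handle, storage_key, expires_at):
        self._grants[handle] = (storage_key, expires_at)

    def pop(self, handle):
        # Single use: the grant is removed on first lookup.
        return self._grants.pop(handle, None)

def grant_download(store, user, file_id, acl, index, ttl=60, now=None):
    """internal-webapp side: authorize the user, then hand out an opaque handle."""
    now = time.time() if now is None else now
    if file_id not in acl.get(user, set()):
        raise PermissionError("user may not read this file")
    handle = secrets.token_urlsafe(32)  # unguessable, reveals nothing about storage
    store.put(handle, index[file_id], now + ttl)
    return handle

def download(store, handle, storage, now=None):
    """Download-API side: resolve the handle; never take a storage key from the client."""
    now = time.time() if now is None else now
    grant = store.pop(handle)
    if grant is None:
        raise PermissionError("unknown or already used handle")
    storage_key, expires_at = grant
    if now > expires_at:
        raise PermissionError("grant expired")
    return storage[storage_key]

# Constructed sample data: access list, file-id to storage-key index, storage contents.
ACL = {"alice": {"doc-1"}}
INDEX = {"doc-1": "kyc/2024/0001.pdf"}
STORAGE = {"kyc/2024/0001.pdf": b"%PDF-sample"}
```

Because the client only ever holds the handle, a request that carries a raw storage key or a guessed path resolves to nothing, and the Download-API needs no authorization logic of its own beyond the lookup.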
The internal-webapp communicates with all external services, such as PSPs, email/SMS service providers, currency exchange rate providers, etc.