REFERENCE ARCHITECTURE
Single-region web application
Production-ready pattern for SPAs, e-commerce, and public APIs — Compute, Datastore, Gateway, Sentinel, and Insight in one region.
FoundationalPlan: Pro+Resilience: multi-zona
Diagram
Use cases
- Corporate website
- Customer portal
- SMB SaaS v1
Components
| Layer | Role | Product |
|---|---|---|
| Perimeter | WAF and bot protection | Sentinel |
| Edge | DNS, TLS, routing | Gateway |
| Compute | Web/API containers (multi-AZ) | Compute + Autoscale |
| Network | Private east-west traffic | Fabric |
| Cache | Sessions and hot reads | Datastore (Redis) |
| System of record | Transactional data | Datastore (PostgreSQL) |
| Object storage | User uploads and static assets | Archive |
| Operations | Metrics, logs, alerts | Insight |
Products
Compute
View product docs →Datastore
View product docs →Archive
View product docs →Gateway
View product docs →Sentinel
View product docs →Autoscale
View product docs →Fabric
View product docs →Insight
View product docs →When to use
- Customer-facing web apps and REST APIs with moderate traffic.
- E-commerce, SaaS dashboards, marketing sites with dynamic content.
- Teams migrating from a single VPS or PaaS without multi-region requirements.
When to avoid
- Strict zero-RPO across continents — use multi-region pattern.
- Ten+ independently deployable services — use microservices pattern.
Design notes
Edge first
Terminate TLS at Gateway. Place Sentinel in front of Gateway for WAF and rate limiting before traffic reaches Compute.
State outside Compute
Persist sessions and uploads in Datastore and Archive. Compute remains horizontally replaceable.
Observability by default
Provision Insight on every production project. Wire alerts to your on-call channel.
Blueprint
Use this JSON as a starting point when creating a project via the Tesserra API or console. Replace image URLs, domains, and resource references with your values.
json
{
"nome": "Acme Store",
"modo": "simples",
"ambiente": "prod",
"resiliencia": "multi-zona",
"recursos": [
{
"tipo": "compute",
"nome": "store-web",
"config": {
"subtipo": "web",
"imagem": "ghcr.io/acme/store:latest",
"porta": 3000,
"replicas_min": 2,
"replicas_max": 4
}
},
{
"tipo": "datastore",
"nome": "store-db",
"config": {
"engine": "postgres",
"versao": "16",
"tamanho_gb": 20,
"ha": false
}
},
{
"tipo": "archive",
"nome": "store-media",
"config": {
"subtipo": "arquivos",
"tamanho_gb": 50,
"publico": true
}
},
{
"tipo": "sentinel",
"nome": "store-waf",
"config": {
"modo": "bloquear",
"regras_basicas": true,
"alvo_recurso_id": "store-web"
}
},
{
"tipo": "gateway",
"nome": "store-dns",
"config": {
"dominio": "store.acme.com",
"tls": true,
"alvo_recurso_id": "store-web"
}
},
{
"tipo": "autoscale",
"nome": "store-scale",
"config": {
"alvo_recurso_id": "store-web",
"metrica": "cpu",
"limiar": 70
}
},
{
"tipo": "insight",
"nome": "store-insight",
"config": {
"retencao_dias": 14,
"alertas": true
}
}
]
}Related
E-commerce & high-traffic retail
Catalog API, Redis session cache, media in Archive, Autoscale on traffic, Sentinel at the edge — built for campaigns and seasonal peaks.
Microservices on private Fabric
Multiple Compute services on an isolated Fabric network, public ingress via Gateway, per-service Datastores and Autoscale policies.
Secure edge ingress
Defense-in-depth at the perimeter — Sentinel WAF, Gateway TLS termination, Fabric isolation, and Insight security monitoring.
Startup MVP — first production deploy
Minimum viable stack for a small team: Gateway, Compute, Datastore, and Insight — expand into full patterns as traffic and compliance grow.