Architecting multiple codebases calling our public API + private API for first-party applications

Currently, we have the issue where we have two codebases (API & Website) calling the same database (along with some duplicate business logic) and we want to streamline this so all requests are routed via our API. We have a public REST API, and we have a website. Some functionality of the website is achievable through the public API, but some will need to come from a private API that only our secure backend can access.

Our website will be re-created as an embedded web app that can be put anywhere and calls our public APIs (think a lightweight React/Vue project). However, for the official web app running under our domain we will need extra special privileges, such as doing specific admin-related tasks that only we should be able to do (thus requiring a private API). This has led me to create the architecture below:

[Architecture diagram]

This architecture achieves the following:

  • Single source of truth (our API) that talks to the database.
  • Only the Web App under our domain has any concept of the private API, and even if the code were inspected, requests would be opaque as they are just routed to a secure backend.
  • Allows us to roll out future first-party projects that can use the same secure backend.

Is this a good approach? Are there some big pitfalls I'm missing? Also, I plan on making the Official Web App & the Secure Backend two separate codebases, as ideally we would like to swap out the official web app (frontend) with some other arbitrary first-class project and expect it to operate in a similar fashion. It should also be noted that the private API will be part of the same codebase as the public API, just with private endpoints exposed so it can access a lot of the business rules it needs to.

Thanks. (Also please excuse my incorrect use of GCP icons).
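One way to keep the "private endpoints in the same codebase" part safe, as an added example that is not code from the question or from any project it mentions: the API serves private routes only on an internal listener and still demands a service credential, and the secure backend (a backend-for-frontend) authorizes the user before proxying. Listener names, paths, the session table and the token are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed secret shared only between the API and the secure backend
# (in practice injected from a secret manager, never in the browser bundle).
SERVICE_TOKEN = "constructed-service-token-for-example"


@dataclass
class Request:
    listener: str                       # "public" (internet-facing) or "internal" (VPC only)
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


PUBLIC_ROUTES = {"/v1/items"}
PRIVATE_ROUTES = {"/internal/v1/admin/users"}


def api_handle(req: Request) -> Tuple[int, str]:
    """Single codebase, two listeners: private routes are never served on the
    public listener, and even on the internal listener they need the service
    credential, so network placement alone is not the only control."""
    if req.path in PUBLIC_ROUTES:
        return 200, "public data"
    if req.path in PRIVATE_ROUTES:
        if req.listener != "internal":
            return 404, "not found"     # indistinguishable from a missing route
        token = req.headers.get("X-Service-Token", "")
        if not hmac.compare_digest(token, SERVICE_TOKEN):
            return 403, "forbidden"
        return 200, "admin data"
    return 404, "not found"


# Secure backend (BFF): checks the user's own session and role first, then
# calls the private API with the service credential the browser never sees.
SESSIONS = {"sess-admin": {"user": "alice", "admin": True},
            "sess-user": {"user": "bob", "admin": False}}   # constructed


def backend_admin_users(session_id: str) -> Tuple[int, str]:
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "login required"
    if not session["admin"]:
        return 403, "forbidden"         # authorize here, before proxying
    return api_handle(Request("internal", "/internal/v1/admin/users",
                              {"X-Service-Token": SERVICE_TOKEN}))
```

The point to check in a real deployment is the same as in `api_handle`: a request for a private path arriving on the public listener must fail even when it carries a valid service token.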