All browser-based frontends of an on-prem/hybrid/BYOC MAM Solution follow the same architecture pattern:
All communication between the browser and the backend must go via the endpoint from which the web application has been loaded to the browser. This serves two purposes:
All modern browsers prevent cross-origin requests by default. This could be addressed by using the proper CORS configuration on the backend side. However, when multiple frontends want to connect to the same backends, the CORS configuration of these backends either gets more and more complicated, or you open up security holes. Therefore, CORS configuration needs to be avoided in an on-prem/hybrid/BYOC MAM solution.
In on-prem/hybrid/BYOC environments, frontends and backends are usually located in different networks or network segments with a firewall in between. Opening up the firewall for all backends is not only cumbersome, it also increases the security risk, as many backend endpoints are directly reachable from the user network. The reverse proxy can restrict access to the required backends, tailored to the needs of the frontend, and thus does not need to expose the full API of the backend.
In a Kubernetes-based environment the reverse proxy functionality is provided by the ingress controllers which are in place in all on-prem/hybrid/BYOC MAM installations. In other scenarios standard components like nginx can be used to serve this purpose.
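The following nginx server block sketches the pattern described above: the web application and the backend routes it needs are served from one origin, and every other backend path stays unreachable from the user network. It is an added example, not configuration from any MAM product; the hostname, certificate paths, upstream addresses and API paths are all assumptions.

```nginx
# Added example. Names, addresses and paths are placeholders (assumptions).
# Belongs in the http {} context, e.g. a file under conf.d/.
upstream mam_asset_api  { server 10.20.0.11:8080; }   # hypothetical backend
upstream mam_search_api { server 10.20.0.12:8080; }   # hypothetical backend

server {
    listen 443 ssl;
    server_name mam-ui.example.internal;   # the origin the browser loads the app from

    ssl_certificate     /etc/nginx/tls/mam-ui.crt;
    ssl_certificate_key /etc/nginx/tls/mam-ui.key;

    # The web application itself.
    root /usr/share/nginx/html;
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Backend routes this frontend needs, exposed under the same origin.
    # The browser never issues a cross-origin request, so no
    # Access-Control-* headers are configured anywhere.
    location /api/assets/ {
        limit_except GET POST { deny all; }        # only the methods the UI uses
        proxy_pass http://mam_asset_api/v1/assets/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api/search/ {
        limit_except GET { deny all; }             # read-only for this frontend
        proxy_pass http://mam_search_api/v1/search/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default deny: any other backend path is not exposed through this proxy.
    location /api/ {
        return 404;
    }
}
```

With this layout the firewall only has to allow traffic from the proxy to the two listed backends, and adding another frontend means adding another server block with its own allow-list, not widening a shared CORS policy.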