Deployment Model

Learn where to deploy each Prividium component.

This page outlines the recommended deployment model for running a Prividium chain in production. Components are grouped by trust boundary and network tier, following enterprise best practices for security, scalability, and maintainability.

DMZ / API Gateway Tier

Components:

  • Proxy RPC
  • Explorer front-end

Hosting:

  • Deployed in a public subnet behind a secure edge load balancer

Purpose:

  • Acts as the single ingress point for users and apps
  • All JSON-RPC and Explorer requests pass through the Proxy, which enforces access control via policy files
  • Explorer front-end communicates only with the Proxy, avoiding direct access to internal infrastructure

Application Tier (Private Subnet)

Components:

  • Sequencer
  • Prover farm (CPU/GPU workers; auto-scalable)

Hosting:

  • Deployed in private address space, inaccessible from the public Internet

Purpose:

  • Runs all consensus-critical logic
  • Sequencer requires fast access to the state database
  • Provers consume large compute resources but require no inbound access

Data Tier (Private Subnet)

Components:

  • PostgreSQL (state DB)
  • Optional: Blob or object store for off-chain data

Hosting:

  • Self-hosted or managed service inside a dedicated subnet with no Internet exposure

Purpose:

  • Stores the complete L2 state securely
  • Must support encryption, snapshots, and backup policies
  • Only Sequencer and Prover have DB access

Security and Placement Rationale

  • Single ingress, early rejection: All external requests hit the Proxy RPC in the DMZ. Unauthorized requests are filtered before reaching internal systems.
  • Private consensus logic: Sequencer and Prover run in a non-routable subnet. Only internal services can communicate with them.
  • Outbound-only proof posting: The relayer submits proofs to ZKsync Gateway without opening any inbound ports.
  • Data-at-rest controls: Databases and blob stores are isolated and regularly backed up to support compliance and disaster recovery.
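
The placement rules above can be checked automatically against a proposed list of network flows, for example before firewall or security-group changes are applied. The following is an added example, not Prividium code: the component names, the (source, destination) flow format, the relayer's tier, and the extension of the DB-access rule to the blob store are assumptions.

```python
INTERNET = "internet"

# Component -> tier, as grouped on this page (relayer tier is an assumption).
TIER = {
    "proxy-rpc": "dmz", "explorer-frontend": "dmz",
    "sequencer": "app", "prover": "app", "relayer": "app",
    "postgres": "data", "blob-store": "data",
    "zksync-gateway": "external",
}
NO_INBOUND = {"prover", "relayer"}    # no inbound access / no inbound ports
DB_CLIENTS = {"sequencer", "prover"}  # only these have DB access


def violation(src, dst):
    """Return why the flow src -> dst breaks the tier model, or None if allowed."""
    if dst not in TIER or (src != INTERNET and src not in TIER):
        return "unknown component"
    if dst in NO_INBOUND:
        return f"{dst} must not accept inbound connections"
    if src == INTERNET and TIER[dst] != "dmz":
        return "Internet traffic may only enter through the DMZ tier"
    if src == "explorer-frontend" and dst != "proxy-rpc":
        return "Explorer front-end may talk only to the Proxy RPC"
    if TIER[dst] == "data" and src not in DB_CLIENTS:
        # Applying the DB rule to the blob store as well is an assumption.
        return "only Sequencer and Prover may reach the data tier"
    return None


def audit(flows):
    """Return (src, dst, reason) for every flow that violates the model."""
    return [(s, d, r) for s, d in flows if (r := violation(s, d)) is not None]


# Constructed sample: seven flows that match the page, then four that do not.
SAMPLE_FLOWS = [
    (INTERNET, "proxy-rpc"), (INTERNET, "explorer-frontend"),
    ("explorer-frontend", "proxy-rpc"), ("proxy-rpc", "sequencer"),
    ("sequencer", "postgres"), ("prover", "postgres"),
    ("relayer", "zksync-gateway"),
    (INTERNET, "sequencer"), ("explorer-frontend", "postgres"),
    ("proxy-rpc", "postgres"), ("sequencer", "prover"),
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst}: {reason}")
```

Running the script prints one DENY line for each of the four constructed flows that cross a trust boundary the page does not allow.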

Running a Prividium Chain

To run a local Prividium chain, go through the Run Prividium Chain page.

For a full example application running on Prividium, check out this example escrow application.

