What is the real function and use of a DMZ on a network?
For example, a database would exist in the DMZ for your web server in the DMZ that is publicly accessible. But that database would be shielded from remote public connections, and only people on the trusted private network could reach the database.
Ideal system architecture for sensitive data access through DMZ
Reverse Proxy@DMZ -> API Gateway@DMZ -> App@Internal -> (Data Access Service@Internal) -> DB@Internal. Basically, API gateways are simple applications with few dependencies, and thus offer a much smaller attack surface than the main app. Whether a data access service is needed is questionable.
To DMZ, or not to DMZ - Information Security Stack Exchange
The DMZ is a containment area so that a subverted server does not gain immediate access to your most valuable data (which will presumably be kept in the inner network). Your AD and SQL servers are meant to be used only by machines from your network, not by machines from the outside, so you put them in the inner network.
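As an added example (not code from any of the quoted posts): a small Python model of the firewall allow-list behind the layered path in the second snippet, used to check the containment property the third snippet describes, namely that a subverted DMZ host has no immediate path to the data stores. Host names, zones and ports are constructed placeholders.

```python
# Added example: zone-based allow-list model of
# Reverse Proxy@DMZ -> API Gateway@DMZ -> App@Internal -> DB@Internal.
# Hosts, zones and ports are constructed placeholders, not from any real deployment.
from collections import deque

ZONE = {"internet": "internet", "proxy": "dmz", "gateway": "dmz",
        "app": "internal", "db": "internal", "ad": "internal"}

# Explicit allow-list of (src, dst, dst_port); anything not listed is denied.
BASELINE = {
    ("internet", "proxy", 443),
    ("proxy", "gateway", 8443),
    ("gateway", "app", 8080),
    ("app", "db", 5432),
    ("app", "ad", 636),
}

# A tempting shortcut: let the gateway in the DMZ query the database directly.
SHORTCUT = BASELINE | {("gateway", "db", 5432)}


def hops(src, rules):
    """Minimum number of allowed connections that must be chained from `src`
    to reach each other host. 1 means immediate access from a compromised
    `src`; larger values mean the attacker must first compromise every
    intermediate host on the path (breadth-first search over the rules)."""
    dist, todo = {src: 0}, deque([src])
    while todo:
        cur = todo.popleft()
        for s, d, _ in rules:
            if s == cur and d not in dist:
                dist[d] = dist[cur] + 1
                todo.append(d)
    del dist[src]
    return dist


def violations(rules):
    """Rules that break the containment the answers describe: traffic from the
    internet must terminate in the DMZ, and DMZ hosts must never hold a direct
    allow rule to the data stores in the inner network."""
    out = []
    for s, d, p in sorted(rules):
        if ZONE[s] == "internet" and ZONE[d] != "dmz":
            out.append(f"{s}->{d}:{p} bypasses the DMZ")
        if ZONE[s] == "dmz" and d in ("db", "ad"):
            out.append(f"{s}->{d}:{p} exposes a data store to a DMZ host")
    return out
```

With the baseline rules a compromised proxy is three chained compromises away from the database; the shortcut collapses that to one hop and is flagged.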