Cloud DMZ Architecture Overview
A DMZ (demilitarized zone) in the cloud can include both a public subnet and a private subnet. This split separates the internet-facing resources from the internal application tiers that need additional protection.
DMZ Subnet Responsibilities
- Public Subnet: Load balancers, web servers, bastion hosts. Directly reachable from the internet.
- Private Subnet: Backend services such as APIs, internal app servers, or firewalls. No direct internet access; reachable only from the public subnet.
Traffic Flow
- A user sends a request to a public IP in the DMZ Public Subnet (e.g., the address of a load balancer).
- The load balancer forwards the request to app servers in the DMZ Private Subnet.
- App servers in the DMZ Private Subnet may, in turn, reach internal services in the Internal VPC.
Network Diagram (figure not reproduced in this copy)
Firewall Rules
1. DMZ Public Subnet → DMZ Private Subnet
| Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| HTTP | TCP | 80 | sg-dmz-public | Allow web traffic from public to private |
| HTTPS | TCP | 443 | sg-dmz-public | Allow secure traffic |
| Custom TCP | TCP | 8080 | sg-dmz-public | For custom app ports |
2. DMZ Private Subnet → Internal VPC
| Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| MySQL | TCP | 3306 | sg-dmz-private | Allow DB queries |
| HTTPS | TCP | 443 | sg-dmz-private | Access to internal APIs |
| Custom TCP | TCP | 8443 | sg-dmz-private | Optional app ports |
Optional: NACL Rules
DMZ Private Subnet NACL
| Rule # | Type | Protocol | Port Range | Source CIDR | Allow/Deny |
|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 10.0.1.0/24 | ALLOW |
| 110 | HTTPS | TCP | 443 | 10.0.1.0/24 | ALLOW |
Internal VPC Subnet NACL
| Rule # | Type | Protocol | Port Range | Source CIDR | Allow/Deny |
|---|---|---|---|---|---|
| 100 | MySQL | TCP | 3306 | 10.0.2.0/24 | ALLOW |
| 110 | HTTPS | TCP | 443 | 10.0.2.0/24 | ALLOW |
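To check the security-group and NACL tables above against concrete flows, here is an added Python example (not from the original page) that encodes the rules as data and applies their evaluation semantics: stateful any-match for security groups, numbered first-match with an implicit deny for NACLs. It assumes the CIDRs in the NACL tables belong to the DMZ public (10.0.1.0/24) and DMZ private (10.0.2.0/24) subnets, and uses sg-internal as a placeholder name for the Internal VPC security group, which the page does not name.

```python
import ipaddress

# Security-group inbound rules from the two Firewall Rules tables:
# destination group -> list of (protocol, port, source security group).
# "sg-internal" is an assumed name; the page does not name the Internal VPC group.
SECURITY_GROUPS = {
    "sg-dmz-private": [("tcp", 80, "sg-dmz-public"), ("tcp", 443, "sg-dmz-public"),
                       ("tcp", 8080, "sg-dmz-public")],
    "sg-internal": [("tcp", 3306, "sg-dmz-private"), ("tcp", 443, "sg-dmz-private"),
                    ("tcp", 8443, "sg-dmz-private")],
}

# NACL inbound rules from the two NACL tables:
# subnet -> list of (rule number, protocol, port, source CIDR, action).
NACLS = {
    "dmz-private": [(100, "tcp", 80, "10.0.1.0/24", "ALLOW"), (110, "tcp", 443, "10.0.1.0/24", "ALLOW")],
    "internal": [(100, "tcp", 3306, "10.0.2.0/24", "ALLOW"), (110, "tcp", 443, "10.0.2.0/24", "ALLOW")],
}

def sg_allows(dst_group, protocol, port, src_group):
    """Security groups are stateful allow-lists: any matching inbound rule permits the flow."""
    return any(p == protocol and pt == port and s == src_group
               for p, pt, s in SECURITY_GROUPS.get(dst_group, []))

def nacl_allows(subnet, protocol, port, src_ip):
    """NACL rules are evaluated lowest rule number first; the first match decides,
    and a packet matching no rule falls through to the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for _, p, pt, cidr, action in sorted(NACLS.get(subnet, [])):
        if p == protocol and pt == port and ip in ipaddress.ip_network(cidr):
            return action == "ALLOW"
    return False

def flow_allowed(subnet, dst_group, protocol, port, src_ip, src_group):
    """A packet must pass the subnet NACL first and then the instance's security group."""
    return (nacl_allows(subnet, protocol, port, src_ip)
            and sg_allows(dst_group, protocol, port, src_group))

if __name__ == "__main__":
    # Constructed sample flows; addresses assume DMZ public = 10.0.1.0/24, DMZ private = 10.0.2.0/24.
    checks = [
        ("LB -> private app :443", "dmz-private", "sg-dmz-private", "tcp", 443, "10.0.1.10", "sg-dmz-public"),
        ("LB -> private app :8080", "dmz-private", "sg-dmz-private", "tcp", 8080, "10.0.1.10", "sg-dmz-public"),
        ("private app -> internal DB :3306", "internal", "sg-internal", "tcp", 3306, "10.0.2.20", "sg-dmz-private"),
        ("public LB -> internal DB :3306", "internal", "sg-internal", "tcp", 3306, "10.0.1.10", "sg-dmz-public"),
    ]
    for label, *args in checks:
        print(f"{label}: {'ALLOW' if flow_allowed(*args) else 'DENY'}")
```

Running it shows that port 8080 passes the security group but is dropped by the optional NACL as listed, since the NACL table has no rule for it. NACLs are also stateless, so the inbound tables above need matching outbound rules for ephemeral ports before return traffic can leave the subnet.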