Why Do I Need a Cloud DMZ?

Demilitarized zone (or DMZ) in networking security parlance is typically used to expose services, like websites, to untrusted networks, like the Internet, in a limited and controlled fashion, while at the same time restricting access to the internal resources. Since these services are externally available, the potential for malicious attacks from perpetrators have made deploying such services behind firewalls a common and essential practice. Firewalls help in inspecting and denying traffic in accordance with a set of policy rules which could be based on addresses, ports, headers or content of messages.

A Firewall typically has three zones-outside/external/public, DMZ and inside/internal/private. Network or security administrators define the firewall security policies such that traffic from outside to inside is not allowed, while traffic from outside to the services in the DMZ is allowed, but restricted to only the serviced TCP/UDP ports.

As cloud adoption grows, so is the need for public Internet facing applications, forcing organizations to explore DMZ architectures. As applications move to the cloud, building these DMZ architectures in the on-premises data centers makes less sense. On-premises DMZs would force the ingress Internet traffic destined to the cloud applications to trombone through the data center increasing overall application latency. Moving DMZ environments to the cloud becomes a logical choice.

The following diagram depicts an example of a cloud DMZ environment in AWS where both the firewall and the load-balancers are used to respectively secure and load-share inbound application traffic arriving through the Internet gateway in the security/hub VPC destined for the applications in the host/spoke VPCs.

Furthermore, public IP address and a fully qualified domain name (FQDN) must be assigned to the DMZ application in order to properly support the ingress Internet traffic. Network address translation (NAT) or reverse proxy is required to translate the Internet-facing public IP address to the internal private IP address of the application workloads.

Oftentimes the need for lower latency forces applications to become geographically distributed in order to be located closer to the user population. Such deployments involve the use of content delivery networks (CDNs).

The ultimate challenge comes from distribution of various applications across multiple public clouds where cloud DMZ architectures need to be repeated catering to the specific capabilities of each of the public cloud providers. Disparate architectures across multiple public cloud providers makes such endeavour a costly and time consuming one.

Alkira Cloud DMZ solution offers enterprises an easy button for deploying cloud DMZ environments for applications residing in one or multiple public clouds, while fully abstracting the complexity of each cloud.