Protected IP protected application reference architecture

The Protected IP protected application Access Gateway architecture extends the Firewall architecture to add IP specific address restrictions.
In this architecture the application is only accessible by specific IP addresses or machine names. For example, members of the Access Gateway cluster.
This architecture meets the following requirements:

  • Protects the protected web resource by hiding the internal URL from external clients.
  • Firewalls protected unauthorized requests.
  • Routing and IP address restrictions protect against unauthorized internal access.

Benefits and drawbacks

Benefits Drawbacks
  • External access denied
  • Internal application URL not resolvable externally
  • Application can be accessed only from select hosts. For example Access Gateway
  • Requires multiple firewalls (External/DMZ and DMZ/internal)
  • Requires secondary (internal) DNS server
  • Requires routing and IP address rules to allow or deny access to protected web resource


In this architecture unauthorized protected web application access is denied by a combination of firewall (external access) and IP address restrictions (internal access).



Component Description
External internet External URL External URL used by clients to access Access Gateway on behalf of the protected web resource.
DNS DNS server providing DNS resolution for external URL.
Between external internet and DMZ Firewall Firewall separating DMZ housing Access Gateway and the external internet.
DMZ Access Gateway Access Gateway cluster, located in the DMZ, uses multiple DNS servers to resolve internal and external URLs.
Between internal internet and DMZ Firewall Firewall separating DMZ housing Access Gateway and the internal internet.
Internal network Router/bridge with rules Routing rules and IP access rules allowing, or disallowing access to a specific resource (protected web application)
Internal DNS and URL Internal DNS server serving internal URL representing protected web resource in Access Gateway.
Application Protected web resource (application)

Related topics

Common Access Gateway flows

DNS use

High availability

Access Gateway deployment prerequisites