Protected IP protected application reference architecture
The Protected IP protected application Access Gateway architecture extends the Firewall architecture by adding IP address-specific restrictions.
In this architecture the application is reachable only from specific IP addresses or machine names, for example the members of the Access Gateway cluster.
This architecture meets the following requirements:
- Protects the protected web resource by hiding its internal URL from external clients.
- Firewalls block unauthorized external requests.
- Routing rules and IP address restrictions protect against unauthorized internal access.
Benefits and drawbacks
In this architecture, unauthorized access to the protected web application is denied by a combination of firewalls (external access) and IP address restrictions (internal access). The firewall alone does not stop a host on the internal network from reaching the application directly; the IP address restriction is what closes that path, so the application accepts only requests whose source is an Access Gateway cluster member.
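The IP address restriction on the protected application is the control that denies direct internal access. The following added example, which is not part of the original page or of Access Gateway itself, shows how such an allowlist check is evaluated on the application side. The gateway addresses, the sample requests and the header values are constructed for the example; the decision is keyed on the TCP peer address only, because an `X-Forwarded-For` header can be set by any client and must not be treated as the source of the request.

```python
import ipaddress

# Constructed allowlist of Access Gateway cluster members (hypothetical addresses).
# Individual hosts and CIDR ranges are both accepted.
GATEWAY_ALLOWLIST = [
    "10.20.30.11",
    "10.20.30.12",
    "10.20.30.0/28",
]


def build_allowlist(entries):
    """Parse allowlist entries into ip_network objects (single hosts become /32 or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(peer_ip, networks):
    """True if the peer address falls inside any allowlisted network.

    Unparseable addresses are treated as not allowed rather than raising, so a
    malformed value can never slip past the check.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def evaluate_request(peer_ip, headers, networks):
    """Return "allow" or "deny" for a request.

    Only the transport-level peer address is consulted. Headers such as
    X-Forwarded-For are deliberately ignored: they are attacker-controlled and
    would let an internal host impersonate a gateway member.
    """
    _ = headers  # intentionally unused: header contents carry no trust
    return "allow" if is_allowed(peer_ip, networks) else "deny"


def evaluate_batch(requests, entries):
    """Evaluate (peer_ip, headers) pairs and return the list of decisions."""
    networks = build_allowlist(entries)
    return [evaluate_request(ip, hdrs, networks) for ip, hdrs in requests]


# Constructed sample requests: two gateway members, one internal host that
# sets X-Forwarded-For to a gateway address, one address from the /28 range,
# and one malformed peer value.
SAMPLE_REQUESTS = [
    ("10.20.30.11", {}),
    ("10.20.30.12", {"X-Forwarded-For": "203.0.113.5"}),
    ("10.20.40.77", {"X-Forwarded-For": "10.20.30.11"}),
    ("10.20.30.3", {}),
    ("not-an-ip", {}),
]

if __name__ == "__main__":
    for (ip, hdrs), decision in zip(SAMPLE_REQUESTS, evaluate_batch(SAMPLE_REQUESTS, GATEWAY_ALLOWLIST)):
        print(f"{ip:<14} {hdrs or '-'!s:<36} -> {decision}")
```

The same policy is usually expressed in the web server or router in front of the application (an allow/deny rule per source address) rather than in application code; the point of the example is the decision rule itself: match on the real source address, never on a header that the client controls.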
| Component | Description |
|---|---|
| External URL | External URL used by clients to access Access Gateway on behalf of the protected web resource. |
| External DNS | DNS server providing DNS resolution for the external URL. |
| Between external internet and DMZ | Firewall separating the DMZ housing Access Gateway from the external internet. |
| Access Gateway cluster | Access Gateway cluster, located in the DMZ, uses multiple DNS servers to resolve internal and external URLs. |
| Between internal network and DMZ | Firewall separating the DMZ housing Access Gateway from the internal network. |
| Router/bridge with rules | Routing rules and IP access rules allowing or disallowing access to a specific resource (the protected web application). |
| Internal DNS and URL | Internal DNS server serving the internal URL that represents the protected web resource in Access Gateway. |
| Protected web resource (application) | The protected web application itself; it accepts requests only from the specific IP addresses or machine names of the Access Gateway cluster. |