I am bootstrapping a startup and I'm having some difficulty conceptually with figuring out how a front-end server in the network DMZ is supposed to communicate with my internal back-end servers that handle business logic and data processing.
I have the following diagram that I've made to try and explain what I'm thinking of:
The point of the DMZ, I have read, is that it is what is exposed to the public, rather than the internal devices, so that if devices in the DMZ are compromised, nothing in the internal zone is compromised. But if the devices in the DMZ can just query internal devices over the LAN, doesn't that break the premise of the DMZ, and expose the internal devices, in the event that the DMZ devices are compromised? Or is that acceptable? If that DOESN'T break the concept or security of the DMZ, then I can just do that, but if it does, how is my front-end server supposed to ask the back-end server for data in response to user queries?
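An added example, not part of the original post, that models the zone-to-zone policy the question is about: a default-deny, first-match firewall table in which the DMZ front end may open only the back-end API port, so that a compromised DMZ host's reach into the internal zone is limited to that one service. The zone names, the port numbers (443, 8443) and the flows are constructed for illustration.

```python
# Constructed model of the two firewalls in a classic DMZ layout. It is not
# a real firewall; it evaluates flows as (src_zone, dst_zone, dst_port) so the
# blast radius of a compromised DMZ host can be checked explicitly.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


# First match wins; anything not matched falls through to deny.
# Values below are constructed for this example.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),       # public HTTPS to the front end
    Rule("dmz", "internal", 8443, "allow"),      # front end -> back-end API only
    Rule("internal", "dmz", None, "deny"),       # back end never initiates to DMZ
    Rule("internet", "internal", None, "deny"),  # nothing public reaches internal
]


def evaluate(src_zone: str, dst_zone: str, dst_port: int) -> str:
    """Return the action for a new connection from src_zone to dst_zone:port."""
    for r in POLICY:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "deny"  # default deny: unlisted flows are blocked


def reachable_from(src_zone: str, dst_zone: str, ports: list) -> list:
    """Blast radius: which of the given ports in dst_zone a host in src_zone can open."""
    return [p for p in ports if evaluate(src_zone, dst_zone, p) == "allow"]


if __name__ == "__main__":
    # A compromised DMZ host can reach only the API port, not the database or SSH.
    print(reachable_from("dmz", "internal", [22, 5432, 8443]))  # -> [8443]
    print(evaluate("internet", "internal", 8443))                # -> deny
```

The one permitted flow is still an attack path, so the back-end service on that port has to authenticate the front end and validate every request as untrusted input rather than assuming anything arriving from the DMZ is benign.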