Apologies in advance if this sounds a bit newbie, as I am still a bit new to the networking side of things. I wanted to get an opinion on whether this solution would work.

I have two networks Alpha & Gamma. Both networks cannot be directly connected due to policies. But I have a service in Alpha that needs to talk to Gamma (both ways).

So there is another network, Beta, that is trusted by Gamma and is also allowed to connect to Alpha from a policy perspective.

So I was thinking to just do a simple HAProxy hosted in Beta which will route traffic from an IP in Alpha to a specific IP in Gamma (and vice versa). A VPN could also help make this more flexible than specific IPs, but I only have specific IPs to connect at the moment (<10) and not in the hundreds.

The proxy would handle both HTTP(80) and HTTPS(443) traffic, in addition to some custom TCP port traffic.

Was there a better solution to this?

MechaStorm
    Obviously in a production environment you want the best option based on a balance of efficiency, reliability and security. That does not include workarounds like this. The proper thing to do is to talk to the respective network owners and deploy a site-to-site connection for direct access with proper security measures in place. Proxying is likely no less a violation of policy than direct connections would be with the other "policies" you mention. – Appleoddity Sep 21 '17 at 04:17
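The HAProxy setup described in the question, as an added example that is not from the poster or from HAProxy's documentation: a TCP-mode relay on the Beta host with one listener per direction and per port, restricted to the handful of known source addresses. All addresses, the interface layout and the custom port 9000 are assumed placeholders.

```haproxy
global
    log stdout format raw local0   # one line per relayed connection: source, target, bytes

defaults
    mode    tcp                    # raw TCP relay: TLS stays end-to-end, the proxy never decrypts
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Assumed addresses (placeholders): the Beta host has 192.0.2.10 on its
# Alpha-facing interface and 192.0.2.20 on its Gamma-facing interface;
# the Alpha service is 198.51.100.20, the Gamma service is 203.0.113.5.
# Only the known source IPs may use each relay; anything else is rejected
# at connection time and shows up as a denied connection in the stats.

# Alpha -> Gamma: HTTPS
frontend alpha_to_gamma_https
    bind 192.0.2.10:443
    acl from_alpha src 198.51.100.20 198.51.100.21
    tcp-request connection reject if !from_alpha
    default_backend gamma_https

backend gamma_https
    server gamma_svc 203.0.113.5:443 check

# Alpha -> Gamma: the custom TCP port (9000 is an assumed value)
frontend alpha_to_gamma_custom
    bind 192.0.2.10:9000
    acl from_alpha src 198.51.100.20 198.51.100.21
    tcp-request connection reject if !from_alpha
    default_backend gamma_custom

backend gamma_custom
    server gamma_svc 203.0.113.5:9000 check

# Gamma -> Alpha: HTTPS, the same pattern in the other direction
frontend gamma_to_alpha_https
    bind 192.0.2.20:443
    acl from_gamma src 203.0.113.5
    tcp-request connection reject if !from_gamma
    default_backend alpha_https

backend alpha_https
    server alpha_svc 198.51.100.20:443 check
```

Because the relay runs in `mode tcp`, it only narrows who can open a connection; it cannot inspect or filter what travels inside the HTTPS session, which is the exposure the answer below describes.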

1 Answer

Probably the best practice (if possible) would be to move your service from "Alpha" to another, separate network, and put 2 firewalls between this and Alpha & Gamma. This is a concept similar to a DMZ.

Consider a worst-case scenario: what if your service gets compromised? That way a malicious user from the Gamma network gains access to your whole Alpha network if you have the service there. Even if you proxy it via HAProxy, he can still execute arbitrary commands on your server on the Alpha network via the HTTP(S) doorway. If you put the service in a separate network, even if it's compromised he still needs to penetrate your firewalls to reach other services.

NStorm