We have an architecture currently of:
www-->DMZ(web server1 MVC5 app-->web server2 WCF service)
However, a requirement has arisen for web server2 to contact a WebAPI 2.0 service which is hosted internally:
www-->DMZ(web server1 MVC5 app-->web server2 WCF service)-->Internal Network(WebAPI 2.0 service).
What is the best practice way to secure the web api service and expose its api to only the calling application on web server2 in the DMZ?
