- In an enterprise environment, understanding how network traffic flows from users to internal applications is essential for performance, security, and compliance.
- This post explains the complete inbound and outbound flow, covering DNS, Akamai WAF, firewall, DMZ, and SSL certificate management across enterprise systems.
Network Flow Diagram
Inbound Flow (User → Application → Database):
User → Akamai DNS → Akamai WAF → Firewall → DMZ → Load Balancer → Web Server → App Server → Database
Outbound Flow (Internal App → Internet):
VM/App → Internal DNS → Proxy Server → Firewall (SNAT) → Internet
Setup Phase (One-Time Configurations)
- DNS (Domain Name System): Resolves domain names into IP addresses for user access.
- A Record: Maps a domain name to an IP address (e.g., app.company.com → 104.85.32.11).
- DNS Validation: Verifies domain ownership during SSL or CDN setup using a TXT record. Required once during initial setup and again during SSL renewals (typically once per year for public SSL certificates).
- SSL Certificate Setup: Enables secure HTTPS communication between users and servers.
- Public SSL (Internet Apps): Managed by Akamai CPS, DigiCert, or Let’s Encrypt for public-facing applications.
- Internal SSL (Intranet Apps): Used for applications accessed inside an organization’s private network. SSL certificates can be issued using internal systems such as:
  - Microsoft ADCS: Functions as an internal Certificate Authority (CA) integrated with Active Directory for automated enrollment and renewal. Commonly used by banks, government bodies, and large enterprises running Windows and IIS-based intranet systems.
  - HashiCorp Vault PKI: Automates certificate issuance and management via API or CLI, which suits DevOps, Kubernetes, and CI/CD environments. Preferred by fintechs and modern enterprises managing dynamic, containerized workloads.
Alternatively, you can deploy CA-issued SSL certificates directly on web servers such as:
- Apache HTTP Server: configured in `ssl.conf` or the virtual host settings.
- NGINX: using the `ssl_certificate` and `ssl_certificate_key` directives.
- Microsoft IIS: via IIS Manager or PowerShell scripts.
- IBM IHS and F5 / Radware: for SSL termination or offloading.
- Firewall & DMZ Setup: Core security layers that protect internal systems from public exposure.
Important:
- Public SSL / CDN Certificates: DNS validation is required once during initial setup and again during certificate renewal (typically once per year).
- Internal SSL Certificates: Certificates issued via Microsoft ADCS or HashiCorp Vault do not require DNS validation; they rely on internal trust mechanisms.
Runtime Flow (When Users Access the App)
Inbound Flow (Internet → App)
- User opens https://app.company.com
- DNS resolves the domain to an Akamai edge IP.
- Akamai WAF filters malicious or unwanted traffic.
- Firewall allows only permitted ports (such as 443 for HTTPS).
- DMZ acts as a security buffer hosting load balancers or edge servers.
- Load Balancer (Radware / F5) distributes traffic across backend web servers.
- Web → App → Database processes the request and sends a response back.
- Response path: DB → App → Web → LB → Firewall → Akamai → User.
Outbound Flow (Internal App → Internet)
- Internal DNS resolves internal or external domains.
- Proxy Server enforces access control and logs requests.
- Firewall (SNAT) routes approved traffic securely to the internet.
VM/App → Internal DNS → Proxy → Firewall (SNAT) → Internet
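The firewall stage of the two paths above, as an added example that is not the post's own code: inbound traffic is admitted only on 443 to the DMZ load balancer, internal hosts reach the internet only through the proxy, and the proxy's traffic leaves with its source rewritten (SNAT) to the firewall's public address. The zones, host addresses and public IP are constructed values, not real ones.

```python
"""Zone-based model of the firewall rules on the inbound and outbound paths above.
Added illustration, not the post's own code; zones, hosts and the SNAT address
are constructed example values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan: a DMZ for the load balancer, an internal zone for
# web/app/DB/VMs; anything outside both is treated as the internet.
ZONES = {"dmz": ip_network("10.10.0.0/24"), "internal": ip_network("10.20.0.0/16")}
LOAD_BALANCER = ip_address("10.10.0.10")     # DMZ VIP fronting the web tier
PROXY = ip_address("10.20.0.5")              # only internal host allowed to egress
SNAT_PUBLIC_IP = ip_address("203.0.113.10")  # firewall's public address (SNAT)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Verdict:
    allowed: bool
    reason: str
    snat_src: Optional[str] = None  # translated source on the way out, if any


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")


def evaluate(pkt: Packet) -> Verdict:
    """Evaluate one flow against the rule set; anything unmatched is denied."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == "internet":
        # Inbound: only HTTPS, only to the DMZ load balancer, never to internal.
        if dst_zone == "dmz" and pkt.dport == 443 and ip_address(pkt.dst) == LOAD_BALANCER:
            return Verdict(True, "inbound https to load balancer")
        return Verdict(False, "inbound: only 443 to the load balancer is permitted")
    if dst_zone == "internet":
        # Outbound: only the proxy may reach the internet, with its source SNATed.
        if ip_address(pkt.src) == PROXY and pkt.dport in (80, 443):
            return Verdict(True, "outbound via proxy", snat_src=str(SNAT_PUBLIC_IP))
        return Verdict(False, "outbound: internal hosts must egress through the proxy")
    if src_zone == "dmz" and dst_zone == "internal":
        # DMZ to internal: the load balancer may reach the web tier on HTTPS only.
        if ip_address(pkt.src) == LOAD_BALANCER and pkt.dport == 443:
            return Verdict(True, "load balancer to web tier")
        return Verdict(False, "dmz: only the load balancer may reach the web tier")
    return Verdict(False, "no matching rule (default deny)")
```

A direct VM-to-internet flow is denied even on 443, which is the check that forces egress through the logging proxy.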
Key Terms (Full Forms)
| Term | Full Form | Simple Meaning |
|---|---|---|
| DNS | Domain Name System | Converts website names into IPs |
| WAF | Web Application Firewall | Blocks bad web traffic |
| DMZ | Demilitarized Zone | Safe zone between internet & internal network |
| NAT | Network Address Translation | Maps public to private IPs |
| SNAT | Source NAT | Lets many internal hosts reach the internet from a single public IP |
| PKI | Public Key Infrastructure | Manages SSL certificates |
| LB | Load Balancer | Distributes traffic across servers |
| CDN | Content Delivery Network | Delivers web content faster |
Summary
- DNS validation and SSL setup are initial configuration steps; renewal happens annually for public SSL certificates.
- Daily traffic automatically flows through the inbound/outbound enterprise network path.
- Akamai manages DNS, WAF, and CDN for external access.
- Firewall and DMZ protect internal servers from external exposure.
- SSL certificates are managed on web servers or load balancers (internally or publicly issued).
- Load Balancers ensure performance, reliability, and redundancy.