- π’ In an enterprise environment, understanding how network traffic flows from users to internal applications is essential for performance, security, and compliance.
- π This post explains the complete inbound and outbound flow — covering DNS, Akamai WAF, Firewall, DMZ, and SSL certificate management across enterprise systems.
π Table of Contents
πΊ️ Network Flow Diagram
πΉ Inbound Flow (User → Application → Database):
π User → π§ Akamai DNS → π‘️ Akamai WAF → π§ Firewall → π° DMZ → π‘ Load Balancer → π₯️ Web Server → ⚙️ App Server → πΎ Database
πΉ Outbound Flow (Internal App → Internet):
π₯️ VM/App → π§ Internal DNS → π‘️ Proxy Server → πͺ Firewall (SNAT) → π Internet
π§° Setup Phase (One-Time Configurations)
- π§ DNS (Domain Name System): Resolves domain names into IP addresses for user access.
- π A Record: Maps a domain name to an IP address (e.g.,
app.company.com → 104.85.32.11). - ✅ DNS Validation: Verifies domain ownership during SSL or CDN setup using a
TXTrecord. - π SSL Certificate Setup: Enables secure HTTPS communication between users and servers.
- π Public SSL (Internet Apps): Managed by Akamai CPS, DigiCert, or Let’s Encrypt.
- π’ Internal SSL (Intranet Apps):
Used for applications accessed inside an organization’s private network — typically using Microsoft ADCS or HashiCorp Vault PKI for certificate management.
Additionally, internal SSL certificates are often deployed directly on web servers such as:
- π Apache HTTP Server — configured in
ssl.confor virtual host files. - ⚙️ NGINX — defined using
ssl_certificateandssl_certificate_keydirectives. - πͺ Microsoft IIS — managed via IIS Manager or PowerShell scripts.
- π₯️ IBM IHS or F5 / Radware — for SSL termination or offloading at the load balancer level.
- π Apache HTTP Server — configured in
- π‘️ Firewall & DMZ Setup: Protects internal systems from public exposure.
π How CDN & DNS Flow Works
Let’s simplify what happens when someone accesses https://app.company.com and you’re using a CDN like Akamai:
- π§ DNS resolution (First Step)
app.company.com → app.company.com.edgesuite.net# The domain is not directly mapped to your firewall. Instead, it's pointed to Akamai’s CDN hostname (CNAME). This lets Akamai handle global routing, SSL, and caching before hitting your network. - π Akamai Edge IP resolution
app.company.com.edgesuite.net → 104.85.32.11# Akamai DNS picks the nearest edge server IP based on user location. This gives low latency and faster content delivery (geo-DNS routing). - π‘️ User connects to Akamai Edge
Akamai Edge performs:
- WAF (Web Application Firewall) checks
- SSL/TLS termination
- Content caching for faster response
- Origin fetch (only if needed) # The user’s browser never touches your firewall directly. Akamai acts as the “front door” — securing, filtering, and caching content. This is where DDoS protection and certificate validation happen. - π° CDN connects to your enterprise public IP
Akamai Edge → 203.122.10.55# Akamai now makes a backend (origin) call to your organization’s public IP. This IP is provided by your ISP and configured on your enterprise firewall as a VIP (Virtual IP). It represents your app’s public presence on the Internet. - π§ Firewall DNAT Mapping (Public → Private)
203.122.10.55 → 10.10.5.21# The firewall receives the request on the public IP and uses DNAT (Destination NAT) to map it to the private IP of your internal web/app server. This keeps internal servers hidden while maintaining full access control. - π₯️ Private App Server Processing
The request reaches10.10.5.21→ app logic executes → response generated. # This is where your actual business logic runs (Tomcat, WebSphere, NGINX, etc.). The app prepares a response that travels back the same path — but in reverse. - π Response Path (Reverse Flow)
App Server → Firewall SNAT → Akamai Edge → User Browser# The firewall uses SNAT (Source NAT) to mask internal IPs with the public IP. Akamai then caches or delivers the content to the user securely.
π§π» User Browser
↓
π§ DNS → π app.company.com → π app.company.com.edgesuite.net
↓
π Akamai Edge IP (104.85.32.11)
↓
π‘️ Akamai Edge → π§ Firewall Public IP (203.122.10.55)
↓
π’ Firewall DNAT → π₯️ Internal DMZ / Web / App Server (10.10.5.21)
↓
π Response → πͺ Firewall SNAT → π Akamai Edge → π§π» User
π¬ In short:
- π₯ Users never connect directly to your private network.
- π‘️ Requests first hit Akamai’s Edge IPs — acting as a secure global shield for your applications.
- π Akamai forwards clean traffic to your enterprise Public IP (assigned by ISP).
- π§ The Firewall performs DNAT to map the public IP to a Private App Server (10.x.x.x).
- π During the return flow, the Firewall uses SNAT to mask internal IPs before sending responses back to the user.
⚙️ Runtime Flow (When Users Access the App)
Inbound Flow (Internet → App)
- π User opens
https://app.company.com - π§ DNS resolves to Akamai Edge IP.
- π‘️ Akamai WAF filters and forwards clean traffic.
- π§ Firewall performs DNAT to internal private IP.
- π° DMZ hosts load balancer/web proxies.
- π‘ Load balancer distributes traffic to web/app servers.
- π₯️ App processes request and sends response back through the same path.
π Key Terms (Full Forms)
| Term | Full Form | Simple Meaning |
|---|---|---|
| DNS | Domain Name System | Converts website names into IPs |
| WAF | Web Application Firewall | Blocks bad web traffic |
| CDN | Content Delivery Network | Delivers cached web content faster |
| DMZ | Demilitarized Zone | Buffer zone between internet & private network |
| NAT | Network Address Translation | Maps public ↔ private IPs |
| DNAT | Destination NAT | Inbound mapping (public → private) |
| SNAT | Source NAT | Outbound mapping (private → public) |
| PKI | Public Key Infrastructure | Manages SSL certificates |
| LB | Load Balancer | Distributes traffic across servers |
✅ Summary
- DNS only maps names to IPs — it doesn’t store servers.
- CDNs like Akamai act as a smart middle layer for caching and security.
- Public IPs are used on firewalls or load balancers; private IPs stay hidden inside.
- DNAT and SNAT handle IP translation for inbound and outbound traffic.
- SSL ensures secure HTTPS connections both at the CDN and internal layers.
π§ Authored by Pradeep Vishwakarma — Senior Middleware & DevOps Engineer | MiddlewareBox.com
