The DMZ (Demilitarized Zone) is an optional security layer that sits between the public internet and your internal Lobster Data Platform system. It acts as a controlled gateway for all incoming traffic. The DMZ is also referred to as a reverse proxy, as it performs similar functions: receiving external requests, forwarding them in a controlled manner, and returning responses while concealing the internal system.
When to use a DMZ
A DMZ is recommended for any Lobster Cloud system that exchanges data with external partners or receives incoming connections from outside your organization.
NOTE
DMZ servers do not require their own database. They have no access to the Lobster Data Platform server's database.
For details on the DMZ, its configuration, and how it works, see DMZ Server.
Core functions
Public access point
The DMZ serves as the only publicly accessible endpoint of your Lobster Cloud system. External partners and customers connect to the DMZ without any direct contact with the internal Lobster Data Platform server.
Security isolation
The DMZ operates with its own dedicated AWS Security Group. The internal Lobster Data Platform system uses a different security group with stricter access rules. This separation ensures that even if the DMZ were compromised, the internal system and database remain protected.
Supported protocols
The DMZ processes incoming data traffic through the following standardized protocols. The internal Lobster Data Platform system may be temporarily unavailable, for example during a maintenance window or a restart. In that case, the DMZ buffers incoming data. Once the internal system is available again, the DMZ forwards the buffered data automatically. This prevents data loss during planned or unplanned interruptions.
Protocol | Typical use case | Data buffering |
|---|---|---|
HTTPS | Web services, API calls, browser-based access. | No |
SFTP | Secure file transfer with external partners. | Yes |
FTP | File transfer (not recommended for security reasons). | Yes |
AS2 | EDI communication with trading partners (fixed on Port 443). | No |
OFTP2 | Automotive and manufacturing industry file exchange. | Yes |
SSH | Secure shell access (restricted, upon request). | Yes |
Authentication proxy
The DMZ securely forwards authentication requests to the internal Lobster Data Platform system. Internal authentication mechanisms are never exposed directly to the internet. This enables secure access to the platform without compromising the internal authentication infrastructure.
Data validation
The DMZ checks incoming data against defined rules before forwarding it to the internal system. Data for which no corresponding processing channel exists is rejected at the DMZ level. This reduces the risk of unexpected or non-compliant data reaching the internal system.
Architecture
A standard system with DMZ consists of the following components:
Component | Network segment | Description |
|---|---|---|
DMZ Server | Public subnet | Receives all incoming traffic. Publicly accessible via static IP. Has own security group. |
Lobster Data Platform Server | Public subnet | Processes all jobs, profiles, and data integrations. Communicates with the DMZ via internal ports, thus remaining hidden. |
Database (RDS) | Private subnet | PostgreSQL database. Accessible only by the Lobster Data Platform Server. No external access is possible. |
Traffic flow
Step | Description |
|---|---|
1 | An external partner sends data to your system's public IP address or DNS. |
2 | Traffic passes through the DMZ Security Group. Optionally, only authorized IP addresses and ports are permitted. See section Firewall policy. |
3 | The DMZ validates the incoming data and forwards it to the internal Lobster Data Platform Server. |
4 | The Lobster Data Platform Server processes the data and stores results. |
5 | The response follows the reverse path back through the DMZ to the external partner. |
DMZ sizing
The DMZ Server sizing (see Cloud sizing) depends on your edition. The DMZ is designed as a lightweight component focused on routing, buffering, and validation rather than heavy data processing. For details, see Cloud sizing.
In the High Availability architecture, two DMZ servers are deployed for production.
IMPORTANT
One DMZ server operates as the active endpoint (Primary DMZ). The second remains as Secondary DMZ. It takes over automatically if the Primary DMZ fails. Route 53 health checks control this failover.
Important notes
Topic | Details |
|---|---|
DMZ and platform access | The DMZ also serves the Lobster Data Platform web interface on Port 443. If a DMZ is active, you log in to the platform via the DMZ server. |
Port 443 for AS2 | AS2 communication uses Port 443 through the DMZ. This port is fixed and cannot be changed. |
No independent resizing | The DMZ server cannot be resized independently. Your edition determines the sizing. |
Ordering a DMZ | A DMZ can be added to your system at any time. Contact your Lobster Sales representative for a quote. |