Documentation Index

Fetch the complete documentation index at: https://docs.lobstersoftware.com/llms.txt

Use this file to discover all available pages before exploring further.

DMZ architecture

Prev Next

The DMZ (Demilitarized Zone) is an optional security layer that sits between the public internet and your internal Lobster Data Platform system. It acts as a controlled gateway for all incoming traffic. The DMZ is also referred to as a reverse proxy, as it performs similar functions: receiving external requests, forwarding them in a controlled manner, and returning responses while concealing the internal system.


When to use a DMZ

A DMZ is recommended for any Lobster Cloud system that exchanges data with external partners or receives incoming connections from outside your organization.

NOTE

  • DMZ servers do not require their own database. They have no access to the Lobster Data Platform server's database.

  • For details on the DMZ, its configuration, and how it works, see DMZ Server.


Core functions

Public access point

The DMZ serves as the only publicly accessible endpoint of your Lobster Cloud system. External partners and customers connect to the DMZ without any direct contact with the internal Lobster Data Platform server.

Security isolation

The DMZ operates with its own dedicated AWS Security Group. The internal Lobster Data Platform system uses a different security group with stricter access rules. This separation ensures that even if the DMZ were compromised, the internal system and database remain protected.

Supported protocols

The DMZ processes incoming data traffic through the following standardized protocols. The internal Lobster Data Platform system may be temporarily unavailable, for example during a maintenance window or a restart. In that case, the DMZ buffers incoming data. Once the internal system is available again, the DMZ forwards the buffered data automatically. This prevents data loss during planned or unplanned interruptions.

Protocol

Typical use case

Data buffering

HTTPS

Web services, API calls, browser-based access.

No

SFTP

Secure file transfer with external partners.

Yes

FTP

File transfer (not recommended for security reasons).

Yes

AS2

EDI communication with trading partners (fixed on Port 443).

No

OFTP2

Automotive and manufacturing industry file exchange.

Yes

SSH

Secure shell access (restricted, upon request).

Yes


Authentication proxy

The DMZ securely forwards authentication requests to the internal Lobster Data Platform system. Internal authentication mechanisms are never exposed directly to the internet. This enables secure access to the platform without compromising the internal authentication infrastructure.

Data validation

The DMZ checks incoming data against defined rules before forwarding it to the internal system. Data for which no corresponding processing channel exists is rejected at the DMZ level. This reduces the risk of unexpected or non-compliant data reaching the internal system.


Architecture

A standard system with DMZ consists of the following components:

Component

Network segment

Description

DMZ Server

Public subnet

Receives all incoming traffic. Publicly accessible via static IP. Has own security group.

Lobster Data Platform Server

Public subnet

Processes all jobs, profiles, and data integrations. Communicates with the DMZ via internal ports, thus remaining hidden.

Database (RDS)

Private subnet

PostgreSQL database. Accessible only by the Lobster Data Platform Server. No external access is possible.

Traffic flow

Step

Description

1

An external partner sends data to your system's public IP address or DNS.

2

Traffic passes through the DMZ Security Group. Optionally, only authorized IP addresses and ports are permitted. See section Firewall policy.

3

The DMZ validates the incoming data and forwards it to the internal Lobster Data Platform Server.

4

The Lobster Data Platform Server processes the data and stores results.

5

The response follows the reverse path back through the DMZ to the external partner.


DMZ sizing

The DMZ Server sizing (see Cloud sizing) depends on your edition. The DMZ is designed as a lightweight component focused on routing, buffering, and validation rather than heavy data processing. For details, see Cloud sizing.

In the High Availability architecture, two DMZ servers are deployed for production.

IMPORTANT

One DMZ server operates as the active endpoint (Primary DMZ). The second remains as Secondary DMZ. It takes over automatically if the Primary DMZ fails. Route 53 health checks control this failover.


Important notes

Topic

Details

DMZ and platform access

The DMZ also serves the Lobster Data Platform web interface on Port 443. If a DMZ is active, you log in to the platform via the DMZ server.

Port 443 for AS2

AS2 communication uses Port 443 through the DMZ. This port is fixed and cannot be changed.

No independent resizing

The DMZ server cannot be resized independently. Your edition determines the sizing.

Ordering a DMZ

A DMZ can be added to your system at any time. Contact your Lobster Sales representative for a quote.