How do servers in the DMZ of a network communicate with internal servers, i.e. back-end servers that handle data processing?

I am bootstrapping a startup and I'm having some difficulty conceptually with figuring out, how a front-end server in the network DMZ is supposed to communicate with my internal back-end servers that handle business logic and data processing.

I have the following diagram that I've made to try and explain what I'm thinking of:

Possible network architecture

The point of the DMZ, I have read, is that it is what is exposed to the public, rather than the internal devices, so that if devices in the DMZ are compromised, nothing in the internal zone is compromised. But if the devices in the DMZ can just query internal devices over the LAN, doesn't that break the premise of the DMZ, and expose the internal devices, in the event that the DMZ devices are compromised? Or is that acceptable? If that DOESN'T break the concept or security of the DMZ, then I can just do that, but if it does, how is my front-end server supposed to ask the back-end server for data in response to user queries?


The point is that the internal firewall only allows specific traffic between DMZ servers and internal servers. If a DMZ server is compromised, it will only be able to contact (e.g.) one server on one TCP port, not any server on any service.
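Added example (not from the question or the answer above): a small Python audit that models the allow-list the answer describes and runs it over constructed internal-firewall log lines, so that a compromised DMZ host's attempts to reach anything beyond the single permitted back-end port show up as denials. The addresses, port 8443 and the log line format are assumptions.

```python
import re
from collections import Counter

# Constructed example: the internal firewall's allow-list and a few of its
# log lines. Addresses use documentation ranges and are assumptions.
DMZ_FRONTEND = "192.0.2.10"     # hypothetical front-end server in the DMZ
INTERNAL_BACKEND = "10.0.0.20"  # hypothetical back-end server in the internal zone

# The answer's rule: one DMZ host may reach one internal host on one TCP port.
# Everything else from DMZ to internal is implicitly denied (default drop).
ALLOWED_FLOWS = {
    (DMZ_FRONTEND, INTERNAL_BACKEND, "tcp", 8443),
}

# Constructed, syslog-style lines for DMZ->internal connection attempts (format assumed).
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: DMZ>INT src=192.0.2.10 dst=10.0.0.20 proto=tcp dport=8443
Jan 10 12:00:05 fw kernel: DMZ>INT src=192.0.2.10 dst=10.0.0.20 proto=tcp dport=22
Jan 10 12:00:09 fw kernel: DMZ>INT src=192.0.2.10 dst=10.0.0.30 proto=tcp dport=5432
Jan 10 12:00:12 fw kernel: DMZ>INT src=192.0.2.11 dst=10.0.0.20 proto=tcp dport=8443
Jan 10 12:00:15 fw kernel: DMZ>INT src=192.0.2.10 dst=10.0.0.20 proto=udp dport=8443
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

def parse_flow(line):
    """Extract (src, dst, proto, dport) from one log line, or None if it does not match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return (src, dst, proto.lower(), int(dport))

def is_allowed(flow):
    """Default-deny: a flow passes only if it is exactly on the allow-list."""
    return flow in ALLOWED_FLOWS

def audit(log_text):
    """Split logged flows into allowed and denied, and count denials per DMZ source;
    a DMZ host repeatedly hitting denied internal destinations is the signal to alert on."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        (allowed if is_allowed(flow) else denied).append(flow)
    denials_by_src = Counter(src for src, _, _, _ in denied)
    return allowed, denied, denials_by_src
```

Running `audit(SAMPLE_LOG)` on the constructed lines yields one allowed flow and four denials, three of them from the front-end host, which is exactly the pattern a compromised DMZ server would leave in the internal firewall's logs.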