The DMZ (Demilitarized Zone) is an optional security layer that sits between the public internet and your internal Lobster Data Platform system. It acts as a controlled gateway for all incoming traffic. The DMZ is also referred to as a reverse proxy, as it performs similar functions: receiving external requests, forwarding them in a controlled manner, and returning responses while concealing the internal system.
Info
DMZ servers do not require their own database and have no access to the LDP server's database.
When to use a DMZ
A DMZ is recommended for any Lobster Cloud system that exchanges data with external partners or receives incoming connections from outside your organization.
Info
Detailed information about the DMZ, its configuration and how it works can be found here: DMZ Server
Core functions
Public access point
The DMZ serves as the only publicly accessible endpoint of your Lobster Cloud system. External partners and customers connect to the DMZ without any direct contact with the internal Lobster Data Platform server.
Security isolation
The DMZ operates with its own dedicated AWS Security Group. The internal Lobster system has a different security group with stricter access rules. This separation ensures that even if the DMZ were compromised, the internal system and database remain protected.
Supported protocols
The DMZ processes incoming data traffic through the following standardized protocols. If the internal Lobster system is temporarily unavailable (for example, during a maintenance window or a restart), the DMZ buffers incoming data. Once the internal system is available again, the buffered data is forwarded automatically. This prevents data loss during planned or unplanned interruptions.
| Protocol | Typical use case | Data buffering |
|---|---|---|
| HTTPS | Web services, API calls, browser-based access | No |
| SFTP | Secure file transfer with external partners | Yes |
| FTP | File transfer (not recommended for security reasons) | Yes |
| AS2 | EDI communication with trading partners (fixed on Port 443) | No |
| OFTP2 | Automotive and manufacturing industry file exchange | Yes |
| SSH | Secure shell access (restricted, upon request) | Yes |
Authentication proxy
The DMZ securely forwards authentication requests to the internal Lobster system. Internal authentication mechanisms are never exposed directly to the internet. This enables secure access to the platform without compromising the internal authentication infrastructure.
Data validation
The DMZ checks incoming data against defined rules before forwarding it to the internal system. Data for which no corresponding processing channel exists is rejected at the DMZ level. This reduces the risk of unexpected or non-compliant data reaching the internal system.
Architecture
A standard system with DMZ consists of the following components:
| Component | Network segment | Description |
|---|---|---|
| DMZ Server | Public subnet | Receives all incoming traffic. Publicly accessible via static IP. Has its own security group. |
| Lobster Data Platform Server | Public subnet | Processes all jobs, profiles, and data integrations. Communicates with the DMZ via internal ports, thus remaining hidden. |
| Database (RDS) | Private subnet | PostgreSQL database. Accessible only by the Lobster Data Platform Server. No external access possible. |
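The security-group separation described under Security isolation and in the architecture table above is easy to state and easy to break later by a well-meant "temporary" rule. The following added example (not part of the Lobster documentation or product) checks an export shaped like `aws ec2 describe-security-groups` output against the three-tier rule: only the DMZ group may accept traffic from the internet or partner CIDRs, the platform group only from the DMZ group, and the database group only from the platform group. The group IDs, ports and the planted misconfiguration are constructed sample data.

```python
"""Verify DMZ / platform / database security-group isolation.

Input mimics the JSON shape of `aws ec2 describe-security-groups`; the
group IDs and rules below are a constructed sample, not real resources.
"""
from typing import Dict, List, Set

# Constructed group IDs mapped to their tier in the DMZ architecture.
ROLES: Dict[str, str] = {"sg-dmz000": "dmz", "sg-ldp000": "platform", "sg-rds000": "database"}
# Which kinds of ingress source each tier may accept.
ALLOWED: Dict[str, Set[str]] = {
    "dmz": {"internet", "cidr"},   # public endpoint, optionally IP-restricted
    "platform": {"dmz"},           # internal ports reachable from the DMZ only
    "database": {"platform"},      # RDS reachable from the platform server only
}

SAMPLE_GROUPS: List[dict] = [  # constructed sample
    {"GroupId": "sg-dmz000", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-ldp000", "IpPermissions": [
        {"FromPort": 8080, "ToPort": 8080, "IpProtocol": "tcp", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-dmz000"}]},
        # Planted misconfiguration: platform port opened to the whole internet.
        {"FromPort": 8080, "ToPort": 8080, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-rds000", "IpPermissions": [
        {"FromPort": 5432, "ToPort": 5432, "IpProtocol": "tcp", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-ldp000"}]}]},
]

def source_kinds(perm: dict) -> List[str]:
    """Classify every source of one ingress rule: internet, cidr, a tier name, or sg:<id>."""
    kinds = []
    for r in perm.get("IpRanges", []):
        kinds.append("internet" if r["CidrIp"] == "0.0.0.0/0" else "cidr")
    for pair in perm.get("UserIdGroupPairs", []):
        kinds.append(ROLES.get(pair["GroupId"], f"sg:{pair['GroupId']}"))
    return kinds

def check_isolation(groups: List[dict]) -> List[str]:
    """Return one finding per ingress source that its tier is not allowed to accept."""
    findings = []
    for g in groups:
        role = ROLES.get(g["GroupId"])
        if role is None:
            continue  # group not part of the DMZ architecture; out of scope here
        for perm in g.get("IpPermissions", []):
            port = perm.get("FromPort", "all")
            for kind in source_kinds(perm):
                if kind not in ALLOWED[role]:
                    findings.append(f"{role} tier {g['GroupId']} port {port} accepts {kind}")
    return findings

if __name__ == "__main__":
    for finding in check_isolation(SAMPLE_GROUPS):
        print("FINDING:", finding)
```

Run it against a real export by loading the `SecurityGroups` list from the CLI JSON and adjusting `ROLES` to the group IDs of your system.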
Traffic flow
| Step | Description |
|---|---|
| 1 | An external partner sends data to your system's public IP address or DNS name. |
| 2 | Traffic passes through the DMZ Security Group. Optionally, only authorized IP addresses and ports are permitted. See section Firewall Policy. |
| 3 | The DMZ validates the incoming data and forwards it to the internal Lobster Data Platform Server. |
| 4 | The Lobster Data Platform Server processes the data and stores the results. |
| 5 | The response follows the reverse path back through the DMZ to the external partner. |
DMZ sizing
The DMZ server sizing depends on your edition. The DMZ is designed as a lightweight component focused on routing, buffering, and validation rather than heavy data processing. You can find all the information you need at Editions and Sizing.
In the High Availability architecture, two DMZ servers are deployed for production.
Important
One DMZ server operates as the active endpoint, while the second remains on standby and automatically takes over if the primary DMZ fails. This failover is automatically controlled via DNS health checks.
Important notes
| Topic | Details |
|---|---|
| DMZ and platform access | The DMZ also serves the Lobster Data Platform web interface on Port 443. If a DMZ is active, you log in to the platform via the DMZ server. |
| Port 443 for AS2 | AS2 communication uses Port 443 through the DMZ. This port is fixed and cannot be changed. |
| No independent resizing | The DMZ server cannot be resized independently. Your edition determines the sizing. |
| Ordering a DMZ | A DMZ can be added to your system at any time. Contact your Lobster Sales representative for a quote. |