© Aviatrix, 2023.
The Virtual DMZ in practice
While this design works great in theory, it often fails in practice. Why? Because in the public cloud it is difficult or impractical to force all Internet access through a single consolidated point. New applications are constantly deployed in the cloud, and many can bypass the virtual DMZ for a whole host of reasons: loose governance, lack of oversight, human error, and so forth.

In other scenarios, cloud security teams must yield default Internet access to DevOps teams or customers who require more agility, flexibility, or self-governance than the virtual DMZ can provide. This weakens or breaks the overall design. The diagram below depicts a more realistic scenario in the public cloud, where the virtual DMZ is not the only available path to the Internet, thereby enabling malicious activity in the network.
[Figure, left panel: "Virtual DMZ: Ideal Traffic Pattern". App Group 1 through App Group 5 reach the Internet only through DMZ 1 and DMZ 2.]

[Figure, right panel: "Virtual DMZ: Real World Traffic Pattern". App Group 1 through App Group 5 still have DMZ 1 and DMZ 2 available, but several app groups also have their own direct paths to the Internet that bypass the DMZ.]
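The "real world" pattern above is something a cloud security team can check for rather than assume away. The following is an added example, not Aviatrix code: it audits a constructed set of route tables (shaped loosely like a cloud provider's route-table listing, an assumption) and reports any app-group table that has an Internet path which does not go through the DMZ attachment. It flags not only a default route pointing at an Internet or NAT gateway, but also a more-specific prefix routed to one, since the longest match wins over a 0.0.0.0/0 via the DMZ.

```python
"""Find route tables whose Internet paths bypass the virtual DMZ (added example)."""
from typing import Dict, List

# Assumed naming convention: targets starting with "igw-" or "nat-" are direct
# Internet paths; "tgw-dmz" is the transit attachment that leads to the DMZ.
DMZ_TARGETS = {"tgw-dmz"}

# Constructed sample data, not taken from any real environment.
ROUTE_TABLES = [
    {"id": "rtb-app1", "vpc": "app-group-1",
     "routes": [{"dest": "10.0.0.0/8", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "tgw-dmz"}]},          # compliant
    {"id": "rtb-app3", "vpc": "app-group-3",
     "routes": [{"dest": "10.0.0.0/8", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "igw-0a1b"}]},         # default via IGW
    {"id": "rtb-app5", "vpc": "app-group-5",
     "routes": [{"dest": "10.0.0.0/8", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "tgw-dmz"},
                {"dest": "203.0.113.0/24", "target": "nat-7f9e"}]},    # specific prefix via NAT
]


def is_direct_internet_target(target: str) -> bool:
    """True for targets that reach the Internet without traversing the DMZ."""
    return target.startswith(("igw-", "nat-"))


def find_dmz_bypasses(tables: List[dict], dmz_targets=DMZ_TARGETS) -> Dict[str, List[str]]:
    """Return {route_table_id: [description of each offending route]}.

    A table is reported if any non-local route points at a direct Internet
    target, or if its default route points somewhere other than the DMZ.
    """
    findings: Dict[str, List[str]] = {}
    for rt in tables:
        bad: List[str] = []
        for r in rt["routes"]:
            if r["target"] == "local":
                continue
            if is_direct_internet_target(r["target"]):
                bad.append(f"{r['dest']} via {r['target']}")
            elif r["dest"] == "0.0.0.0/0" and r["target"] not in dmz_targets:
                bad.append(f"default route via unrecognised target {r['target']}")
        if bad:
            findings[rt["id"]] = bad
    return findings


if __name__ == "__main__":
    for rtb, issues in find_dmz_bypasses(ROUTE_TABLES).items():
        print(rtb, "->", "; ".join(issues))
```

In a real deployment the constructed list would be replaced by the provider's route-table inventory, and the check run on a schedule so that newly deployed app groups that acquire their own Internet path are caught rather than discovered after the fact.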