I'm trying to get the best picture for my infrastructure. I came across a business case where my app server (far beyond the DMZ and protected by 3 levels of firewalls) needs to talk with another (external and public) server.
I can open the firewalls in order to allow the communication with just the URL I want, but I don't think this is a good practice.
Looking for a clever solution, I've found a pattern where the app server asks a server located in the DMZ for the resource; this avoids the "direct" internet connection for my server. The server in the DMZ will start the conversation and forward the data to the app server. This seems to be safer, but it's very weird and, to my taste, error prone.
Is there a good solution for this? Is it enough to just open the firewall for outbound traffic only to a specific server?
Thank you all in advance.
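The DMZ pattern described in the question is essentially an allow-listed egress proxy: the internal app server may only reach the DMZ host, the DMZ host is the only machine with an outbound firewall rule, and it refuses to fetch anything not on an explicit allow-list. The following is an added illustration of that design, not code from the question's author or from any product; the destination `api.example.com`, the listening port and the request shape (the app server sends the full URL as the request target) are assumptions for the example.

```python
"""Allow-listed egress proxy for a DMZ host (added illustration, not from the post).

The internal app server is only allowed to reach this proxy. The proxy is the
only host with an outbound rule on the firewall, and it will only fetch URLs
whose scheme, host and port are on an explicit allow-list. Everything else is
refused before any outbound connection is made, and redirects are refused so
that the upstream cannot steer the proxy off the allow-list.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import URLError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed allow-list: (scheme, host, port) of the one external service the
# business case needs. Replace with the real destination.
ALLOWED_DESTINATIONS = {
    ("https", "api.example.com", 443),
}


def is_allowed(url: str) -> bool:
    """Return True only if the URL's scheme, host and port are on the allow-list.

    urlsplit().hostname is used (not netloc) so that userinfo tricks such as
    "https://api.example.com@other.example/" are judged by the real host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port) in ALLOWED_DESTINATIONS


class _NoRedirect(HTTPRedirectHandler):
    """Refuse every redirect: following one would bypass the allow-list check."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = build_opener(_NoRedirect)


class EgressProxyHandler(BaseHTTPRequestHandler):
    """Accept 'GET <absolute-url>' from the inside network; fetch only if allowed."""

    def do_GET(self):
        target = self.path  # absolute URL as sent by the app server (assumed shape)
        if not is_allowed(target):
            # Log the refusal: this is the event a SOC wants to see from a DMZ host.
            self.log_message("refused egress to %s", target)
            self.send_error(403, "destination not on allow-list")
            return
        try:
            req = Request(target, headers={"User-Agent": "dmz-egress-proxy"})
            with _opener.open(req, timeout=10) as resp:
                body = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type",
                                 resp.headers.get("Content-Type", "application/octet-stream"))
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except URLError as exc:  # includes HTTPError raised for refused redirects
            self.send_error(502, f"upstream fetch failed: {exc.reason}")


def serve(bind: str = "127.0.0.1", port: int = 8080) -> None:
    """Run the proxy; in production bind to the inside-facing interface only."""
    HTTPServer((bind, port), EgressProxyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The point of the design is that the allow-list check and the outbound socket live on the same DMZ host, so the internal firewall can deny all internet egress from the app server and the outer firewall can restrict the DMZ host to one destination; the app server never holds a route to the public service at all.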