How to design tiers of ASP.NET MVC web application if it is to be hosted in DMZ with no direct access to database (tcp port 1433 blocked by firewall)?

Consider the following network security setup:

       Users         Internet
         |        
  ====Firewall==== Port 80, 443 only
         |              
     Web Server      DMZ - ASP.NET MVC + Web API
         |          
  ====Firewall==== Port 80, 443 only
         |         
     "App" Server   WCF or ASP.NET Web API ??
         |           
      Database      Internal network

I have seen the above network setup at many client premises. The IT infrastructure team doesn't allow the web server in the DMZ to establish a direct connection to the SQL Server hosted in the internal network over port 1433. The irony is I've seen a web.config lying around on the web server with plain text DB passwords which they're OK with.

Usually I've seen and worked on solutions where a WCF service is hosted on the "App" server (as it can be used on HTTP ports) as shown in the diagram. WCF becomes the only way for the web frontend to interact with the DB. One "benefit" of using WCF is that it returns strongly typed objects which are easy to consume from the ASP.NET MVC frontend.

Questions:

  1. WCF is used because it allows data transfer on 80 or 443 and returns strongly typed objects. Is it a good choice?
  2. Should ASP.NET Web API be used instead? If so, how to achieve strong typing with complex object graphs? Are JSON.net and the inbuilt serializers sufficient for the job?
  3. Is there a better solution?

Please note that we cannot use ASP.NET Core at present.

Since this is a recurring problem, I'd really like to hear from the community whether there is a better solution than using WCF.

Ravi M Patel asked Jan 26 '18 08:01



2 Answers

I have just done a system with the same issue, DB access is restricted to an App server.

The method we chose to employ was an MVC front end and a Web API back end hosted on the App Server.

To get the strong typing that you would typically get over WCF, we opted for a tool called Refit: https://github.com/paulcbetts/refit. It allows you to turn an interface with a pre-configured URL template into an object you can inject via a normal DI container, making it very testable and removing a lot of the boilerplate HttpClient code. This works really well with a Web API back end.

Slicksim answered Nov 18 '22 18:11

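The Refit approach from the answer above, as an added example that is not part of the original answer or of the Refit project's own code: a DTO compiled into both the Web API on the app server and the MVC front end in the DMZ, a Refit interface for it, and the HttpClient the DMZ side uses to call across the second firewall on 443 only. The route paths, type names, the hostname app-server.internal and the client certificate subject name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Refit;

// Shared DTOs: referenced by both the Web API project (app tier) and the MVC project
// (DMZ), so the MVC side gets the same strongly typed graph WCF would have given it.
public class Order
{
    public int Id { get; set; }
    public decimal Total { get; set; }
}

public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
    public List<Order> Orders { get; set; }   // nested graph round-trips through JSON.NET
}

// Refit interface: one method per Web API route (routes are assumptions).
public interface ICustomerApi
{
    [Get("/api/customers/{id}")]
    Task<Customer> GetCustomer(int id);

    [Post("/api/customers")]
    Task<Customer> CreateCustomer([Body] Customer customer);
}

public static class CustomerApiFactory
{
    // Builds the client the MVC app registers with its DI container. Only the app
    // server is reachable from the DMZ, and only over 443, so TLS is the base address.
    public static ICustomerApi Create()
    {
        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };

        // Present a client certificate so the app tier can reject any caller that is
        // not the DMZ web server (assumption: cert "dmz-web-client" in the machine store).
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "dmz-web-client", validOnly: true);
        store.Close();
        if (certs.Count == 1) handler.ClientCertificates.Add(certs[0]);

        var http = new HttpClient(handler) { BaseAddress = new Uri("https://app-server.internal") };
        return RestService.For<ICustomerApi>(http);
    }
}
```

In an MVC controller the injected `ICustomerApi` is then used as `var customer = await api.GetCustomer(id);`, with no HttpClient or deserialization code on the DMZ side.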


Build an IIS reverse proxy in your DMZ and you do not need two separate servers (web + app). When the reverse proxy routes all relevant traffic to your web server, you can run it in the internal network.

        Users           Internet
          |
    ====Firewall====  Port 80, 443 only
          |
    IIS Reverse Proxy   DMZ
          |
    ====Firewall====  Port 80, 443 only
          |
      Web Server        ASP.NET MVC
          |
       Database         Internal network
Risto M answered Nov 18 '22 19:11
