Architecture

To meet various DoD and NIST guidance, the following architecture guidance should be followed for US Federal and DoD deployments. This architecture is also recommended for clients needing to meet other industry compliance requirements such as SOC or ISO/IEC 27001. The Web App Role servers, database servers, and Agent Role servers should each be on different subnets with a firewall between them. The Web App Role servers should be placed in a DMZ rather than inside the enclave. The agents can be placed in the enclave, on-premises or in the cloud, where needed. Firewall rules should be used to limit where user traffic from containers can go, in line with the DoD allow-by-exception policy.

Reverse Proxy

The Web App Role servers should not be exposed directly to the public internet. Instead, a reverse proxy that meets the applicable DoD requirements, including DoS rate limiting and a Web Application Firewall (WAF), should sit in front of them. DoD and Federal networks typically have an F5 or similar appliance in the security stack dedicated to providing reverse proxy services for resources inside the network. These appliances can usually publish internal resources in several ways, each described in vendor-specific terminology; whichever method is used, the appliance must be configured to act as a standard reverse proxy with WAF features enabled.

WAF Rules

Web Application Firewalls (WAF) should be used to mitigate various risks. WAFs can produce false positives, so alerts should be investigated and the rules tuned as needed. WAFs generally allow you to specify whether the request body should be inspected, or only the request URL and headers. Inspecting only the URL and headers is generally safe with the standard OWASP rules. Body inspection can cause issues, especially with user uploads and downloads.
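The following is an added example, not configuration from this product or its vendor, showing how the reverse proxy and WAF guidance above maps onto a common open-source stack: nginx with the ModSecurity connector and the OWASP Core Rule Set (CRS). It covers the DoS rate limiting, the WAF enablement, and the per-path choice between full body inspection and URL/header-only inspection for an upload/download path. The hostnames, IP addresses, certificate paths, the /api/files/ path and the rule id are all assumptions chosen for illustration; a DoD/Federal site would express the same settings in its F5 or other appliance's own terms.

```nginx
# Added example (not the product's own config): nginx as a DMZ reverse proxy
# with ModSecurity + OWASP CRS in front of the Web App Role servers.
# Hostnames, addresses, certificate paths, URL paths and rule ids are assumptions.

events {}

http {
    # DoS rate limiting: track clients by source IP, 10 requests/second sustained.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    limit_req_status 429;

    # Assumed Web App Role servers on their own internal subnet; only the
    # proxy is allowed through the firewall to reach them.
    upstream webapp_role {
        server 10.0.20.11:443;   # hypothetical address
        server 10.0.20.12:443;   # hypothetical address
    }

    server {
        listen 443 ssl;
        server_name portal.example.mil;                  # hypothetical name
        ssl_certificate     /etc/nginx/tls/portal.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/portal.key;   # placeholder path

        # WAF: enable ModSecurity and load the OWASP CRS through main.conf.
        # main.conf is assumed to set SecRuleEngine On and SecRequestBodyAccess On,
        # i.e. URL, headers and body are inspected unless a location says otherwise.
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;   # placeholder path

        # Default path: full inspection plus rate limiting.
        location / {
            limit_req zone=perip burst=20 nodelay;
            proxy_pass https://webapp_role;
            proxy_http_version 1.1;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Hypothetical user upload/download path: keep URL and header inspection,
        # but switch off request body inspection for this location only so large
        # file transfers do not trip CRS body rules. Rule id 10001 is a locally
        # chosen id in the range CRS reserves for site-local rules (1-99,999).
        location /api/files/ {
            limit_req zone=perip burst=5;
            client_max_body_size 512m;
            modsecurity_rules '
                SecRule REQUEST_URI "@beginsWith /api/files/" \
                    "id:10001,phase:1,pass,nolog,ctl:requestBodyAccess=Off"
            ';
            proxy_pass https://webapp_role;
            proxy_http_version 1.1;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Validate with `nginx -t` before reloading. For the false-positive tuning described above, run the CRS in `SecRuleEngine DetectionOnly` during a pilot, review the ModSecurity audit log (its path is set in main.conf) for rules that fire on legitimate traffic, and add targeted exclusions like the one shown rather than disabling inspection globally.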