
Yep, and your answer is the better default answer.

Bastion<->app host<->DB

Bastion can talk to the net.

App host can talk outbound but inbound only accepts bastion and DB.

DB can only talk with app host.

Obviously, you harden everything appropriately... But with this arrangement, it's very difficult to penetrate this sort of network. Think of it as a network that as a whole is default-deny.



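Added example, not part of the comment above: the three per-host firewall policies the comment describes, written as nftables rulesets (one file per host, loaded with `nft -f`). Everything concrete is an assumption for illustration: bastion 10.0.1.10, app host 10.0.2.10, DB 10.0.3.10, all inside 10.0.0.0/16, SSH on 22, the app on 443, PostgreSQL on 5432. The point of the example is that every chain on every host starts from `policy drop`, and replies are only admitted by conntrack state, so the DB never initiates a connection and the internet never reaches anything but the bastion's SSH port.

```nft
# ---------- bastion (10.0.1.10): the only host exposed to the internet ----------
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept  # keep IPv6 ND alive
        tcp dport 22 accept                      # admin SSH from the internet (key-only, MFA is host hardening)
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr 10.0.2.10 tcp dport { 22, 443 } accept   # bastion -> app host only
        ip daddr != 10.0.0.0/16 accept                     # bastion can talk to the net; never to the DB
    }
}

# ---------- app host (10.0.2.10): inbound only from bastion, outbound to DB and net ----------
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept      # DB replies to queries the app opened land here
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        ip saddr 10.0.1.10 tcp dport { 22, 443 } accept   # only the bastion may initiate to us
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr 10.0.3.10 tcp dport 5432 accept  # the single path to the DB
        ip daddr != 10.0.0.0/16 accept            # outbound to the internet, as the comment allows
    }
}

# ---------- DB host (10.0.3.10): talks to the app host and nothing else ----------
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        ip saddr 10.0.2.10 tcp dport 5432 accept  # only the app host may open a DB session
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept      # replies only: the DB never initiates a connection
    }
}
```

Two practical consequences worth checking before deploying this. First, the DB's output chain admits replies only, so package updates, DNS and NTP from the DB box need an explicit exception (or a mirror reachable on an allowed path); that is the operational cost of the comment's "DB can only talk with app host". Second, the app host's open outbound to the internet is the one egress an intruder on that box could use to fetch tooling or exfiltrate, so if the application can live with an allow-list of destinations, replace the `ip daddr != 10.0.0.0/16 accept` line there with specific `ip daddr ... accept` rules. Verify the result from each host with `nft list ruleset` and a failing `nc -vz` to the addresses that should be unreachable.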