With network tiering we mean segregating the components (database, application, frontend, “clients”) in the network, where each layer is only able to talk to the layer net to it.

Currently this kind of network tiering is not supported by Zabbix, as the front end requires direct access to the database.

Another issue is that agents/proxies needs to talk directly to the Zabbix server, instead of going through the Front end.

If we could get the possibility to let agents and proxies communicate with the server through the front, it would be great. But we would also like to see the Front end communicate with the database through the server.

With these changes, we could put the front ends in a true DMZ, the servers in the first network layer behind the DMZ, and then the database in another layer behind again.

See attached picture, where the Zabbix front end is placed in the DMZ, the Zabbix server is in the next network layer and finally the database in another layer.

This architecture is quite common, and facilitates minimal openings in the firewall between the network layers.