Context
Industrial architectures frequently place middleware (Kafka brokers, MQTT brokers, API gateways) in a DMZ network between IT and OT zones.
When a network partition occurs, the DMZ becomes unreachable from one or both zones. If durable middleware resides on this boundary network, both zones may simultaneously lose access to the system of record for cross-zone exchange.
The BSFG primitive requires the following:
- Producers must complete writes without dependency on remote availability.
- Zones must continue operating autonomously during boundary partitions.
Boundary-hosted middleware violates these constraints.
Decision
Durable middleware must reside inside zones, not on the boundary network.
The boundary network may contain only connectivity infrastructure:
- Layer-3 routers
- switches
- firewalls
- optional TLS termination
No component on the boundary may hold authoritative durable state.
Stateless relays (reverse proxies, TLS terminators) are allowed only when loss is acceptable and they hold no queued authoritative data.
Consequences
Benefits:
- Zones remain operational during partitions.
- Durable state has clear ownership.
- Recovery is deterministic via replay from Store Buffers.
Tradeoffs:
- Middleware infrastructure may be duplicated across zones.
- Replication loops between zones must be implemented explicitly.
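The decision and its recovery consequence, modelled as an added illustration that is not the ADR's own code: each zone owns a durable Store Buffer, the boundary link is connectivity only, and replication is an explicit replay. The class names (StoreBuffer, BoundaryLink, Zone), the sequence-numbered log and the per-source high-water mark are assumptions; the scenario shows a producer write completing during a partition and the missed entry being replayed exactly once afterwards.

```python
# Added illustration, not the ADR's own code; class and function names are assumed.
class StoreBuffer:  # zone-local durable append-only log: system of record for outbound events
    def __init__(self):
        self.log = []                         # (seq, payload), seq starting at 1
    def append(self, payload):
        self.log.append((len(self.log) + 1, payload))
        return len(self.log)
    def replay_from(self, after_seq):         # deterministic: same input, same output
        return [e for e in self.log if e[0] > after_seq]

class BoundaryLink:  # boundary network: connectivity only, holds no queued authoritative state
    partitioned = False
    def forward(self, entries):
        if self.partitioned:
            raise ConnectionError("boundary partitioned")
        return entries

class Zone:
    def __init__(self, name):
        self.name, self.outbound = name, StoreBuffer()
        self.applied, self.high_water = {}, {}    # (src, seq) -> payload; src -> last seq
    def produce(self, payload):
        # The write completes locally, with no dependency on the remote zone or the link.
        return self.outbound.append(payload)
    def receive(self, src, entries):
        # Idempotent apply keyed on (src, seq), so a repeated replay changes nothing.
        n = 0
        for seq, payload in entries:
            if seq > self.high_water.get(src, 0):
                self.applied[(src, seq)] = payload
                self.high_water[src] = seq
                n += 1
        return n

def replicate(src, dst, link):  # recovery by replay from dst's high-water mark for src
    pending = src.outbound.replay_from(dst.high_water.get(src.name, 0))
    try:
        return dst.receive(src.name, link.forward(pending))
    except ConnectionError:
        return 0                              # nothing lost; entries stay in src's buffer

def partition_scenario():
    it, ot, link = Zone("IT"), Zone("OT"), BoundaryLink()
    it.produce("setpoint=1"); replicate(it, ot, link)   # normal operation, in sync
    link.partitioned = True
    seq = it.produce("setpoint=2")            # producer still completes its write
    during = replicate(it, ot, link)          # 0: link down, entry stays buffered
    link.partitioned = False
    after = replicate(it, ot, link)           # 1: exactly the missed entry is replayed
    again = replicate(it, ot, link)           # 0: idempotent, nothing duplicated
    return seq, during, after, again, ot.high_water["IT"]
```

Bidirectional replication is the same call in each direction (replicate(ot, it, link)); the (source, seq) key is what keeps an explicit replication loop from re-applying entries.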