We have discussed previously that, from a security perspective, traffic flows in the DC must be restricted according to each application's traffic flow requirements. Let us also assume that all users in the organization need access to the internet, and that their addresses must undergo NAT at the firewall on the way out. Note that some organizations might not want to use NAT for internet access, as it allows all users direct access to the internet. Such organizations force users through a proxy server for internet access and use two separate firewalls for the external and internal zones. The recommended layout in a real enterprise would be similar to the one shown in the following figure:
Firewall design
Figure 20: Zones ...