Just after some general advice on an MPLS design decision.
A large enterprise is to have an MPLS infrastructure that contains multiple data centres and branch offices. The data centres would have firewalls, but the branch offices would not. The data centres would each have a DMZ: one front-end DC for delivering websites and web services, while the other DC provides back-office services to branch offices that reside on the MPLS. All sites and DCs would be situated in the same VRF, and have inbound/outbound web traffic presented via a central internet connection.
Does anyone see any flaws with this plan? Or alternative considerations? Security implications etc?
I'm stuck between consolidating back-office (user traffic) and inbound web/web service traffic, or having a direct internet connection into the data centre which provides web/web services etc., while the back-office data centre uses the centralised internet connection.
In my mind, bringing web traffic into a centralised internet firewall, which then places traffic into one VRF that is shared with the enterprise employees, before being routed to a data centre MPLS site, then via another firewall before finally landing on the data centre DMZ, doesn't seem right.
In my mind, an MPLS is a trusted network (i.e. firewall inside interface).
Any thoughts, advice etc. would be much appreciated.