DMZ (Demilitarized Zone) is a network segment positioned between the public internet and the internal corporate network. Servers that must be reachable from outside — web servers, mail servers, VPN gateways — are placed in the DMZ.
The DMZ is shielded by at least two firewalls: one facing the internet, one facing the internal network. If a server in the DMZ is compromised, the attacker has no direct access to the internal network. This architecture pattern is a classic example of defence in depth. In modern cloud environments, security groups and private subnets serve a comparable function.
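The two-firewall layout can be checked as a small reachability model. The sketch below is an added example, not part of the original entry: it evaluates new connections against an outer and an inner rule set and shows that a misconfigured outer firewall alone still does not expose the internal network. The address ranges, hosts, rule sets and function names are constructed assumptions, and rules are matched first-hit with default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption): documentation ranges stand in for real networks.
ZONES = {"dmz": ipaddress.ip_network("192.0.2.0/24"),
         "internal": ipaddress.ip_network("10.0.0.0/8")}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None matches any port

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

def decide(rules, src, dst, port):
    """First matching rule wins; no match means default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action == "allow"
    return False

def reachable(outer, inner, src, dst, port):
    """A new connection must pass every firewall between its two zones."""
    path = {frozenset({"internet", "dmz"}): [outer],
            frozenset({"dmz", "internal"}): [inner],
            frozenset({"internet", "internal"}): [outer, inner]}
    zs, zd = zone_of(src), zone_of(dst)
    if zs == zd:
        return True  # same segment: no firewall in between
    return all(decide(fw, src, dst, port) for fw in path[frozenset({zs, zd})])

CLIENT, WEB, FILESRV = "198.51.100.7", "192.0.2.10", "10.0.5.20"  # constructed hosts

OUTER = [Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 443)]       # internet -> DMZ web
INNER = [Rule("allow", "10.0.0.0/8", "192.0.2.0/24", 22)]        # internal admins -> DMZ
OUTER_BROKEN = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None)]   # misconfigured: allow all

if __name__ == "__main__":
    for label, outer in (("intended", OUTER), ("outer misconfigured", OUTER_BROKEN)):
        print(label,
              "| internet->web:443", reachable(outer, INNER, CLIENT, WEB, 443),
              "| web->internal:445", reachable(outer, INNER, WEB, FILESRV, 445),
              "| internet->internal:445", reachable(outer, INNER, CLIENT, FILESRV, 445))
```

Return traffic for established connections is not modelled; a stateful firewall would permit it without an explicit rule.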