One of the measures to create a secure infrastructure is to build a DMZ. DMZ or demilitarized zone is a term based on military usage but more appropriately known as perimeter network or a demarcation zone. DMZ is a physical or logical subnetwork that contains and exposes an organization’s external services to a larger, untrusted network, usually the Internet. The main purpose of a DMZ is to add an additional layer of security. With a DMZ and intruder only has access to hardware in the DMZ, rather than the whole network.
So in my knowledge, the APEX server should be in the intranet and it only would accept http or https connections from an HTTP Server that would be in the firewalled DMZ.
What I recommend is to use a supported and updated HTTP Server (usually Apache 2) and use it to reverse proxy the traffic the APEX server.
To reverse proxy the traffic I add these lines to the httpd.conf:
These statements say to APEX that whenever It receives a call to a Location started with “/apex” then it must redirect the call to the host “myapexserver”. The same also happens to the images Location “/i”
This configuration can also be used with the SSL (mod_ssl) that comes with Apache and would allow you to provide secure traffic between your servers and the internet users. Just add it to your ssl.conf file instead of httpd.conf.