Due to security requirements we have a couple of DMZs in our environment, within which "secure servers" exist, one of which even does so behind a dedicated firewall (i.e. double-bastion).
We're looking at leveraging replication/vlabs for fresher dev & UAT environments, which technically work great, but (specifically for UAT, which would require some user access, so masquerading etc. is perfect) because the mapped IP addresses effectively sit on the production network, that brings the environment outside of any FW rules and so causes our security people to get very twitchy.
Is there a way of leveraging vlabs such that the "production" network that is forwarded/masqueraded into the isolated network can exist within a protected (firewalled) subnet, even if we just spin up a new subnet with the same FW rules in order to maintain VM->VM isolation, or is this one of those circumstances where the "production" network actually has to be the same subnet as the B&R server (which I know is the case for certain elements of B&R deployment but can't for now remember what those are)?
Hopefully my question makes sense!