# Network topology recommendations Data One offers multiple deployment options. Data One services can run on a variable number of nodes, depending on available resources and environment-specific performance constraints. It is recommended that all such nodes, plus the database nodes and any storage server nodes hosting shared file systems used by Data One, are located in one or more separate subnets, accessible only to administrators, with just the required firewall traversal routes allowed. For more information on Data Mover own firewall traversal route requirements please refer to [Ceman firewall](/data-one-installation-manager/install-data-mover-+-data-watcher-+-data-shaper/performing-initial-installation-and-master-configuration/configuring-firewall-rules.md). For more information about DMZ traversal please refer to the sections on the DMZ Gateway component throughout the documentation. The above recommendations are NOT enforced by the product at runtime. They are provided here as a reminder of basic security best practices, generally aimed at reducing the attack surface. All the network topology hardening activities applicable to Data One are in charge of the customer’s own system administration team. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.primeur.com/data-one-installation-manager/topology-patterns/network-topology-recommendations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.