The LeZa proxy is the gateway to your application and should be the only public access point (unless you know what you are doing). This means that the proxy should be inside the private network containing your application. Although there is a way to configure your application and the LeZa gateway on different networks this requires a bit more work. We highly recommend for the purposes of efficiency and security you keep all instances inside the same private network.