For On-premise deployment we generally recommend setting up the API Gateway cluster inside the DMZ to run the API proxy applications and communicate to the gateway restricted to only between the API Web management console, the MMC and the service implementations themselves via another firewall and load balancer.
This is a hybrid configuration, with the API Gateway hosted on CloudHub where the API proxy applications are deployed on CloudHub with API Gateway runtime.
For cloud deployments, the options depend on whether VPC is part of the infrastructure. For a configuration with VPC, some CloudHub workers can be dedicated to run API proxy applications and be left outside the VPC, with the CloudHub workers that service implementations are deployed on will be inside the VPC and act like they are part of the internal network.
For any design reason, like limit of number VPC connections or If VPC is not expected to be used, then generally API proxy applications will not be needed. The service implementation applications on CloudHub will be deployed onto API Gateway runtime.