Each stake pool must run at least one block-producing node and one relay node. The block-producing node holds the keys and certificates necessary to issue blocks, but it is not directly connected to the network. For security reasons, it must be connected only to one or more relay nodes controlled by the stake pool operator. Then, the relay nodes connect to other relays on the network. This is configured in the topology.json file together with the server firewall.
For more information please visit: Getting Started with Stake Pool Operations