Question

Is it possible to put the Application servers on a different subnet than the Front End Servers in SharePoint 2013?

What are the advantages and drawbacks, noting that this is an Internet-facing application?

Solution

Yes. It is perfectly possible to do that irrespective of what edition of SharePoint you are using.

It's more of a network-related configuration where you need to ensure that the application server and the web front end servers are able to connect to each other on all the specific ports where Service Applications and your Web Applications are running.

The router/firewall needs to allow "ONLY" the necessary ports between the subnets used by SharePoint. Typically you would like to have these ports open between the subnets, but not limited to:

TCP/135
TCP/445 – Microsoft DS
UDP/137 – NetBIOS name
Dynamic ports 49152 to 65535 – RPC random ports for Reporting Services
32843, 32844 – SP Web Services over HTTP and HTTPS

Additionally, the smaller the network distance (hops) between the app server and WFE subnets, the better overall latency you will have. Engage your IT/network guys for this.

From a security perspective, it acts as a point of isolation: in case your WFEs are compromised, it will still take the attacker some additional effort to compromise the entire farm. Preferably do not host Central Admin on the WFE. But still, I think there are various ways your application servers can still be compromised from a rooted WFE.

Differentiating only on the basis of subnet is not considered a "once-and-for-all" lockdown.
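As an added example (not part of the answer above and not SharePoint's own tooling), the following Python script turns the answer's port list into an allow-list and checks it from one subnet towards the other. It reports two things a farm administrator wants to know after the firewall change: required ports that are not reachable (the farm will break) and probed ports that are reachable although they are not on the allow-list (the firewall is more open than "ONLY the necessary ports"). Host names and the extra probe list are assumptions supplied by the caller; UDP/137 is on the answer's list but is not probed, because a UDP probe cannot distinguish "open" from "filtered". The loopback listener exists only so the script runs offline.

```python
import socket
from dataclasses import dataclass, field

# Allow-list built from the answer's port list (constructed here as a dict).
REQUIRED_TCP_PORTS = {
    135: "RPC endpoint mapper",
    445: "Microsoft-DS (SMB)",
    32843: "SharePoint web services over HTTP",
    32844: "SharePoint web services over HTTPS",
}
# Dynamic RPC range the answer lists for Reporting Services; any port in it counts as allowed.
RPC_DYNAMIC_RANGE = (49152, 65535)
# UDP/137 (NetBIOS name service) is on the answer's list too, but a UDP probe cannot
# tell "open" from "filtered", so it is deliberately not checked here.


@dataclass
class SegmentAudit:
    host: str
    required_closed: list = field(default_factory=list)  # listed ports the firewall blocks
    unexpected_open: list = field(default_factory=list)  # reachable ports not on the allow-list


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, ...
        return False


def audit_segment(host, required=None, probe=(), timeout=1.0, dynamic_range=RPC_DYNAMIC_RANGE):
    """Check the other subnet from this host's point of view.

    required: {port: description} that must be reachable for the farm to work.
    probe: extra ports that should NOT be reachable through the inter-subnet firewall.
    dynamic_range: (low, high) range that also counts as allowed, or None.
    """
    required = REQUIRED_TCP_PORTS if required is None else required
    result = SegmentAudit(host)
    for port in sorted(required):
        if not tcp_port_open(host, port, timeout):
            result.required_closed.append(port)

    def allowed(port):
        if port in required:
            return True
        return dynamic_range is not None and dynamic_range[0] <= port <= dynamic_range[1]

    for port in sorted(set(probe)):
        if not allowed(port) and tcp_port_open(host, port, timeout):
            result.unexpected_open.append(port)
    return result


def start_local_listener(host="127.0.0.1"):
    """Open a loopback listener on an ephemeral port so the audit can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo: a loopback listener stands in for an application server.
    # In a real farm you would call audit_segment("<app-server-hostname>", probe=[...])
    # from a WFE, with probe holding ports that must stay blocked (hostname is a placeholder).
    srv, port = start_local_listener()
    report = audit_segment("127.0.0.1", required={port: "demo listener"},
                           probe=[port, 9], timeout=0.5, dynamic_range=None)
    print("required but closed:", report.required_closed)
    print("open but not allowed:", report.unexpected_open)
    srv.close()
```

Run it from a WFE against an application server (and again in the other direction) after every firewall change; an empty `required_closed` list confirms the farm still has what it needs, and an empty `unexpected_open` list confirms the subnet boundary is as tight as intended. A connect() probe only proves reachability from the probing host, so it complements rather than replaces a review of the firewall rule base itself.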

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange