Actually you can forward your logs from Heavy Forwarder directly to Splunk Cloud. I guess this would be the recommended architecture for this case.
Do you have any network restrictions for communication between your server and Splunk Cloud? If this is the case, maybe you should deploy a Heavy Forwarder instead an Universal Forwarder on DMZ. I have not tested sending logs between two forwarders, but I guess this is possible.