I'd like to share my experience of a specific scenario in deploying GTM and LTM and open it up to the community if we could find a better way to do this than what I've come up with.
My company recently purchased some F5 LTMs and GTMs and there were a couple of design requirements / constraints that we had to follow.
Scenario & Network Design Requirements:
As you can see, we already have a problem here because the Virtual Server Discovery will populate the LTM Server Object on the GTM with all the Virtual Servers on the LTM but they're all configured with private IPs. You cannot link these virtual servers to Wide IP Pools and onwards to Wide IPs because then GTM will return private IPs when it receives DNS queries.
The solution that I came up with was to do this:
This means the diagram now becomes like this:
When we do #3 above, what happens is that the GTM will ping the public NAT-ed IP of the Virtual Server (188.8.131.52), the firewall will NAT the IP to the private IP (10.1.1.1), the ping will reach the LTM Virtual Server and, if the ping is successful, the object will be green on the GTM. This alone is not enough, however, as on the LTM a "Standard" type virtual server will still respond to pings even if all the pool members are unavailable and the virtual server is also unavailable (this is where I think Virtual Server status as updated via iQuery is superior to a normal monitor), so to solve this problem I used the Dependency List option below the Health Monitor section and chose the corresponding Virtual Server that was discovered by the Virtual Server Discovery (VS1 10.1.1.1).
This way, should all the pool members become unavailable on the LTM, the LTM will update the status of the virtual server to the GTM via iQuery and the GTM will make the 184.108.40.206 Virtual Server object unavailable even if the pings are still successful.
So my question to the community is:
Given the restrictions above, is this the correct way to make GTM give out Public IPs when the Virtual Servers on the LTMs are configured with private IPs?
There was another question on this same topic from 2016 (linked below), but it sort of died out without a resolution:
Update 15 Mar 2019: I learnt that when adding an LTM that's separated from the GTM via a Firewall that does NAT translation, the GTM will not perform Virtual Server Discovery: https://support.f5.com/csp/article/K9138
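The design described above, written out as an added tmsh example (not the poster's own configuration): a Generic Host server object carrying the public NAT address, a gateway_icmp monitor on it, and a dependency on the private VS1 discovered on the LTM. Assumed and not from the post: v12+ `gtm pool a`/`gtm wideip a` syntax, an existing datacenter DC1 and LTM server object ltm1 with discovered virtual server VS1, port 443, the object names public_host/VS1_public/VS1_pool, and the wide IP www.example.com.

```tmsh
# Generic Host server holding only the public NAT-ed address (188.8.131.52).
# gateway_icmp is the monitor from the post; the firewall NATs the ping to
# 10.1.1.1 on the LTM. depends-on ties VS1_public to the iQuery-reported
# status of ltm1:VS1, so it goes red when all of VS1's pool members fail
# even though a Standard VS keeps answering pings.
tmsh create gtm server public_host datacenter DC1 product generic-host \
    addresses add { 188.8.131.52 { device-name public_host } } \
    virtual-servers add { VS1_public { destination 188.8.131.52:443 \
        monitor gateway_icmp depends-on add { ltm1:VS1 } } }

# Only the public object is placed in the pool; the discovered private VS1
# (10.1.1.1) is never referenced, so the wide IP cannot hand out a private IP.
tmsh create gtm pool a VS1_pool members add { public_host:VS1_public }
tmsh create gtm wideip a www.example.com pools add { VS1_pool }

# Checks: VS1_public availability should track VS1, and answers must be public.
tmsh show gtm server public_host
tmsh show gtm pool a VS1_pool
```

Resolve the wide IP against a GTM listener afterwards and confirm the answer is 188.8.131.52, not a 10.x address; if VS1_public still reads "Unknown", the monitor on the Generic Host object is missing (the behaviour described in the thread).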
Have you explored "translation-address" as seen here?
You can rely on the iQuery from GTM to LTM to identify the health status of the individual VS on the LTM. Separate health-checks from GTM to LTM are redundant and don't provide any additional benefit. Separate health-checks from GTM to end host/load balancer can be used when you are using non-F5 devices as the end host/load balancer.
Yep, I've checked out the "translation-address", but that's not related to this scenario - that's more on establishing the iQuery in the first place.
Separate health-checks from GTM to LTM are redundant and don't provide any additional benefit
This is needed because if I don't apply that gateway_icmp, the GTM regards the Virtual Server IP as "Unknown" even if the Virtual Server defined in the Dependency List is "Available".