Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

GTM (DNS) Monitoring of LTM Virtual Servers with LTM Virtual Server IPs are NAT via Firewall

I'd like to share my experience of a specific scenario in deploying GTM and LTM and open it up to the community if we could find a better way to do this than what I've come up with.

My company recently purchased some F5 LTMs and GTMs and there were a couple of design requirements / constraints that we had to follow.

Scenario & Network Design Requirements:

  1. All Self-IPs and Virtual Servers on the F5 LTM must use private IP addresses and must not use public IP addresses
  2. For applications that are served via F5 LTM Virtual Servers which needs to be accessed over the internet, the public IP will be NAT-ed from an internet facing firewall to the private IP that is configured on the F5 LTM virtual server
  3. GTM will need to be able to monitor the status of Virtual Servers on the LTM using iQuery but when GTM responds to public DNS queries, GTM must return the public IP.

Image Text

As you can see, we already have a problem here because the Virtual Server Discovery will populate the LTM Server Object on the GTM with all the Virtual Servers on the LTM but they're all configured with private IPs. You cannot link these virtual servers to Wide IP Pools and onwards to Wide IPs because then GTM will return private IPs when it receives DNS queries.

The solution that I came up with was to do this:

  1. Establish iQuery between the LTM and GTM and also enable Virtual Server Discovery
  2. Manually create Server objects of product Generic Host for each Virtual Server that needs to be reached over the internet, use the public IP that has been allocated by the Network Team which will be NAT-ed at the Firewall (eg. 1.1.1.1), do not apply any Health monitors, do not fill in the "Translation" field
  3. Manually create Virtual Server objects under the Server object created in #2 above, use the public IP that has been allocated by the Network Team which will be NAT-ed at the Firewall (eg. 1.1.1.1), switch the "Configuration" drop down menu to "Advanced", apply a simple gateway_icmp monitor, in the Dependency List - search for the actual virtual server which will accept the traffic (eg. 10.1.1.1), this virtual server would have been discovered earlier in #1 by Virtual Server Discovery.

This means the diagram now becomes like this:

Image Text

When we do #3 above, what happens is that the GTM will ping the public NAT-ed IP of the Virtual Server (1.1.1.1), the firewall will NAT the IP to the private IP (10.1.1.1), the ping will reach the LTM Virtual Server and if the ping is successful, the object will be green on the GTM. This alone is not enough however as on the LTM, a "Standard" type virtual server will still respond to pings even if all the pool members are unavailable and the virtual server is also unavailable (this is where I think Virtual Server status as updated via iQuery is superior to a normal monitor), so to solve this problem I used the Dependency List option below the Health Monitor section and I chose the corresponding Virtual Server that was discovered by the Virtual Server Discovery (VS1 10.1.1.1).

This way, should all the pool members become unavailable on the LTM, the LTM will update the status of the virtual server to the GTM via iQuery and the GTM will make the 1.1.1.1 Virtual Server object unavailable even if the pings are still successful.

So my question to the community is:

Given the restrictions above, is this the correct way to make GTM give out Public IPs when the Virtual Servers on the LTMs are configured with private IPs?

There was another question on this same topic from 2016 (linked below), but it sort of died out without a resolution: https://devcentral.f5.com/questions/gtm-to-give-away-public-ip-address-while-monitoring-the-private-ltm-vs-49835

Update 15 Mar 2019: I learnt that when adding an LTM that's separated from the GTM via a Firewall that does NAT translation, the GTM will not perform Virutal Server Discovery: https://support.f5.com/csp/article/K9138

0
Rate this Question
Comments on this Question
Comment made 1 week ago by adam88 114

Update 15 Mar 2019: I learnt that when adding an LTM that's separated from the GTM via a Firewall that does NAT translation, the GTM will not perform Virutal Server Discovery: https://support.f5.com/csp/article/K9138

0

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Have you explored "translation-address" as seen here.

You can rely on the iQuery from GTM to LTM to identify the health status of the individual VS on the LTM. Separate health-checks from GTM to LTM is redundant and doesn't provide any additional benefit. Separate health-checks from GTM to end host/load balancer can be used when you are using non-F5 devices as the end host/load balancer.

0
Comments on this Answer
Comment made 4 weeks ago by adam88 114

Yep, I've checked out the "translation-address", but that's not related to this scenario - that's more on establishing the iQuery in the first place.

Separate health-checks from GTM to LTM is redundant and doesn't provide any additional benefit

This is needed because if I don't apply that gateway_icmp, the GTM regards the Virtual Server IP as "Unknown" even if the Virtual Server defined in the Dependency List is "Available".

0