Forum Discussion

mark_steel_1191
Jan 26, 2013

f5s across web and app tiers / across firewalls

We are using F5s with GTM across two sites for the web tier (for Oracle WebLogic apps).

We need to provide load balancing for the app tier as well, which is inside the inner firewall.

Is this a valid config in terms of security? i.e. the F5s will be cabled both to DMZ and inner VLANs with different ports / rules.

Thanks for help - want to avoid buying more load balancers!

Mark

5 Replies

  • > Is this a valid config in terms of security? i.e. the F5s will be cabled both to DMZ and inner VLANs with different ports / rules.

    It is configurable. You may separate the web tier and app tier into different route domains. Anyway, from a security perspective, I think using two separate load balancers is better.

    Just my 2 cents.
  • Fair points Nitass. If I can suggest another alternative: just use the 'web' load balancers to balance to the 'app' servers. It doesn't matter that there is a firewall in the path between the load balancers and app servers. You might need to SNAT, but that's about the only downside.

    I would avoid cabling to two different DMZs and Route Domains myself.
  • Steve - How do you accomplish using the 'web' load balancers to balance to the 'app' servers? We're using F5 in one-arm configurations, but our environment is getting more complex and I'm having trouble wrapping my head around these different configurations. Thanks.
  • Just create a VS on the server-side VLAN the web servers are part of, with the app servers as Pool Members. You'll need to SNAT to ensure the traffic back from the app servers goes back to the F5s. I appreciate it can be difficult to 'get it' and 'hold it all in your head' sometimes. If I get time I'll post a diagram over the weekend.
  • OK, here's a quick and dirty diagram. Just remember to factor the monitors direct from the F5 into the firewall rules, and SNAT on the second VIP (assuming there is a L3 device between the F5 server-side and the firewalls).

    http://sdrv.ms/Ys3GZs
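The layout Steve describes (a second VS on the web-tier server-side VLAN, app servers as pool members, SNAT so replies return via the F5, monitor traffic allowed through the inner firewall), written out as tmsh commands. This is an added example, not from the thread or the linked diagram; all names, addresses, ports and the VLAN name web_vlan are assumptions.

```tmsh
# Added example (not from the thread). Assumed addressing:
#   web_vlan (F5 server-side VLAN where the web servers live): 10.1.10.0/24
#     F5 non-floating self IP 10.1.10.2, floating self IP 10.1.10.3
#   app tier behind the inner firewall: 10.1.20.0/24, WebLogic listening on tcp/7001
#   The F5 already has a route toward 10.1.20.0/24 via the inner firewall.

# 1. Pool of app-tier WebLogic servers, health-checked with the built-in tcp monitor.
#    Monitor probes are sourced from the NON-floating self IP (10.1.10.2).
create ltm pool app_pool members add { 10.1.20.21:7001 10.1.20.22:7001 } monitor tcp

# 2. Second VS on web_vlan only: the web servers point their WebLogic app
#    address at 10.1.10.100:7001 instead of at individual app servers.
#    vlans-enabled restricts the listener to web_vlan so it is not reachable
#    from the DMZ / client-side VLAN.
#    SNAT automap rewrites the source to the F5 floating self IP (10.1.10.3),
#    so the app servers' replies route back through the F5 and the firewall
#    sees a single, predictable source.
create ltm virtual app_vs destination 10.1.10.100:7001 ip-protocol tcp profiles add { tcp } pool app_pool source-address-translation { type automap } vlans add { web_vlan } vlans-enabled

save sys config

# 3. Inner firewall rule needed (vendor syntax omitted), covering BOTH sources:
#    permit tcp from 10.1.10.2 and 10.1.10.3 to 10.1.20.21-22 port 7001
#    10.1.10.2 = monitor probes, 10.1.10.3 = SNAT'd web-to-app traffic.
#    Nothing in the DMZ or client side needs a rule to 10.1.20.0/24.
```

If the pair has no floating self IP, automap uses the non-floating self IP instead, so the firewall rule then needs only that one address.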