Big-IP DNS - LTM Design Clarification
Problem statement: User must go through FW NAT'd address for application after being directed by GTM
2 datacenters (DC1 and DC2)
2 GTMs in DC1 (external self-IP 1.1.1.1, internal self-IP 10.100.1.1)
1 GTM in DC2 (external self-IP 9.9.9.9, internal self-IP 10.200.1.1)
Allow Custom Ports: TCP/UDP 53 only
2 LTMs in DC1 (self-IP 10.100.1.1)
2 LTMs in DC2 (self-IP 10.200.1.1)
Allow Custom Ports: TCP iquery (4353) and SSH (22)
** GTMs in front of the FW, LTMs behind the firewall.
Establish trust between GTM and LTM on the internal address. Do not enable auto-discovery.
LTM virtual server (vs_dnstest01) on an internal address, let's say 10.100.100.1/24, with NAT on the firewall, let's say 1.1.1.50
** Manually add the LTM VS to the GTM pool using the NAT'd address 1.1.1.50
LDNS: add A records for the DC1 and DC2 GTM self-IPs for vs_dnstest01 to DC1 GTM and DC2 GTM, example:
dnstest.myco.com A 1.1.1.1
dnstest.myco.com A 9.9.9.9
WideIP: dnstest.myco.com (LTM VS pool members from the LTMs in DC1 and DC2), LB: Global Availability (always prefer DC1)
Here is my assumption, on which I need clarification:
Client: queries dnstest.myco.com
GTM: responds with the IP from the WideIP pool, 1.1.1.50, sending the client to the DC1 LTM
Client: accesses the app on the LTM via the FW NAT'd address (1.1.1.50) (FW policy allowing 80/443 traffic)
Are there any concerns or issues with adding the LTM virtual servers to the GTM pool using the public address? My assumption is that as long as the GTM can query the status of the LTM and LTM virtual servers through the FW, the pool will be up and traffic will be processed.
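The resolution flow described in the post, modelled as an added Python example (not F5 code and not part of the original post): a Global Availability pool whose members are the firewall NAT'd addresses of the LTM virtual servers, plus two checks a reviewer would run on each member before trusting the design: that the address handed to clients is not an internal RFC1918 address, and that the GTM monitor probes the same address clients are sent to, so "pool up" actually means "reachable through the firewall". The DC2 NAT address 9.9.9.50 and the member names are constructed for the example; the DC1 values are the ones from the post.

```python
"""Model of a BIG-IP DNS wide IP backed by a Global Availability pool whose
members are firewall-NAT'd LTM virtual server addresses.

Added example, not F5 code. Addresses other than those quoted in the post
(1.1.1.50 and 10.100.100.1) are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class PoolMember:
    """One LTM virtual server as the GTM pool sees it (constructed values)."""
    name: str         # label, e.g. "DC1 vs_dnstest01"
    service_ip: str   # address returned to clients: the firewall NAT'd address
    monitor_ip: str   # address the GTM health monitor actually probes
    available: bool   # last monitor result for this member


def global_availability(members):
    """Global Availability: always return the first available member in
    configured order, so DC1 is preferred and DC2 is used only on failure."""
    for member in members:
        if member.available:
            return member
    return None


def resolve(wideip, members):
    """Answer an A query for the wide IP as a list of (name, address) records.
    An empty list means no pool member is available."""
    chosen = global_availability(members)
    return [(wideip, chosen.service_ip)] if chosen else []


def audit_member(member):
    """Checks to run on a NAT'd pool member; returns a list of findings."""
    findings = []
    if ip_address(member.service_ip).is_private:
        findings.append(
            f"{member.name}: service address {member.service_ip} is RFC1918; "
            "external clients would be handed an unreachable internal address")
    if member.monitor_ip != member.service_ip:
        findings.append(
            f"{member.name}: monitor probes {member.monitor_ip} but clients are "
            f"sent to {member.service_ip}; monitor status does not prove the "
            "path through the firewall")
    return findings


def build_pool():
    """Constructed pool: DC1 first (preferred), DC2 second (failover)."""
    return [
        PoolMember("DC1 vs_dnstest01", "1.1.1.50", "1.1.1.50", True),
        PoolMember("DC2 vs_dnstest01", "9.9.9.50", "9.9.9.50", True),  # 9.9.9.50 constructed
    ]


if __name__ == "__main__":
    pool = build_pool()
    print("DC1 up:   ", resolve("dnstest.myco.com", pool))
    pool[0].available = False          # simulate DC1 monitor failure
    print("DC1 down: ", resolve("dnstest.myco.com", pool))
    # A member defined on the internal address with an internal monitor target
    wrong = PoolMember("DC1 internal", "10.100.100.1", "10.100.100.1", True)
    for finding in audit_member(wrong):
        print("finding:", finding)
```

The second audit check is the one that matters for the question asked: if the GTM is allowed to reach the LTM only on its internal self-IP through the firewall, the monitor can report the virtual server up while the NAT rule or the 80/443 policy on the firewall is broken, and clients will still be sent to 1.1.1.50.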