Forum Discussion

Cirrostratus

Feb 19, 2024

GTM Design | LTM+ ASM+GTM on same VM

Dears, I am planning to publish the same service through two sites by LTM and ASM. Each site has two F5 VMs (LTM and ASM). The customer is required to make the two sites active-active, we recomm...

security

Amine_Kadimi
Feb 21, 2024
Hi,

My answers based on a few similar projects:

1- You can have one GTM, but it won't provide true NS redundancy. Best practice I've seen is to have at least two NS geographically separated, each NS pointing to a GTM cluster (2VMs per site to provide in-site F5 redundancy). Other advanced architecture have more NS but same number of F5s by adding secondary ISP link to the mentioned GTMs

2- In theory you can have the three modules in the same VM (I recommend 16GB of RAM) but in practice it's better to have GTM in a separated VM and separated subnet.

3- There's two parts: where to position GTM? and how to handle DNS requests? For the first I usually prefer to have DNS as close as possible to the WAN edge router. For the second, you usually delegate a subdomain, or if managing all your domain by GTM you can point the entire domain to your GTM listeners

4- Two IPs, one for each ISP

Amine_Kadimi

MVP

Feb 21, 2024

Hi,

My answers based on a few similar projects:

1- You can have one GTM, but it won't provide true NS redundancy. Best practice I've seen is to have at least two NS geographically separated, each NS pointing to a GTM cluster (2VMs per site to provide in-site F5 redundancy). Other advanced architecture have more NS but same number of F5s by adding secondary ISP link to the mentioned GTMs

2- In theory you can have the three modules in the same VM (I recommend 16GB of RAM) but in practice it's better to have GTM in a separated VM and separated subnet.

3- There's two parts: where to position GTM? and how to handle DNS requests? For the first I usually prefer to have DNS as close as possible to the WAN edge router. For the second, you usually delegate a subdomain, or if managing all your domain by GTM you can point the entire domain to your GTM listeners

4- Two IPs, one for each ISP

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

GTM Design | LTM+ ASM+GTM on same VM

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1

Verified Design: SSL Orchestrator with McAfee Web Gateway-Part 2

GTM design question: GTM/LTM LTM/ASM multisite deployment iquery requirements

Regarding design LTM

GTM and LTM design

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS