Forum Discussion

gmac263_33890
Apr 12, 2012

How to handle servers that do not need to be load balanced?

I have a customer that would like to use an F5 BIG-IP 3600 load balancing device between an Internet-routable segment and a server segment. He has some servers that he wants to load balance, and he has other servers that he wants to be able to access directly from the Internet without load balancing them. Can he do this even though the non-load-balanced servers are on the same segment as the load-balanced servers, all behind the BIG-IP 3600? Is there any technical reason that he should create two segments, one behind the F5 load balancing device for load-balanced servers and another segment not behind the F5 load balancing device for non-load-balanced servers?

Thanks

GM

  • Hi GM,

    "Can he do this even though the non-load balanced servers are on the same segment as the load balanced servers all behind the BIG-IP 3600?"

    Sure. If the destination host's default gateway isn't LTM, you'd want to use SNAT to ensure responses from the host come back through LTM.

    You can use a virtual server without load balancing. Here's a SOL with more detail:

    SOL7229 - Methods of gaining administrative access to nodes through the BIG-IP system
    https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7229.html

    "Is there any technical reason that he should create two segments, one behind the F5 load balancing device for load balanced servers and another segment not behind the F5 load balancing device for non-load balanced servers?"

    As stated above, you don't have to have two separate VLANs on LTM. But it can be advantageous from a security and access control perspective to have all access to the servers done through virtual servers on LTM.

    Aaron
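A minimal tmsh configuration for the approach Aaron describes (a virtual server fronting a single host, with SNAT so replies return through LTM when the host's default gateway is not the BIG-IP). This is an added example, not configuration posted in the thread or taken from SOL7229. All values are assumptions: a non-load-balanced host at 10.10.10.20 on a server-side VLAN named "internal", a public address 192.0.2.20 on a VLAN named "external", and TMOS v11-era tmsh syntax (earlier releases spell SNAT automap differently, so check the property names against your version).

```tmsh
# Added example, not from the thread. Assumed values: host 10.10.10.20 on
# VLAN "internal", public address 192.0.2.20 on VLAN "external".
# Syntax follows TMOS v11 tmsh; verify against the running version.

# A one-member pool. There is nothing to balance, but you still get a health
# monitor, and a place to attach profiles, policies and access controls.
create ltm pool pool_app_direct members add { 10.10.10.20:443 } monitor tcp

# Standard virtual server for the single host. "source-address-translation
# automap" rewrites the client source address to a BIG-IP self IP, so the
# server's reply is addressed to the BIG-IP and comes back through LTM even
# though the server's default gateway is some other router. "vlans-enabled"
# restricts the listener to the Internet-facing VLAN only.
create ltm virtual vs_app_direct destination 192.0.2.20:443 ip-protocol tcp profiles add { tcp } pool pool_app_direct source-address-translation { type automap } vlans add { external } vlans-enabled

# Checks: the configuration as stored, the monitor status of the single
# member, and whether the virtual server is available.
list ltm virtual vs_app_direct
show ltm pool pool_app_direct members
show ltm virtual vs_app_direct
```

The trade-off with SNAT automap is that the server no longer sees the real client address in its own logs; it sees a BIG-IP self IP. If the application needs the true client IP, the alternative Aaron implies is to make the BIG-IP the server's default gateway and leave SNAT off, so that return traffic is routed through LTM without address rewriting.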
  • Hamish

    For my hosts I usually put them all into DMZs by platform (separate VLANs for Windows/Linux/Unix), and some organisations like to segregate Prod/Non-Prod... Also I tend to segregate by level of auth, e.g. public/open servers, and servers that require auth. It does mean a larger than normal number of DMZs, but you can craft firewall rules by VLAN quite effectively that way (e.g. Windows servers need certain access back inwards where they require access to AD etc... Not that I advise using internal AD from the DMZ, but some organisations require it).

    To access non-load-balanced services, use a network VS.

    For extra security I also like to have separate external and internal VLANs on the BigIP (where you have separate firewalls separating the DMZ from the external nets and the DMZ from the internal nets). That way you can also ensure VSs are limited where required (e.g. network VSs can be active only on the VLAN connecting to the internal networks, for example). You can also configure your network VSs so that access from DMZ to DMZ needs to pass via the firewalls rather than being directly routed across the LTM...

    H
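The network VS Hamish refers to is a forwarding (IP) virtual server: it has no pool and performs no address or port translation, so LTM simply routes matching traffic to the real host. Below is an added example of one, limited to a single VLAN as he suggests; it is not configuration from the thread. Assumptions: a DMZ subnet 10.10.10.0/24 attached to the BIG-IP, a VLAN named "internal" that faces the corporate side (behind the internal firewall), and TMOS v11-era tmsh syntax.

```tmsh
# Added example, not from the thread. Assumed values: DMZ subnet 10.10.10.0/24
# behind LTM, VLAN "internal" facing the corporate network. TMOS v11 tmsh syntax.

# Forwarding (IP) virtual server covering the whole DMZ subnet, any port, any
# IP protocol. "ip-forward" means no pool and no translation: packets are routed
# to the destination host unchanged. "vlans add { internal } vlans-enabled"
# means only traffic arriving on the internal VLAN matches it; an Internet-side
# client cannot use this path and must hit an explicit application virtual
# server instead.
create ltm virtual vs_fwd_dmz_from_internal destination 10.10.10.0:0 mask 255.255.255.0 ip-forward ip-protocol any profiles add { fastL4 } vlans add { internal } vlans-enabled

# The BIG-IP does not route traffic that matches no listener, so traffic
# arriving from another DMZ VLAN is not forwarded by this virtual server.
# Cross-DMZ traffic therefore has to go via the firewalls, as Hamish describes.

# Check: confirm the enabled-VLAN list and that the listener is active.
list ltm virtual vs_fwd_dmz_from_internal
show ltm virtual vs_fwd_dmz_from_internal
```

Because a forwarding virtual server with port 0 and "ip-protocol any" is a very wide listener, the VLAN restriction is doing real security work here: pair it with the firewall rules on the internal side rather than treating it as the access control itself. Narrow the destination (a single host rather than the /24, or a specific port instead of 0) when the use case allows.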