Forum Discussion
Hamish
Apr 12, 2012
For my hosts I usually put them all into DMZs by platform (separate VLANs for Windows/Linux/Unix), and some organisations like to segregate Prod/Non-Prod... Also I tend to segregate by level of auth, e.g. public/open servers vs. servers that require auth. It does mean a larger than normal number of DMZs, but you can craft firewall rules by VLAN quite effectively that way (e.g. Windows servers need certain access back inwards where they require access to AD etc... Not that I advise using internal AD from the DMZ, but some organisations require it).
To access non load-balanced services, use a network VS.
For extra security I also like to have separate external and internal VLANs on the BigIP (where you have separate firewalls separating the DMZ from the external nets and the DMZ from the internal nets). That way you can also ensure VSs are limited where required (e.g. network VSs can be active only on the VLAN connecting to the internal networks). You can also configure your network VSs so that access from DMZ to DMZ needs to pass via the firewalls rather than being directly routed across the LTM...
H
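The network VS restriction Hamish describes, as an added example in tmsh syntax that is not part of the original post: a forwarding (IP) virtual server for the internal range, enabled only on the internal-facing VLAN so DMZ-to-DMZ traffic is not routed across the LTM. The VLAN names, object name and address ranges are assumed, not taken from the post.

```tmsh
# Added example: forwarding (IP) virtual server, restricted to the internal VLAN.
# Names and ranges are placeholders: vlan_internal, 10.20.0.0/16 (internal nets),
# 10.10.0.0/24 (one DMZ segment). Adjust to the real topology.
create ltm virtual vs_fwd_dmz_to_internal {
    # Only traffic destined for the internal range is forwarded; anything else
    # (for example DMZ-to-DMZ) is not matched and must go via the firewalls.
    destination 10.20.0.0:any
    mask 255.255.0.0
    # Limit which DMZ segment may use this forwarder.
    source 10.10.0.0/24
    # Forward IP traffic without address or port translation.
    ip-forward
    translate-address disabled
    translate-port disabled
    profiles add { fastL4 }
    # The key point: the VS listens only on the listed VLAN, not on all VLANs.
    vlans-enabled
    vlans add { vlan_internal }
}
```

Check the result with `list ltm virtual vs_fwd_dmz_to_internal` and confirm `vlans-enabled` with only the intended VLAN is shown; a VS left with the default `vlans-disabled` is reachable from every VLAN on the box.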