Forum Discussion

tolinrome_13817's avatar
tolinrome_13817
Icon for Nimbostratus rankNimbostratus
Feb 24, 2014

Load Balancing different interfaces

The way I have the BigIP is connected directly to the DMZ interface and then all proxying goes back through the firewall to hosts on the inside interface. But, can the F5 in this particular setup also allow us to load balance inside services as well? I would think so since it would just load balance the requests between the members in the pool (even if they’re on another physical interface), but I’m not sure. I’m not sure if it needs to be directly connected to the inside for this. Any suggestions or comments? Thanks.

 

application delivery
deployment
design
LTM
management
  • Christopher_Boo's avatar
    Christopher_Boo
    Feb 25, 2014

    You have the LTM in front of the firewall? My LTMs load balance both internal and DMZ, but all interfaces are behind the firewall. Be careful with your routing, as you can definitely get into trouble. I have no experience with it, but I'd look at route domains to keep DMZ and internal separate. Also be mindful of the problems your firewall can cause. Unless you manage both, it can turn into a lot of finger pointing when there is a problem.

     

    In a perfect world, if I'm load balancing internal and DMZ VIPs, I'd prefer separate LTMs.

     

    Chris

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Feb 24, 2014

    Yes, you can absolutely load balance between services internally (assuming the pool members to route TO the BIG-IP). The one thing you'll most certainly need to do though is to apply a SNAT profile to these internal VIPs to force return routing.

     

  • Christopher_Boo's avatar
    Christopher_Boo
    Icon for Cirrostratus rankCirrostratus
    Feb 25, 2014

    You have the LTM in front of the firewall? My LTMs load balance both internal and DMZ, but all interfaces are behind the firewall. Be careful with your routing, as you can definitely get into trouble. I have no experience with it, but I'd look at route domains to keep DMZ and internal separate. Also be mindful of the problems your firewall can cause. Unless you manage both, it can turn into a lot of finger pointing when there is a problem.

     

    In a perfect world, if I'm load balancing internal and DMZ VIPs, I'd prefer separate LTMs.

     

    Chris