Network Architecture for AFM

Question

Hi, &nbsp;
We have a pair of Big IP F5 ADC (LTM + AFM), and would like to know where i should place the device in the network. &nbsp;
The idea is to use the LTM feature to load balance application servers and AFM module as data center firewall to allow access only from dedicated user subnet to the application servers and at the same time restrict access from the same user subnet to the DB servers under the server farm switch. I am attaching network layout and would appreciate if anyone can help me with the placement of the Big IP F5 device in the network.&nbsp;
Regards, &nbsp;
Abbas Mirza  &nbsp;
&nbsp;

brad_parker · Answer

I can't tell if your picture is L2 or L3 or both. Which switch stack you plug into is up to you but I would suggest making your BigIP the default gateway for the networks you plan on putting behind it. Your BigIP can participate in a VPC trunk so you can cable it with switch redundancy as well.

Forum Discussion

Network Architecture for AFM

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP in https that redirect to another vip in https

can you help with getting a BigIP virtual edition serial key

In Using the AST tool am I pointing it to TENANTS or to the F5OS(hardware) I have?

2026 is Almost Here

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Related Content

F5 Architecture Track Sessions - AppWorld 2026

Multi-Cluster, Multi-Cloud Networking for K8S with F5 Distributed Cloud – Architecture Pattern

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Kubernetes architecture options with F5 Distributed Cloud Services

Mastering API Architectures Ebook from NGINX

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS