Forum Discussion

saddiq_bilal
Jun 27, 2025
Solved

Same load balancer for all traffic

Hello all,


We are designing an architecture for our customer and configuring a single physical F5 for external (public IP), DMZ VIPs and internal VIPs. I need your help to understand the risks associated with it and feedback on the setup. All the VMs will be placed in a single VLAN. Please provide your expert suggestions.


Thanks


  • Hi,


    As per the suggested design, you will have one physical load balancer for internal, DMZ and external VIPs. I have feedback on the security side. A single load balancer for all applications leads to security risks (increased attack surface) and is a single point of failure for all zones. My feedback on this is as follows:

    - Implement route domains (to isolate network traffic) and partitions based on zones to logically separate routing between the zones (logically separate the load balancer into 3).

    - Lock down Self IPs using port lockdown (never expose Self IPs directly to the internet/internal, to restrict management-plane access).

    - You have to use the security modules:

      - Use AFM (Advanced Firewall Manager) for zone-specific firewall rules. Enable DoS protection.

      - Use ASM/WAF for protecting web applications, especially in DMZ/external services.


    BR
    Aswin

3 Replies

  • You could possibly face lateral movement without any security control, especially due to misconfiguration.

    You could separate DMZ and internal VIPs into different route domains and partitions on the same BIG-IP, giving you both network and logical segmentation.
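Both replies above recommend the same building blocks (one route domain and partition per zone, self IPs with port lockdown, AFM rules per zone). The tmsh configuration below is an added example, not taken from either reply or from F5 documentation, showing what that looks like on a single BIG-IP. The VLAN tags, interface numbers, addresses (RFC 5737/1918 ranges), and object names are placeholders chosen for illustration; the original post puts all VMs in one VLAN, so the example starts by giving each zone its own.

```tmsh
# Added example (not from the thread): three zones on one BIG-IP, each in its own
# VLAN, route domain and partition, with self IPs locked down and an AFM policy
# enforced on the DMZ route domain. All names and addresses are placeholders.

# 1. One VLAN per zone, so the zones are separated at layer 2 before anything else
create net vlan vlan_external tag 10 interfaces add { 1.1 { tagged } }
create net vlan vlan_dmz      tag 20 interfaces add { 1.2 { tagged } }
create net vlan vlan_internal tag 30 interfaces add { 1.3 { tagged } }

# 2. One route domain per zone. 'strict enabled' (the default) refuses to forward
#    between route domains, so a VIP mis-assigned to the DMZ table cannot reach
#    internal pool members through the internal table.
create net route-domain rd_external id 10 vlans add { vlan_external } strict enabled
create net route-domain rd_dmz      id 20 vlans add { vlan_dmz }      strict enabled
create net route-domain rd_internal id 30 vlans add { vlan_internal } strict enabled

# 3. One administrative partition per zone, defaulting to that zone's route domain
#    so VIPs and pools created in the partition land in the right routing table.
create auth partition EXTERNAL default-route-domain 10
create auth partition DMZ      default-route-domain 20
create auth partition INTERNAL default-route-domain 30

# 4. Self IPs with port lockdown. 'allow-service none' opens no listener on the
#    data-plane address; only the internal self IP admits the admin ports.
create net self /EXTERNAL/self_external address 203.0.113.10%10/24 vlan vlan_external allow-service none
create net self /DMZ/self_dmz           address 192.0.2.10%20/24   vlan vlan_dmz      allow-service none
create net self /INTERNAL/self_internal address 10.30.0.10%30/24   vlan vlan_internal allow-service add { tcp:22 tcp:443 }

# Weak setting for contrast (do not use on an internet-facing self IP):
# 'allow-service default' opens SSH, HTTPS, SNMP and other management listeners.
# create net self /EXTERNAL/self_external address 203.0.113.10%10/24 vlan vlan_external allow-service default

# 5. AFM: an enforced policy on the DMZ route domain that admits only HTTPS and
#    logs everything else it drops, so a stray service in the DMZ is visible.
create security firewall policy fw_dmz rules add {
    allow_https { action accept ip-protocol tcp destination { ports add { 443 } } }
    deny_rest   { action drop log yes }
}
modify net route-domain rd_dmz fw-enforced-policy fw_dmz

# 6. Check the lockdown and isolation settings before saving
list net self /EXTERNAL/self_external allow-service
list net route-domain rd_dmz strict fw-enforced-policy
save sys config
```

Run the commands from the tmsh prompt (or prefix each with `tmsh` from bash). The two settings worth re-checking after any later change are `strict enabled` on every route domain, which is what stops traffic leaking between zones, and `allow-service none` on the external self IP, which keeps the management plane off the public address.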
