Same load balancer for all traffic
- Jun 27, 2025
Hi,

As per the suggested design, you will have one physical load balancer for internal, DMZ and external VIPs. I have feedback on the security side. A single load balancer for all applications leads to security risks (increased attack surface) and a single point of failure for all zones. My feedback on this is as follows:

- Implement route domains (isolates network traffic) and partitions based on zones to logically separate routing between the zones (logically separate the load balancer into 3).
- Lock down Self IPs using port lockdown (never expose Self IPs directly to the internet/internal, to restrict management plane access).
- You have to use the security modules:
  - Use AFM (Advanced Firewall Manager) for zone-specific firewall rules. Enable DoS.
  - Use ASM/WAF for protecting web applications, especially in DMZ/external services.

BR
Aswin
You could possibly face lateral movement without any security control, especially due to misconfiguration.
You could separate DMZ and internal VIPs into different route domains and partitions in the same BIG-IP, having both network and logical segmentation.
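To make the route-domain, partition and port-lockdown advice from the thread concrete, here is an added tmsh example; it is not taken from the post or from F5's own documentation, and every object name, VLAN tag, interface number and address in it is an assumption chosen for illustration.

```tmsh
# Added example, not from the original post. All object names, VLAN tags,
# interfaces and addresses below are assumptions for illustration.

# 1. One administrative partition per zone, so objects and admin access are
#    separated logically.
create auth partition DMZ
create auth partition INTERNAL

# 2. One VLAN per zone (interface numbers and tags assumed).
create net vlan dmz_vlan      tag 20 interfaces add { 1.2 { tagged } }
create net vlan internal_vlan tag 30 interfaces add { 1.3 { tagged } }

# 3. One route domain per zone. "strict enabled" stops the route domain from
#    forwarding into other route domains, which is the isolation the post
#    relies on; it is also the default, but stating it makes the intent visible.
create net route-domain dmz      id 1 strict enabled vlans add { dmz_vlan }
create net route-domain internal id 2 strict enabled vlans add { internal_vlan }

# 4. Point each partition at its own route domain so objects created in the
#    partition land in the right routing table by default.
modify auth partition DMZ      default-route-domain 1
modify auth partition INTERNAL default-route-domain 2

# 5. Self IPs per zone with port lockdown "allow none": nothing can reach the
#    BIG-IP itself through these addresses, so data-plane VLANs never carry
#    management-plane access. Administration stays on the management port.
create net self dmz_self      address 192.0.2.5%1/24    vlan dmz_vlan      allow-service none
create net self internal_self address 198.51.100.5%2/24 vlan internal_vlan allow-service none

# 6. Verify: every self IP should report "allow-service none" and each route
#    domain should list only its own VLAN.
list net self
list net route-domain
```

With this in place, VIPs for each zone are created inside the matching partition with `%1` or `%2` on their addresses, so a misconfigured DMZ virtual server cannot route into the internal segment; the AFM and ASM policies the post recommends are then attached per virtual server, which is outside the scope of this snippet.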