Forum Discussion
Two DC and GTM solution
We want to implement GTM for DNS redundancy between DC1 and DC2. Each DC has the design public_ip-FWL(NAT)-LTM(VIP_private_ip). What is the best place for GTM, before or after the firewall? What can we do for GTM to respond with the public IP address, an iRule? If we use an iRule to convert public to private IP, will redundancy work between DC1 and DC2? Do we need to migrate the public IP address to LTM as the easiest solution?
- Leonardo_Souza
Cirrocumulus
"What is the best place for GTM before or after firewall?"
You could use both; there is no limitation, so it is up to your decision. Just make sure you use the private or public IP to talk with the LTM, based on your decision.
About the other questions, read this solution:
https://support.f5.com/csp/article/K14707
- Hamish
Cirrocumulus
- What is the best place for GTM before or after firewall?
That's up to your own policies. LTM (which GTM sits on top of) provides firewall functionality. However, that usually means you have to maintain rules in multiple places (i.e. your normal firewall and the GTM/LTM).
- What can we do for GTM to respond with the public IP address, an iRule?
Yes. There are a couple of iRules on codeshare that will do that for you.
- If we use an iRule to convert public to private IP, will redundancy work between DC1 and DC2?
I don't see why not, but without knowing exactly your setup/business and security rules, etc., then YMMV.
- Do we need to migrate the public IP address to LTM as the easiest solution?
Well... The addresses you service have to be routed to the right place. Whether you need to migrate is another (long and involved, usually) discussion. You could get 3 people in a room on this one and get 4 answers, where none of them are wrong.