two different route domains for the vserver lan and pool lan
In order to reduce a possible attack from the internet where a remote client could enter the server LAN through the vserver IP and from there attack the private LANs, it was decided to separate the vserver LAN and the real nodes LAN through two different route domains in a parent-child relationship. I don’t understand how this can actually reduce the risk, since at the application level, you still get to the final servers, but I can clearly understand that it increases the complexity of configuration and troubleshooting on the F5 in case of problems. Also, the nodes are virtual machines and are accessed through trunk interfaces. In addition, the F5 is not directly connected to the internet, but behind a FW. I wanted to ask you if this can be considered a best practice for implementing F5 or not. Thank you in advance for any possible answer.