My understanding is all modules in the F5 BIG-IP appliance will be in the same physical box.
My question is: can I put other F5 modules (specifically the F5 ASM module) in a different physical box? I worry that the resource usage by F5 ASM can slow down other services.
Anyone who has experience in F5 ASM and architecture for enterprise, please advise. I really appreciate it!!
You can do both. The scenario you see less often is standalone ASM, but I have absolutely seen this and there are use cases where this may be good practice. You can have a BIG-IP upstream divert only the necessary traffic to downstream ASM devices and then, depending on architecture, send them back to the original BIG-IPs or other downstream ones, with their VIP as the pool member.
It is probably less complex to have LTM and ASM on the same box in front of your web servers but there are always options.
Whilst older platforms and older TMOS versions had resource considerations when adding on multiple modules, and even had limitations on types/numbers, the new platforms and versions are a lot more flexible.
It all depends on the traffic/architecture where you are. Hopefully this gives you food for thought.
Yes, you can use a different BIG-IP box as an ASM-only device, provided that you have an ASM license for your separate device.
It is actually an F5-recommended architecture for ASM scalability when you load-balance several ASM devices using an LTM.
F5 has released a Deployment Guide describing this architecture: Configuring the BIG-IP LTM with multiple BIG-IP ASM devices
You can view the deployment guide PDF here:
Hope this helps,
Could you please share a new valid link to the article?