Good Afternoon, We are trying to implement an F5 appliance in the DMZ and I am probably not thinking about this correctly. We think that the Data Interfaces (5.0 / 6.0) are LACP together into the DMZ switches. The tenant we would like to deploy is fronting two web servers in the DMZ. The web servers themselves have firewall fules to talk to the back-end servers. Does the tenent or appliance need access to the internal network as well for load balancing purposes? I am trying to find a good guide on this but I am missing some Google-Fu right now.
If the web servers route to internal resources via the firewall, then no issues as F5 is out of the path. However, if you are doing something like routing through the F5 and source NATing then of course the IP seen would be the F5. So depends on architecture.
Hi @HerrDrachen ,
To be able to help , Review with me ...
I have draw this diagram according your post and included info :
Am I correct in this flow ?
Feel free to correct me , use this website to draw your design ( https://excalidraw.com/ )
What is the access that you mean ??
Looking forward hearning from you soon 🙂
Here is a simple layout of the F5, network, vmware and VMs. The client would hit the F5, go through the switches to the VMware Hosts, hit the VMs that are in the pool, do what it has to do and then come back out the F5.
Hi @HerrDrachen ,
your Question here is :
if f5 bigip appliance need access to reach ( VM 1 , VM 2 ) ?
The answer (yes) but if the "DMZ Vmware" depending on Access rules which look like firewall policies rules.
So in this case you need to open access from (f5 bigip appliance selfip) on the internal vlan to reach ( VM1 and VM2 ) Pool members through DMZ VMware.
Note you need to configure ( SNAT auto map on virtual server configuration properities ).
this is my primary analysis , please let me know if I miss somthing and clarify it more for me