I'm considering purchasing an F5 load balancing device which will proxy inbound HTTP connections to one of five web servers on my internal network. My assumption was that the F5's external interface would face the Internet and the internal interface would face the internal network where the web servers live. Yet several of the illustrations I'm seeing online place the F5 device behind the firewall. This arrangement would cause extra traffic to pass through the firewall and also makes the firewall a single failure point, correct?
What's the rationale behind this configuration?
Best Answer
I think the classical:
is mostly left over from the era of expensive hardware-based firewalls. I've implemented such schemes, so they work, but they make the whole setup more complicated. To eliminate single points of failure (and e.g. allow upgrades of the firewall) you need to mesh traffic between 2 firewalls and 2 load balancers (using either layer 2 meshes or proper layer 3 routing).
On public clouds one tends to implement something like:
which is frankly good enough.
Happy to see some discussion on the topic.
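An added example, not part of the answer above, that makes the single-point-of-failure argument concrete: it models the classical firewall-then-F5 chain and the meshed 2-firewall/2-load-balancer design as small graphs (node names such as `fw1` and `lb1` are constructed) and reports which nodes, if lost on their own, cut the Internet off from every web server.

```python
from collections import deque

# Constructed sample topologies (hypothetical node names, not from the thread).
WEB = [f"web{i}" for i in range(1, 6)]
# Classical chain: Internet -> single firewall -> single F5 -> five web servers.
CLASSIC = [("internet", "fw"), ("fw", "lb")] + [("lb", w) for w in WEB]
# Meshed pair: two firewalls, two load balancers, every firewall reaches every LB.
MESHED = (
    [("internet", "fw1"), ("internet", "fw2")]
    + [(fw, lb) for fw in ("fw1", "fw2") for lb in ("lb1", "lb2")]
    + [(lb, w) for lb in ("lb1", "lb2") for w in WEB]
)


def build_graph(edges):
    """Undirected adjacency dict from a list of (a, b) links."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, src, dst, removed):
    """BFS from src to dst, treating every node in `removed` as failed."""
    if src in removed or dst in removed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(edges, src, pool):
    """Nodes whose individual loss leaves src unable to reach ANY server in pool.
    Pool members are skipped: absorbing one lost web server is the LB's job."""
    graph = build_graph(edges)
    spofs = [
        node for node in graph
        if node != src and node not in pool
        and not any(reachable(graph, src, srv, {node}) for srv in pool)
    ]
    return sorted(spofs)


if __name__ == "__main__":
    print("classic:", single_points_of_failure(CLASSIC, "internet", WEB))  # ['fw', 'lb']
    print("meshed: ", single_points_of_failure(MESHED, "internet", WEB))   # []
```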