Forum Discussion

Jon_Ole_Nome_46's avatar
Jon_Ole_Nome_46
Icon for Nimbostratus rankNimbostratus
Aug 19, 2013

Multi-homed GTM, how to restrict internal/external DNS queries

I have a set of GTMs with 2 active interfaces - 1 DMZ, 1 internal. I also have 2 subdomains allocated to the GTMs, one for internal Wide IPs and one for external Wide IPs. I want to set it up to only...
application delivery
cloud
deployment
design
devops
iRules
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 26, 2013

Here's a slight twist to get multi-homed records.

  1. Create an "internal" topology region - include all of the local/internal IP subnets.

  2. Create separate internal and external pools for each WIP resource with a common naming extension (ex. int_foo.example.com_pool and ext_foo.example.com_pool).

  3. Create a "drop" pool - no members, preferred LB Method: Fallback IP, Fallback IP: 1.1.1.1, Alternate and Fallback LB Methods set to none.

  4. Assign the external pool to the WIP.

  5. Apply this iRule to all multi-homed WIPs:

    when DNS_REQUEST {
    if { [matchregion [IP::client_addr] internal_network] } {
        if { [catch {
             try to send internal GTM pool
            set pool [findstr [LB::server pool] "ext_" 4]
            pool "int_$pool"
        } error] } {
             internal GTM pool doesn't exist - send nothing
            pool drop_pool
        }
    } 
}

This is really nothing more than a variation on some of the examples above, and probably pretty close to Jason's comments, but can be done completely inside a GTM iRule and will allow you to serve up internal and external DNS entries for the same resources (if they exist).