Multi-tenant environment: Multiple external vlan and one internal VLAN

Question

Hi
I want to build a multi-tenant web hosting environment. To make things simple, I want to keep multiple external vlans (single vlan and /24/customer) and one internal vlan only. The servers are situated behind another internal firewall zones. I would like to keep one interface of internal firewall connecting logically to my LB on internal vlan and ingress interface with servers with sub interfaces configured. The SNAT pool can be automaped or we can use SNAT pool of internal vlan subnet range. The pool members for each customer belongs to separate /24. Ther question is if it is possible to have traffic from multiple external vlans and going to single internal vlan for both forward and reverse traffic from servers. Below is the sample configuration for one customer. For every other customer, we have separate external subnet and separate pool members subnet.&nbsp;
Customer will type www.abc.com on their browser 
ABC.com (Registered to public IP/DNS)                 (157.1.1.1) &nbsp;
Perimeter Firewall:
Interface facing external                             public IP ?
Interface facing to internal network                  10.10.10.1&nbsp;
Will hit on perimeter firewall and get translated to 10.10.10.10 (VIP for abc.com). Firewall will forward traffic to internal interface facing LB.&nbsp;
LB
LB external interface                               10.10.10.254
VIP (abc.com)                                       10.10.10.10 (Tagged interface to carry multiple external vlans each for one customer)
Internal Interface                                  192.168.1.254 (This interface can be built as untagged interface and switch port will be access port)
Pool Members (Cust web servers):                    (2.2.2.10-2.2.2.13) &nbsp;
A static route to be added to reach network 2.2.2.0/24 via 192.168.1.1
SNAT automap can be used which will vary interface address .254 but it is restricted to 65000 sessions. We can reserve 10 IPs from 192.168.1.0/24 network to use as SNAT Pool by monitoring total number of sessions.&nbsp;
Internal Firewall &nbsp;
interface facing LB                                   192.168.1.1
Interface facing servers       2.2.2.1&nbsp;
Servers to have static route to reach 192.168.1.0/24 network via 2.2.2.1&nbsp;

mahmoud_eldeeb_ · Answer

Hello,
What is the software version?&nbsp;

wesleyjack · Answer

Hello syediman,&nbsp;
"The[ir] question is if it is possible to have traffic from multiple external vlans and going to single internal vlan for both forward and reverse traffic from servers."&nbsp;
We have several data centers with F5s operating in a similar fashion.  Multiple external VLANs to multiple internal VLANs (however one VLAN in specific is most used).  We use SNAT pools, but since you only have one Internal automap should be okay.  No issue with carrying multiple VLANs, we actually carry both external and internal on the same trunk.  (F5-on-a-stick)  Static route to get to 2.2.2.0/24 is a must.&nbsp;

mahmoud_eldeeb_ · Answer

automap is enough&nbsp;

Forum Discussion

Multi-tenant environment: Multiple external vlan and one internal VLAN

3 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

Create F5 BIG-IP Next Instance on Proxmox Virtual Environment

Multi-Stores Citrix environment BIG-IP APM

iRules Development Environment

Create isolated environment for internal and external networks

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB