Firewall and Load Balancer in Private Network – Overview


This article explains how firewalls and/or load balancers can be deployed in shared infrastructure.

Firewalls or load balancers can be deployed in shared infrastructure using Private Network to connect to any Leaseweb service within a data center, provided that service is also connected to Private Network.

The firewall or load balancer must be configured in Routed with NAT mode. It translates public IP addresses to private IP addresses (Private Network IPs) in order to forward traffic to, or receive traffic from, a Leaseweb service on Private Network.

Routed (without NAT) mode and Transparent mode will not work and may cause an outage.

The Leaseweb services behind the firewall or load balancer must have a default route pointing to the inside IP (Private Network IP) so that they send and receive traffic through the firewall or load balancer.

This setup does not require the firewall or load balancer to be in the same rack as the Leaseweb services. They can all be in different racks within the same data center.


Public IP addresses have to be allocated to the firewall or load balancer. The number of IP addresses depends on the NAT type.

One to one NAT → the number of public IP addresses that need to be assigned to the firewall or load balancer equals the number of servers behind it.

One to many NAT → one public IP address is needed for a number of servers behind the firewall or load balancer.

Leaseweb services will also be delivered with public IP addresses. These cannot be used in combination with the firewall or load balancer, but they are required for our automation to work.

For Dedicated servers, we recommend keeping the public switch port closed (this can be done easily in the Customer portal). When it is needed, for example for OS installation or Rescue mode, the public switch port can be opened.
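The default-route requirement and the public switch port recommendation above can be verified on a Linux service behind the device. The following is an added example, not Leaseweb code: it parses the output of `ip -4 route show default` and flags any default route that does not use the inside IP on the private interface. The addresses, interface names and sample route lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. The inside IP 10.32.0.1, the interface names eth0/eth1 and
# the sample route lines are constructed values, not taken from the article.

# check_default_route EXPECTED_GW PRIVATE_IF ROUTES
# ROUTES is the text printed by `ip -4 route show default`.
# Returns 0 when every default route uses EXPECTED_GW on PRIVATE_IF,
# 1 when a default route bypasses the firewall or load balancer,
# 2 when no default route exists at all.
check_default_route() {
    printf '%s\n' "$3" | awk -v gw="$1" -v ifc="$2" '
        $1 == "default" {
            seen++
            via = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") via = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (via != gw || dev != ifc) {
                printf "BYPASS: default via %s dev %s\n", via, dev
                bad++
            }
        }
        END {
            if (seen == 0) { print "MISSING: no default route"; exit 2 }
            if (bad > 0) exit 1
            print "OK: default route via " gw " dev " ifc
        }'
}

# Constructed sample outputs of `ip -4 route show default`.
GOOD_ROUTES='default via 10.32.0.1 dev eth1 proto static'
# A second default route on the public interface would let traffic skip NAT.
LEAKY_ROUTES='default via 203.0.113.1 dev eth0 proto dhcp metric 100
default via 10.32.0.1 dev eth1 proto static metric 200'

check_default_route 10.32.0.1 eth1 "$GOOD_ROUTES"
check_default_route 10.32.0.1 eth1 "$LEAKY_ROUTES" || echo "exit status $?"

# Live use on a server:
#   check_default_route 10.32.0.1 eth1 "$(ip -4 route show default)"
```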

Remote management can be used to manage the firewall or load balancer.

A firewall and a load balancer in the same setup are currently not supported. Please contact our sales department for a solution.

Firewall or Load balancer configuration

We provide three (3) options:

1. Initial configuration and management by the customer

The customer is responsible for the configuration and management of the device(s). Leaseweb provides access to the device.

Customer configures and manages the device.

2. Initial configuration by Leaseweb, management by customer

The customer is responsible for the configuration and management of the device(s). Leaseweb provides access to the device.

Customer configures and manages the device.

3. Initial configuration and management by Leaseweb

Leaseweb does the initial configuration according to the wishes of the customer (the customer answers the firewall or load balancer questionnaire).

Leaseweb offers Network Management Packs if the customer wants Leaseweb to manage the device. For more information, please see the article about Network Management Packs.

Network Connectivity

The firewall or load balancer is connected to the Top of the Rack Public switch, the Top of the Rack Private switch and the Remote Management switch.

  • The Top of the Rack Public switch offers an uplink port speed of 1 Gbps.
  • The Top of the Rack Private switch offers 100 Mbps or 1 Gbps Private Network.
  • Ports above 1 Gbps either in Public or Private Network are currently not available.
  • The Remote Management switch is used to provide management access for the customer.

Data packs

The firewall or load balancer is offered with its own data packs (Data traffic or Bandwidth).

  • Data traffic → the minimum commitment is 30 TB
  • Bandwidth 95% → the minimum commitment is 100 Mbps
  • Bandwidth unmetered → 100 Mbps or 1 Gbps

Eligible firewall or load balancer models

The firewall models that are eligible for this setup are:

  1. Juniper SRX 345
  2. Fortigate FG-100F
  3. Fortigate FG-200F

The load balancer model that is eligible for this setup is the A10Networks TH1040.