Firewall and Load Balancer in Private Network

This article explains how firewalls and/or load balancers can be deployed in shared infrastructure.

Firewalls or load balancers can be deployed in shared infrastructure, using Private Network to connect to any Leaseweb service within a data center, provided that service is also connected to Private Network.

The firewall or load balancer must be configured in Routed with NAT mode. The firewall or load balancer translates the public IP addresses to Private IP addresses (Private Network IPs) to forward or receive traffic to/from a Leaseweb service with Private Network.

Routed (without NAT) mode and Transparent mode will not work and may cause an outage.

The Leaseweb services behind the firewall or load balancer must have a default route to the inside IP (Private Network IP) in order to send and receive traffic to/from the firewall or load balancer.
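
One way to verify the default-route requirement on a Linux server behind the firewall or load balancer (an added example, not Leaseweb tooling). It assumes the iproute2 `ip` command; the inside IP 10.32.0.1, the interface names and the sample routes are constructed values.

```shell
#!/bin/sh
# Added example: audit default routes against the firewall's inside IP.
# All addresses and interface names below are constructed sample values.

# check_default_route INSIDE_IP [ROUTES]
# ROUTES is text in `ip -4 route show default` format; if omitted, the
# live routing table is read. Prints one finding per route and returns 0
# only when every default route uses INSIDE_IP as its gateway.
check_default_route() {
    inside_ip=$1
    routes=${2-$(ip -4 route show default)}
    if [ -z "$routes" ]; then
        echo "FAIL: no default route configured"
        return 1
    fi
    status=0
    while read -r line; do
        [ -n "$line" ] || continue
        gw='' dev=''
        set -- $line                      # split the route into words
        while [ $# -gt 1 ]; do
            case $1 in
                via) gw=$2 ;;
                dev) dev=$2 ;;
            esac
            shift
        done
        if [ "$gw" = "$inside_ip" ]; then
            echo "OK: default via $gw dev $dev"
        else
            # Any other gateway sends traffic around the NAT device.
            echo "FAIL: default via ${gw:-none} dev ${dev:-unknown}, expected $inside_ip"
            status=1
        fi
    done <<EOF
$routes
EOF
    return $status
}

# Constructed sample: the correct route plus a leftover default route
# through the public interface.
SAMPLE='default via 10.32.0.1 dev eth1 metric 100
default via 203.0.113.1 dev eth0 metric 200'
check_default_route 10.32.0.1 "$SAMPLE" || echo "result: default routing needs fixing"
```

Called with only the inside IP, the function reads the server's live routing table instead of the sample text.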

This setup does not require the firewall or load balancer to be in the same rack as the Leaseweb services. They can all be in different racks within the same data center.

Public IP addresses must be allocated to the firewall or load balancer; the number of IP addresses depends on the NAT type.

One-to-one NAT → the number of public IP addresses that need to be assigned to a firewall or load balancer equals the number of servers that are behind the firewall or load balancer.

One-to-many NAT → one public IP address is needed for a number of servers behind the firewall or load balancer.

Leaseweb services will also be delivered with public IP addresses. These cannot be used in combination with the firewall or load balancer, but they are required for our automation to work.

For Dedicated servers, we recommend that the public switch port be closed (this can be done easily in the Customer portal). When it is needed, e.g. for OS installation or Rescue mode, the public switch port can be opened.

Remote management can be used to manage the firewall or load balancer.

A firewall and a load balancer in the same setup are currently not supported. Please contact our sales department for a solution.

Firewall or Load balancer configuration

We provide three (3) options:

  1. Initial configuration and management by the customer
  2. Initial configuration by Leaseweb, management by customer
  3. Initial configuration and management by Leaseweb

Initial configuration and management by customer

The customer is responsible for the configuration and management of the device(s). Leaseweb provides access to the device.

The customer configures and manages the device.

Initial configuration by Leaseweb, management by customer

Leaseweb does the initial configuration according to the customer’s wishes (the customer answers the firewall or load balancer questionnaire).

After the initial configuration, the customer is responsible for any changes and for management of the device.

Initial configuration and management by Leaseweb

Leaseweb does the initial configuration according to the customer’s wishes (the customer answers the firewall or load balancer questionnaire).

If the customer wants Leaseweb to manage the device, Leaseweb offers Network Management Packs. For more information, please see the article about Network Management Packs.

Network Connectivity

The firewall or load balancer is connected to the Top of the Rack Public switch, the Top of the Rack Private switch and the Remote Management switch.

The Top of the Rack Public switch offers an uplink port speed of 1 Gbps.

The Top of the Rack Private switch offers 100 Mbps or 1 Gbps Private Network.

Ports above 1 Gbps, in either the Public or the Private Network, are currently not available.

The Remote Management switch is used to provide management access for the customer.

Data packs

The firewall or load balancer is offered with its own data packs (Data traffic or Bandwidth).

Data traffic → the minimum commitment is 30 TB

Bandwidth 95% → the minimum commitment is 100 Mbps

Bandwidth unmetered → 100 Mbps or 1 Gbps


Eligible firewall or load balancer models

The firewall models that are eligible for this setup are:

  1. Juniper SRX 345
  2. FortiGate FG-100F
  3. FortiGate FG-200F

The load balancer model that is eligible for this setup is:

  1. A10Networks TH1040

