Our ever-changing digital landscape requires thinking outside the box when it comes to combining solutions to keep applications available, reliable, secure, and performing well on a global scale.
To that end, it makes sense to address this challenge from a simple point that most of us are familiar with: DNS workloads. More specifically, internal DNS workloads and external DNS workloads.
While they’re similar in nature, having one single toolset to address both is not always the most efficient or secure practice. Asking too much of a DNS solution can lead to inefficiencies, security risks, increased latency, and excessive demands on compute resources. But one solution doesn’t have to address the demands of both workloads. Indeed, having a DNS service that exclusively handles internal application workloads alongside a solution dedicated to exclusively external application workloads means that those solutions can focus their resources on doing one job exceptionally well.
This is why having an on-prem DNS solution for internal app workloads and a cloud DNS solution to handle external app workloads can be a best practice for teams looking to separate the demands on their infrastructure. Using two separate DNS solutions means no longer micro-managing disparate traffic flows through one device; each solution does what it does best, and less is asked of either overall.
Here is why dividing DNS workloads between internal and external resources can make sense.
Keeping a dedicated DNS solution for internal apps minimizes the risk of exposing sensitive internal records to potential attacks originating from the public internet. A dedicated external DNS service can focus on protecting public-facing assets, implementing measures like distributed denial of service (DDoS) attack mitigation for external-facing zones.
Internal DNS services can be tailored for low-latency queries and optimized specifically for intra-organization traffic. This is critical for large-scale or latency-sensitive applications. External DNS services can optimize delivery of external-facing applications, providing users with the fastest, most efficient path to the apps they need.
Splitting internal and external DNS allows each service to scale independently based on its own traffic patterns and app requirements. External apps can see unpredictable traffic spikes and require scalable DNS services with robust caching and global coverage. Internal apps, in contrast, are less likely to see such spikes, so their DNS service can instead be optimized for scaling within the infrastructure.
Ensuring compliance with regulatory frameworks (e.g., GDPR, HIPAA) often requires greater control and visibility over DNS queries. Dedicated internal DNS systems can help meet these requirements. Dedicated services for external DNS can provide visibility specifically focused on end-user traffic patterns, domain health, and the success of external-facing applications.
Internal DNS services can support features like internal service discovery tailored to microservices architectures (e.g., SRV or NAPTR records). External DNS services can focus on tasks like global load balancing, CDN integration, or disaster recovery to ensure high availability for end users.
With a clear separation between DNS services, teams can better focus on the needs of internal versus external workloads without conflicting priorities or mixed configurations, simplifying troubleshooting by reducing complexity.
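One practical check that follows from the exposure point above: before a zone is published through the external DNS service, confirm it carries no internal records. The script below is an added example, not F5 code; it parses a constructed BIND-style zone and flags A/AAAA records with non-public addresses and CNAMEs into an assumed internal namespace (`corp.internal.`).

```python
"""Offline check that an external zone does not leak internal records.
Zone text and the internal suffix below are constructed for this example."""
import ipaddress

# Address ranges that should never be A/AAAA targets in a public zone.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]
INTERNAL_SUFFIXES = ("corp.internal.",)  # assumed internal namespace

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 300
@        IN  A      203.0.113.10      ; public web front end
www      IN  CNAME  example.com.
api      IN  A      198.51.100.7
intranet IN  A      10.20.30.40       ; must not be in the external zone
portal   IN  CNAME  portal.corp.internal.
db6      IN  AAAA   fd12:3456::1      ; ULA address leaked
"""

def parse_zone(text, origin="example.com."):
    """Minimal parser for A/AAAA/CNAME lines with an explicit owner field.
    Returns (owner FQDN, type, target); relative owners get the origin."""
    records = []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()          # drop comments
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):                  # $TTL and friends
            continue
        for i in range(1, len(tokens) - 1):
            if tokens[i] in ("A", "AAAA", "CNAME"):
                owner = tokens[0]
                if owner == "@":
                    owner = origin
                elif not owner.endswith("."):
                    owner = f"{owner}.{origin}"
                records.append((owner, tokens[i], tokens[i + 1]))
                break
    return records

def find_leaks(records):
    """Return (owner, reason) for records that expose internal topology."""
    findings = []
    for owner, rtype, target in records:
        if rtype in ("A", "AAAA"):
            if any(ipaddress.ip_address(target) in n for n in NON_PUBLIC_NETS):
                findings.append((owner, f"non-public address {target}"))
        elif rtype == "CNAME" and target.endswith(INTERNAL_SUFFIXES):
            findings.append((owner, f"CNAME into internal namespace {target}"))
    return findings
```

Run `find_leaks(parse_zone(SAMPLE_ZONE))` to see the three offending records; wiring the same check into the zone-publishing step keeps internal names out of the external service.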
Arranging an environment like this when a team is coming from a single DNS solution can be tricky to say the least. How can a footprint expand without creating undue security or efficiency risks, while still keeping applications online and available? This is an especially pressing question when those external applications handle business-critical workflows that cannot be interrupted.
Deploying new app delivery solutions that encompass both on-premises and cloud assets can create some challenges. Teams need a tool that facilitates the seamless expansion of apps across different environments, ensuring high availability and performance, making sure that apps are always available to users, even on an actively growing network.
A tool like F5 Distributed Cloud App Connect can help make this transition much easier for those teams who’ve decided that a dual DNS solution is right for them. Distributed Cloud App Connect helps teams adjust how public apps are delivered and extends F5 Distributed Cloud Services to apps hosted on F5 BIG-IP. For a team looking to use F5 Distributed Cloud DNS for their public-facing applications, Distributed Cloud App Connect can take care of the discovery, setup, and load balancing processes to make sure the migration is straightforward.
With the service discovery feature in Distributed Cloud App Connect, teams can use Distributed Cloud Services to identify any virtual servers running on BIG-IP, as long as Distributed Cloud Services can be extended to that BIG-IP deployment. One of the easiest ways to do this is to deploy a customer edge (CE) device as a virtual machine alongside a BIG-IP deployment, which creates a secure tunnel to the F5 Global Network and enables Distributed Cloud Services to apply to apps on BIG-IP.
Once the connection is created, teams can use Distributed Cloud App Connect to discover any set of virtual servers and create a catalog of applications to manage. Using Distributed Cloud DNS to create a subdomain, and Distributed Cloud App Connect to create a DNS record for the front end as well as an HTTP load balancer for the virtual server hosting the application, enables those public-facing applications to use Distributed Cloud DNS as the dedicated external DNS service. Any back-end services that the virtual server needs to access are advertised only to the front end, not to public users. This frees F5 BIG-IP DNS to focus on the critical internal workloads that keep organizations running. With applications on BIG-IP discovered by App Connect, teams can also bring security services like F5 Distributed Cloud Web App and API Protection (WAAP) to virtual servers on BIG-IP if they choose.
For a more in-depth look at how these solutions can work together to expand your environment, be sure to watch this article’s accompanying video and read our DevCentral Deep Dive article, where we lay the groundwork for a successful footprint expansion. And if you’re ready to take the next step, contact us to learn how Distributed Cloud DNS can expand your environment and bring users more consistent, high-performing digital experiences.