Worth Reading: Off-Path Firewall with Traffic Engineering
I have had blog post ideas sitting in my to-write queue for over a decade. One of them: why would you need a VRF (and an associated router) between virtual servers and a firewall?
Andrea Dainese answered at least part of that question in his Off-Path Firewall with Traffic Engineering blog post. Enjoy!
IMO PBR (policy-based routing) is only a valid solution if it can be done in hardware. You might overload a small switch's or router's CPU with PBR.
Absolutely agree. PBR is usually implemented with the same lookup hardware as ACLs, so there's a pretty high chance that a platform that can do packet filters in hardware could also do simple PBR in hardware.
Even better, as the IP address of the backup server is usually well-known, you could easily turn this into a pure routing challenge. See https://www.ipspace.net/kb/Internet/ScalablePolicyRouting/ for details.
Cool, thanks for sharing. This is one of the most relevant subjects for me at the moment. Check out this series of excellent and detailed posts about using BGP communities to decide whether or not to firewall. My favourite bit is detailed in part 2, where they create an optimal path so you only have to traverse a single firewall instead of two firewalls.
https://stubarea51.net/2021/11/08/utilizing-bgp-communities-for-traffic-steering-part-1-firewalls/
https://stubarea51.net/2022/03/20/bgp-communities-for-traffic-steering-part-2-state-management-across-data-centers/
https://stubarea51.net/2022/06/12/bgp-communities-part-3-customer-bgp-traffic-engineering-communities/
https://stubarea51.net/2022/07/24/bgp-communities-part-4-active-active-datacenter/
Ideally I'd do something like this for all services, but if you have a considerable number of firewalled subnets you'll end up with a considerable number of VRFs (and BGP sessions between L3 switches and firewalls for all of those VRFs).
Some more ideas I have are related to integrating firewalls with VXLAN or MPLS, but I haven't grokked this direction yet.
Does the ipSpace Data Center course help with answering questions in this problem space?
> Does the ipSpace Data Center course help with answering questions in this problem space?
I don't think so. You're trying to solve a tough routing problem, and that's not what we focused on in the data center course. We discussed something similar in the last Design Clinic and I could expand on that in one of the future sessions.