Scale and Secure Hybrid Cloud Apps with F5

F5 Ecosystem | February 24, 2025

Our ever-changing digital landscape requires thinking outside the box when it comes to combining solutions to keep applications available, reliable, secure, and performing well on a global scale.

To that end, it makes sense to address this challenge from a simple point that most of us are familiar with: DNS workloads. More specifically, internal DNS workloads and external DNS workloads.

Deploying an on-prem DNS solution for internal app workloads and a cloud DNS solution for external app workloads can be a best practice.

While they’re similar in nature, having one single toolset to address both is not always the most efficient or secure practice. Asking too much of a DNS solution can lead to inefficiencies, security risks, increased latency, and excessive demands on compute resources. But one solution doesn’t have to address the demands of both workloads. Indeed, having a DNS service that exclusively handles internal application workloads alongside a solution dedicated exclusively to external application workloads means that those solutions can focus their resources on doing one job exceptionally well.

This is why having an on-prem DNS solution for internal app workloads and a cloud DNS solution to handle external app workloads can be a best practice for teams looking to separate the demands on their infrastructure. Leveraging two separate DNS solutions means never having to worry about micro-managing disparate traffic flows through one device. Let each solution do what it does best, and ask less of both overall.

Here is why dividing DNS workloads between internal and external resources can make sense.

1. Security

Keeping a dedicated DNS solution for internal apps minimizes the risk of exposing sensitive internal records to potential attacks originating from the public internet. A dedicated external DNS service can focus on protecting public-facing assets, implementing measures like distributed denial of service (DDoS) attack mitigation for external-facing zones.

2. Performance optimization

Internal DNS services can be tailored for low-latency queries and optimized specifically for intra-organization traffic. This is critical for large-scale or latency-sensitive applications. External DNS services can optimize delivery of external-facing applications, providing users with the fastest, most efficient path to the apps they need.

3. Scalability

Splitting internal and external DNS allows each service to scale independently based on its own traffic patterns and app requirements. External apps can see unpredictable traffic spikes and require scalable DNS services with robust caching and global coverage. Internal apps, in contrast, are at lower risk of seeing similar traffic spikes, thus requiring DNS services optimized for scalability within the infrastructure.

4. Compliance and visibility

Ensuring compliance with regulatory frameworks (e.g., GDPR, HIPAA) often requires greater control and visibility over DNS queries. Dedicated internal DNS systems can help meet these requirements. Dedicated services for external DNS can provide visibility specifically focused on end-user traffic patterns, domain health, and the success of external-facing applications.

5. Tailored management and features

Internal DNS services can support features like internal service discovery tailored to microservices architectures (e.g., SRV or NAPTR records). External DNS services can focus on tasks like global load balancing, CDN integration, or disaster recovery to ensure high availability for end users.

6. Operational simplicity

With a clear separation between DNS services, teams can better focus on the needs of internal versus external workloads without conflicting priorities or mixed configurations, simplifying troubleshooting by reducing complexity.
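The separation described in the Security point only holds if nothing internal ends up in the public zone. The following added example (not F5 code, and not tied to any F5 API) audits an exported external zone for records that expose internal addresses or internal-only names, including the SRV and NAPTR service-discovery records mentioned above. The simplified `name type rdata` line format, the internal suffixes, and the sample zone are assumptions constructed for illustration.

```python
import ipaddress

# Address space that should never be answered from a public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10",                           # IPv6 ULA, link-local
)]
# Assumption: suffixes this organization reserves for internal-only names.
INTERNAL_SUFFIXES = (".corp.example.com.", ".internal.")

# Constructed sample of an external zone export: "name type rdata" per line.
SAMPLE_EXTERNAL_ZONE = """\
www.example.com.            A      203.0.113.10
api.example.com.            AAAA   2001:db8::7
build.example.com.          A      10.20.30.40
wiki.example.com.           CNAME  wiki01.corp.example.com.
_ldap._tcp.example.com.     SRV    0 100 389 dc1.corp.example.com.
db.corp.example.com.        A      203.0.113.55
; comment line
"""

def is_internal_name(name):
    return name.lower().endswith(INTERNAL_SUFFIXES)

def audit_external_zone(zone_text):
    """Return (owner, type, reason) for each record that exposes internal data."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3:
            continue
        owner, rtype, rdata = fields[0], fields[1].upper(), fields[2:]
        if is_internal_name(owner):
            findings.append((owner, rtype, "internal-only name published"))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata[0])
            if any(addr.version == n.version and addr in n for n in INTERNAL_NETS):
                findings.append((owner, rtype, f"internal address {addr}"))
        elif rtype in ("CNAME", "SRV", "NAPTR"):
            target = rdata[-1]  # target/replacement is the last rdata field
            if is_internal_name(target):
                findings.append((owner, rtype, f"points at internal host {target}"))
    return findings

if __name__ == "__main__":
    for owner, rtype, reason in audit_external_zone(SAMPLE_EXTERNAL_ZONE):
        print(f"{owner:28} {rtype:6} {reason}")
```

An explicit network list is used instead of `ipaddress`'s `is_private` because that property also matches the documentation ranges used as stand-ins for public addresses in the sample.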

Arranging an environment like this when a team is coming from a single DNS solution can be tricky to say the least. How can a footprint expand without creating undue security or efficiency risks, while still keeping applications online and available? This is an especially pressing question when those external applications handle business-critical workflows that cannot be interrupted.

Getting there

Deploying new app delivery solutions that encompass both on-premises and cloud assets can create some challenges. Teams need a tool that facilitates the seamless expansion of apps across different environments while ensuring high availability and performance, so that apps are always available to users, even on an actively growing network.

A tool like F5 Distributed Cloud App Connect can help make this transition much easier for those teams who’ve decided that a dual DNS solution is right for them. Distributed Cloud App Connect helps teams adjust how public apps are delivered and extends F5 Distributed Cloud Services to apps hosted on F5 BIG-IP. For a team looking to use F5 Distributed Cloud DNS for their public-facing applications, Distributed Cloud App Connect can take care of the discovery, setup, and load balancing processes to make sure the migration is straightforward.

With the service discovery feature in Distributed Cloud App Connect, teams can use Distributed Cloud Services to identify any virtual servers running on BIG-IP, as long as they have extensibility to that BIG-IP server. One of the easiest ways to do this is to deploy a customer edge (CE) device as a virtual machine alongside a BIG-IP deployment, which creates a secure tunnel to the F5 Global Network and enables Distributed Cloud Services to apply to apps on BIG-IP.

Once the connection is created, teams can use Distributed Cloud App Connect to discover any set of virtual servers and create a catalog of applications to manage. Using Distributed Cloud DNS to create a subdomain, and Distributed Cloud App Connect to create a DNS record for the front end as well as an HTTP load balancer for the virtual server hosting the application, enables those public-facing applications to use Distributed Cloud DNS as the dedicated external DNS service. Any back-end services that the virtual server needs to access are only advertised to the front end, not to public users. This frees F5 BIG-IP DNS to focus on the critical internal workloads that keep organizations running. With applications on BIG-IP discovered by App Connect, teams can also bring security services like F5 Distributed Cloud Web App and API Protection (WAAP) to virtual servers on BIG-IP if they choose.

Stick around for more

For a more in-depth look at how these solutions can work together to expand your environment, be sure to watch this article’s accompanying video and read our DevCentral Deep Dive article, where we lay the groundwork for a successful footprint expansion. And if you’re ready to take the next step, contact us to learn how Distributed Cloud DNS can expand your environment and bring users more consistent, high-performing digital experiences.
