Tuesday, May 5, 2020

Which is the better design for making a server reachable from both the LAN and the WAN?

Configuration A:

The server, name.domain.tld, has the private IP 10.1.0.2 and sits either on the same subnet as the internal clients or on a separate one. Internal DNS resolves the name to this private IP, so internal clients connect to the server directly by its private address. External DNS resolves the name to the public IP, which the edge device statically NATs to the server's private IP.

Configuration B:

The same server, name.domain.tld, but placed on a different subnet than the internal clients. Internal DNS and external DNS both resolve the name to the public IP. Requests from internal and external clients alike traverse the firewall, which statically NATs both to the server's private IP.
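To make the difference between the two designs concrete, here is a small path model, added as an example and not part of the original post. It resolves name.domain.tld from an internal and an external vantage point, follows the flow through the edge device, and reports whether the server is reached and whether the edge firewall's policy ever applied to that flow. Only 10.1.0.2 comes from the post; the LAN range 10.1.0.0/24, the server subnet 10.1.1.0/24 with server 10.1.1.2 for configuration B, the public IP 203.0.113.10 and the client addresses are constructed, and configuration A is modelled with the server on the client subnet (the "same subnet" variant). The model also includes a configuration B edge that lacks NAT reflection (hairpin NAT), which is the failure mode to test for with that design.

```python
"""Model of the two server-publication designs (split-horizon DNS vs.
hairpin NAT): which path a client's traffic takes and whether the edge
firewall ever sees it. Addresses other than 10.1.0.2 are constructed."""
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address

LAN = ipaddress.ip_network("10.1.0.0/24")   # assumed internal client subnet
DMZ = ipaddress.ip_network("10.1.1.0/24")   # assumed server subnet for configuration B
PUBLIC_IP = ip("203.0.113.10")              # constructed public address (RFC 5737 range)


@dataclass(frozen=True)
class Config:
    name: str
    server_private: ipaddress.IPv4Address   # where the edge DNATs the public IP to
    internal_answer: ipaddress.IPv4Address  # what the internal resolver returns
    external_answer: ipaddress.IPv4Address  # what the public resolver returns
    hairpin_nat: bool                       # edge reflects LAN -> PUBLIC_IP back inside?


# Configuration A: split-horizon DNS; server on the client subnet (the post's 10.1.0.2).
CONFIG_A = Config("A", ip("10.1.0.2"), ip("10.1.0.2"), PUBLIC_IP, hairpin_nat=False)
# Configuration B: one answer everywhere; server on its own subnet behind the edge.
CONFIG_B = Config("B", ip("10.1.1.2"), PUBLIC_IP, PUBLIC_IP, hairpin_nat=True)
# Configuration B on an edge device without NAT reflection: the failure mode to check for.
CONFIG_B_NO_HAIRPIN = Config("B-nohairpin", ip("10.1.1.2"), PUBLIC_IP, PUBLIC_IP, hairpin_nat=False)


def resolve(cfg, client_ip):
    """Split-horizon behaviour: the answer depends on which resolver the client asks."""
    return cfg.internal_answer if client_ip in LAN else cfg.external_answer


def trace(cfg, client_ip):
    """Follow a connection to name.domain.tld from client_ip.

    Returns (reached, seen_by_edge, hops): whether the server is reached,
    whether the edge firewall's policy applied to the flow, and the path taken."""
    client_ip = ip(client_ip)
    dst = resolve(cfg, client_ip)
    hops = [f"dns={dst}"]
    internal = client_ip in LAN

    # Same subnet: client and server talk directly at layer 2, so neither
    # the firewall policy nor any NAT rule is involved in this flow.
    if internal and dst in LAN:
        hops.append("direct-on-lan")
        return True, False, hops

    # Anything else is routed via the edge device, where policy is enforced.
    hops.append("edge-firewall")
    if dst == PUBLIC_IP:
        if internal and not cfg.hairpin_nat:
            # Classic symptom: works from the Internet, fails from the LAN.
            hops.append("dropped:no-nat-reflection")
            return False, True, hops
        hops.append(f"dnat->{cfg.server_private}")
        dst = cfg.server_private
    hops.append(f"delivered={dst}")
    return True, True, hops


def check_consistency(cfg, client_ips):
    """Defender's check: which clients reach the server, and which flows bypass the edge."""
    return {
        str(c): {"reached": r, "seen_by_edge": s, "path": " -> ".join(h)}
        for c, (r, s, h) in ((c, trace(cfg, c)) for c in client_ips)
    }


if __name__ == "__main__":
    clients = ["10.1.0.50", "198.51.100.7"]  # constructed: one internal, one on the Internet
    for cfg in (CONFIG_A, CONFIG_B, CONFIG_B_NO_HAIRPIN):
        print(cfg.name)
        for c, res in check_consistency(cfg, clients).items():
            print(f"  {c:>14}  reached={res['reached']!s:5}  "
                  f"seen_by_edge={res['seen_by_edge']!s:5}  {res['path']}")
```

Running it shows the two properties the question turns on: under configuration A the internal flow never touches the edge (so the edge's policy, logging and inspection do not apply to it), while under configuration B every flow does, at the cost of requiring the edge device to support NAT reflection for internal clients.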

---

Quick+dirty illustration: https://imgur.com/MPFX1AR

---

I favor configuration B - it makes more sense to me. I've never liked split-brain scenarios when it seems they're easily avoidable. But I work in the SMB space, which means two things: 1. I don't get to see much public-facing configuration done by others, so I don't have a good sense of what's standard, and 2. when I do see public-facing configuration done by others, they don't even bother segregating publicly-accessible systems at all, so I can't really ever gauge what's correct by what I see others doing.

Seems to me that in most SMB cases, either configuration will work about as well as the other. But are there pros and cons to each? Or is one configuration the clear-cut better or correct method? Or is there a third method of which I'm not even thinking?


