In my personal use, my OOB simply sit on a segmented VLAN that does not share any routing overlay or address space with my DC. It’s on a seperate VLAN to mitigate STP, DHCP overlap etc.

The use of OOB and iDRAC is to remotely administer your server/hypervisor should there be a problem (and sometimes also serves to help patch and firmware update kit). It doesn’t need to necessarily be internet facing, and I would discourage publicly exposing SSH to your hypervisor wherever possible.

In corporate environments, there are other methods to connect to the iDRAC (assuming all network isn’t down). You could use a VPN to connect to the corporate network, a jump box (via Azure Virtual Desktop or AWS Workspace) to name a few I’ve used.

https://docs.extrahop.com/9.4/configure-i-drac/

https://1gbits.com/blog/understanding-idrac-port/

It doesn’t matter which network you put iDRAC on, public or private. It’s your choice. You can have it on your main subnet and access the iDRAC like you would on any other device on your network.

OOB is a precautionary configuration only. Of course, you wouldn’t want to expose iDRAC to the Internet.

Set the iDRAC by enabling it, setting the password, IP, subnet and gateway. Then use a browser to connect and interact with the server as if you had a keyboard, mouse (gasp) and video screen connected to it.

iDRAC is just miniPC with access to the server hardware. You can plug that PC in whatever network or use VLAN. In datacenter/corporate infa they are connected to the separated network with very limited access to it.

It needs to be accessed from the internet, as well as the production network of course.

that’s generally a horrible idea.

The OOB management port let’s you access the console of the hardware via the network, rather than having to physically attach a mouse and keyboard. That’s the short version.

It is a separate IP address, in any business setting it will be on a separate network. In any decently secured environment, it will not be accessible directly from the Internet. It would normally be accessible only via a VPN or by being on-site.

So, OOB network is a different network used for management in case the production network goes down. It needs to be accessed from the internet, as well as the production network of course.

It doesn’t have to be a separate network. OOB management is more about being able to manage the hardware if the operating system has failed. So if you have to hard reboot a server, or otherwise see the console, but you don’t have to physically be in front of the machine.

Does that mean that two different edge devices need to be placed in the network, with two public IP addresses? (Firewall + Router) ?

No, it can have a different IP on the same network, though in business settings it’s generally a separate network.

Let’s say I have 5 servers running Linux or Windows Server, no virtual machines, will I be able to remotely access the server from the iDRAC interface? is it only through SSH or like RDP?

The iDRAC interface is like using a KVM remotely. It’s a remote keyboard and monitor for the server. You’re not connecting to the server from the iDRAC, the iDRAC Iis just ask alternate access method for the server in question.

Does the Dell server have to be like a hypervisor with VMs within, from me to manage them?

No. Again, it’s like you’re sitting in front of the server with a keyboard and monitor.

To access the management interface from the internet from a web browser I need port forwarding from public IP to the local management network correct?

DO NOT EVER EXPOSE IDRAC/OOB INTERFACES TO THE INTERNET. You clearly aren’t familiar with this, and exposing iDRACs to the Internet is a huge security issue. They are NOT well secured, and they give practically full access to the server. They say physical access is total access…iDRAC access isn’t far off from that.

Apart from the edge devices, do I need a routing device between the production and management network to access the production servers?

If they’re on different networks, yes.