Chapter 10. Creating other kinds of load balancers
You use the Load-balancing service (octavia) to create the type of load balancer that matches the type of non-HTTP network traffic that you want to manage.
10.1. Creating a TCP load balancer
You can create a load balancer when you need to manage network traffic for non-HTTP, TCP-based services and applications. It is a best practice to also create a health monitor to ensure that your back-end members remain available.
Prerequisites
- A private subnet that contains back-end servers that host a custom application on a specific TCP port.
-
The back-end servers are configured with a health check at the URL path
/. - A shared external (public) subnet that you can reach from the internet.
Procedure
Source your credentials file.
Example
$ source ~/overcloudrc
Create a load balancer (
lb1) on the public subnet (public_subnet).NoteValues inside parentheses are sample values that are used in the example commands in this procedure. Substitute these sample values with ones that are appropriate for your site.
Example
$ openstack loadbalancer create --name lb1 --vip-subnet-id public_subnet
Verify the state of the load balancer.
Example
$ openstack loadbalancer show lb1
-
Before going to the next step, ensure that the
provisioning_statusisACTIVE. Create a
TCPlistener (listener1) on the specified port (23456) for which the custom application is configured.Example
$ openstack loadbalancer listener create --name listener1 --protocol TCP --protocol-port 23456 lb1
Create a pool (
pool1) and make it the default pool for the listener.Example
$ openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener listener1 --protocol TCP
Create a health monitor on the pool (
pool1) that connects to the back-end servers and probes the TCP service port.Example
$ openstack loadbalancer healthmonitor create --delay 15 --max-retries 4 --timeout 10 --type TCP pool1
Add the back-end servers (
192.0.2.10and192.0.2.11) on the private subnet (private_subnet) to the pool.Example
$ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.10 --protocol-port 80 pool1 $ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.11 --protocol-port 80 pool1
Verification
View and verify the load balancer (
lb1) settings.Example
$ openstack loadbalancer show lb1
Sample output
+---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | admin_state_up | True | | created_at | 2022-01-15T11:11:09 | | description | | | flavor | | | id | 788fe121-3dec-4e1b-8360-4020642238b0 | | listeners | 09f28053-fde8-4c78-88b9-0f191d84120e | | name | lb1 | | operating_status | ONLINE | | pools | 627842b3-eed8-4f5f-9f4a-01a738e64d6a | | project_id | dda678ca5b1241e7ad7bf7eb211a2fd7 | | provider | amphora | | provisioning_status | ACTIVE | | updated_at | 2022-01-15T11:12:42 | | vip_address | 198.51.100.11 | | vip_network_id | 9bca13be-f18d-49a5-a83d-9d487827fd16 | | vip_port_id | 69a85edd-5b1c-458f-96f2-b4552b15b8e6 | | vip_qos_policy_id | None | | vip_subnet_id | 5bd7334b-49b3-4849-b3a2-b0b83852dba1 | +---------------------+--------------------------------------+
When a health monitor is present and functioning properly, you can check the status of each member. Use the following command to obtain a member ID:
Example
$ openstack loadbalancer member list pool1
A working member (
b85c807e-4d7c-4cbd-b725-5e8afddf80d2) has anONLINEvalue for itsoperating_status.Example
$ openstack loadbalancer member show pool1 b85c807e-4d7c-4cbd-b725-5e8afddf80d2
Sample output
+---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | address | 192.0.2.10 | | admin_state_up | True | | created_at | 2022-01-15T11:11:09 | | id | b85c807e-4d7c-4cbd-b725-5e8afddf80d2 | | name | | | operating_status | ONLINE | | project_id | dda678ca5b1241e7ad7bf7eb211a2fd7 | | protocol_port | 80 | | provisioning_status | ACTIVE | | subnet_id | 5bd7334b-49b3-4849-b3a2-b0b83852dba1 | | updated_at | 2022-01-15T11:12:42 | | weight | 1 | | monitor_port | None | | monitor_address | None | | backup | False | +---------------------+--------------------------------------+
Additional resources
- loadbalancer in the Command Line Interface Reference
10.2. Creating a UDP load balancer with a health monitor
You can create a load balancer when you need to manage network traffic on UDP ports. It is a best practice to also create a health monitor to ensure that your back-end members remain available.
Prerequisites
- A private subnet that contains back-end servers that host one or more applications configured to use UDP ports.
- A shared external (public) subnet that you can reach from the internet.
- The back-end servers are configured with a UDP health check.
- No security rules that block ICMP Destination Unreachable messages (ICMP type 3).
Procedure
Source your credentials file.
Example
$ source ~/overcloudrc
Create a load balancer (
lb1) on a private subnet (private_subnet).NoteValues inside parentheses are sample values that are used in the example commands in this procedure. Substitute these sample values with ones that are appropriate for your site.
Example
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Verify the state of the load balancer.
Example
$ openstack loadbalancer show lb1
-
Before going to the next step, ensure that the
provisioning_statusisACTIVE. Create a listener (
listener1) on a port (1234).Example
$ openstack loadbalancer listener create --name listener1 --protocol UDP --protocol-port 1234 lb1
Create the listener default pool (
pool1).Example
$ openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener listener1 --protocol UDP
Create a health monitor on the pool (
pool1) that connects to the back-end servers by using UDP (UDP-CONNECT).Example
$ openstack loadbalancer healthmonitor create --delay 5 --max-retries 2 --timeout 3 --type UDP-CONNECT pool1
Add load balancer members (
192.0.2.10and192.0.2.11) on the private subnet (private_subnet) to the default pool.Example
$ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.10 --protocol-port 1234 pool1 $ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.11 --protocol-port 1234 pool1
Verification
View and verify the load balancer (
lb1) settings.Example
$ openstack loadbalancer show lb1
Sample output
+---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | admin_state_up | True | | created_at | 2022-01-15T11:11:09 | | description | | | flavor | | | id | 788fe121-3dec-4e1b-8360-4020642238b0 | | listeners | 09f28053-fde8-4c78-88b9-0f191d84120e | | name | lb1 | | operating_status | ONLINE | | pools | 627842b3-eed8-4f5f-9f4a-01a738e64d6a | | project_id | dda678ca5b1241e7ad7bf7eb211a2fd7 | | provider | amphora | | provisioning_status | ACTIVE | | updated_at | 2022-01-15T11:12:42 | | vip_address | 198.51.100.11 | | vip_network_id | 9bca13be-f18d-49a5-a83d-9d487827fd16 | | vip_port_id | 69a85edd-5b1c-458f-96f2-b4552b15b8e6 | | vip_qos_policy_id | None | | vip_subnet_id | 5bd7334b-49b3-4849-b3a2-b0b83852dba1 | +---------------------+--------------------------------------+
When a health monitor is present and functioning properly, you can check the status of each member. Use the following command to obtain a member ID:
Example
$ openstack loadbalancer member list pool1
A working member (
b85c807e-4d7c-4cbd-b725-5e8afddf80d2) has anONLINEvalue for itsoperating_status.Example
$ openstack loadbalancer member show pool1 b85c807e-4d7c-4cbd-b725-5e8afddf80d2
Sample output
+---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | address | 192.0.2.10 | | admin_state_up | True | | created_at | 2022-01-15T11:11:09 | | id | b85c807e-4d7c-4cbd-b725-5e8afddf80d2 | | name | | | operating_status | ONLINE | | project_id | dda678ca5b1241e7ad7bf7eb211a2fd7 | | protocol_port | 1234 | | provisioning_status | ACTIVE | | subnet_id | 5bd7334b-49b3-4849-b3a2-b0b83852dba1 | | updated_at | 2022-01-15T11:12:42 | | weight | 1 | | monitor_port | None | | monitor_address | None | | backup | False | +---------------------+--------------------------------------+
Additional resources
- loadbalancer in the Command Line Interface Reference
10.3. Creating a QoS-ruled load balancer
You can apply a Red Hat OpenStack Platform (RHOSP) Networking service (neutron) Quality of Service (QoS) policy to virtual IP addresses (VIPs) that use load balancers. In this way, you can use a QoS policy to limit incoming or outgoing network traffic that the load balancer can manage. It is a best practice to also create a health monitor to ensure that your back-end members remain available.
Prerequisites
- A private subnet that contains back-end servers that have been configured with an HTTP application on TCP port 80.
-
The back-end servers are configured with a health check at the URL path
/. - A shared external (public) subnet that you can reach from the internet.
- A QoS policy that contains bandwidth limit rules created for the RHOSP Networking service.
Procedure
Source your credentials file.
Example
$ source ~/overcloudrc
Create a network bandwidth QoS policy (
qos_policy_bandwidth) with a maximum 1024 kbps and a maximum burst rate of 1024 kb.NoteValues inside parentheses are sample values that are used in the example commands in this procedure. Substitute these sample values with ones that are appropriate for your site.
Example
$ openstack network qos policy create qos_policy_bandwidth $ openstack network qos rule create --type bandwidth-limit --max-kbps 1024 --max-burst-kbits 1024 qos-policy-bandwidth
Create a load balancer (
lb1) on the public subnet (public_subnet) by using a QoS policy (qos-policy-bandwidth).Example
$ openstack loadbalancer create --name lb1 --vip-subnet-id public_subnet --vip-qos-policy-id qos-policy-bandwidth
Verify the state of the load balancer.
Example
$ openstack loadbalancer show lb1
-
Before going to the next step, ensure that the
provisioning_statusisACTIVE. Create a listener (
listener1) on a port (80).Example
$ openstack loadbalancer listener create --name listener1 --protocol HTTP --protocol-port 80 lb1
Create the listener default pool (
pool1).Example
$ openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener listener1 --protocol HTTP
Create a health monitor on the pool that connects to the back-end servers and tests the path (
/).Example
$ openstack loadbalancer healthmonitor create --delay 15 --max-retries 4 --timeout 10 --type HTTP --url-path / pool1
Add load balancer members (
192.0.2.10and192.0.2.11) on the private subnet (private_subnet) to the default pool.Example
$ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.10 --protocol-port 80 pool1 $ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.11 --protocol-port 80 pool1
Verification
View and verify the listener (
listener1) settings.Example
$ openstack loadbalancer list
Sample output
+---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | admin_state_up | True | | created_at | 2022-01-15T11:11:09 | | description | | | flavor | | | id | 788fe121-3dec-4e1b-8360-4020642238b0 | | listeners | 09f28053-fde8-4c78-88b9-0f191d84120e | | name | lb1 | | operating_status | ONLINE | | pools | 627842b3-eed8-4f5f-9f4a-01a738e64d6a | | project_id | dda678ca5b1241e7ad7bf7eb211a2fd7 | | provider | amphora | | provisioning_status | ACTIVE | | updated_at | 2022-01-15T11:12:42 | | vip_address | 198.51.100.11 | | vip_network_id | 9bca13be-f18d-49a5-a83d-9d487827fd16 | | vip_port_id | 69a85edd-5b1c-458f-96f2-b4552b15b8e6 | | vip_qos_policy_id | cdfc3398-997b-46eb-9db1-ebbd88f7de05 | | vip_subnet_id | 5bd7334b-49b3-4849-b3a2-b0b83852dba1 | +---------------------+--------------------------------------+
In this example the parameter,
vip_qos_policy_id, contains a policy ID.
Additional resources
- loadbalancer in the Command Line Interface Reference
10.4. Creating a load balancer with an access control list
You can create an access control list (ACL) to limit incoming traffic to a listener to a set of allowed source IP addresses. Any other incoming traffic is rejected. It is a best practice to also create a health monitor to ensure that your back-end members remain available.
Prerequisites
- A private subnet that contains back-end servers that are configured with a custom application on TCP port 80.
-
The back-end servers are configured with a health check at the URL path
/. - A shared external (public) subnet that you can reach from the internet.
Procedure
Source your credentials file.
Example
$ source ~/overcloudrc
Create a load balancer (
lb1) on the public subnet (public_subnet).NoteValues inside parentheses are sample values that are used in the example commands in this procedure. Substitute these sample values with ones that are appropriate for your site.
Example
$ openstack loadbalancer create --name lb1 --vip-subnet-id public_subnet
Verify the state of the load balancer.
Example
$ openstack loadbalancer show lb1
-
Before going to the next step, ensure that the
provisioning_statusisACTIVE. Create a listener (
listener1) with the allowed CIDRs (192.0.2.0/24and198.51.100.0/24).Example
$ openstack loadbalancer listener create --name listener1 --protocol TCP --protocol-port 80 --allowed-cidr 192.0.2.0/24 --allowed-cidr 198.51.100.0/24 lb1
Create the listener default pool (
pool1).Example
$ openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener listener1 --protocol TCP
Create a health monitor on the pool that connects to the back-end servers and tests the path (
/).Example
$ openstack loadbalancer healthmonitor create --delay 15 --max-retries 4 --timeout 10 --type HTTP --url-path / pool1
Add load balancer members (
192.0.2.10and192.0.2.11) on the private subnet (private_subnet) to the default pool.Example
$ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.10 --protocol-port 80 pool1 $ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.11 --protocol-port 80 pool1
Verification
View and verify the listener (
listener1) settings.Example
$ openstack loadbalancer listener show listener1
Sample output
+-----------------------------+--------------------------------------+ | Field | Value | +-----------------------------+--------------------------------------+ | admin_state_up | True | | connection_limit | -1 | | created_at | 2022-01-15T11:11:09 | | default_pool_id | None | | default_tls_container_ref | None | | description | | | id | d26ba156-03c3-4051-86e8-f8997a202d8e | | insert_headers | None | | l7policies | | | loadbalancers | 2281487a-54b9-4c2a-8d95-37262ec679d6 | | name | listener1 | | operating_status | ONLINE | | project_id | 308ca9f600064f2a8b3be2d57227ef8f | | protocol | TCP | | protocol_port | 80 | | provisioning_status | ACTIVE | | sni_container_refs | [] | | timeout_client_data | 50000 | | timeout_member_connect | 5000 | | timeout_member_data | 50000 | | timeout_tcp_inspect | 0 | | updated_at | 2022-01-15T11:12:42 | | client_ca_tls_container_ref | None | | client_authentication | NONE | | client_crl_container_ref | None | | allowed_cidrs | 192.0.2.0/24 | | | 198.51.100.0/24 | +-----------------------------+--------------------------------------+
In this example the parameter,
allowed_cidrs, is set to allow traffic only from 192.0.2.0/24 and 198.51.100.0/24.To verify that the load balancer is secure, ensure that a request to the listener from a client whose CIDR is not in the
allowed_cidrslist; the request does not succeed.Sample output
curl: (7) Failed to connect to 203.0.113.226 port 80: Connection timed out curl: (7) Failed to connect to 203.0.113.226 port 80: Connection timed out curl: (7) Failed to connect to 203.0.113.226 port 80: Connection timed out curl: (7) Failed to connect to 203.0.113.226 port 80: Connection timed out
Additional resources
- loadbalancer in the Command Line Interface Reference
10.5. Creating an OVN load balancer
You can use the Red Hat OpenStack Platform (RHOSP) client to create a load balancer that manages network traffic in your RHOSP deployment. The RHOSP Load-Balancing service supports the neutron Modular Layer 2 plug-in with the Open Virtual Network mechanism driver (ML2/OVN).
Prerequisites
The ML2/OVN provider driver must be deployed.
ImportantThe OVN provider only supports Layer 4 TCP and UDP network traffic and the
SOURCE_IP_PORTload balancer algorithm. The OVN provider does not support health monitoring.- A private subnet that contains back-end servers that host a custom application on a specific TCP port.
- A shared external (public) subnet that you can reach from the internet.
Procedure
Source your credentials file.
Example
$ source ~/overcloudrc
Create a load balancer (
lb1) on the private subnet (private_subnet) using the--provider ovnargument.NoteValues inside parentheses are sample values that are used in the example commands in this procedure. Substitute these sample values with ones that are appropriate for your site.
Example
$ openstack loadbalancer create --name lb1 --provider ovn --vip-subnet-id private_subnet
Verify the state of the load balancer.
$ openstack loadbalancer show lb1
-
Before going to the next step, ensure that the
provisioning_statusisACTIVE. Create a listener (
listener1) that uses the protocol (tcp) on the specified port (80) for which the custom application is configured.NoteThe OVN provider only supports Layer 4 TCP and UDP network traffic.
Example
$ openstack loadbalancer listener create --name listener1 --protocol tcp --protocol-port 80 lb1
Create the listener default pool (
pool1).NoteThe only supported load-balancing algorithm for OVN is
SOURCE_IP_PORT.Example
$ openstack loadbalancer pool create --name pool1 --lb-algorithm SOURCE_IP_PORT --listener listener1 --protocol tcp
ImportantOVN does not support the health monitor feature for load-balancing.
Add the back-end servers (
192.0.2.10and192.0.2.11) on the private subnet (private_subnet) to the pool.Example
$ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.10 --protocol-port 80 pool1 $ openstack loadbalancer member create --subnet-id private_subnet --address 192.0.2.11 --protocol-port 80 pool1
Verification
View and verify the load balancer (
lb1) settings.Example
$ openstack loadbalancer show lb1
Sample output
+---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | admin_state_up | True | | created_at | 2022-01-15T11:11:09 | | description | | | flavor | | | id | 788fe121-3dec-4e1b-8360-4020642238b0 | | listeners | 09f28053-fde8-4c78-88b9-0f191d84120e | | name | lb1 | | operating_status | ONLINE | | pools | 627842b3-eed8-4f5f-9f4a-01a738e64d6a | | project_id | dda678ca5b1241e7ad7bf7eb211a2fd7 | | provider | ovn | | provisioning_status | ACTIVE | | updated_at | 2022-01-15T11:12:42 | | vip_address | 198.51.100.11 | | vip_network_id | 9bca13be-f18d-49a5-a83d-9d487827fd16 | | vip_port_id | 69a85edd-5b1c-458f-96f2-b4552b15b8e6 | | vip_qos_policy_id | None | | vip_subnet_id | 5bd7334b-49b3-4849-b3a2-b0b83852dba1 | +---------------------+--------------------------------------+
Run the
openstack loadbalancer listener showcommand to view the listener details.Example
$ openstack loadbalancer listener show listener1
Sample output
+-----------------------------+--------------------------------------+ | Field | Value | +-----------------------------+--------------------------------------+ | admin_state_up | True | | connection_limit | -1 | | created_at | 2022-01-15T11:13:52 | | default_pool_id | a5034e7a-7ddf-416f-9c42-866863def1f2 | | default_tls_container_ref | None | | description | | | id | a101caba-5573-4153-ade9-4ea63153b164 | | insert_headers | None | | l7policies | | | loadbalancers | 653b8d79-e8a4-4ddc-81b4-e3e6b42a2fe3 | | name | listener1 | | operating_status | ONLINE | | project_id | 7982a874623944d2a1b54fac9fe46f0b | | protocol | TCP | | protocol_port | 64015 | | provisioning_status | ACTIVE | | sni_container_refs | [] | | timeout_client_data | 50000 | | timeout_member_connect | 5000 | | timeout_member_data | 50000 | | timeout_tcp_inspect | 0 | | updated_at | 2022-01-15T11:15:17 | | client_ca_tls_container_ref | None | | client_authentication | NONE | | client_crl_container_ref | None | | allowed_cidrs | None | +-----------------------------+--------------------------------------+
Run the
openstack loadbalancer pool showcommand to view the pool (pool1) and load-balancer members.Example
$ openstack loadbalancer pool show pool1
Sample output
+----------------------+--------------------------------------+ | Field | Value | +----------------------+--------------------------------------+ | admin_state_up | True | | created_at | 2022-01-15T11:17:34 | | description | | | healthmonitor_id | | | id | a5034e7a-7ddf-416f-9c42-866863def1f2 | | lb_algorithm | SOURCE_IP_PORT | | listeners | a101caba-5573-4153-ade9-4ea63153b164 | | loadbalancers | 653b8d79-e8a4-4ddc-81b4-e3e6b42a2fe3 | | members | 90d69170-2f73-4bfd-ad31-896191088f59 | | name | pool1 | | operating_status | ONLINE | | project_id | 7982a874623944d2a1b54fac9fe46f0b | | protocol | TCP | | provisioning_status | ACTIVE | | session_persistence | None | | updated_at | 2022-01-15T11:18:59 | | tls_container_ref | None | | ca_tls_container_ref | None | | crl_container_ref | None | | tls_enabled | False | +----------------------+--------------------------------------+
Additional resources
- loadbalancer in the Command Line Interface Reference
