
Load Balancer

The following HowTo describes how to configure a Load Balancer (LB) with the OpenStack client (OSC) using a Floating IP. Please note the Disclaimer. Many more LB configuration examples can be found in the Octavia Basic Cookbook.

It can be advantageous to use a Floating IP address for the VIP of a Load Balancer: the Floating IP stays under your control, so clients keep the same public address even if the Load Balancer has to be destroyed, moved, or recreated.

Note

Load balancing over IPv6 is not possible with the method described here, because Neutron Floating IPs only work with IPv4.

HTTP LoadBalancer Configuration

  • The backend servers 192.0.2.10 and 192.0.2.11 in the private-subnet were configured with an HTTP application on TCP Port 80.
  • These backend servers were configured with a Health Check under the URL path "/healthcheck". See Octavia Basic Cookbook HTTP Health Monitors.
  • The Neutron network public is a shared external network created by the cloud operator and accessible via the internet.
  • An HTTP LoadBalancer accessible from the internet via a Floating IP is to be configured, distributing web requests to the backend servers and checking the path "/healthcheck" to ensure backend availability.

Solution:

  • Create the Load Balancer lb1 in the private-subnet.
  • Create a Listener listener1.
  • Create the Pool pool1 as the default pool for listener1.
  • Create a Health Monitor on pool1 that tests the path "/healthcheck".
  • Add members 192.0.2.10 and 192.0.2.11 in the private-subnet to pool1.
  • Create a free floating IP address in public.
  • Associate this Floating IP with the VIP port of lb1.

CLI Commands:

openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet
# Re-run the following until lb1 shows ACTIVE and ONLINE statuses:
openstack loadbalancer show lb1
openstack loadbalancer listener create --name listener1 --protocol HTTP --protocol-port 80 lb1
openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener listener1 --protocol HTTP
openstack loadbalancer healthmonitor create --delay 5 --max-retries 4 --timeout 10 --type HTTP --url-path /healthcheck pool1
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.10 --protocol-port 80 pool1
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.11 --protocol-port 80 pool1
openstack floating ip create public
# <load_balancer_vip_port_id> is the vip_port_id shown by "openstack loadbalancer show lb1";
# <floating_ip_id> is the id printed by "openstack floating ip create public"
openstack floating ip set --port <load_balancer_vip_port_id> <floating_ip_id>

HTTPS Terminated Load Balancer

  • On the backend servers 192.0.2.10 and 192.0.2.11 in the private-subnet, an HTTP application is configured on TCP Port 80
  • A TLS certificate (server.crt), its private key (server.key), and the issuing CA chain (ca-chain.crt) for the domain www.example.com have been obtained from a certificate authority such as Let's Encrypt
  • The private key must be stored unencrypted (no passphrase)
  • The goal is a TLS-terminated HTTPS Load Balancer reachable from the internet: the listener terminates TLS for incoming connections, and requests from the Load Balancer to the backend servers are forwarded as plain HTTP, so that hop inside the private-subnet carries unencrypted traffic
  • The certificate, chain and private key are stored as one PKCS12 bundle in OpenStack Barbican (Key Manager) and referenced by the listener

HTTPS Terminated Load Balancer Configuration

  • Creation of a PKCS12 file containing server.crt, server.key, and ca-chain.crt
  • Creation of a Barbican Secret (tls_secret1) to store the PKCS12 file
  • Creation of the Load Balancer lb2 in the private-subnet
  • Creation of an LB Listener named listener2 with the TERMINATED_HTTPS protocol, using tls_secret1 as its default TLS container
  • Creation of the Pool pool2 as the default pool for listener2
  • Adding backends 192.0.2.10 and 192.0.2.11 from private-subnet to pool2
  • Requesting a Floating IP address from public
  • Associating the Floating IP with the VIP port of the Load Balancer lb2

Generating an HTTPS Load Balancer with the CLI

# Create a P12 archive
openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca-chain.crt -passout pass: -out server.p12

# Store the Secret in Barbican
openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"

# Create LoadBalancer
openstack loadbalancer create --name lb2 --vip-subnet-id private-subnet

# Repeat the following command until lb2 shows ACTIVE and ONLINE status
openstack loadbalancer show lb2

# Create Listener for the LoadBalancer
openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener2 --default-tls-container-ref "$(openstack secret list | awk '/ tls_secret1 / {print $2}')" lb2

# Create Pool
openstack loadbalancer pool create --name pool2 --lb-algorithm ROUND_ROBIN --listener listener2 --protocol HTTP

# Add Members to Pool
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.10 --protocol-port 80 pool2
openstack loadbalancer member create --subnet-id private-subnet --address 192.0.2.11 --protocol-port 80 pool2

# Create Floating IP
openstack floating ip create public

# Assign the Floating IP to the LoadBalancer: <load_balancer_vip_port_id> is the vip_port_id
# shown by "openstack loadbalancer show lb2", <floating_ip_id> the id printed by "openstack floating ip create public"
openstack floating ip set --port <load_balancer_vip_port_id> <floating_ip_id>
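The two procedures above (HTTP on port 80, and TLS-terminated HTTPS on port 443 with a Barbican secret) share the same skeleton: create the LB, wait for it, add listener, pool, health monitor and members, then bind a Floating IP to the VIP port. The following script is an added example and is not part of the original HowTo or of Octavia itself. It automates both procedures and polls the LB's provisioning_status/operating_status between steps instead of asking you to re-run "openstack loadbalancer show" by hand. It assumes the openstack CLI with the octavia and barbican plugins is installed and authenticated (OS_CLOUD or OS_* variables); lb1, lb2, private-subnet, public, tls_secret1 and the server.* files are the page's names, while the function names, the derived listener/pool/healthmonitor names and the assumption that "openstack secret store" honours the -f/-c formatter flags are mine.

```shell
#!/bin/sh
# Added example, not part of the original HowTo or of Octavia. It automates
# both procedures on this page (HTTP on port 80, TLS-terminated HTTPS on 443)
# with a Floating IP on the VIP port, and polls the load balancer between
# steps instead of asking you to re-run "openstack loadbalancer show" by hand.
# Assumptions: the openstack CLI with the octavia and barbican plugins is
# installed and authenticated (OS_CLOUD or OS_* variables); lb1, lb2,
# private-subnet, public, tls_secret1 and server.* are the page's names; the
# function names and the derived listener/pool/healthmonitor names are mine.
set -eu

# Read one column of a "show" command as a bare value.
field() {            # field <resource> <name-or-id> <column>
  openstack "$1" show "$2" -f value -c "$3"
}

# Poll until the LB is ACTIVE/ONLINE. Every create below puts the LB into
# PENDING_*; the next API call issued before it returns to ACTIVE is rejected
# with an "immutable" (409) error, so this runs after each step.
wait_for_lb() {      # wait_for_lb <lb> [max_polls]   (POLL_INTERVAL seconds apart, default 5)
  lb=$1; max=${2:-60}; n=0
  while [ "$n" -lt "$max" ]; do
    prov=$(field loadbalancer "$lb" provisioning_status)
    oper=$(field loadbalancer "$lb" operating_status)
    case "$prov/$oper" in
      ACTIVE/ONLINE) return 0 ;;
      ERROR/*) echo "$lb: provisioning_status is ERROR" >&2; return 1 ;;
    esac
    n=$((n + 1)); sleep "${POLL_INTERVAL:-5}"
  done
  echo "$lb: still $prov/$oper after $max polls" >&2; return 1
}

# Bundle key, certificate and chain into an unencrypted PKCS12, upload it to
# Barbican and print the secret href, which is what the TERMINATED_HTTPS
# listener's --default-tls-container-ref takes. Assumes "openstack secret
# store" honours the usual -f/-c formatter flags.
store_tls_secret() { # store_tls_secret <secret-name> <key> <cert> <chain>
  openssl pkcs12 -export -inkey "$2" -in "$3" -certfile "$4" \
    -passout pass: -out "$1.p12"
  openstack secret store --name "$1" -t application/octet-stream -e base64 \
    --payload "$(base64 < "$1.p12")" -f value -c "Secret href"
}

# Create the LB, listener, pool, /healthcheck monitor and members, then print
# the VIP port ID. PROTO is HTTP or TERMINATED_HTTPS; SECRET is the Barbican
# href for TERMINATED_HTTPS and "" otherwise. Backends speak plain HTTP on 80.
build_lb() {         # build_lb <lb> <vip-subnet> <proto> <port> <secret-href> <member-ip>...
  lb=$1; subnet=$2; proto=$3; port=$4; secret=$5; shift 5
  openstack loadbalancer create --name "$lb" --vip-subnet-id "$subnet" \
    -f value -c id >/dev/null
  wait_for_lb "$lb"
  if [ "$proto" = TERMINATED_HTTPS ]; then
    openstack loadbalancer listener create --name "$lb-listener" \
      --protocol TERMINATED_HTTPS --protocol-port "$port" \
      --default-tls-container-ref "$secret" "$lb" -f value -c id >/dev/null
  else
    openstack loadbalancer listener create --name "$lb-listener" \
      --protocol "$proto" --protocol-port "$port" "$lb" -f value -c id >/dev/null
  fi
  wait_for_lb "$lb"
  openstack loadbalancer pool create --name "$lb-pool" --lb-algorithm ROUND_ROBIN \
    --listener "$lb-listener" --protocol HTTP -f value -c id >/dev/null
  wait_for_lb "$lb"
  openstack loadbalancer healthmonitor create --name "$lb-hm" --delay 5 \
    --max-retries 4 --timeout 10 --type HTTP --url-path /healthcheck \
    "$lb-pool" -f value -c id >/dev/null
  wait_for_lb "$lb"
  for ip in "$@"; do
    openstack loadbalancer member create --subnet-id "$subnet" --address "$ip" \
      --protocol-port 80 "$lb-pool" -f value -c id >/dev/null
    wait_for_lb "$lb"
  done
  field loadbalancer "$lb" vip_port_id
}

# Allocate a Floating IP on the external network, bind it to the VIP port and
# print the address clients should use.
attach_fip() {       # attach_fip <vip-port-id> <external-network>
  fip_id=$(openstack floating ip create "$2" -f value -c id)
  openstack floating ip set --port "$1" "$fip_id"
  openstack floating ip show "$fip_id" -f value -c floating_ip_address
}

# Usage: sh lb-with-fip.sh http   (lb1, HTTP :80)
#        sh lb-with-fip.sh https  (lb2, TERMINATED_HTTPS :443 using tls_secret1)
if [ "$#" -ge 1 ]; then
  case "$1" in
    http)  vip=$(build_lb lb1 private-subnet HTTP 80 "" 192.0.2.10 192.0.2.11) ;;
    https) href=$(store_tls_secret tls_secret1 server.key server.crt ca-chain.crt)
           vip=$(build_lb lb2 private-subnet TERMINATED_HTTPS 443 "$href" 192.0.2.10 192.0.2.11) ;;
    *)     echo "usage: $0 http|https" >&2; exit 2 ;;
  esac
  echo "load balancer reachable at $(attach_fip "$vip" public)"
fi
```

Two caveats when running this for real. First, the waits are not cosmetic: Octavia rejects any change to a load balancer that is still PENDING_CREATE or PENDING_UPDATE, so a script that fires the commands back to back fails at the second one; recent python-octaviaclient releases also accept a --wait flag on the create commands, which can replace the polling loop. Second, on deployments where the Octavia service user is not allowed to read tenant secrets, the listener create fails until that user is granted read access to the secret (the "openstack acl user add" step in the Octavia TLS cookbook); grant it before calling build_lb for the TERMINATED_HTTPS case.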

Note

Further instructions for generating an SNI HTTPS Load Balancer (multiple domains or a wildcard certificate) can be found at the following link: Deploy a TLS-terminated HTTPS load balancer with SNI