
Octavia Health-check IP and Security group

asked 2019-07-03 05:05:26 -0500


Hello Community !
First, let me thank you for all the things you're doing for OpenStack, it's an amazing project!

So let's begin,
I'm trying to add a security group on instances that are load balanced with Octavia; the whole stack is launched with a Heat template.
When I create the rules (in the template), I'm able to get the IP dynamically from the LB and insert it into the security group, but when the stack is ready, the load balancer tells me that the instance is not working. After investigating (I deleted the S.G. and did a tcpdump on the instance), I discovered that the health check (TCP) is coming from another IP than the LB private IP (all those requests are in HTTP).

So, first question: why this choice of implementation for OpenStack? Second question: how can I get this special IP in a Heat template to add it into the security group and not leave my instance open to the whole world?

Many thanks !


1 answer


answered 2019-08-21 15:34:22 -0500


Hi there, and thank you for the kind words.

You are correct that requests from the load balancer to the "member" servers come from a dynamic IP address on the backend of the load balancer.

This allows users to add or remove members that are on both public and private subnets alike. When a user adds a member to the load balancer pool, we hot plug the network and subnet into the load balancer (If it is not already). This hot-plug process causes neutron to issue us an IP address on that subnet.

The other action that makes this tricky is the load balancer failover mechanism: should a load balancer have a failure, the Octavia controllers will replace it with a working load balancer. This applies to both standalone and active/standby load balancers. When this failover occurs, the source IP will change.

Currently we don't have a mechanism in Octavia that would allow you to set a security group on the member server ports that would restrict it down to only the load balancer source IP. I think there is an open bug for this use case, but I was unable to find it in storyboard. One proposal was to leverage FWaaS shared security groups, but this functionality has not yet landed in the FWaaS project.

There are a couple of workarounds until we come up with a solution to this:
1. Put the members on a private network/subnet and firewall this at the router, or restrict access to members of the subnet only. Since Octavia will plug a port into the network/subnet, it will be local behind this firewall.
2. Add a security group to the members that only allows the member subnet access.

I hope that helps.

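The second workaround in the answer above, written out as a Heat template. This is an added example, not the original poster's template or anything from the Octavia project; the parameter names, the 10.20.0.0/24 CIDR, the backend port 80 and the resource names are all assumptions. The point it shows is that the member security group never references the load balancer's address at all: because Octavia hot-plugs a port into the member subnet, the amphora's backend address (whatever it is after a failover) is always inside that subnet's CIDR, so a single `remote_ip_prefix` rule keyed on the subnet admits the health checks while keeping the member closed to everything else. The caveat is the one the answer gives: every other port on that subnet is admitted too, so keep the subnet private.

```yaml
heat_template_version: 2018-08-31

description: >
  Added example (not the poster's stack): web members behind an Octavia
  load balancer, with a security group that only admits the member subnet.

parameters:
  member_network:
    type: string
    description: Existing private network for the members (assumed to exist)
  member_subnet_cidr:
    type: string
    default: 10.20.0.0/24          # assumed CIDR
  vip_subnet:
    type: string
    description: Existing subnet for the VIP; may differ from the member subnet
  image:
    type: string
  flavor:
    type: string

resources:
  member_subnet:
    type: OS::Neutron::Subnet
    properties:
      network: { get_param: member_network }
      cidr: { get_param: member_subnet_cidr }
      ip_version: 4

  member_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      description: Backend traffic from the member subnet only
      rules:
        # Octavia plugs a port into member_subnet when the member is added,
        # so the health-check source (even after a failover) lies in this CIDR.
        # Deliberately no 0.0.0.0/0 rule and no reference to the VIP address.
        - direction: ingress
          protocol: tcp
          port_range_min: 80
          port_range_max: 80
          remote_ip_prefix: { get_attr: [member_subnet, cidr] }

  member:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks:
        - subnet: { get_resource: member_subnet }
      security_groups:
        - { get_resource: member_sg }

  lb:
    type: OS::Octavia::LoadBalancer
    properties:
      vip_subnet: { get_param: vip_subnet }

  listener:
    type: OS::Octavia::Listener
    properties:
      loadbalancer: { get_resource: lb }
      protocol: HTTP
      protocol_port: 80

  pool:
    type: OS::Octavia::Pool
    properties:
      listener: { get_resource: listener }
      lb_algorithm: ROUND_ROBIN
      protocol: HTTP

  monitor:
    type: OS::Octavia::HealthMonitor
    properties:
      pool: { get_resource: pool }
      type: TCP
      delay: 5
      timeout: 3
      max_retries: 3

  member_in_pool:
    type: OS::Octavia::PoolMember
    properties:
      pool: { get_resource: pool }
      address: { get_attr: [member, first_address] }
      protocol_port: 80
      # Passing the member subnet is what triggers the hot-plug described above.
      subnet: { get_resource: member_subnet }

outputs:
  vip_address:
    value: { get_attr: [lb, vip_address] }
```

To confirm the rule is doing its job after `openstack stack create`, repeat the tcpdump from the question on the member: the TCP health checks should now arrive from an address inside `member_subnet_cidr` and the pool member should report ONLINE, while a connection attempt from outside that CIDR is dropped by the security group.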


Last updated: Aug 21 '19