FWaaS with Neutron L3 Agent High Availability

Hi All!

I have 2 Neutron network nodes with simple L3 agent rescheduling on Kilo. I started to experiment with FWaaS, and what I found is that after an L3 agent dies and Neutron reschedules the router to the other node, the firewall won't be configured on the rescheduled router.

As I understand it, FWaaS in this reference design is an iptables ruleset in the virtual router namespace. After rescheduling, why are these iptables rules not recreated?

If I start to use L3 Agent HA mode with keepalived, would that make the firewall rules appear in both router namespaces? If yes, then what would happen in the case of a complete Neutron node loss, where Neutron would have to reschedule the lost router to another node? Would that mean that one of the routers would have the firewall rules and the other not?

I have a use case where it would be really nice to use perimeter firewalling on the virtual routers, but providing HA raises a lot of questions.

Thanks in advance!