Skip to content

L7 Policies Load Balancing

A layer 7 load balancer consists of a listener that accepts requests on behalf of a number of back-end pools. The requests are distributed to pools based on policies that use application data to make load balancing decisions. Please consult the Upstream documentation to learn more about the L7 Load Balancing. This documentation is inspired from Octavia L7 Cookbook.

Concepts

  • Logical Diagram of a single listener

     +---+---+     +---------------+        +---+---+
 |Pool 1 +-----+               +--------+Pool 2 |
 +-------+     | Load Balancer |        +-------+
               |               |
               |               |
               +-------+-------+
                       |
                +------v-------+
                |   Listener   |
                | Port 80/HTTP |
                |              |
                |Default Pool1 |
                +------ -------+
                |              |
          +-----+-----+  +-----+-----+
          | L7 Policy |  | L7 Policy |
          +-----+-----+  +-----+-----+
                |              |
             +--+---+       +--+---+
             |Rule 1|       |Rule 1|
             +------+       +------+
             |Rule 2|       |Rule 2|
             +------+       +------+
             |Rule N|       |Rule N|
             +------+       +------+

Info

  • Shared pools

To use the L7 policies, we have to attach pools to a load balancer instead of associating them with listeners. This feature brings a lot of flexibility because pools can now be shared among different listeners.

  • Default Pool

If a request doesn't match any L7 policy then it is routed to the listener’s default pool. If no default pool is set for a listener and the request doesn't match any L7 policy, then an error is returned.

  • Supported Listener Protocols

The diagram shows that L7 policies are applied to the listener. L7 policies work only for listener with protocol type HTTP and TLS_TERMINATED because L7 policies make load balancing decisions based on layer 7 (application) data.

L7 Policy

An L7 Policy contains one or more L7 rules. We can specify what action to take if all the rules for an L7 policy are satisfied.

Possible actions for an L7 policy are the following:

REJECT: The request is denied and not forwarded to any back-end pool.
REDIRECT_TO_URL: The request is sent an HTTP redirect to the URL defined in the redirect-url parameter.
REDIRECT_TO_POOL: The request is forwarded to the back-end pool defined in the redirect-pool parameter.

When multiple L7 policies are attached to listeners, we can control the order of policy processing by specifying the policy position parameter. Since our load balancing solution is based on HaProxy, the following policy precedence rules are applied despite of the policy positioning:

REJECT policies take precedence over all other policies.
REDIRECT_TO_URL policies take precedence over REDIRECT_TO_POOL policies.
REDIRECT_TO_POOL policies are only evaluated after all of the above, and in the order specified by the position of the policy.

L7 Rule

An L7 rule specifies a condition that returns either True or False. Multiple L7 rules can be attached to a single L7 policy. Results from all the rules within an L7 Policy are logically ANDed together.

Types of L7 Rules:

HOST_NAME: The rule does a comparison between the HTTP/1.1 hostname in the request against the value parameter in the rule.
PATH: The rule compares the path portion of the HTTP URI against the value parameter in the rule.
FILE_TYPE: The rule compares the last portion of the URI against the value parameter in the rule. (eg. “txt”, “jpg”, etc.)
HEADER: The rule looks for a header defined in the key parameter and compares it against the value parameter in the rule.
COOKIE: The rule looks for a cookie named by the key parameter and compares it against the value parameter in the rule.

L7 rules perform a comparison based on the comparison type specified in the rule.

Supported comparison types are shown below:

REGEX: regular expression matching
STARTS_WITH: String starts with
ENDS_WITH: String ends with
CONTAINS: String contains
EQUAL_TO: String is equal to

Invert

It is possible to invert the result of an L7 rule by setting the invert parameter to True. For example when the inverted flag is set, the EQUAL_TO comparison becomes "not equals to", STARTS_WITH becomes "doesn't starts with" etc.

Scenario

This section present a scenario for L7 policies usage.

  1. Redirect HTTP requests to VM1 or VM2 regarding the url 

          +-----+                                +-----+
      | VM1 |                                | VM2 |
      +-----+                                +-----+
         |                                      |
     +---+---+     +---------------+        +---+---+
     |Pool 1 +-----+               +--------+Pool 2 |
     +-------+     | Load Balancer |        +-------+
                   | loadbalancer1 |
                   |               |
                   +-------+-------+
                           |
                    +------v-------+
                    |   Listener   |
                    | Port 80/HTTP |
                    |              |
                    |Default Pool1 |
                    +------ -------+
                    |              |
              +-----+-----+  +-----+-----+
              | L7 Policy |  | L7 Policy |
              +-----+-----+  +-----+-----+
                    |              |
 +------------------v---+      +---v------------------+
 |  redirect_to_pool1   |      |  redirect_to_pool2   |
 |                      |      |                      |
 |    redirect url:     |      |    redirect url:     |
 |    http://url1       |      |    http://url2       |
 +-------+--------------+      +-------+--------------+
         |                             |
 +-------v------------------+  +-------v------------------+
 |          L7 rule         |  |          L7 rule         |
 |type: PATH                |  |type: PATH                |
 |compare-type: EQUAL_TO    |  |compare-type: EQUAL_TO    |
 |value: /url1              |  |value: /url2              |
 +--------------------------+  +--------------------------+

  2. create a loadbalancer

    openstack loadbalancer create --name loadbalancer1 --vip-network-id ext-net1

  3. create the first pool and attach it to the loadbalancer

    openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --loadbalancer loadbalancer1 --protocol HTTP
openstack loadbalancer member create --name VM1 --address <VM1_ADDRESS> --protocol-port 80 pool1

  4. create the second pool and attach it to the loadbalancer

    openstack loadbalancer pool create --name pool2 --lb-algorithm ROUND_ROBIN --loadbalancer loadbalancer1 --protocol HTTP
openstack loadbalancer member create --name VM2 --address <VM2_ADDRESS> --protocol-port 80 pool2

  5. create a listener for port 80

    openstack loadbalancer listener create --name http_listener --protocol HTTP --protocol-port 80 loadbalancer1

  6. set pool1 as a default pool for http_listener (all traffic which doesn't match a l7 rule will be redirected to this backend. Optional)

    openstack loadbalancer listener set --default-pool pool1 http_listener

  7. create a L7 policy for both pools

    openstack loadbalancer l7policy create --action REDIRECT_TO_POOL --redirect-pool pool1 --name redirect_to_pool1 http_listener
openstack loadbalancer l7policy create --action REDIRECT_TO_POOL --redirect-pool pool2 --name redirect_to_pool2 http_listener

  8. attach the L7 rules to the policies

    openstack loadbalancer l7rule create --compare-type EQUAL_TO --type PATH --value /url1 redirect_to_pool1
openstack loadbalancer l7rule create --compare-type EQUAL_TO --type PATH --value /url2 redirect_to_pool2