
Load Balancers (Octavia)

Load Balancing as a Service (LBaaS) provides load balancing behind a virtual IP (VIP). On the OpenStack platform it is delivered by Octavia: users get on-demand, configurable load balancers for their applications as a managed service, hence the name Load Balancing as a Service.

This section presents a full use case; other examples are available in the official Octavia documentation.

Basic object concepts

loadbalancer: the root object of the load balancing service, on which the user defines, configures and operates load balancing. Technically, a loadbalancer is implemented by amphora VMs running haproxy, with VRRP providing failover of the VIP between them.

VIP: the IP address associated with the loadbalancer; clients connect to it.

Listener: belongs to a loadbalancer; the user configures how the VIP is reached from outside (protocol, port). Technically, it corresponds to a haproxy frontend (listen) section.

Pool: belongs to a listener and holds the backend configuration (balancing algorithm, session persistence). Technically, this is the backend section of haproxy.

Member: belongs to a pool; a member is the IP address and port of a real backend, here a virtual machine. Technically, it corresponds to the lines starting with `server` in the backend section of `haproxy`.

Health Monitor: belongs to a pool and periodically checks each member of the pool. Technically, it corresponds to the check parameters of the backend section in haproxy.

L7 Policy: a layer-7 forwarding policy describing what to do with a matching request (e.g. forward to a pool, redirect to a URL, reject the request).

L7 Rule: a layer-7 matching rule attached to an L7 Policy; it describes what the policy matches on (e.g. a hostname, a path prefix, a header or cookie value).

Usecase 1 : 2 virtual machines on a private network + 1 loadbalancer with a public IP

The load balancer will also be used to reach the 2 backend virtual machines over SSH.

  • Step 1: create 1 private network + 1 private subnet
  • Step 2: create 2 virtual machines on a private network which will be our HTTP backend
  • Step 3: create 1 loadbalancer with a public IP in front of the 2 virtual machines
  • Step 4: Configure the loadbalancer
  • Step 5: configure a basic HTTP server
  • Step 6: Health monitor
  • Step 7: Add TLS termination


Step 1: create 1 private network + 1 private subnet

taylor@laptop:~$ openstack network create mynetwork
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2021-03-30T08:41:23Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | d0cbd844-4955-494a-a5ac-a43961696df1 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | mynetwork                            |
| port_security_enabled     | True                                 |
| project_id                | ac4fafd60021431585bbb23470119557     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2021-03-30T08:41:23Z                 |
+---------------------------+--------------------------------------+
taylor@laptop:~$ openstack subnet create mysubnet --network mynetwork --dhcp --subnet-range 10.10.10.0/24 --dns-nameserver 83.166.143.51 --dns-nameserver 83.166.143.52 --allocation-pool start=10.10.10.100,end=10.10.10.200

+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 10.10.10.100-10.10.10.200            |
| cidr                 | 10.10.10.0/24                        |
| created_at           | 2021-03-30T08:41:32Z                 |
| description          |                                      |
| dns_nameservers      | 83.166.143.51, 83.166.143.52         |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 10.10.10.1                           |
| host_routes          |                                      |
| id                   | 23409bfe-3047-4c31-bf5f-18d048846758 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | mysubnet                             |
| network_id           | d0cbd844-4955-494a-a5ac-a43961696df1 |
| prefix_length        | None                                 |
| project_id           | ac4fafd60021431585bbb23470119557     |
| revision_number      | 0                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2021-03-30T08:41:32Z                 |
+----------------------+--------------------------------------+

Step 2: create 2 virtual machines on a private network

taylor@laptop:~$ openstack server create --key-name yubikey-taylor --flavor a1-ram2-disk20-perf1 --image "debian-10.8.0-openstack-amd64.raw" --network mynetwork myloadbalancer-backend-1
+-----------------------------+--------------------------------------------------------------------------+
| Field                       | Value                                                                    |
+-----------------------------+--------------------------------------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                                                   |
| OS-EXT-AZ:availability_zone |                                                                          |
| OS-EXT-STS:power_state      | NOSTATE                                                                  |
| OS-EXT-STS:task_state       | scheduling                                                               |
| OS-EXT-STS:vm_state         | building                                                                 |
| OS-SRV-USG:launched_at      | None                                                                     |
| OS-SRV-USG:terminated_at    | None                                                                     |
| accessIPv4                  |                                                                          |
| accessIPv6                  |                                                                          |
| addresses                   |                                                                          |
| adminPass                   | vw7EcZDMFKRq                                                             |
| config_drive                |                                                                          |
| created                     | 2021-03-30T08:48:22Z                                                     |
| flavor                      | a1-ram2-disk20-perf1 (1a9dc950-eae3-4c6f-b327-07b23084b0fc)              |
| hostId                      |                                                                          |
| id                          | 02d4dadf-b0ee-4c97-b55c-7ac4a1101c1e                                     |
| image                       | debian-10.8.0-openstack-amd64.raw (49f425ed-bf79-46ab-8cf3-44935d9d831e) |
| key_name                    | yubikey-taylor                                                           |
| name                        | myloadbalancer-backend-1                                                 |
| progress                    | 0                                                                        |
| project_id                  | ac4fafd60021431585bbb23470119557                                         |
| properties                  |                                                                          |
| security_groups             | name='default'                                                           |
| status                      | BUILD                                                                    |
| updated                     | 2021-03-30T08:48:22Z                                                     |
| user_id                     | b1580497f51e4d10b9110c60c154562c                                         |
| volumes_attached            |                                                                          |
+-----------------------------+--------------------------------------------------------------------------+
taylor@laptop:~$ openstack server create --key-name yubikey-taylor --flavor a1-ram2-disk20-perf1 --image "debian-10.8.0-openstack-amd64.raw" --network mynetwork myloadbalancer-backend-2
+-----------------------------+--------------------------------------------------------------------------+
| Field                       | Value                                                                    |
+-----------------------------+--------------------------------------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                                                   |
| OS-EXT-AZ:availability_zone |                                                                          |
| OS-EXT-STS:power_state      | NOSTATE                                                                  |
| OS-EXT-STS:task_state       | scheduling                                                               |
| OS-EXT-STS:vm_state         | building                                                                 |
| OS-SRV-USG:launched_at      | None                                                                     |
| OS-SRV-USG:terminated_at    | None                                                                     |
| accessIPv4                  |                                                                          |
| accessIPv6                  |                                                                          |
| addresses                   |                                                                          |
| adminPass                   | wD9giG2RQ7oc                                                             |
| config_drive                |                                                                          |
| created                     | 2021-03-30T08:48:31Z                                                     |
| flavor                      | a1-ram2-disk20-perf1 (1a9dc950-eae3-4c6f-b327-07b23084b0fc)              |
| hostId                      |                                                                          |
| id                          | ea17a66e-909d-4da1-8cee-731b1199a7e4                                     |
| image                       | debian-10.8.0-openstack-amd64.raw (49f425ed-bf79-46ab-8cf3-44935d9d831e) |
| key_name                    | yubikey-taylor                                                           |
| name                        | myloadbalancer-backend-2                                                 |
| progress                    | 0                                                                        |
| project_id                  | ac4fafd60021431585bbb23470119557                                         |
| properties                  |                                                                          |
| security_groups             | name='default'                                                           |
| status                      | BUILD                                                                    |
| updated                     | 2021-03-30T08:48:31Z                                                     |
| user_id                     | b1580497f51e4d10b9110c60c154562c                                         |
| volumes_attached            |                                                                          |
+-----------------------------+--------------------------------------------------------------------------+

taylor@laptop:~$ openstack server list
+--------------------------------------+--------------------------+--------+--------------------------------------+-----------------------------------+----------------------+
| ID                                   | Name                     | Status | Networks                             | Image                             | Flavor               |
+--------------------------------------+--------------------------+--------+--------------------------------------+-----------------------------------+----------------------+
| ea17a66e-909d-4da1-8cee-731b1199a7e4 | myloadbalancer-backend-2 | ACTIVE | mynetwork=10.10.10.115               | debian-10.8.0-openstack-amd64.raw | a1-ram2-disk20-perf1 |
| 02d4dadf-b0ee-4c97-b55c-7ac4a1101c1e | myloadbalancer-backend-1 | ACTIVE | mynetwork=10.10.10.159               | debian-10.8.0-openstack-amd64.raw | a1-ram2-disk20-perf1 |
+--------------------------------------+--------------------------+--------+--------------------------------------+-----------------------------------+----------------------+
  • We create a security group allowing SSH and HTTP (ports 22 and 80) into the backends. The rules below accept traffic from 0.0.0.0/0; since the backends are only reached through the amphorae, which sit on mysubnet, you can tighten them with `--remote-ip-prefix 10.10.10.0/24`.
taylor@laptop:~$ openstack security group create myloadbalancer-backend-securitygroup
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2021-03-30T08:51:03Z                                                                                                                                  |
| description     | myloadbalancer-backend-securitygroup                                                                                                                  |
| id              | ed6c0fbc-5fa8-48c5-bc5c-7e2280cca8f4                                                                                                                  |
| name            | myloadbalancer-backend-securitygroup                                                                                                                  |
| project_id      | ac4fafd60021431585bbb23470119557                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2021-03-30T08:51:03Z', direction='egress', ethertype='IPv4', id='42199c9a-40b4-480a-ba77-5439b8de9aac', updated_at='2021-03-30T08:51:03Z' |
|                 | created_at='2021-03-30T08:51:03Z', direction='egress', ethertype='IPv6', id='ab39d6da-2ce1-4856-b3af-695c1620c2da', updated_at='2021-03-30T08:51:03Z' |
| stateful        | True                                                                                                                                                  |
| tags            | []                                                                                                                                                    |
| updated_at      | 2021-03-30T08:51:03Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

taylor@laptop:~$ openstack security group rule create --ingress --protocol tcp --dst-port 22 --ethertype IPv4 myloadbalancer-backend-securitygroup
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2021-03-30T08:52:28Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 1f642c62-f768-4a1c-a980-103aefacb56b |
| name              | None                                 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | ac4fafd60021431585bbb23470119557     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | ed6c0fbc-5fa8-48c5-bc5c-7e2280cca8f4 |
| tags              | []                                   |
| updated_at        | 2021-03-30T08:52:28Z                 |
+-------------------+--------------------------------------+

taylor@laptop:~$ openstack security group rule create --ingress --protocol tcp --dst-port 80 --ethertype IPv4 myloadbalancer-backend-securitygroup
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2021-03-30T08:52:34Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | b17b21f8-29aa-448f-83d2-59f58c4253a2 |
| name              | None                                 |
| port_range_max    | 80                                   |
| port_range_min    | 80                                   |
| project_id        | ac4fafd60021431585bbb23470119557     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | ed6c0fbc-5fa8-48c5-bc5c-7e2280cca8f4 |
| tags              | []                                   |
| updated_at        | 2021-03-30T08:52:34Z                 |
+-------------------+--------------------------------------+
  • We associate this security group with the 2 servers.
taylor@laptop:~$ openstack server add security group myloadbalancer-backend-1 myloadbalancer-backend-securitygroup
taylor@laptop:~$ openstack server add security group myloadbalancer-backend-2 myloadbalancer-backend-securitygroup

We now have our 2 servers, but they are on a private network, so we cannot reach them yet.

Step 3: create 1 loadbalancer with a public IP in front of the 2 virtual machines

  • We create our loadbalancer with its VIP on Infomaniak's shared public network. First, find the ID of that network's IPv4 subnet:

taylor@laptop:~$ openstack subnet list --network ext-net1 --ip-version 4 --fit-width
+--------------------------------------+------------------+--------------------------------------+-----------------+
| ID                                   | Name             | Network                              | Subnet          |
+--------------------------------------+------------------+--------------------------------------+-----------------+
| 615ddc30-2ed5-4b0a-aba7-acb19b843276 | ext-net1-subnet1 | 5a7f5f53-627c-4d0e-be89-39efad5ac54d | 195.15.241.0/25 |
+--------------------------------------+------------------+--------------------------------------+-----------------+
The subnet ID is 615ddc30-2ed5-4b0a-aba7-acb19b843276

  • We create the loadbalancer:
taylor@laptop:~$ openstack loadbalancer create --name myloadbalancer-01 --vip-subnet-id  615ddc30-2ed5-4b0a-aba7-acb19b843276
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| availability_zone   | None                                 |
| created_at          | 2021-03-30T09:16:37                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | b35a8c97-81b0-4ffd-8d03-f18e2b02f41d |
| listeners           |                                      |
| name                | myloadbalancer-01                    |
| operating_status    | OFFLINE                              |
| pools               |                                      |
| project_id          | ac4fafd60021431585bbb23470119557     |
| provider            | amphora                              |
| provisioning_status | PENDING_CREATE                       |
| updated_at          | None                                 |
| vip_address         | 195.15.241.82                        |
| vip_network_id      | 5a7f5f53-627c-4d0e-be89-39efad5ac54d |
| vip_port_id         | abb07327-94d3-4f7f-9bef-fb73933f2321 |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | 615ddc30-2ed5-4b0a-aba7-acb19b843276 |
+---------------------+--------------------------------------+

Creating the loadbalancer takes a few minutes; run the following command until provisioning_status is ACTIVE:

taylor@laptop:~$ openstack loadbalancer show  myloadbalancer-01
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| availability_zone   | None                                 |
| created_at          | 2021-03-30T09:16:37                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | b35a8c97-81b0-4ffd-8d03-f18e2b02f41d |
| listeners           |                                      |
| name                | myloadbalancer-01                    |
| operating_status    | ONLINE                               |
| pools               |                                      |
| project_id          | ac4fafd60021431585bbb23470119557     |
| provider            | amphora                              |
| provisioning_status | ACTIVE                               |
| updated_at          | 2021-03-30T09:18:54                  |
| vip_address         | 195.15.241.82                        |
| vip_network_id      | 5a7f5f53-627c-4d0e-be89-39efad5ac54d |
| vip_port_id         | abb07327-94d3-4f7f-9bef-fb73933f2321 |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | 615ddc30-2ed5-4b0a-aba7-acb19b843276 |
+---------------------+--------------------------------------+

The loadbalancer public IP is 195.15.241.82

We have now 2 backend servers and a load balancer. The next step is to link them.

Step 4: Configure the loadbalancer

  • Our 2 backend servers (VMs) are on a private network. We will define a port redirection on our loadbalancer to reach one or the other backend server over SSH.
  • We will also forward port 80 to the 2 VMs in a round-robin manner.
taylor@laptop:~$ openstack server list
+--------------------------------------+--------------------------+--------+--------------------------------------+-----------------------------------+----------------------+
| ID                                   | Name                     | Status | Networks                             | Image                             | Flavor               |
+--------------------------------------+--------------------------+--------+--------------------------------------+-----------------------------------+----------------------+
| ea17a66e-909d-4da1-8cee-731b1199a7e4 | myloadbalancer-backend-2 | ACTIVE | mynetwork=10.10.10.115               | debian-10.8.0-openstack-amd64.raw | a1-ram2-disk20-perf1 |
| 02d4dadf-b0ee-4c97-b55c-7ac4a1101c1e | myloadbalancer-backend-1 | ACTIVE | mynetwork=10.10.10.159               | debian-10.8.0-openstack-amd64.raw | a1-ram2-disk20-perf1 |
+--------------------------------------+--------------------------+--------+--------------------------------------+-----------------------------------+----------------------+
  • We create one SSH listener per VM, plus one listener on port 80 shared by the 2 VMs.

Port 2122 will be used to reach port 22 of myloadbalancer-backend-1; port 2222 will be used to reach port 22 of myloadbalancer-backend-2. Both SSH ports are exposed on the public VIP, so if they are only meant for administration, restrict the listeners to your management addresses with `--allowed-cidr` (available on recent Octavia releases).

taylor@laptop:~$ openstack loadbalancer listener create --name my-ssh-listener-1 --protocol TCP --protocol-port 2122 myloadbalancer-01
taylor@laptop:~$ openstack loadbalancer listener create --name my-ssh-listener-2 --protocol TCP --protocol-port 2222 myloadbalancer-01
taylor@laptop:~$ openstack loadbalancer listener create --name my-http-listener --protocol HTTP --protocol-port 80 myloadbalancer-01
  • We create the pools and add the members. Take the addresses from the server list above: myloadbalancer-backend-1 is 10.10.10.159 and myloadbalancer-backend-2 is 10.10.10.115, so each SSH pool gets exactly one member.
taylor@laptop:~$ openstack loadbalancer pool create --name my-ssh-pool-1 --lb-algorithm ROUND_ROBIN --listener my-ssh-listener-1 --protocol TCP --session-persistence type=SOURCE_IP
taylor@laptop:~$ openstack loadbalancer pool create --name my-ssh-pool-2 --lb-algorithm ROUND_ROBIN --listener my-ssh-listener-2 --protocol TCP --session-persistence type=SOURCE_IP
taylor@laptop:~$ openstack loadbalancer pool create --name my-http-pool --lb-algorithm ROUND_ROBIN --listener my-http-listener --protocol HTTP
taylor@laptop:~$ openstack loadbalancer member create --subnet-id mysubnet --address 10.10.10.159 --protocol-port 22 my-ssh-pool-1
taylor@laptop:~$ openstack loadbalancer member create --subnet-id mysubnet --address 10.10.10.115 --protocol-port 22 my-ssh-pool-2
taylor@laptop:~$ openstack loadbalancer member create --subnet-id mysubnet --address 10.10.10.115 --protocol-port 80 my-http-pool
taylor@laptop:~$ openstack loadbalancer member create --subnet-id mysubnet --address 10.10.10.159 --protocol-port 80 my-http-pool
  • Check that the listeners and pools now appear on the loadbalancer (the listing below shows two of each; once the HTTP listener and pool are created there should be three of each):
taylor@laptop:~$ openstack loadbalancer show  myloadbalancer-01
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| availability_zone   | None                                 |
| created_at          | 2021-03-30T09:16:37                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | b35a8c97-81b0-4ffd-8d03-f18e2b02f41d |
| listeners           | 02fa4014-a33f-435b-a04c-8d5a5894b043 |
|                     | 6450d4ed-4651-4b0a-bd3e-2000b2dd18b4 |
| name                | myloadbalancer-01                    |
| operating_status    | ONLINE                               |
| pools               | 2999027d-694e-4a42-bcdc-7291c44ae12a |
|                     | 4fd0db6f-22bc-4e31-b03d-85592d6de1ad |
| project_id          | ac4fafd60021431585bbb23470119557     |
| provider            | amphora                              |
| provisioning_status | ACTIVE                               |
| updated_at          | 2021-03-30T09:36:20                  |
| vip_address         | 195.15.241.82                        |
| vip_network_id      | 5a7f5f53-627c-4d0e-be89-39efad5ac54d |
| vip_port_id         | abb07327-94d3-4f7f-9bef-fb73933f2321 |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | 615ddc30-2ed5-4b0a-aba7-acb19b843276 |
+---------------------+--------------------------------------+

You should now be able to SSH into myloadbalancer-backend-1 and myloadbalancer-backend-2 through the loadbalancer public IP:

taylor@laptop:~$ ssh debian@195.15.241.82 -p 2122
debian@myloadbalancer-backend-1:~$
taylor@laptop:~$ ssh debian@195.15.241.82 -p 2222
debian@myloadbalancer-backend-2:~$
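The member addresses above were typed by hand, which is how backend-1 and backend-2 are easily swapped. As an added example (not code from this page or from Octavia), the script below derives each member's address from the Nova inventory by server name and validates it before emitting the `member create` commands. The server list is constructed to mirror the page's output; it assumes the JSON shape of `openstack server list -f json`, whose `Networks` field is a dict on recent clients and a `name=ip` string on older ones, and handles both. Pool and server names, the subnet and the port map are the page's.

```python
"""Derive Octavia member addresses from the server inventory instead of hand-copying IPs.

Added example, not part of the original page. SERVER_LIST_JSON is a constructed stand-in
for `openstack server list -f json`; SSH_PORT_MAP says which backend each TCP listener
must reach. Addresses are looked up by server name and checked against the member subnet,
and reusing the same backend address:port in two pools is rejected.
"""
import ipaddress
import json

# Constructed from the page's server list. Networks is shown in both formats the client
# emits: a dict (recent python-openstackclient) and a "net=ip" string (older releases).
SERVER_LIST_JSON = json.dumps([
    {"ID": "ea17a66e-909d-4da1-8cee-731b1199a7e4", "Name": "myloadbalancer-backend-2",
     "Status": "ACTIVE", "Networks": {"mynetwork": ["10.10.10.115"]}},
    {"ID": "02d4dadf-b0ee-4c97-b55c-7ac4a1101c1e", "Name": "myloadbalancer-backend-1",
     "Status": "ACTIVE", "Networks": "mynetwork=10.10.10.159"},
])

SUBNET = ipaddress.ip_network("10.10.10.0/24")  # mysubnet

# VIP listener port -> (pool name, backend server name, backend port), as on the page.
SSH_PORT_MAP = {
    2122: ("my-ssh-pool-1", "myloadbalancer-backend-1", 22),
    2222: ("my-ssh-pool-2", "myloadbalancer-backend-2", 22),
}


def server_addresses(server_list_json, network):
    """Map server name -> first IPv4 address on `network` from `openstack server list -f json`."""
    addresses = {}
    for server in json.loads(server_list_json):
        nets = server["Networks"]
        if isinstance(nets, str):  # "mynetwork=10.10.10.159[, ip2]; othernet=..." (older client)
            parsed = {}
            for chunk in nets.split(";"):
                name, _, ips = chunk.strip().partition("=")
                parsed[name] = [ip.strip() for ip in ips.split(",") if ip.strip()]
            nets = parsed
        ips = [ip for ip in nets.get(network, []) if ipaddress.ip_address(ip).version == 4]
        if ips:
            addresses[server["Name"]] = ips[0]
    return addresses


def plan_members(port_map, addresses, subnet):
    """Return {listener_port: (pool, address, backend_port)} with every address validated."""
    plan = {}
    used = {}  # (address, port) -> pool, to catch the same backend pasted into two pools
    for vip_port, (pool, server_name, backend_port) in sorted(port_map.items()):
        if server_name not in addresses:
            raise ValueError(f"{server_name}: no IPv4 address on the member network")
        addr = ipaddress.ip_address(addresses[server_name])
        if addr not in subnet:
            raise ValueError(f"{server_name}: {addr} is outside {subnet}")
        key = (str(addr), backend_port)
        if key in used:
            raise ValueError(f"{addr}:{backend_port} already used by {used[key]}")
        used[key] = pool
        plan[vip_port] = (pool, str(addr), backend_port)
    return plan


def member_commands(plan, member_subnet="mysubnet"):
    """Render the `openstack loadbalancer member create` commands for a validated plan."""
    return [
        f"openstack loadbalancer member create --subnet-id {member_subnet} "
        f"--address {addr} --protocol-port {port} {pool}"
        for pool, addr, port in plan.values()
    ]


if __name__ == "__main__":
    addrs = server_addresses(SERVER_LIST_JSON, "mynetwork")
    for cmd in member_commands(plan_members(SSH_PORT_MAP, addrs, SUBNET)):
        print(cmd)
```

In practice you would feed the output of `openstack server list -f json` into `server_addresses` and pipe the rendered commands to a shell; the validation step is what prevents a listener from silently landing on the wrong backend.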

Step 5: configure a basic HTTP server

  • Internet access is required to install packages. Your VMs are on a private network and therefore have no internet access; you can give them temporary outbound access through a router:
taylor@laptop:~$ openstack router create myrouter-to-access-internet
taylor@laptop:~$ openstack router set --external-gateway ext-floating1 myrouter-to-access-internet
taylor@laptop:~$ openstack router add subnet myrouter-to-access-internet mysubnet
  • Install apache2:
taylor@laptop:~$ ssh debian@195.15.241.82 -p 2122
debian@myloadbalancer-backend-1:~$ sudo apt update && sudo apt -y install apache2

Repeat this on the second VM.

You can now open http://195.15.241.82 in a web browser; you should see the Apache2 welcome page.

Once your VMs are configured, we advise deleting the router; otherwise you will be charged for one public IP (the external-gateway IP of myrouter-to-access-internet). Removing it also takes the backends off the internet again, leaving the loadbalancer as their only entry point:

taylor@laptop:~$  openstack router remove subnet myrouter-to-access-internet mysubnet
taylor@laptop:~$  openstack router delete myrouter-to-access-internet

Step 6: Health monitor

A health monitor makes the amphora VMs (the loadbalancer) check that your backend VMs respond properly. If one of your backend HTTP VMs becomes unreachable for any reason, the loadbalancer stops sending requests to it until it passes the check again. Without a health monitor the loadbalancer has no way of knowing whether your backend VMs work as expected.

  • In our case we deployed an HTTP service, so we configure an HTTP health monitor that requests the URL / every 7 seconds (--delay), waits up to 5 seconds for a reply (--timeout) and accepts 200 or 201 as healthy. --max-retries is the number of consecutive successful checks before a member is put back ONLINE; the number of failures before it is taken out of rotation is --max-retries-down (default 3).
openstack loadbalancer healthmonitor create --name http-monitor \
                                            --delay 7 \
                                            --timeout 5 \
                                            --max-retries 3 \
                                            --url-path / \
                                            --expected-codes 200,201 \
                                            --type HTTP my-http-pool
  • We should see GET / requests on our backend VMs from both amphora VMs (the loadbalancer). Note that the source addresses are the amphorae's addresses on mysubnet, not client addresses; client requests proxied by the HTTP listener look the same from the backend's point of view. If your backends need the real client IP (access logs, rate limiting, forensics), add `--insert-headers X-Forwarded-For=true` to the HTTP listener and log that header in Apache.
taylor@laptop:~$ ssh debian@195.15.241.82 -p 2122
debian@myloadbalancer-backend-1:~$ tail -f /var/log/apache2/access.log
10.10.10.101 - - [01/Apr/2021:13:17:10 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
10.10.10.139 - - [01/Apr/2021:13:17:17 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
10.10.10.101 - - [01/Apr/2021:13:17:17 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
10.10.10.139 - - [01/Apr/2021:13:17:24 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
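As an added example (not part of the original page), a small shell/awk check that reads access.log lines like the ones above and reports, per probing amphora, how many GET / probes arrived, the longest gap between two probes and how many responses fell outside the monitor's expected codes 200/201. The sample lines are constructed from the excerpt above, with one extra 503 response added to show how a failing backend shows up.

```shell
# Added example: summarise health-monitor probes found in Apache's access.log.
# A gap larger than delay + timeout (7 + 5 s for the monitor created above) means
# the monitor skipped a round; a response outside 200/201 counts as "bad".
# SAMPLE_LOG is constructed from the excerpt on this page (plus one 503 line).
SAMPLE_LOG='10.10.10.101 - - [01/Apr/2021:13:17:10 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
10.10.10.139 - - [01/Apr/2021:13:17:17 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
10.10.10.101 - - [01/Apr/2021:13:17:17 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
10.10.10.139 - - [01/Apr/2021:13:17:24 +0000] "GET / HTTP/1.0" 200 10975 "-" "-"
10.10.10.101 - - [01/Apr/2021:13:17:24 +0000] "GET / HTTP/1.0" 503 299 "-" "-"'

# probe_summary [delay] [timeout]: reads log lines on stdin, prints one line per IP.
probe_summary() {
  awk -v limit="$(( ${1:-7} + ${2:-5} ))" '
    # Only the monitor probes (GET /); $4 holds [dd/Mon/yyyy:HH:MM:SS, $9 the status
    $6 == "\"GET" && $7 == "/" {
      split($4, t, ":"); secs = t[2]*3600 + t[3]*60 + t[4]
      ip = $1; count[ip]++
      if (ip in last && secs - last[ip] > gap[ip]) gap[ip] = secs - last[ip]
      last[ip] = secs
      if ($9 != 200 && $9 != 201) bad[ip]++
    }
    END {
      for (ip in count)
        printf "%s probes=%d max_gap=%d bad=%d %s\n", ip, count[ip], gap[ip]+0, bad[ip]+0,
               (gap[ip]+0 > limit ? "STALE" : "OK")
    }' | sort
}

# Number of distinct probing amphorae; an active/standby load balancer should show 2.
probing_amphorae() { probe_summary | wc -l | tr -d ' '; }

# Usage on a real backend: tail -n 200 /var/log/apache2/access.log | probe_summary
printf '%s\n' "$SAMPLE_LOG" | probe_summary
```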

Step 7: Add TLS termination

This section describes the steps to add TLS termination on the load balancer.

  • First of all, we have to generate a test certificate.
openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -nodes \
            -out tls.crt -keyout tls.key \
            -subj "/CN=myloadbalancer-01.mydomain.infomaniak.cloud/emailAddress=myemail@infomaniak.ch"
  • Combine the individual cert/key to a single PKCS12 file
taylor@laptop:~$ openssl pkcs12 -export -inkey tls.key -in tls.crt -passout pass: -out tls.p12
  • Check the certificate is valid
taylor@laptop:~$ openssl pkcs12 -in tls.p12 -noout -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
  • Next we have to store the certificate in Barbican (OpenStack's secret store)
taylor@laptop:~$ openstack secret store --name='my_tls_secret' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < tls.p12)"
+---------------+-------------------------------------------------------------------------------------------------+
| Field         | Value                                                                                           |
+---------------+-------------------------------------------------------------------------------------------------+
| Secret href   | https://pub1-api.cloud.infomaniak.ch/keymanager/v1/secrets/4401cb25-2dc7-484f-a7ac-b39570fc6dfc |
| Name          | my_tls_secret                                                                                   |
| Created       | None                                                                                            |
| Status        | None                                                                                            |
| Content types | {'default': 'application/octet-stream'}                                                         |
| Algorithm     | aes                                                                                             |
| Bit length    | 256                                                                                             |
| Secret type   | opaque                                                                                          |
| Mode          | cbc                                                                                             |
| Expiration    | None                                                                                            |
+---------------+-------------------------------------------------------------------------------------------------+
  • We create a new loadbalancer listener port 443
taylor@laptop:~$ openstack loadbalancer listener create --fit-width --protocol-port 443 \
--protocol TERMINATED_HTTPS --name my-https-listener \
--default-tls-container=$(openstack secret list | awk '/ my_tls_secret / {print $2}') myloadbalancer-01

+-----------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                       | Value                                                                                                                                                                                                      |
+-----------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up              | True                                                                                                                                                                                                       |
| connection_limit            | -1                                                                                                                                                                                                         |
| created_at                  | 2021-03-31T14:13:13                                                                                                                                                                                        |
| default_pool_id             | None                                                                                                                                                                                                       |
| default_tls_container_ref   | https://pub1-api.cloud.infomaniak.ch/keymanager/v1/secrets/4401cb25-2dc7-484f-a7ac-b39570fc6dfc                                                                                                            |
| description                 |                                                                                                                                                                                                            |
| id                          | 737782b8-55a7-42c8-934b-26cecd78c181                                                                                                                                                                       |
| insert_headers              | None                                                                                                                                                                                                       |
| l7policies                  |                                                                                                                                                                                                            |
| loadbalancers               | b35a8c97-81b0-4ffd-8d03-f18e2b02f41d                                                                                                                                                                       |
| name                        | my-https-listener                                                                                                                                                                                          |
| operating_status            | OFFLINE                                                                                                                                                                                                    |
| project_id                  | ac4fafd60021431585bbb23470119557                                                                                                                                                                           |
| protocol                    | TERMINATED_HTTPS                                                                                                                                                                                           |
| protocol_port               | 443                                                                                                                                                                                                        |
| provisioning_status         | PENDING_CREATE                                                                                                                                                                                             |
| sni_container_refs          | []                                                                                                                                                                                                         |
| timeout_client_data         | 50000                                                                                                                                                                                                      |
| timeout_member_connect      | 5000                                                                                                                                                                                                       |
| timeout_member_data         | 50000                                                                                                                                                                                                      |
| timeout_tcp_inspect         | 0                                                                                                                                                                                                          |
| updated_at                  | None                                                                                                                                                                                                       |
| client_ca_tls_container_ref | None                                                                                                                                                                                                       |
| client_authentication       | NONE                                                                                                                                                                                                       |
| client_crl_container_ref    | None                                                                                                                                                                                                       |
| allowed_cidrs               | None                                                                                                                                                                                                       |
| tls_ciphers                 | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-            |
|                             | AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256                                                                                                                        |
| tls_versions                | ['TLSv1.2', 'TLSv1.3']                                                                                                                                                                                     |
| alpn_protocols              | ['http/1.1', 'http/1.0']                                                                                                                                                                                   |
+-----------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  • We create a pool for the HTTPS listener

ℹ Note: The pool protocol is HTTP because the backends (members) serve HTTP content on port 80.

openstack loadbalancer pool create --name my-https-pool \
                                   --lb-algorithm ROUND_ROBIN \
                                   --listener my-https-listener \
                                   --protocol HTTP

+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| admin_state_up       | True                                 |
| created_at           | 2021-03-31T14:18:55                  |
| description          |                                      |
| healthmonitor_id     |                                      |
| id                   | 036b4dd8-a90c-4c6a-b22e-15a6c63ac9a2 |
| lb_algorithm         | ROUND_ROBIN                          |
| listeners            | 737782b8-55a7-42c8-934b-26cecd78c181 |
| loadbalancers        | b35a8c97-81b0-4ffd-8d03-f18e2b02f41d |
| members              |                                      |
| name                 | my-https-pool                        |
| operating_status     | OFFLINE                              |
| project_id           | ac4fafd60021431585bbb23470119557     |
| protocol             | HTTP                                 |
| provisioning_status  | PENDING_CREATE                       |
| session_persistence  | None                                 |
| updated_at           | None                                 |
| tls_container_ref    | None                                 |
| ca_tls_container_ref | None                                 |
| crl_container_ref    | None                                 |
| tls_enabled          | False                                |
| tls_ciphers          | None                                 |
| tls_versions         | None                                 |
+----------------------+--------------------------------------+
  • Finally, we add our 2 backend VMs

openstack loadbalancer member create --subnet-id mysubnet --address 10.10.10.115 --protocol-port 80 my-https-pool
openstack loadbalancer member create --subnet-id mysubnet --address 10.10.10.159 --protocol-port 80 my-https-pool

The last step is to verify TLS termination. The load balancer's virtual IP can be found by running openstack loadbalancer list

Open a browser and check https://195.15.241.82

Or run the following (the -k flag skips certificate verification, which curl would otherwise fail on this self-signed test certificate):

taylor@laptop:~$ curl -k https://195.15.241.82
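As an added example (not the page's own commands), the whole of Step 7 as shell functions, with the Barbican secret href captured directly instead of parsed with awk, a wait for the load balancer to become ACTIVE between changes, and a final check that the VIP really presents the certificate you stored, rather than trusting a curl -k that verifies nothing. It assumes the openstack and openssl CLIs on PATH and reuses the names from this page (myloadbalancer-01, my_tls_secret, my-https-listener, my-https-pool, mysubnet).

```shell
# Added example: Step 7 automated, ending with a fingerprint comparison between the
# certificate in tls.crt and the one served on the VIP. Names are the page's own.
set -e
CN=myloadbalancer-01.mydomain.infomaniak.cloud

# Self-signed test certificate and PKCS#12 bundle, as on the page ($1 = CN).
make_test_bundle() {
  openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -nodes \
    -out tls.crt -keyout tls.key -subj "/CN=$1"
  openssl pkcs12 -export -inkey tls.key -in tls.crt -passout pass: -out tls.p12
}

# Store the bundle in Barbican and print only its href ($1 = secret name, $2 = p12 file).
store_bundle() {
  openstack secret store --name "$1" -t application/octet-stream -e base64 \
    --payload "$(base64 < "$2" | tr -d '\n')" -f value -c "Secret href"
}

# Octavia rejects changes while the load balancer is PENDING_*; poll until ACTIVE ($1 = LB).
wait_active() {
  until [ "$(openstack loadbalancer show -f value -c provisioning_status "$1")" = ACTIVE ]; do
    sleep 5
  done
}

# TERMINATED_HTTPS listener, HTTP pool and members ($1 = LB, $2 = secret href, $3.. = IPs).
create_https_frontend() {
  lb=$1; href=$2; shift 2
  openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS \
    --name my-https-listener --default-tls-container "$href" "$lb"; wait_active "$lb"
  openstack loadbalancer pool create --name my-https-pool --lb-algorithm ROUND_ROBIN \
    --listener my-https-listener --protocol HTTP; wait_active "$lb"
  for ip in "$@"; do
    openstack loadbalancer member create --subnet-id mysubnet --address "$ip" \
      --protocol-port 80 my-https-pool; wait_active "$lb"
  done
}

# SHA-256 fingerprint of a PEM certificate file ($1), and of the one served on $1:443 for SNI $2.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
# Succeeds only when the VIP ($1) presents exactly the certificate in tls.crt.
verify_termination() { [ "$(served_fingerprint "$1" "$2")" = "$(cert_fingerprint tls.crt)" ]; }

# Run the whole procedure with: sh tls-terminate.sh run <VIP>   (nothing runs otherwise)
if [ "${1:-}" = run ]; then
  make_test_bundle "$CN"; href=$(store_bundle my_tls_secret tls.p12)
  create_https_frontend myloadbalancer-01 "$href" 10.10.10.115 10.10.10.159
  verify_termination "$2" "$CN" && echo "VIP $2 serves the stored certificate for $CN"
fi
```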

Extra

You can print statistics about your load balancer using:

taylor@laptop:~$ openstack loadbalancer stats show myloadbalancer-01
+--------------------+-------+
| Field              | Value |
+--------------------+-------+
| active_connections | 0     |
| bytes_in           | 12519 |
| bytes_out          | 13527 |
| request_errors     | 0     |
| total_connections  | 3     |
+--------------------+-------+