<div dir="ltr">If we're talking about the default haproxy driver for lbaas, then I'd say that the diagram is not quite correct because one could assume that LB_A and LB_B are kind of routing devices which have networks behind them.<div><br></div><div>Since haproxy is a layer 4 load balancer, the packet received by <span style="font-family:arial,sans-serif;font-size:13px">RHB1 will have a source of LB_B and a destination of RHB1, and similarly for the opposite direction.</span></div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">In fact the packet is not modified, it's just different, since haproxy is not forwarding packets; it just opens a connection to the backend server.</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">The client's IP is usually forwarded via the X-Forwarded-For HTTP header.</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Thanks,</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Eugene.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 11, 2014 at 2:33 PM, Maish Saidel-Keesing <span dir="ltr">&lt;<a href="mailto:maishsk+openstack@maishsk.com" target="_blank">maishsk+openstack@maishsk.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am trying to find out how traffic currently flows when sent to an<br>
instance through a LB.<br>
<br>
Say I have the following scenario:<br>
<br>
<br>
RHA1 -------- LB_A ----------> >-> LB_B ----------- RHB1<br>
| |<br>
RHA2 ---| |--------- RHB2<br>
<br>
<br>
A packet is sent from RHA1 to LB_B (with a final destination of course<br>
being either RHB1 or RHB2)<br>
<br>
I have a few questions about the flow.<br>
<br>
1. When the packet is received by RHB1 - what is the source and<br>
destination address?<br>
Is the source RHA1 or LB_B?<br>
Is the destination LB_B or RHB_1?<br>
2. When is the packet modified (if it is)? And how?<br>
3. Traffic in the opposite direction. RHB1 -> RHA1. What is the path<br>
that will be taken?<br>
<br>
The catalyst of this question was how to control traffic that is coming<br>
into instances through a LoadBalancer with security groups. At the<br>
moment you can either define a source IP/range or a security group.<br>
There is no way to add a LB to a security group (at least not that I<br>
know of).<br>
<br>
If the source IP that the packet is identified with - is the Load<br>
balancer (and I suspect it is) then there is no way to enforce the<br>
traffic flow.<br>
<br>
How would you all deal with this scenario and controlling the traffic flow?<br>
<br>
Any help / thoughts are appreciated!<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maish Saidel-Keesing<br>
</font></span></blockquote></div><br></div>
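<div>Because a pool member such as RHB1 sees LB_B as the TCP source, the original client can only be recovered from X-Forwarded-For, and that header is trustworthy only when the peer really is the load balancer. The sketch below is an added example, not code from this thread or from the lbaas project; the addresses and the function name are assumptions, and it assumes the load balancer appends the client address as the last X-Forwarded-For entry.</div>

```python
import ipaddress

# Constructed sample value: the address LB_B uses to reach pool members.
TRUSTED_LBS = (ipaddress.ip_network("10.0.2.10/32"),)


def effective_client_ip(peer_ip, headers, trusted=TRUSTED_LBS):
    """Return the client address a backend should use for access decisions.

    peer_ip is the TCP source seen by the backend. Behind haproxy this is
    the load balancer, because the proxy opens its own connection.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Connection did not come through the LB: any X-Forwarded-For
        # value was written by the sender and must be ignored.
        return str(peer)

    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]

    # Walk right to left: the right-most entry was added by our own LB,
    # anything further left arrived with the request and may be forged.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the TCP peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, headers)
    samples = [
        ("10.0.2.10", {"X-Forwarded-For": "198.51.100.7"}),
        ("10.0.2.10", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7"}),
        ("203.0.113.9", {"X-Forwarded-For": "10.0.1.5"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", effective_client_ip(peer, hdrs))
```

<div>A security group rule on the member can then admit only LB_B as a source, while per-client decisions are made in the application from the value this function returns.</div>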