In a way kolla already does this by separating certain things onto "internal" VIPs vs "external" VIPs. So even though a single haproxy instance is running both internal and external, they are separated into their own connection paths that enforce segregation. Ultimately running a separate haproxy won't really add much security as you'll essentially be doing what kolla is already doing.

From: Mariusz Karpiarz <m.karpiarz@eschercloud.ai>
Sent: 16 November 2022 17:23
To: Michal Arbet <michal.arbet@ultimum.io>
Cc: openstack-discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [Kolla][kolla-ansible][HAProxy] Splitting the load balancer into internal and external?

CAUTION: This email originates from outside THG

Michal,
Thank you for your message.

To explain what I mean a little better, let’s look at a use case of a web-based service running in a cloud but not using a Database-as-a-Service offering. In this setup (a sample diagram: https://www.cozumpark.com/wp-content/uploads/2020/02/image-5.png) a good security practice is to use a different (“internal”) load balancer for database servers and different (“public”) - for all the web servers serving user requests. The database doesn’t need to be accessible from the outside world, so this split provides a physical separation of traffic and this is exactly what I’m suggesting here.

As for how to archive this, we can keep one HAProxy process in one container (and use regular Kolla images) but there will simply be two HAProxy containers (one “external” and one “public”) running either on the same controllers or on different ones.

I hope this explanation helps but please do let me know if you want me to elaborate on any particular aspect of it.

For the purposes of this email, the "company" means The Hut Group Limited, a company registered in England and Wales (company number 6539496) whose registered office is at Fifth Floor, Voyager House, Chicago Avenue, Manchester Airport, M90 3DQ and/or any of its respective subsidiaries.

Confidentiality Notice
This e-mail is confidential and intended for the use of the named recipient only. If you are not the intended recipient please notify us by telephone immediately on +44(0)1606 811888 or return it to us by e-mail. Please then delete it from your system and note that any use, dissemination, forwarding, printing or copying is strictly prohibited. Any views or opinions are solely those of the author and do not necessarily represent those of the company.

Encryptions and Viruses
Please note that this e-mail and any attachments have not been encrypted. They may therefore be liable to be compromised. Please also note that it is your responsibility to scan this e-mail and any attachments for viruses. We do not, to the extent permitted by law, accept any liability (whether in contract, negligence or otherwise) for any virus infection and/or external compromise of security and/or confidentiality in relation to transmissions sent by e-mail.

Monitoring
Activity and use of the company's systems is monitored to secure its effective use and operation and for other lawful business purposes. Communications using these systems will also be monitored and may be recorded to secure effective use and operation and for other lawful business purposes.