[openstack-dev] [Neutron] [LBaaS] Packet flow between instances using a load balancer

Eugene Nikanorov enikanorov at mirantis.com
Fri Sep 19 17:48:46 UTC 2014


If we're talking about the default haproxy driver for lbaas, then I'd say that
the diagram is not quite correct, because one could assume that LB_A and
LB_B are kind of routing devices which have networks behind them.

Since haproxy is a layer 4 load balancer, a packet received by RHB1 will have
a source of LB_B and a destination of RHB1, and similarly for the opposite
direction.

In fact the packet is not modified, it's just different, since haproxy is
not forwarding packets, it just opens a connection to the backend server.
The client's IP is usually forwarded via the X-Forwarded-For HTTP header.

Thanks,
Eugene.

On Thu, Sep 11, 2014 at 2:33 PM, Maish Saidel-Keesing <
maishsk+openstack at maishsk.com> wrote:

> I am trying to find out how traffic currently flows when sent to an
> instance through a LB.
>
> Say I have the following scenario:
>
>
> RHA1 --------  LB_A ----------> >-> LB_B -----------  RHB1
>                 |                    |
> RHA2 -----------|                    |-----------  RHB2
>
>
> A packet is sent from RHA1 to LB_B (with a final destination of course
> being either RHB1 or RHB2)
>
> I have a few questions about the flow.
>
> 1. When the packet is received by RHB1 - what is the source and
> destination address?
>      Is the source RHA1 or LB_B?
>      Is the destination LB_B or RHB_1?
> 2. When is the packet modified (if it is)? And how?
> 3. Traffic in the opposite direction. RHB1 -> RHA1. What is the path
> that will be taken?
>
> The catalyst of this question was how to control traffic that is coming
> into instances through a LoadBalancer with security groups. At the
> moment you can either define a source IP/range or a security group.
> There is no way to add a LB to a security group (at least not that I
> know of).
>
> If the source IP that the packet is identified with - is the Load
> balancer (and I suspect it is) then there is no way to enforce the
> traffic flow.
>
> How would you all deal with this scenario and controlling the traffic flow?
>
> Any help / thoughts is appreciated!
>
> --
> Maish Saidel-Keesing
>
>
>
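Since the backend sees the load balancer as the source and the client address only arrives in X-Forwarded-For, any per-client restriction has to be made at the application layer. The sketch below is an added example, not code from this thread or from Neutron: it trusts the header only when the TCP peer is the load balancer. The addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed value (assumption): the address of LB_B as seen by RHB1.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.2.10/32")]


def _is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address a request should be attributed to.

    peer_addr  -- source address of the TCP connection (LB_B when proxied)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # A peer that is not the load balancer can put anything in the header,
    # so the header is ignored and the peer address is used.
    if not _is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Proxies append to the header, so the rightmost entries are the ones
    # written by trusted hops. Walk right to left and stop at the first
    # address that is not a trusted proxy; entries left of it are unverified.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the peer
        if not _is_trusted(hop):
            return hop
    return peer_addr


def allowed(peer_addr, xff_header, allowed_nets):
    """Apply a source allow-list to the derived client address."""
    ip = ipaddress.ip_address(client_ip(peer_addr, xff_header))
    return any(ip in ipaddress.ip_network(n) for n in allowed_nets)
```

The security group on the backend still has to restrict ingress to the load balancer's address, otherwise a direct connection bypasses the proxy entirely.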