Balance traffic by request URL
You can direct traffic to different server targets depending on which domain and path are specified in the request.
Control panel

- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to Balancers → Balancers tab.
- Open the balancer page.
- Click Create Rule.
- Select HTTPS as the protocol for receiving traffic. The default port 443, on which the balancer will listen for traffic, is selected automatically.
- Select a certificate to terminate HTTPS traffic on the balancer: choose a certificate from the Secrets Manager or upload a new one. If the rule will accept traffic for multiple domains, either the certificate must be valid for all of the domains, or you must add multiple certificates.
- Select the default target group; traffic that is not subject to HTTP policies will be directed there. Select a group from the list or create a new target group, specifying HTTP as the traffic destination protocol and port 80 for it. If you want to discard traffic that does not fall under the HTTP policy, select No target group.
- Mark the HTTP request headers that will be passed to the servers.
- Create an HTTP policy that will be used for traffic balancing. To do this, click Add New Policy.
- To balance requests by domain name, select the validation condition: HOSTNAME — EQUAL TO.
- Enter the domain name without the protocol, such as example.com.
- Click New Condition.
- To balance requests by path, select the check condition: PATH — STARTS WITH.
- Enter the text with which the request path should begin, e.g. /api.
- Select the Direct to Target action.
- Select the target group to which traffic that is subject to the policy will be forwarded. To create a new target group, click New Target Group and create a target group with the HTTP protocol and port 80. If you want to discard traffic that does not fall under the HTTP policy, select No Target Group.
- Optional: change the policy name or leave the generated default.
- Click Add.
- Optional: open the Advanced Rule Settings block and specify the connection settings:
  - for incoming requests to the balancer, specify the connection timeout and maximum connections;
  - for requests from the balancer to servers, specify the connection timeout, inactivity timeout and TCP packet waiting timeout.
- Click Create.

OpenStack CLI
- If you don't already have a target group to which traffic will be balanced, create one:

    openstack loadbalancer pool create \
      --name <pool_name> \
      --lb-algorithm <algorithm> \
      --loadbalancer <loadbalancer> \
      --protocol HTTP

  Specify:
  - <pool_name> — the name of the target group;
  - <algorithm> — the algorithm name: ROUND_ROBIN or LEAST_CONNECTIONS;
  - <loadbalancer> — the ID or name of the load balancer. The list can be viewed with the command openstack loadbalancer list.
- If you created a target group in step 2, add a server to it:

    openstack loadbalancer member create \
      --subnet-id <subnet_uuid> \
      --address <server_ip_address> \
      --protocol-port 80 \
      <pool>

  Specify:
  - <subnet_uuid> — the ID of the private or public subnet of the server. The list can be viewed with the command openstack subnet list;
  - <server_ip_address> — the private IP address of the server. Can be copied from the control panel: in the top menu click Products → Cloud Servers → Server page → tab Ports → in the port card, click next to the IP address;
  - <pool> — the ID or name of the target group that you created in step 2.
- Create a rule for the balancer with the TERMINATED_HTTPS protocol and port 443:

    openstack loadbalancer listener create \
      --name <listener_name> \
      --protocol TERMINATED_HTTPS \
      --protocol-port 443 \
      --default-tls-container=<certificate_uuid> \
      --default-pool <default_pool> \
      <loadbalancer>

  Specify:
  - <listener_name> — the rule name;
  - <certificate_uuid> — the ID of the TLS (SSL) certificate for terminating traffic on the balancer. Can be copied in the control panel: in the top menu click Products → Secrets Manager → tab Certificates → in the menu of the certificate, select Copy UUID. If the rule will accept traffic for multiple domains, either the certificate must be valid for all of the domains, or you must add multiple certificates;
  - optional: --default-pool <default_pool> — the ID or name of the default target group, where traffic not covered by the HTTP policies in the rule will be directed. You can view the list of groups using the openstack loadbalancer pool list command. If you do not have a suitable target group, create one. If you do not specify the parameter, traffic not caught by the policies will be discarded;
  - <loadbalancer> — the ID or name of the load balancer. The list can be viewed with the command openstack loadbalancer list.
- Create an HTTP policy in the rule:

    openstack loadbalancer l7policy create \
      --action REDIRECT_TO_POOL \
      --redirect-pool <pool> \
      --name <policy_name> \
      <listener_name>

  Specify:
  - <pool> — the ID or name of the target group. The list can be viewed with the command openstack loadbalancer pool list;
  - <policy_name> — the L7 policy name;
  - <listener_name> — the name of the rule you set in step 4.
- To balance the request by domain name, create a condition in the HTTP policy to validate the domain:

    openstack loadbalancer l7rule create \
      --compare-type EQUAL_TO \
      --type HOST_NAME \
      --value <domain_name> \
      <policy>

  Specify:
  - <domain_name> — a domain of the form example.com;
  - <policy> — the ID or name of the L7 policy. The list can be viewed with the command openstack loadbalancer l7policy list.
- To balance the request by path, create a condition in the HTTP policy to check the path:

    openstack loadbalancer l7rule create \
      --compare-type STARTS_WITH \
      --type PATH \
      --value <path> \
      <policy>

  Specify:
  - <path> — the text with which the request path should start, e.g. /api;
  - <policy> — the ID or name of the L7 policy. The list can be viewed with the command openstack loadbalancer l7policy list.
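The routing decision configured by the steps above, modeled as an added example (not code from this documentation or the provider). It assumes the Octavia behaviour that all conditions in one policy must match and that STARTS_WITH is a plain string prefix; the pool names `api-pool` and `web-pool` and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class L7Rule:
    type: str          # HOST_NAME or PATH
    compare_type: str  # EQUAL_TO or STARTS_WITH
    value: str

    def matches(self, host: str, path: str) -> bool:
        # Assumption: host names compare case-insensitively, paths exactly.
        if self.type == "HOST_NAME":
            subject, value = host.lower(), self.value.lower()
        else:
            subject, value = path, self.value
        if self.compare_type == "EQUAL_TO":
            return subject == value
        if self.compare_type == "STARTS_WITH":
            return subject.startswith(value)  # string prefix, not a path segment
        raise ValueError(f"unsupported compare type: {self.compare_type}")

@dataclass
class L7Policy:
    redirect_pool: str
    rules: List[L7Rule]

def route(policies: List[L7Policy], default_pool: Optional[str],
          host: str, path: str) -> Optional[str]:
    """Return the pool that receives the request, or None if it is discarded."""
    for policy in policies:
        # Assumption of this model: a policy without conditions matches nothing.
        if policy.rules and all(r.matches(host, path) for r in policy.rules):
            return policy.redirect_pool
    return default_pool  # None models a listener created without --default-pool

def api_policy(path_prefix: str) -> List[L7Policy]:
    """One REDIRECT_TO_POOL policy with the two conditions from the steps above."""
    return [L7Policy("api-pool", [
        L7Rule("HOST_NAME", "EQUAL_TO", "example.com"),
        L7Rule("PATH", "STARTS_WITH", path_prefix),
    ])]

if __name__ == "__main__":
    samples = [("example.com", "/api/users"), ("example.com", "/apiv2/admin"),
               ("example.com", "/index.html"), ("other.example", "/api/users")]
    for prefix in ("/api", "/api/"):
        for host, path in samples:
            pool = route(api_policy(prefix), "web-pool", host, path)
            print(f"prefix={prefix!r:7} {host}{path} -> {pool}")
```

With the value `/api`, a request for `/apiv2/admin` is also sent to the API pool; using `/api/` closes that gap but no longer matches a bare `/api` request.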