Create a load balancer
Control panel
OpenStack CLI
Terraform
Select the configuration and network
-
In the control panel, go to Cloud platform → Balancers.
-
Open the tab Balancers.
-
Click Create a balancer.
-
Select the region and pool in which the balancer will be created.
-
Select the configuration depending on the project load.
-
Enter the name of the balancer.
-
Optional: enter a comment — any additional information about the balancer, it will only be displayed in the control panel.
-
Select a subnet:
- private — traffic balancing will be performed only within the subnet. You can connect a public IP address to a private address — the balancer will be accessible from the Internet via NAT;
- or public — the balancer will be accessible from the Internet and will be able to proxy requests from the public subnet to cloud servers on the private subnet. If you will be hosting cloud servers on the same subnet, choose a network of /28 or larger, or make sure that it has a free IP address for the load balancer port.
-
Specify the IP address in the subnet, a free address that will be assigned to the balancer.
-
Optional: Connect a public IP address. If there is no free public IP address available, create a new IP address. The private subnet on which you create the balancer must be prepared for connecting a public IP address.
-
Click Further.
Create a target group
-
Open the tab Servers.
-
Optional: to change the name of the target group, press , enter a name and press .
-
Select the traffic assignment protocol that the balancer uses to send traffic to the target group. The following combinations of protocols are available for accepting traffic on the balancer and assigning traffic to the target group:
- TCP-TCP is classic L4 balancing;
- TCP-PROXY — client information is not lost and is transmitted in a separate connection header;
- UDP-UDP — The UDP protocol is faster than TCP, but less reliable;
- HTTP-HTTP — L7-balancing;
- HTTPS-HTTP — L7 balancing with encryption and SSL certificate termination on the balancer.
-
A default port will be automatically selected for the selected protocol — change it if necessary. The port value will be common to all servers in the group.
-
Mark the servers to be added to the target group.
-
Specify settings for each marked server:
6.1 Select the IP address.
6.2 Optional: change the port.
6.3 Specify the server weight — this is a proportional measure, denotes the share of requests that the server handles. If the weights are the same, the servers serve the same number of requests. If, for example, there is one server in a group with a weight of "2" and two servers with a weight of "1", the first server will receive 50% of all requests and the other two will each receive 25%. The maximum weight value is 256.
6.4 Optionally, to direct traffic to a server only when other servers in the group are unavailable, check the checkbox Reserve.
-
Open the tab Algorithm.
-
Select the request distribution algorithm: Round Robin or Least connections.
-
Optional: to enable Sticky Sessions, check the box Sticky sessions and select a session ID. For the APP-cookie ID, enter a cookie name.
-
Open the tab Accessibility checks.
-
Select the type of accessibility check. Once a group is created, the type of check cannot be changed.
-
If you selected the HTTP validation type, specify the request parameters — method, path, and expected response codes.
-
Specify the check interval — the interval in seconds at which the balancer sends check requests to servers.
-
Specify the connection timeout — the maximum time to wait for a response in seconds, must be less than the interval between checks.
-
Specify the success threshold — the number of successful accesses in a row, after which the server is put into a working state.
-
Specify the failure threshold — the number of unsuccessful requests in a row, after which the server is suspended.
-
Optional: to add another target group, tap Add a target group and set it up.
-
Click Further.
Create rules and HTTP policies
- Select the protocol for receiving traffic on the balancer: TCP, UDP, HTTP or HTTPS. A Prometheus option is also available for setting up load balancer monitoring.
TCP or UDP traffic
HTTP or HTTPS traffic
-
For the selected protocol, the default port on which the balancer will listen to traffic will be automatically selected — change it if necessary.
-
Select a target group. Only the groups to which traffic can be balanced for the selected receiving protocol are available.
-
Optional: expand the block Advanced rule settings and specify connection settings:
- for incoming requests to the balancer — specify the connection timeout and maximum connections;
- for requests from the balancer to servers — specify the connection timeout, inactivity timeout and TCP packet waiting timeout.
-
Optional: to add another rule, press Add rule and go to step 1. There is no limit to the number of rules.
-
Check the total cost of the balancer.
-
Click Create a balancer.
-
For the selected protocol, the default port on which the balancer will listen to traffic will be automatically selected — change it if necessary.
-
If you selected the HTTPS protocol, select a certificate to terminate HTTPS traffic on the balancer — select a certificate from the Secrets Manager or download a new one. Read more in the instructions TLS(SSL)-certificates of the load balancer.
-
Optional: check the HTTP request headers that will be transmitted to the servers.
-
Select the default target group: this is where traffic that does not fall under the HTTP policy is directed.
-
Create HTTP Policies.
-
Optional: change connection settings. To do this, open the block Advanced rule settings and specify:
- for incoming requests to the balancer — specify the connection timeout and maximum connections;
- for requests from the balancer to servers — specify the connection timeout, inactivity timeout and TCP packet waiting timeout.
-
Optional: to add another rule, press Add rule and go to step 1. There is no limit to the number of rules.
-
Check the price of the balancer.
-
Click Create a balancer.
Create a balancer
-
Install the Octavia client to work with cloud load balancers. Version 3.4.0 is required for compatibility with the Yoga release:
pip3 install python-octaviaclient===3.4.0
-
Create a load balancer:
openstack loadbalancer create \
--vip-subnet-id <subnet_uuid> \
--vip-address <loadbalancer_ip_address> \
--flavor <flavor> \
--name <loadbalancer_name>
Specify:
- <subnet_uuid>: the ID of a private or public subnet, can be viewed with openstack subnet list;
- <loadbalancer_ip_address>: the IP address that will be allocated to the load balancer, one of the free addresses in the subnet;
- <flavor>: the ID or name of the flavor. Flavors correspond to load balancer types and determine the number of vCPUs, RAM, and the number of balancer instances. For example, ac18763b-1fc5-457d-9fa7-b0d339ffb336 is the ID for creating a balancer of type Advanced with reservation in the ru-9 pool. The list of flavors can be viewed with openstack loadbalancer flavor list -c id -c name or in the table List of load balancer flavors in all pools;
- <loadbalancer_name>: the balancer's name.
-
Check that the balancer is in the statuses ONLINE (parameter operating_status in the command output) and ACTIVE (provisioning_status):
openstack loadbalancer show <loadbalancer>
Specify <loadbalancer>: the ID or name of the balancer; the list can be viewed using openstack loadbalancer list.
-
Optional: connect a public IP address to the balancer:
openstack floating ip set --port <loadbalancer_port_uuid> <floating_ip>
Specify:
- <loadbalancer_port_uuid>: the ID of the balancer port, can be viewed using openstack loadbalancer show <loadbalancer>, value vip_port_id;
- <floating_ip>: the public IP address.
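The status check from this procedure as a polling loop, for scripts that run the following steps unattended. This is an added example, not part of the original instructions; the function names lb_status and lb_wait_ready, the default limits, and treating provisioning_status ERROR as fatal are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: wait for the statuses that the check step above looks for.
# lb_status and lb_wait_ready are hypothetical helper names, not OpenStack CLI commands.

# Print one field of `openstack loadbalancer show` as a bare value.
lb_status() {
    openstack loadbalancer show "$1" -f value -c "$2"
}

# lb_wait_ready <loadbalancer> [max_wait_seconds] [poll_interval_seconds]
# Returns 0 when provisioning_status=ACTIVE and operating_status=ONLINE,
#         1 when provisioning_status=ERROR or the CLI call fails,
#         2 when the deadline passes first.
lb_wait_ready() {
    local lb=$1 max_wait=${2:-300} interval=${3:-5}
    local waited=0 prov oper
    while :; do
        prov=$(lb_status "$lb" provisioning_status) || return 1
        oper=$(lb_status "$lb" operating_status) || return 1
        if [ "$prov" = "ERROR" ]; then
            echo "balancer $lb: provisioning_status=ERROR" >&2
            return 1
        fi
        if [ "$prov" = "ACTIVE" ] && [ "$oper" = "ONLINE" ]; then
            return 0
        fi
        if [ "$waited" -ge "$max_wait" ]; then
            echo "balancer $lb: still $prov/$oper after ${waited}s" >&2
            return 2
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}
```

Call lb_wait_ready <loadbalancer> after openstack loadbalancer create and continue only when it returns 0.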
Create a rule, HTTP policy and target group
For TCP or UDP traffic
For HTTP or HTTPS traffic
-
Create a rule:
openstack loadbalancer listener create \
--name <listener_name> \
--protocol <protocol> \
--protocol-port <port> \
<loadbalancer>
Specify:
- <listener_name>: the name of the rule;
- <protocol>: the protocol name, TCP or UDP;
- <port>: the port number on the balancer.
-
Create a target group:
openstack loadbalancer pool create \
--name <pool_name> \
--lb-algorithm <algorithm> \
--listener <listener_name> \
--protocol <protocol>
Specify:
-
Add the server to the target group:
openstack loadbalancer member create \
--subnet-id <subnet_uuid> \
--address <server_ip_address> \
--protocol-port <port> \
<pool_name>
Specify:
- <subnet_uuid>: the ID of the server's private or public subnet, can be viewed with openstack subnet list;
- <server_ip_address>: the IP address of the server from the specified subnet;
- <port>: the port number on the server;
- <pool_name>: the name of the target group you created in step 2.
-
Optional: create an accessibility check for the target group:
openstack loadbalancer healthmonitor create \
--delay <delay> \
--timeout <timeout> \
--max-retries <max_retries> \
--max-retries-down <max_retries_down> \
--type <type> \
--http-method <http_method> \
--url-path <url_path> \
--expected-codes <codes> \
<pool_name>
Specify:
- <delay>: the interval between checks in seconds;
- <timeout>: the maximum time to wait for a response in seconds;
- <max_retries>: the number of consecutive successful accesses, after which the server is brought back online;
- <max_retries_down>: the number of unsuccessful requests in a row, after which the server is suspended;
- <type>: the check type. The available types depend on the target group protocol you specified in step 2:
  - for the protocol TCP: type PING, TCP;
  - for the protocol UDP: type UDP_CONNECT, PING;
  - for the protocol PROXY: type TLS_HELLO, HTTP, PING, TCP;
- HTTP request parameters, if you have selected the check type HTTP:
  - --http-method <http_method>: the check method, one of GET, POST, DELETE, PUT, HEAD, OPTIONS, PATCH, CONNECT, TRACE;
  - --url-path <url_path>: the request path without a domain name;
  - --expected-codes <codes>: the expected response codes, separated by commas;
- <pool_name>: the name of the target group you created in step 2.
-
Create a target group that will serve as the default group: traffic that does not fall under the HTTP policies in the rule is directed to it:
openstack loadbalancer pool create \
--name <pool_name> \
--lb-algorithm <algorithm> \
--protocol HTTP \
--loadbalancer <load_balancer>
Specify:
- <pool_name>: the name of the target group;
- <algorithm>: the algorithm name, ROUND_ROBIN or LEAST_CONNECTIONS;
- <load_balancer>: the ID or name of the balancer that you previously created; the list can be viewed with openstack loadbalancer list.
-
Add the server to the target group:
openstack loadbalancer member create \
--subnet-id <subnet_uuid> \
--address <server_ip_address> \
--protocol-port <port> \
<pool_name>
Specify:
- <subnet_uuid>: the ID of the server's private or public subnet, can be viewed with openstack subnet list;
- <server_ip_address>: the IP address of the server from the specified subnet;
- <port>: the port number on the server;
- <pool_name>: the name of the target group you created in step 1.
-
Optional: create an accessibility check for the target group:
openstack loadbalancer healthmonitor create \
--delay <delay> \
--timeout <timeout> \
--max-retries <max_retries> \
--max-retries-down <max_retries_down> \
--type <type> \
--http-method <http_method> \
--url-path <url_path> \
--expected-codes <codes> \
<pool_name>
Specify:
- <delay>: the interval between checks in seconds;
- <timeout>: the maximum time to wait for a response in seconds;
- <max_retries>: the number of consecutive successful accesses, after which the server is brought back online;
- <max_retries_down>: the number of unsuccessful requests in a row, after which the server is suspended;
- <type>: the check type, one of HTTP, PING, TCP;
- HTTP request parameters, if you have selected the check type HTTP:
  - --http-method <http_method>: the check method, one of GET, POST, DELETE, PUT, HEAD, OPTIONS, PATCH, CONNECT, TRACE;
  - --url-path <url_path>: the request path without a domain name;
  - --expected-codes <codes>: the expected response codes, separated by commas;
- <pool_name>: the name of the target group you created in step 1.
-
Create a rule:
openstack loadbalancer listener create \
--name <listener_name> \
--protocol <protocol> \
--protocol-port <port> \
--default-tls-container=<certificate_uuid> \
--default-pool <default_pool> \
<loadbalancer>
Specify:
- <listener_name>: the name of the rule;
- <protocol>: the protocol name, HTTP or TERMINATED_HTTPS;
- <port>: the port number on the balancer;
- --default-tls-container=<certificate_uuid>: the ID of the TLS(SSL)-certificate for HTTPS traffic termination on the balancer. Specify it if you selected the protocol TERMINATED_HTTPS. You can copy it in the control panel: under Cloud platform → Secrets Manager → tab Certificates → in the menu of the certificate, select Copy UUID. Read more about TLS(SSL)-certificates of the load balancer;
- <default_pool>: the ID or name of the default target group that you created in step 1; the list can be viewed with openstack loadbalancer pool list.
-
Create an HTTP policy in the rule:
openstack loadbalancer l7policy create \
--action <action> \
[--redirect-url <url> | --redirect-prefix <prefix_url> | --redirect-pool <pool>] \
--position <position> \
--name <policy_name> \
<listener>
Specify:
- <action>: the action applied to the traffic:
  - REDIRECT_TO_URL: completely replace the request URL, including protocol, domain name, path, and parameters;
  - REDIRECT_PREFIX: replace the protocol and domain name in the request URL;
  - REDIRECT_TO_POOL: direct the traffic to a target group;
  - REJECT: reject the request;
- where the traffic needs to be directed:
  - --redirect-url <url>: the full URL for the redirect. Specify it if the action REDIRECT_TO_URL is selected;
  - --redirect-prefix <prefix_url>: the URL prefix that replaces the protocol and domain in the request, e.g. https://example.com. Specify it if the action REDIRECT_PREFIX is selected;
  - --redirect-pool <pool>: the ID or name of the target group. Specify it if the action REDIRECT_TO_POOL is selected. The list can be viewed with openstack loadbalancer pool list. If you don't already have a target group, create it;
- --position <position>: the position of the policy in the rule. Specify it if there will be more than one policy with the same action in the rule; the policy with position 1 will be the first to apply;
- <policy_name>: the L7 policy name;
- <listener>: the ID or name of the rule you created in step 4. You can view the list with openstack loadbalancer listener list.
-
Create a condition in the HTTP policy:
openstack loadbalancer l7rule create \
--compare-type <compare_type> \
--type <type> \
--value <value> \
<policy>
Specify:
- <compare_type>: the type of match with the control value:
  - EQUAL_TO: is an exact match;
  - STARTS_WITH: begins with;
  - ENDS_WITH: ends with;
  - CONTAINS: contains;
  - REGEX: regular expression;
- <type>: the parameter in the request to check, one of HOST_NAME, PATH, COOKIE, FILE_TYPE, HEADER;
- <value>: the control value;
- <policy>: the ID or name of the L7 policy you created in step 5.
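A pre-flight check for the healthmonitor create step in both CLI procedures above: it applies the check types the page lists per target group protocol and the rule that the timeout must be less than the interval between checks. This is an added example, not part of the original instructions; the function names are hypothetical, and requiring every numeric value to be a positive integer is an assumption of the example.

```bash
#!/usr/bin/env bash
# Added example: validate values before `openstack loadbalancer healthmonitor create`.
# Function names are assumptions for illustration, not part of the OpenStack CLI.

# Check types listed on this page for each target group (pool) protocol.
hm_allowed_types() {
    case "$1" in
        TCP)   echo "PING TCP" ;;
        UDP)   echo "UDP_CONNECT PING" ;;
        PROXY) echo "TLS_HELLO HTTP PING TCP" ;;
        HTTP)  echo "HTTP PING TCP" ;;
        *)     return 1 ;;
    esac
}

# True only for a positive decimal integer (assumption: zero is rejected).
is_pos_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# hm_validate <pool_protocol> <type> <delay> <timeout> <max_retries> <max_retries_down>
# Returns 0 if the values are consistent; otherwise prints the reason and returns 1.
hm_validate() {
    local proto=$1 type=$2 delay=$3 timeout=$4 up=$5 down=$6
    local allowed t v found=0
    if ! allowed=$(hm_allowed_types "$proto"); then
        echo "unknown target group protocol: $proto" >&2; return 1
    fi
    for t in $allowed; do
        if [ "$t" = "$type" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then
        echo "type $type is not available for $proto (allowed: $allowed)" >&2; return 1
    fi
    for v in "$delay" "$timeout" "$up" "$down"; do
        if ! is_pos_int "$v"; then
            echo "not a positive integer: '$v'" >&2; return 1
        fi
    done
    # The wait for a response must be shorter than the interval between checks.
    if [ "$timeout" -ge "$delay" ]; then
        echo "timeout ($timeout) must be less than delay ($delay)" >&2; return 1
    fi
}
```

Run hm_validate with the target group protocol and the planned values, and issue the healthmonitor create command only if it returns 0.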
-
Use the instructions in the Terraform documentation: