Episode 6 – LBaaS – It is all about balance (An Openstack Series)

LBaaS, which is short for Load Balancer as a Service is just another way of saying, if you need a load balancer we have it. Till now you must have figured that running your own OpenStack has allowed you to have your own virtualized environments. Virtual Servers, Virtual Networks, Virtual Subnets and even virtual routers. Congratulations, you have had your first run with SDN (short for Software Defined Networks.) Along with these there is also things like Load Balancers, Firewalls and other stuff. For the course of this episode you and OS are going to learn how to lead a balanced life, or in other words how to load balance across multiple application instances.

Reading Level: Intermediate
Environment: OpenStack (Newton) on Ubuntu 16.04

Recap for Episode 5:

  • We understood the basics of heat
  • We learnt how to use heat to automate some operational tasks in OS

Now look at the diagram below:

Simple Representation of a Load Balancer

This is a very simple representation of a Load Balancer, balancing IP traffic across 3 web servers. During the course of this episode we will setup a Load Balancer inside a tenant in OS and then connect it to a pool of three web servers running on three different IPs within the same tenant. Then we will test the setup to make sure that the load balancer is working. I will not be covering the steps for the web server setup in this episode, since that is going to dilute the episode off topic. But if you are curious to know then just drop me a word and I will be more than happy to share the setup details.

To begin with, we need to setup the LBaaS service in OpenStack. In order to do that please run the following configuration on the controller node:

Install the lbaas common component and the haproxy. Note that OS uses haproxy to provide load balancing services. For more information on haproxy please visit haproxy.org

$ sudo apt-get install neutron-lbaas-common haproxy

Edit the neutron.conf and set the service plugin for LBaaS. Ensure that you retain the existing service plugins and add this after a comma:

$ sudo vi /etc/neutron/neutron.conf 
   service_plugins = ,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2

For Example:

$ sudo vi /etc/neutron/neutron.conf 
   service_plugins = router,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2

Edit the lbaas configuration file to setup the service provider.

$ sudo vi /etc/neutron/neutron_lbaas.conf 
   service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default

Restart the neutron server service

$ sudo systemctl restart neutron-server.service

Populate the lbaas database:

$ neutron-db-manage --subproject neutron-lbaas upgrade head

Run the following configuration on the neutron node to setup the LBaaS agent and the haproxy services:

Install the lbaas agent and ha proxy

$ sudo apt-get install neutron-lbaasv2-agent haproxy

Configure the lbaas agent configuration file:

$ sudo vi /etc/neutron/lbaas_agent.ini 
   #define the interface driver. This can be for example openvswitch or linuxbridge, whichever you are using in neutron 
   interface_driver = openvswitch 
   #Add the LBaaS device driver 
   device_driver = neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver 
   #Not sure what this does but I am following the official documentation 
   user_group = haproxy

Start the lbaas Agent:

$ neutron-lbaasv2-agent \ 
--config-file /etc/neutron/neutron.conf \ 
--config-file /etc/neutron/lbaas_agent.ini

Up to this point you have performed all the installation and configuration to setup the LBaaS. However we have not yet created any load balancer. The following steps will create the load balancer and perform the other required configuration.

The first step is to create the load balancer itself. The command uses the following format:

neutron lbaas-loadbalancer-create –name

For my case I ran the following:

Source your tenant where the load balancer will be created and then create the load balancer:

$ . keystone_admin_containers 
$ neutron lbaas-loadbalancer-create --name con-testlb1 PriSub1TNT83CL3 
$ neutron lbaas-loadbalancer-show con-testlb1 
| Field               | Value                                          |  
| admin_state_up      | True                                           |  
| description         |                                                |  
| id                  | 65068517-921b-467e-bbe1-4ab67604a892           |  
| listeners           | {"id": "44e6e312-1f2c-4d2f-950f-6af3aa49523f"} |  
| name                | con-testlb1                                    |  
| operating_status    | ONLINE                                         |  
| pools               | {"id": "225829b7-d4b0-49d3-a28a-e703d9c76d29"} |  
| provider            | haproxy                                        |  
| provisioning_status | ACTIVE                                         |  
| tenant_id           | f1b1d287add24cb5a096fcdf8c16dbb9               |  
| vip_address         |                                    |  
| vip_port_id         | 1211cc57-5449-407c-ad50-acfb4171b064           |  
| vip_subnet_id       | 1f386ab9-e8ee-4e5e-ab4d-1d80794dadcd           |  

Make sure that operating_status is ONLINE in the output above. If not then wait for it to be online. Note down the output of the last command. We will need some of these items in the steps that follow.

Empty Load Balancer

Next we will create a Security Group for our Load Balancer. The security group defines what ports will be accessible to users who are using the load balancer. Use the following commands:


$ neutron security-group-create lbaas 
$ neutron security-group-rule-create \ 
  --direction ingress \ 
  --protocol tcp \ 
  --port-range-min 80 \ 
  --port-range-max 80 \ 
  --remote-ip-prefix \ 
$ neutron security-group-rule-create \ 
  --direction ingress \ 
  --protocol tcp \ 
  --port-range-min 443 \ 
  --port-range-max 443 \ 
  --remote-ip-prefix \ 
$ neutron security-group-rule-create \ 
  --direction ingress \ 
  --protocol icmp \ 

Note above that we have created a security group called lbaas and then added three rules to allow incoming traffic. We are allowing traffic from all IPs to port 80 and 443 for TCP.  These are the common ports for any webserver. These will be mapped to your actual web server ports on the web servers running at your backend. These ports need NOT be the same as the ones your web servers are actually running on. You will see why in a minute. We have also created a rule to be able to ping the load balancer for testing.

Now apply this security group to the lbaas port. In order to get the port_id look at the vip_port_id in the output for neutron lbaas-loadbalancer-show con-testlb1 above.


$ neutron port-update \ 
  --security-group lbaas \ 

Ping the load balancer and make sure that it is responding to ping requests:

$ ping -c 10


Load Balancer with a Security Group

Till now we have created a load balancer and assigned some firewall rules to it. Now we will go ahead and create what is called a listener. This listener is going to well listen (duh) on a particular port for incoming requests. Then it will pass these to our pool of web servers. So here we go:


$ neutron lbaas-listener-create \ 
  --name test-lb-http \ 
  --loadbalancer con-testlb1 \ 
  --protocol HTTP \ 
  --protocol-port 80

We have created a listener for HTTP protocol for port 80. Next we create a pool that the requests will be forwarded to for this listener.


$ neutron lbaas-pool-create \ 
  --name test-lb-pool-http \ 
  --lb-algorithm ROUND_ROBIN \ 
  --listener test-lb-http \ 
  --protocol HTTP

Now let us add the three web servers to this pool. Note that my three webservers are running on,, respectively.


$ neutron lbaas-member-create \ 
  --name test-lb-http-member-1 \ 
  --subnet PriSub1TNT83CL3 \ 
  --address \ 
  --protocol-port 8080 \ 

$ neutron lbaas-member-create \ 
  --name test-lb-http-member-2 \ 
  --subnet PriSub1TNT83CL3 \ 
  --address \ 
  --protocol-port 8080 \ 

$ neutron lbaas-member-create \ 
  --name test-lb-http-member-3 \ 
  --subnet PriSub1TNT83CL3 \ 
  --address \ 
  --protocol-port 8080 \ 

Note that my webservers are actually running on port 8080. However the load balancer is listening on port 80 and then redirecting to 8080 on any one of these instances.

Assign a floating IP address to your load balancer:

neutron floatingip-associate FLOATINGIP_ID LOAD_BALANCER_PORT_ID

In order to get the FLOATINGIP_ID run the following command:


$ neutron floatingip-list

From the output select a floating IP that is currently NOT assigned to a fixed_ip. If there is none then assign some new floating IPs to this project in OS. By now you should know how to assign a floating IP to a project 🙂

I used the following command to associate the floating ip:


$ neutron floatingip-associate b0268afb-8bbe-4299-bcf8-43ec68cd55b7 1211cc57-5449-407c-ad50-acfb4171b064
Fully configured load balancer

Now open up a browser on a machine that has access to your public network on OS and open the following URL:

http://<loadBalancer-floatingip >
For me this was

Just for kicks I configured my web servers so they respond with different outputs on each node so I can identify that the requests are actually being distributed across all three servers. The following are my browser outputs in 4 refreshes.


As you can see these requests are being load balanced to three different web servers in a round robin fashion.

In this Episode we learned:

  • How to get some balance using lbaas
  • How to  use lbaas to load balance across 3 web servers

Thank you for reading. I hope the articles are fun to read. If you have any questions or comments please feel free to share below in the comments. It is my intention to continue to add content. So don’t forget to check back.

For my latest posts please visit WhatCloud.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Powered by WordPress.com.

Up ↑

%d bloggers like this: