L4-L7 Application Services with Avi Networks

OpenStack Advanced Networking Services: LBaaS
James Sherlow, Avi Networks
@jsherlow @AviNetworks

Upload: avi-networks

Post on 15-Feb-2017


TRANSCRIPT

Page 1: L4-L7 Application Services with Avi Networks

OpenStack Advanced Networking Services: LBaaS

James Sherlow
Avi Networks

@jsherlow
@AviNetworks

Page 2: L4-L7 Application Services with Avi Networks

Network Virtualization Layers

• L2
  – Physical World: Switches, LAN (Broadcast Domain)
  – Virtual World: Neutron: Network
• L3
  – Physical World: Routers, IP Subnets
  – Virtual World: Neutron: Router, Subnet
• L4 – L7
  – Physical World: Firewalls, Load Balancers (ADC), DNS, VPN Servers, …
  – Virtual World: Neutron Services: FWaaS, LBaaS, Designate, VPNaaS, …

Page 3: L4-L7 Application Services with Avi Networks

LBaaS in Neutron

APIs
• LBaaS v1.0 API
  – Introduced in Grizzly
  – Lacks several key advanced features: SSL support, rules based switching
• LBaaS v2.0 API
  – Introduced in Kilo
  – Implementation currently in progress
    • Horizon/Heat integration
    • L7 rules
    • Neutron flavors

Page 4: L4-L7 Application Services with Avi Networks

LBaaS v2.0 Model

[Diagram: object model relating the entities listed below]

LoadBalancer
- name
- description
- vip_port_id
- vip_subnet_id
- vip_address
- provisioning_status
- operating_status
- provider

Listener
- name
- description
- default_pool_id
- loadbalancer_id
- protocol
- protocol_port
- default_tls_container_id
- sni_containers
- connection_limit
- provisioning_status
- operating_status
- admin_state_up

SNI Container
- listener_id
- tls_container_id
- position

Pool
- name
- description
- healthmonitor_id
- protocol
- lb_algorithm
- members
- admin_state_up
- provisioning_status
- operating_status
- session persistence

Member
- pool_id
- address
- protocol_port
- weight
- admin_state_up
- subnet_id
- provisioning_status
- operating_status

HealthMonitor
- Type (ping, TCP, HTTP, HTTPS)
- delay
- timeout
- max_retries
- http_method
- url_path
- expected_codes
- provisioning_status
- admin_state_up

LB Statistics
- loadbalancer_id
- bytes_in
- bytes_out
- active_connections
- total_connections

Page 5: L4-L7 Application Services with Avi Networks

LBaaS APIs: Limitations
(Not a comprehensive list)

• Missing protocols
  – UDP
  – Non-HTTP SSL termination
• SSL
  – Missing support for backend (client) SSL cert
    • Use case: Pools with backend servers that require client SSL certs
  – SSL protocol and cipher-list control
    • E.g., SSLv3 is broken and should not be used for external applications
    • Prefer EC ciphers over RSA: Perfect-Forward Secrecy
  – Support for only one default cert
• Custom health monitoring
  – E.g., Monitor on a different port than the port configured for members
  – Non-HTTP protocols: e.g., MySQL
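
Added example (not from the slides or from Avi Networks): Python's standard ssl module stands in for a TLS-terminating load balancer to show the protocol and cipher-list control this slide lists as missing from the LBaaS API, namely a TLS 1.2 floor (no SSLv3) and ephemeral-ECDH suites for forward secrecy. The function names, constants and cipher string are assumptions chosen for the illustration, not LBaaS fields.

```python
import ssl

# Illustrative policy for a TLS-terminating VIP (hypothetical names, not LBaaS fields).
MIN_VERSION = ssl.TLSVersion.TLSv1_2            # rules out SSLv3 and TLS 1.0/1.1
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20"   # ephemeral EC key exchange only


def has_forward_secrecy(cipher):
    """True if the suite negotiates an ephemeral key exchange."""
    # OpenSSL names TLS 1.3 suites "TLS_*" (always ephemeral) and marks
    # ephemeral TLS 1.2 suites with an ECDHE-/DHE- prefix. A name such as
    # "AES128-GCM-SHA256" means static RSA key exchange: no forward secrecy.
    return cipher["name"].startswith(("TLS_", "ECDHE-", "DHE-"))


def hardened_vip_context():
    """Server-side context a load balancer could use for TLS termination."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(CIPHER_STRING)
    return ctx


def audit(ctx):
    """Return findings for a weak protocol floor and for non-PFS suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    for cipher in ctx.get_ciphers():
        if not has_forward_secrecy(cipher):
            findings.append("no forward secrecy: " + cipher["name"])
    return findings


if __name__ == "__main__":
    ctx = hardened_vip_context()
    print(audit(ctx) or "policy OK")
    for c in ctx.get_ciphers():
        print(c["protocol"], c["name"])
```

Running `audit()` on a context built with the local OpenSSL defaults instead shows which static-RSA suites and protocol floor that build would accept.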

Page 6: L4-L7 Application Services with Avi Networks

Reference Implementation (HAProxy)

• One HAProxy process per Pool/VIP
• Running on Network Node

[Diagram labels: Compute Nodes (VMs), Network Node(s), Controller Node(s), Keystone, Neutron w/LBaaS, LBaaS Agent, HAProxy, North-South Traffic, East-West Traffic]

Page 7: L4-L7 Application Services with Avi Networks

Reference Implementation (HAProxy)

Scalability: Limited
• Runs on shared Neutron nodes, creating a large fan-in
• Traffic “tromboning”
• Complex to manage multiple Neutron nodes / HAProxy instances

High Availability: None
• Will need other solutions (e.g., Pacemaker) for achieving HA

Tenant Isolation: Best effort; no strong guarantees
• No per-tenant SLA service
• Common pool of resources: network nodes

Not suitable for enterprise-grade clouds

Page 8: L4-L7 Application Services with Avi Networks

Service-VM Architecture

Distributed load balancer with a centralized control plane

[Diagram labels: OpenStack Legacy, OpenStack Next Generation, LB1, LB2, LB3, LB4, VMs, Controllers, Service Engine]

Page 9: L4-L7 Application Services with Avi Networks

Avi Networks Proprietary and Confidential 2016

Avi Vantage for OpenStack LBaaS

Drop-In replacement for HAProxy with Enterprise Class Load Balancing & App Monitoring

[Diagram label: REST API]

Page 10: L4-L7 Application Services with Avi Networks


Demos

Page 11: L4-L7 Application Services with Avi Networks

Avi’s Elastic Application Delivery & Monitoring

Drop-in Replacement for HAProxy with Full-featured Elastic ADC
• Self-service automation
• Single-point of management and integration
• Multi-tenancy with Keystone integration
• Elastic & Auto-scale
• Active/Active & N+1 HA
• Application & End-user performance monitoring
• Comprehensive Security Insights and DDoS mitigation

Page 12: L4-L7 Application Services with Avi Networks

Thanks!

https://www.avinetworks.com/try