1. 1
OpenStack Advanced
Networking Services: LBaaS
James Sherlow
Avi Networks
@jsherlow
@AviNetworks

2. 2
NetworkVirtualization
Layers
Switches, LAN
(Broadcast Domain)
L2 Neutron: Network
Routers, IP SubnetsL3 Neutron: Router, Subnet
Firewalls
Load Balancers
(ADC)
DNS
VPN Servers
…
L4 – L7
Neutron Services:
FWaaS
LBaaS
Designate
VPNaaS
….
Physical World Virtual World

3. 3
LBaaS in Neutron
APIs
• LBaaS v1.0 API
– Introduced in Grizzly
– Lacks several key advanced features: SSL support, rules based switching
• LBaaS v2.0 API
– Introduced in Kilo
– Implementation currently in progress
• Horizon/Heat integration
• L7 rules
• Neutron flavors

4. 4
LBaaS v2.0 Model
- name
- description
- healthmonitor_id
- protocol
- lb_algorithm
- members
- admin_state_up
-
provisioning_status
- operating_status
- session
persistence
Pool
- pool_id
- address
- protocol_port
- weight
- admin_state_up
- subnet_id
-
provisioning_status
- operating_status
Member
- name
- description
- vip_port_id
- vip_subnet_id
- vip_address
-
provisioning_statu
s
- operating_status
- provider
LoadBalancer
- Type (ping, TCP,
HTTP, HTTPS)
- delay
- timeout
- max_retries
- http_method
- url_path
- expected_codes
- provisioning_status
- admin_state_up
HealthMonitor
- loadbalancer_id
- bytes_in
- bytes_out
-
active_connection
s
-
LB Statistics
1
*
1
1
*
1
1
0..
1
- name
- description
- default_pool_id
- loadbalancer_id
- protocol
- protocol_port
-
default_tls_container
_id
- sni_containers
- connection_limit
- provisioning_status
- operating_status
- admin_state_up
Listener
- listener_id
- tls_container_id
- position
SNI Container
1
0..
1
1
*

5. 5
LBaaSAPIs: Limitations
(Not a comprehensive list)
• Missing protocols
– UDP
– Non-HTTP SSL termination
• SSL
– Missing support for backend (client) SSL cert
• Use case: Pools with backend servers that require client SSL certs
– SSL protocol and cipher-list control
• E.g., SSLv3 is broken and should not be used for external applications
• Prefer EC ciphers over RSA: Perfect-Forward Secrecy
– Support for only one default cert
• Custom health monitoring
– E.g., Monitor on a different port than the port configured for members
– Non-http protocols: e.g., MySQL

6. 6
Reference Implementation (HAProxy)
• One HAProxy process per Pool/VIP
• Running on Network Node
VM
VM
VM
VM VM
VMVM
VM VM
VM
VM VM
VM
VM
Compute
Nodes
Network
Node(s)
Keystone
Controller
Node(s)
Neutron w/LBaaS
…
…
LBaaS Agent
HAProxy
HAProxy
HAProxy
HAProxy
North-South
Traffic
East-West Traffic

7. 7
Reference Implementation (HAProxy)
Reference Implementation (Haproxy)
Scalability Limited
• Runs on shared Neutron nodes, creating a large fan-in
• Traffic “tromboning”
• Complex to manage multiple Neutron nodes / HAProxy instances
High Availability None
• Will need other solutions (e.g., PaceMaker) for achieving HA
Tenant Isolation Best effort; No strong guarantees
• No per-tenant SLA service
• Common pool of resources: network nodes
Not suitable for enterprise-grade
clouds

8. 8
Service-VMArchitecture
Distributed load balancer with a centralized control plane
LB1 LB2
LB3 LB4
OpenStack
Legacy Next Generation
OpenStack
VM
VM
VM
VM VM
VMVM
VM VM
VM
VM VM
VM
VM
VM
VM
VM
VM VM
VMVM
VM VM
VM
VM VM
VM
VM
Controllers
Service
Engine

9. Avi Networks Proprietary and Confidential 2016
REST API
Avi Vantage for OpenStack LBaaS
Drop-In replacement for HAProxy with Enterprise Class Load Balancing & App Monitoring

10. 10
Demos

11. 11
Avi’s ElasticApplication Delivery & Monitoring
Drop-in Replacement for HAProxy with Full-featured Elastic ADC
 Self-service automation
 Single-point of management and integration
 Multi-tenancy with Keystone integration
 Elastic & Auto-scale
 Active/Active & N+1 HA
 Application & End-user performance monitoring
 Comprehensive Security Insights and DDoS mitigation

12. 12
Thanks!
https://www.avinetworks.com/try