Introduction


CloudStack provides the ability to set up a load balancer in isolated networks [1]. It is implemented by haproxy running in the virtual routers (VRs) of the network. The haproxy configuration file contains some basic settings that are either hardcoded (for example, the client/server timeout is hardcoded as 50000 ms) or set globally (for example, the uri/port/auth of haproxy stats).

These improvements to the VR haproxy allow domains (our customers) to manage a restricted set of configuration settings. With this feature, users can, for example, set the number of allowed connections and the haproxy stats settings.

Based on this, we can implement more advanced features for the CloudStack load balancer, for example:

(1) transparent load balancer

(2) SSL offloading

(3) HTTP2 support

(4) Variable SSL configurations [3]


Feature description

This feature adds APIs to manage load balancer configs at different scopes:

  1. Available scopes: Network, Vpc, LoadBalancerRule
  2. APIs are available to create/delete/update/list load balancer configs. A new API, replaceLoadBalancerConfigs, will be added to replace all current LB configs with the passed configs.
  3. When LB configs are created/updated/deleted/replaced, CloudStack re-applies the new load balancer configs:
    1. Generate a new haproxy.cfg based on the changes.
    2. Apply the new haproxy.cfg in the VRs.
    3. When a VR is rebooted/recreated, the haproxy.cfg is also created based on these configs.
  4. For advanced features, more changes are needed:
    1. Transparent LB: besides the new haproxy.cfg, this adds some firewall rules in the VRs.
    2. SSL offloading: this requires some changes in the UI and copying the SSL certificate to the VRs.

API Changes

| API name | API description | API parameters | API response |
|---|---|---|---|
| createLoadBalancerConfig | Creates a load balancer config | scope (Network/Vpc/LoadBalancer); networkId; vpcId; loadBalancerId; name (of config); value (of config); forced (Force add a load balancer config) | id (the load balancer rule ID); name (the name of the load balancer config); value (the value of the load balancer config); scope (the scope of the load balancer config); networkId; vpcId; loadBalancerId; created (the date when the load balancer config is created); description (the description of the load balancer config); defaultValue (the default value of the load balancer config) |
| deleteLoadBalancerConfig | Deletes a load balancer config | id of load balancer config | Success/Exceptions |
| updateLoadBalancerConfig | Updates a load balancer config | id of load balancer config | Success/Exceptions |
| replaceLoadBalancerConfigs | Replaces load balancer configs of vpc/network/rule | scope (Network/Vpc/LoadBalancer); networkId; vpcId; loadBalancerId; config (configs list, Example: config[0].name=timout&config[0].value=60000) | Success/Exceptions |
| listLoadBalancerConfigs | List load balancer configs | id of load balancer config; scope (Network/Vpc/LoadBalancer); networkId; vpcId; loadBalancerId; name (of config); listAll (If set to true, list all available configs for the scope) | List of LoadBalancerConfigResponse |


Load balancer configurations (to be supported)

  • Network

| Scope | name | value type | current value in CS | description |
|---|---|---|---|---|
| Network | haproxy.timeout | Long | 50000ms | timeout server/client |
| Network | haproxy.stats.enable | Boolean | true | If haproxy stats is enabled |
| Network | haproxy.stats.uri | String | /admin?stats | URI of HAProxy stats |
| Network | haproxy.stats.auth | String | admin1:AdMiN123 | HAproxy stats username and password |
| Network | haproxy.maxconn | Long | 4096 | |
| Network | haproxy.maxpipes | Long | 1024 | default is maxconn/4 in haproxy |

  • VPC (same as Network)


  • LoadBalancerRule

| Scope | name | value type | current value in CS | description |
|---|---|---|---|---|
| LoadBalancerRule | lb.max.conn | Long | <not set> | LB max connection |
| LoadBalancerRule | lb.full.conn | Long | <not set> | LB full connection, default is 'maxconn/10' in haproxy |
| LoadBalancerRule | lb.max.conn.each | Long | <not set> | LB max connection per site |
| LoadBalancerRule | lb.full.conn.each | Long | <not set> | LB full connection per site |
| LoadBalancerRule | lb.max.queue.each | Long | <not set> | LB max queue per site |
| LoadBalancerRule | lb.http | Boolean | <not set> | If LB is http, default is 'true' for port 80 and 'false' for others |
| LoadBalancerRule | lb.http.keepalive | Boolean | false | If LB http keepalive enabled/disabled |


  • Advanced configurations

| Scope | name | value type | current value in CS | description |
|---|---|---|---|---|
| Network | haproxy.transparent | Boolean | <not set> | If transparent is supported, default value is false |
| LoadBalancerRule | lb.transparent | Boolean | <not set> | If LB is transparent, only applies when haproxy.transparent is true. Default value is false |
| LoadBalancerRule | lb.ssl.offloading | Boolean | <not set> | If SSL offloading is enabled on the IP/port. Default value is false |
| LoadBalancerRule | lb.http2 | Boolean | <not set> | If HTTP2 is enabled. Default value is false |
| LoadBalancerRule | lb.ssl.configuration | String | <not set> | Customized SSL configuration. Available values are none (default), old, intermediate |
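
An added example (not CloudStack's own code) of the "generate new haproxy.cfg" step for the Network-scope settings listed above: tenant-supplied names are checked against an allowlist and values against strict patterns before they are written into the file, so a value cannot carry extra directives into haproxy.cfg. The value patterns, the section layout and the function names are assumptions of this example.

```python
import re
# Names and current values come from the Network-scope table above. The value
# patterns are assumptions; none admits whitespace, newlines or '#'.
LONG = re.compile(r"[1-9][0-9]{0,8}")
BOOL = re.compile(r"true|false")
URI = re.compile(r"/[A-Za-z0-9/_.?=&-]{0,127}")
AUTH = re.compile(r"[A-Za-z0-9_.-]{1,32}:[A-Za-z0-9!@%^*_+=.,-]{8,64}")

ALLOWED = {  # name -> (value pattern, value used when the tenant sets nothing)
    "haproxy.timeout": (LONG, "50000"),
    "haproxy.stats.enable": (BOOL, "true"),
    "haproxy.stats.uri": (URI, "/admin?stats"),
    "haproxy.stats.auth": (AUTH, "admin1:AdMiN123"),
    "haproxy.maxconn": (LONG, "4096"),
    "haproxy.maxpipes": (LONG, "1024"),
}

def validate(configs):
    """Overlay tenant values on the defaults; reject unknown names and bad values."""
    merged = {name: default for name, (_, default) in ALLOWED.items()}
    for name, value in configs.items():
        if name not in ALLOWED:
            raise ValueError(f"not a network-scope LB config: {name!r}")
        if not ALLOWED[name][0].fullmatch(value):
            raise ValueError(f"invalid value for {name}")
        merged[name] = value
    return merged

def render(configs):
    """Render the tenant-controlled part of haproxy.cfg (section layout assumed)."""
    c = validate(configs)
    lines = ["global",
             f"\tmaxconn {c['haproxy.maxconn']}",
             f"\tmaxpipes {c['haproxy.maxpipes']}",
             "defaults",
             f"\ttimeout client {c['haproxy.timeout']}",
             f"\ttimeout server {c['haproxy.timeout']}"]
    if c["haproxy.stats.enable"] == "true":
        lines += ["listen stats",  # section name is hypothetical
                  "\tstats enable",
                  f"\tstats uri {c['haproxy.stats.uri']}",
                  f"\tstats auth {c['haproxy.stats.auth']}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render({"haproxy.timeout": "60000", "haproxy.stats.uri": "/lbstats"}))
    # A constructed value carrying a newline is rejected with ValueError:
    # render({"haproxy.stats.uri": "/stats\nglobal"})
```
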


DB Changes

A new table, load_balancer_config, is added to CloudStack to store the LB configs of networks, VPCs and load balancer rules.


UI changes


  1. Add a new tab 'LB Configs' in the network view. Click on Network -> 'LB Configs'; an overview of all the available settings is shown in a form.


  2. Add a new column in the load balancer rule view. Click 'Network' -> choose a network -> 'View IP Addresses' -> choose an IP -> click the 'Configurations' tab -> click 'Load Balancing' -> click 'View All'.


  3. Click 'Configure'; a new dialog will pop up.

References

  1. Load Balancer rules http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#load-balancer-rules
  2. haproxy configurations. http://cbonte.github.io/haproxy-dconv/1.8/configuration.html
  3. SSL configurations. https://ssl-config.mozilla.org/#server=haproxy&version=1.8&config=intermediate&openssl=1.1.1d&guideline=5.4
  4. Leaseweb implementation for CloudStack 4.7.1. https://kb.leaseweb.com/products/apache-cloudstack-private-cloud/managing-apache-cloudstack-network#ManagingApacheCloudStackNetwork-ConfiguringaloadbalancerforanIPAddressofanIsolatedNetwork