Integrating load balancers into the network

When using the HAProxy driver, load balancers are implemented in one-arm mode. In the one-arm mode, a load balancer is not in the path of normal traffic to the pool members. The load balancer has a single interface for ingress and egress traffic to and from clients and pool members.

A logical diagram of a load balancer in one-arm mode can be seen in Figure 10.1:

Figure 10.1

In Figure 10.1, a load balancer is configured in one-arm mode and resides in the same subnet as the servers that it is balancing traffic to.

As a load balancer in one-arm mode is not the gateway for the pool members that it is sending traffic to, it must rely on the use of source NAT, or SNAT, to ensure that return traffic from the members to the client is sent back through the load balancer. An example of the traffic flow can be seen in Figure 10.2:

Figure 10.2

In Figure 10.2, the load balancer receives a request from the client and forwards it to WEB1. Before forwarding the request to the server, the load balancer changes the source IP of the request to its own address, 10.30.0.5. This ensures that the server sends the response back to the load balancer, which then rewrites the destination IP as the client address. If the server were to send the response directly to the client, the client would reject the packet.

Neutron configures HAProxy to send an HTTP X-Forwarded-For header to the pool member, which allows the pool member to get the original client address. Without this header, all traffic would be identified as coming from the load balancer.
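Because every connection reaches the pool member from the load balancer's address, the header is only meaningful when the connection really came from the load balancer. The following is an added example, not code from the book or from Neutron, showing how a pool member might resolve the client address safely; the function name and sample addresses are constructed for illustration, and it assumes HAProxy appends its X-Forwarded-For entry after any entries supplied by the client.

```python
import ipaddress

# Assumption: the load balancer's SNAT address from Figure 10.2.
TRUSTED_LOAD_BALANCERS = {ipaddress.ip_address("10.30.0.5")}


def client_address(peer_ip, xff_values):
    """Return the address a pool member should attribute a request to.

    peer_ip    -- source IP of the TCP connection as seen by the pool member
    xff_values -- X-Forwarded-For header values, in the order received
    """
    peer = ipaddress.ip_address(peer_ip)

    # A sender that is not the load balancer can put anything in the
    # header, so the header is ignored and the socket address is used.
    if peer not in TRUSTED_LOAD_BALANCERS:
        return str(peer)

    # Flatten repeated headers and comma-separated lists into one
    # ordered list of hops.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    if not hops:
        return str(peer)

    # Only the last entry was written by the load balancer. Earlier
    # entries arrived from the client and are unverified.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        # A malformed value is never used for logging or access control.
        return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (socket peer, X-Forwarded-For values).
    samples = [
        ("10.30.0.5", ["203.0.113.7"]),             # normal balanced request
        ("10.30.0.5", ["192.0.2.1", "203.0.113.7"]),  # client sent its own header
        ("10.30.0.9", ["203.0.113.7"]),             # bypassed the load balancer
    ]
    for peer, xff in samples:
        print(peer, xff, "->", client_address(peer, xff))
```
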

Alternatives to the one-arm mode include the routed and transparent modes. In routed mode, the load balancer acts as a gateway between the client and pool member. The source addresses of packets do not need to be manipulated in most cases, as the load balancer acts as the gateway for pool members.

In transparent mode, the load balancer acts as a network bridge between two VLANs configured with the same subnet(s). Using this mode allows users to introduce a load balancer to the network with minimal disruption as pool members do not need to change their gateway.

Note

There is currently no way to change the way an HAProxy-based load balancer is integrated into the network. Some third-party drivers, however, may not be limited to the one-arm mode and can function in any mode.

Network namespaces

Neutron relies on network namespaces to provide individual load balancers when using the HAProxy plugin. Every VIP has a corresponding network namespace. Load balancers are scheduled to LBaaS agents in the environment, which are responsible for creating a corresponding network namespace and appropriate configuration. Namespaces used for load balancers are prefixed with qlbaas in the ip netns output.
