I have successfully PoC'd the use of two HAProxy servers w/ heartbeat to load balance traffic between two squid servers with pass-through Kerberos authentication in our shared services office. I've been exploring the idea of separating internal load balancing from our Citrix NetScalers that currently have a leg both inside the private network and in the DMZ (terrible security practice, so we're changing that). One of the things that I can't seem to find anywhere is assigning more than one floating IP to an HA pair. The reason for this is that we load balance many things and want to use a different IP for each service being load balanced (i.e., squid, DNS, LDAP, web servers, etc.). Could use some direction on this.
@GregL The only thing I've tried so far is just research. Maybe the terms I'm using in my searches have been incorrect and that's why I haven't found anything? I've seen some info on this topic for keepalived but not for heartbeat. – MasterOfNothing Feb 21 '17 at 20:43
Are you also using Pacemaker as a CRM? – GregL Feb 23 '17 at 01:15
Sorry for the late response. Yes, corosync is being used as a CRM. – MasterOfNothing Mar 09 '17 at 19:33
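As an added example (not the asker's configuration and not part of any answer), this is how a Pacemaker/corosync pair running HAProxy can carry one floating IP per load-balanced service, written in crmsh configuration syntax; the addresses, interface name and resource names are assumed for illustration.

```crmsh
# Added example: one floating IP (VIP) per service on a Pacemaker/corosync
# pair that runs HAProxy. Addresses, the NIC and resource names are assumed.

# One IPaddr2 resource per service, each monitored on its own.
primitive vip_squid ocf:heartbeat:IPaddr2 \
    params ip=192.0.2.10 cidr_netmask=24 nic=eth0 \
    op monitor interval=10s timeout=20s
primitive vip_dns ocf:heartbeat:IPaddr2 \
    params ip=192.0.2.11 cidr_netmask=24 nic=eth0 \
    op monitor interval=10s timeout=20s
primitive vip_ldap ocf:heartbeat:IPaddr2 \
    params ip=192.0.2.12 cidr_netmask=24 nic=eth0 \
    op monitor interval=10s timeout=20s

# HAProxy itself, driven through its systemd unit.
primitive haproxy systemd:haproxy \
    op monitor interval=10s timeout=30s

# A group starts its members in order and keeps them on one node:
# the VIPs come up before HAProxy, so every per-VIP bind in haproxy.cfg
# succeeds, and on failover all VIPs move to the peer together.
group lb_stack vip_squid vip_dns vip_ldap haproxy

# After three failures of any member on a node the group moves to the
# peer; the failure count is cleared again after five minutes.
rsc_defaults migration-threshold=3 failure-timeout=300s

# Fencing (stonith) is not shown and must be configured separately:
# without it both nodes can claim the same VIPs after a network split.
```

In haproxy.cfg, bind each frontend to its own VIP (for example `bind 192.0.2.10:3128` for the squid frontend); if HAProxy must be able to start while a VIP is absent, set `net.ipv4.ip_nonlocal_bind=1` on both nodes instead of relying on the group ordering alone.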
1 Answer
You can add multiple Subnet IP addresses to be used for traffic towards your backend servers.
Doing so requires the following steps:
- Add a Subnet IP Address (System --> Network --> IP)
- Create an IP Set (System --> Network --> IPSets) and assign the Subnet IP address to the set
- Create a Network Profile (System --> Network --> Net Profile) and assign the IPSet to the Network Profile
- Assign the network profile to a load balancing virtual server or to the services/service groups belonging to the load balancing virtual server
By using separate network profiles per type of service, you can easily control the traffic.
Nowadays, even VIP addresses can be used as source IP addresses to the backend, given there is at least one Subnet IP address in the subnet.

Jan
I get the impression that OP wants to do this on the HAProxy pair, not the NetScalers. – GregL Feb 21 '17 at 20:40
In that case I will refrain from further answers, as I'm not a HA Proxy expert. One final thing, if you want to continue using NetScaler, you might consider switching from a 2-leg scenario to 1-leg, letting the intermittent firewalls do the filtering between external and internal networks. As such, your NetScaler sits in between the unsecure and secure network, thus preventing the NetScaler being in both networks. And then you can still apply my first answer. Good luck with HA Proxy! :) – Jan Feb 21 '17 at 21:20