Neutron to BIG-IP Command Mapping
When you issue neutron lbaas commands on your OpenStack Neutron controller, the F5 Agent for OpenStack Neutron configures objects on your BIG-IP device(s).
This document describes how OpenStack Neutron LBaaS objects correspond to BIG-IP objects and what actions the F5 Agent takes for each neutron lbaas-loadbalancer CLI command.
F5 LBaaSv2 uses the f5-sdk to communicate with BIG-IP via the F5 iControl REST API. The table below shows the corresponding iControl endpoint and BIG-IP object for each neutron lbaas- ‘create’ command.
Neutron command | iControl REST API endpoint |
---|---|
neutron lbaas-loadbalancer-create | https://<icontrol_endpoint>:443/mgmt/tm/sys/folder/~Project_<os_tenant_id> |
neutron lbaas-listener-create | https://<icontrol_endpoint>:443/mgmt/tm/ltm/virtual/ |
neutron lbaas-pool-create | https://<icontrol_endpoint>:443/mgmt/tm/ltm/pool/ |
neutron lbaas-member-create | https://<icontrol_endpoint>:443/mgmt/tm/ltm/pool/~Project_<os_tenant_id>~pool1/members/ |
neutron lbaas-healthmonitor-create | https://<icontrol_endpoint>:443/mgmt/tm/ltm/monitor/http/ |
The sections below cover the settings F5 Agent applies to a standalone, overcloud BIG-IP device. The actual settings applied for a given command can vary depending on your existing BIG-IP device configurations and network architecture.
Tip
To view the actual API calls the F5 Agent sends to the BIG-IP device(s), set the F5 Agent’s DEBUG level to ‘True’ and view the logs (/var/log/neutron/f5-openstack-agent.log).
Start the F5 Agent for OpenStack Neutron
- systemctl start f5-openstack-agent
- When you first start the F5 Agent:
  - it reads the vtep self IP defined in the F5 Agent config file;
  - the F5 Agent discovers the BIG-IP vtep IP address and advertises it to Neutron as its tunneling_ip;
  - the F5 Driver for OpenStack LBaaSv2 adds a new port for the vtep to the OVS switch;
  - the F5 Agent adds profiles for all tunnel types to the BIG-IP device(s).
Create a Neutron LBaaS Load Balancer
- neutron lbaas-loadbalancer-create
- The F5 Agent creates the following:
  - new BIG-IP partition
  - BIG-IP forwarding database (FDB) records for all peers in the network
  - new BIG-IP route domain
  - new BIG-IP self IP on the specified subnet (this is the IP address at which the BIG-IP device can receive traffic for this load balancer)
  - new tunnel (uses the vtep as the local address and the BIG-IP vxlan profile created when the F5 Agent started) [1]
  - new SNAT pool list/SNAT translation list [2]

In addition, the F5 Driver adds a Neutron port for each SNAT address.
- If BIG-IP SNAT mode is off and you have f5_snat_addresses_per_subnet set to 0, the BIG-IP acts as a gateway and handles all return traffic from members.
- If BIG-IP SNAT mode is on and you have f5_snat_addresses_per_subnet set to 0, the BIG-IP device uses SNAT automap.
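
The tunnel and SNAT rules above, together with footnotes [1] and [2], can be checked against an agent config before a load balancer is created. The following is an added example, not F5's code: the option names debug, f5_global_routed_mode and f5_snat_mode are assumed from the agent's config file (only f5_snat_addresses_per_subnet is named on this page), and the sample values are constructed.

```python
import configparser

# Constructed sample of an agent config; the values are illustrative only.
SAMPLE_INI = """
[DEFAULT]
debug = True
f5_global_routed_mode = False
f5_snat_mode = True
f5_snat_addresses_per_subnet = 2
"""

# Options this review needs; names other than
# f5_snat_addresses_per_subnet are assumptions (not spelled out on the page).
REQUIRED = ("debug", "f5_global_routed_mode", "f5_snat_mode",
            "f5_snat_addresses_per_subnet")


def review_agent_config(ini_text):
    """Report the BIG-IP behaviour this page describes for the given settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    opts = cp["DEFAULT"]
    missing = [key for key in REQUIRED if key not in opts]
    if missing:
        # Refuse to guess defaults the page does not state.
        raise KeyError("options not set: " + ", ".join(missing))

    snat_on = opts.getboolean("f5_snat_mode")
    per_subnet = opts.getint("f5_snat_addresses_per_subnet")
    if per_subnet < 0:
        raise ValueError("f5_snat_addresses_per_subnet must be >= 0")

    if per_subnet == 0:
        # The two cases listed under "Create a Neutron LBaaS Load Balancer".
        snat = "automap" if snat_on else "gateway"
    elif snat_on:
        snat = "snat_pool"  # footnote [2]: this many addresses are created
    else:
        snat = "not covered by this page"

    return {
        # Tip: with debug on, API calls sent to the BIG-IP appear in the log.
        "api_calls_logged": opts.getboolean("debug"),
        # Footnote [1]: no tunnel is created in global routed mode.
        "tunnel_created": not opts.getboolean("f5_global_routed_mode"),
        "snat": snat,
        # The F5 Driver adds one Neutron port per SNAT address.
        "snat_neutron_ports_per_subnet": per_subnet if snat == "snat_pool" else 0,
    }
```
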
Create a Neutron LBaaS Listener
- neutron lbaas-listener-create
- The F5 Agent creates a new BIG-IP virtual server in the specified partition.
  - uses the Fast L4 protocol
  - uses the IP address Neutron assigned to the load balancer
  - uses the route domain created for the load balancer
  - if you’re using tunnels, traffic is only handled in the tunnel assigned to the load balancer
  - for secure listeners using the TERMINATED_HTTPS protocol: [3]
    - fetches the certificate/key container from Barbican.
    - adds the key and certificate to the BIG-IP device(s).
    - creates a custom SSL profile using clientssl as the parent profile.
    - adds the new SSL profile to the virtual server.
Create a Neutron LBaaS Pool
- neutron lbaas-pool-create
- The F5 Agent adds a new pool to the specified virtual server.
Create a Neutron LBaaS Member
- neutron lbaas-member-create
- The F5 Agent adds a new member to the requested pool using the specified IP address and port.
- If there is a Neutron port associated with the specified IP address and subnet, the F5 Agent creates a forwarding database (FDB) entry for the member on the BIG-IP device(s). [4]
- When you add a member to a pool for the first time, the BIG-IP pool status changes.
- When you create a member with a specific IP address for the first time, the F5 Agent also creates a new BIG-IP node for that IP address.
Create a Neutron LBaaS Health Monitor
- neutron lbaas-healthmonitor-create
- The F5 Agent creates a new BIG-IP health monitor for the specified pool.
- Creating a health monitor for a pool for the first time makes the BIG-IP pool status change.
- Health monitors directly affect the status and availability of BIG-IP pools and pool members. Any additions or changes may change the status of the specified pool.
Footnotes
[1] If using global routed mode, F5 Agent doesn’t create a tunnel. Instead, all traffic goes to the load balancer’s self IP address.
[2] You can set the number of SNAT addresses to create via the f5_snat_addresses_per_subnet setting in the L2 Segmentation Mode settings section of the F5 Agent configuration file.
[3] See Set up the F5 Agent for OpenStack Barbican.
[4] The F5 Agent will not create a FDB entry if the pool member IP address and subnet don’t have a corresponding Neutron port. In such cases, warning messages print to the f5-openstack-agent and neutron-server logs.