How to define L7 policies for Virtual Servers using Multiple ESDs¶

The F5 Agent for OpenStack Neutron can implement L7 policy on your BIG-IP device(s) using Enhanced Service Definitions, or ESDs.

Important

While you can apply multiple ESDs to an LBaaS Listener, you should only apply one ESD to a Listener at a time. If you apply multiple ESDs with conflicting settings to the same Listener at the same time, you may experience unexpected behaviors.

When you deploy multiple ESDs to a single Listener, the F5 Agent essentially overlaps the settings from each ESD into a single JSON request

For example:

What you define:

ESD_DEMO_1¶

{
   "lbaas_ctcp": "tcp-mobile-optimized",
   "lbaas_stcp": "tcp-lan-optimized",
}

ESD_DEMO_2¶

{
   "lbaas_persist": "sourceip"
}

What the F5 Agent applies to the BIG-IP virtual server:

Combined ESD¶

{
  "lbaas_ctcp": "tcp-mobile-optimized",
  "lbaas_stcp": "tcp-lan-optimized",
  "lbaas_persist": "sourceip"
}

When you apply multiple ESDs containing the same tag with different settings to a single LBaaS Listener, L7-policy’s “position” setting determines which setting receives priority.

How the F5 Agent uses position to determine priority¶

When you create a new l7-policy, you can use the position argument to assign it a priority. The lower the position, the higher the priority.

Example: Use l7-policy-create to create two ESDs¶

$ lbaas-l7-policy-create –name “esd_demo_1” –action REJECT –listener vs1 –position 1
$ lbaas-l7-policy-create –name “esd_demo_2” –action REJECT –listener vs1 –position 2

If the F5 Agent encounters conflicting settings, it will select the settings from the ESD with the lower position number.

What you define:

ESD_DEMO_1 – position 1¶

{
  "lbaas_ctcp": "tcp-mobile-optimized",
  "lbaas_stcp": "tcp-lan-optimized",
}

ESD_DEMO_2 – position 2¶

{
  "lbaas_ctcp": "tcp-mobile-optimized",
  "lbaas_stcp": "tcp-lan-optimized",
  "lbaas_persist": "sourceip"
}

What the F5 Agent sees:

{
  "lbaas_ctcp": "tcp-mobile-optimized",   \\ CONFLICT
  "lbaas_ctcp": "tcp-lan-optimized",      \\ CONFLICT
  "lbaas_stcp": "tcp-lan-optimized",
  "lbaas_stcp": "tcp-lan-optimized",
  "lbaas_persist": "sourceip"
}

What the F5 Agent applies to the BIG-IP virtual server:

{
  "lbaas_ctcp": "tcp-mobile-optimized",   \\ Taken from ESD_DEMO_1 (priority 1)
  "lbaas_stcp": "tcp-lan-optimized",      \\ Same in both ESDs
  "lbaas_persist": "sourceip"             \\ Taken from ESD_DEMO_2
}

As noted in the example, the F5 Agent encountered conflicting settings for the lbaas_ctcp field. Because ESD_DEMO_1 has a lower position number, the F5 Agent will select its lbaas_ctcp setting and discard the setting from ESD_DEMO_2. It is possible to assign the same position to multiple l7-policies. If, for example, the F5 Agent finds multiple l7-policies with “position 1” assigned, it treats the most recent policy as the highest priority.

What happens if I don’t assign a position?¶

If you don’t assign a position argument, the F5 Agent follows the protocols defined by the LBaaS community:

“If [you create] a new policy … without specifying a position, or specifying a position that is greater than the number of policies already in the list, the new policy will just [get] appended to the list.” [1]

To expand on the previous example:

You define two ESDs in separate JSON files, then create an l7-policy for each in the order shown below.

Create L7 policies without assigning positions¶

$ lbaas-l7-policy-create –name “esd_demo_1” –action REJECT –listener vs1
$ lbaas-l7-policy-create –name “esd_demo_2” –action REJECT –listener vs1

Because you created the policy for ESD_DEMO_1 first, it receives “position 1”. If you define ESD_DEMO_2 first, it would receive “position 1” and the Agent would prioritize its settings over ESD_DEMO_1. In that case, the F5 Agent would apply the lbaas_ctcp setting from ESD_DEMO_2 to the virtual server.

[1]	Neutron/LBaaS/l7 Wiki

How do I check what ESDs are active on my virtual server?¶

Because ESDs, by definition, provide L4-7 policies beyond those available in OpenStack, you won’t be able to check them using any OpenStack interface. Instead, you can use either the BIG-IP configuration utility or TMSH to view the virtual server settings.

You can, however, use the Neutron API or CLI client to check an L7 Policy’s position. The example command shown below uses the -D flag to return detailed information.

$ neutron lbaas-l7policy-show -D esd_demo_1

What’s next¶

Check out the Neutron/LBaaS/l7 Wiki for more information about L7 switching in OpenStack.
View the Neutron client lbaas-l7policy commands.