Neutron to BIG-IP Command Mapping

When you issue neutron lbaas commands on your OpenStack Neutron controller, the F5 Agent for OpenStack Neutron configures objects on your BIG-IP device(s). This document describes how OpenStack Neutron LBaaS objects correspond to BIG-IP objects and what actions the F5 Agent takes for each neutron lbaas-loadbalancer CLI command.

F5 LBaaSv2 uses the f5-sdk to communicate with BIG-IP via the F5 iControl REST API. The table below shows the corresponding iControl endpoint and BIG-IP object for each neutron lbaas ‘create’ command.

Neutron Command to iControl REST API Endpoint Mapping

Neutron command                        iControl REST API endpoint
neutron lbaas-loadbalancer-create      https://<icontrol_endpoint>:443/mgmt/tm/sys/folder/~Project_<os_tenant_id>
neutron lbaas-listener-create          https://<icontrol_endpoint>:443/mgmt/tm/ltm/virtual/
neutron lbaas-pool-create              https://<icontrol_endpoint>:443/mgmt/tm/ltm/pool/
neutron lbaas-member-create            https://<icontrol_endpoint>:443/mgmt/tm/ltm/pool/~Project_<os_tenant_id>~pool1/members/
neutron lbaas-healthmonitor-create     https://<icontrol_endpoint>:443/mgmt/tm/ltm/monitor/http/

The sections below cover the settings the F5 Agent applies to a standalone, overcloud BIG-IP device. The actual settings applied for a given command can vary depending on your existing BIG-IP device configurations and network architecture.


To view the actual API calls the F5 Agent sends to the BIG-IP device(s), set the F5 Agent’s DEBUG level to ‘True’ and view the logs (/var/log/neutron/f5-openstack-agent.log).
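
An added example (not part of the F5 documentation or the F5 Agent's code): a Python helper that maps iControl REST URLs, such as those taken from the debug log, back to the Neutron command in the table above and flags calls that name another tenant's ~Project_<os_tenant_id> partition. Extracting URLs from the log is left out; the hostname, tenant IDs and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Endpoint prefixes from the mapping table on this page.
ENDPOINTS = [
    ("/mgmt/tm/sys/folder", "neutron lbaas-loadbalancer-create"),
    ("/mgmt/tm/ltm/virtual", "neutron lbaas-listener-create"),
    ("/mgmt/tm/ltm/pool", "neutron lbaas-pool-create"),
    ("/mgmt/tm/ltm/monitor/http", "neutron lbaas-healthmonitor-create"),
]
# Partition naming from the table: ~Project_<os_tenant_id>[~<object name>]
TENANT_RE = re.compile(r"~Project_([^~/]+)")

def classify(url):
    """Return (neutron_command, tenant_id) for one iControl REST URL.

    Either element is None when the URL is not in the table or when it
    names no tenant partition (for example a bare collection URL).
    """
    path = urlsplit(url).path.rstrip("/")
    for prefix, command in ENDPOINTS:
        if path != prefix and not path.startswith(prefix + "/"):
            continue
        # A pool URL ending in the members sub-collection is a member call.
        if prefix.endswith("/pool") and re.search(r"/members(/|$)", path[len(prefix):]):
            command = "neutron lbaas-member-create"
        match = TENANT_RE.search(path)
        return command, match.group(1) if match else None
    return None, None

def foreign_partition_calls(urls, expected_tenant):
    """URLs that map to an LBaaS command but name another tenant's partition."""
    flagged = []
    for url in urls:
        command, tenant = classify(url)
        if command and tenant and tenant != expected_tenant:
            flagged.append(url)
    return flagged

# Constructed sample URLs (hostname and tenant IDs are made up).
SAMPLE_URLS = [
    "https://bigip.example.test:443/mgmt/tm/sys/folder/~Project_aaaa1111",
    "https://bigip.example.test:443/mgmt/tm/ltm/virtual/",
    "https://bigip.example.test:443/mgmt/tm/ltm/pool/~Project_aaaa1111~pool1/members/",
    "https://bigip.example.test:443/mgmt/tm/ltm/pool/~Project_bbbb2222~pool1/members/",
    "https://bigip.example.test:443/mgmt/tm/ltm/monitor/http/",
    "https://bigip.example.test:443/mgmt/tm/net/tunnels/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u), u)
    print("foreign:", foreign_partition_calls(SAMPLE_URLS, "aaaa1111"))
```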

Start the F5 Agent for OpenStack Neutron

systemctl start f5-openstack-agent
When you first start the F5 Agent:
  • it reads the vtep self IP defined in the F5 Agent config file;
  • the F5 Agent discovers the BIG-IP vtep IP address and advertises it to Neutron as its tunneling_ip;
  • the F5 Driver for OpenStack LBaaSv2 adds a new port for the vtep to the OVS switch;
  • the F5 Agent adds profiles for all tunnel types to the BIG-IP device(s).

Create a Neutron LBaaS Load Balancer

neutron lbaas-loadbalancer-create
The F5 Agent creates the following:
  • new BIG-IP partition
  • BIG-IP forwarding database (FDB) records for all peers in the network
  • new BIG-IP route domain
  • new BIG-IP self IP on the specified subnet (this is the IP address at which the BIG-IP device can receive traffic for this load balancer)
  • new tunnel (uses the vtep as the local address and the BIG-IP vxlan profile created when the F5 Agent started) [1]
  • new SNAT pool list/SNAT translation list [2]

In addition, the F5 Driver adds a Neutron port for each SNAT address.

  • If BIG-IP SNAT mode is off and you have f5_snat_addresses_per_subnet set to 0, the BIG-IP acts as a gateway and handles all return traffic from members.
  • If BIG-IP SNAT mode is on and you have f5_snat_addresses_per_subnet set to 0, the BIG-IP device uses SNAT automap.

Create a Neutron LBaaS Listener

neutron lbaas-listener-create
The F5 Agent creates a new BIG-IP virtual server in the specified partition.
  • uses the Fast L4 protocol
  • uses the IP address Neutron assigned to the load balancer
  • uses the route domain created for the load balancer
  • if you’re using tunnels, traffic is only handled in the tunnel assigned to the load balancer
  • for secure listeners using the TERMINATED_HTTPS protocol: [3]
    • fetches the certificate/key container from Barbican.
    • adds the key and certificate to the BIG-IP device(s).
    • creates a custom SSL profile using clientssl as the parent profile.
    • adds the new SSL profile to the virtual server.

Create a Neutron LBaaS Pool

neutron lbaas-pool-create
The F5 Agent adds a new pool to the specified virtual server.

Create a Neutron LBaaS Member

neutron lbaas-member-create
The F5 Agent adds a new member to the requested pool using the specified IP address and port.
  • If there is a Neutron port associated with the specified IP address and subnet, the F5 Agent creates a forwarding database (FDB) entry for the member on the BIG-IP device(s). [4]
  • When you add a member to a pool for the first time, the BIG-IP pool status changes.
  • When you create a member with a specific IP address for the first time, the F5 Agent also creates a new BIG-IP node for that IP address.

Create a Neutron LBaaS Health Monitor

neutron lbaas-healthmonitor-create
The F5 Agent creates a new BIG-IP health monitor for the specified pool.
  • Creating a health monitor for a pool for the first time makes the BIG-IP pool status change.
  • Health monitors directly affect the status and availability of BIG-IP pools and pool members. Any additions or changes may change the status of the specified pool.


[1] If using global routed mode, the F5 Agent doesn’t create a tunnel. Instead, all traffic goes to the load balancer’s self IP address.
[2] You can set the number of SNAT addresses to create via the f5_snat_addresses_per_subnet setting in the L2 Segmentation Mode settings section of the F5 Agent configuration file.
[3] See Set up the F5 Agent for OpenStack Barbican.
[4] The F5 Agent will not create an FDB entry if the pool member IP address and subnet don’t have a corresponding Neutron port. In such cases, warning messages print to the f5-openstack-agent and neutron-server logs.