Configure a floating IP between multiple instances with Neutron

Follow these steps to configure a floating IP address between instances:

1) List your existing VMs:

# nova list
+--------------------------------------+--------------------+--------+------------+-------------+------------------------------------+
| ID                                   | Name               | Status | Task State | Power State | Networks                           |
+--------------------------------------+--------------------+--------+------------+-------------+------------------------------------+
| 8acf9bce-7cb6-4d7c-8000-462fe2c8320d | test1.u1404.arahal | ACTIVE | -          | Running     | inap-16182-WAN2526=192.170.156.162 |
| 0bde5aff-c573-451a-9bb2-f9f38a3b187f | test2.u1404.arahal | ACTIVE | -          | Running     | inap-16182-WAN2526=192.170.156.163 |
+--------------------------------------+--------------------+--------+------------+-------------+------------------------------------+

2) Add a Neutron port:

To prevent the virtual IP from being allocated to a specific VM, even one of the VMs that will receive it, create a placeholder port with the chosen IP.

3) Get the network_id and subnet_id

To add a port, you need to know the network_id and the subnet_id:

# neutron net-list
+--------------------------------------+--------------------+---------------------------------------------------------+
| id                                   | name               | subnets                                                 |
+--------------------------------------+--------------------+---------------------------------------------------------+
| 189e8790-c4ca-41f0-9b66-0caa23a261d2 | inap-16182-WAN2526 | dc5fa6b0-de0c-470b-b268-8951b8e86ecd 192.170.156.160/29 |
| 47ab68dc-ef69-40dc-ac71-108dbe0d7850 | inap-16182-LAN3505 | 7a1babac-340f-4076-9df8-7b279fed4744 172.31.72.32/27    |
+--------------------------------------+--------------------+---------------------------------------------------------+

Here, we found:

  • network_id: 189e8790-c4ca-41f0-9b66-0caa23a261d2
  • subnet_id: dc5fa6b0-de0c-470b-b268-8951b8e86ecd

Automatic IP selection

If you don’t need a specific virtual IP but just want it to be in the right subnet, you can let Neutron do its IPAM (IP Address Management) job by providing just the right network_id and subnet_id.

# neutron port-create --fixed-ip subnet_id=dc5fa6b0-de0c-470b-b268-8951b8e86ecd --no-security-groups --name "Virtual IP" 189e8790-c4ca-41f0-9b66-0caa23a261d2
+-----------------------+----------------------------------------------------------------------------------------+
| Field                 | Value                                                                                  |
+-----------------------+----------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                   |
| allowed_address_pairs |                                                                                        |
| binding:vnic_type     | normal                                                                                 |
| device_id             |                                                                                        |
| device_owner          |                                                                                        |
| fixed_ips             | {"subnet_id": "dc5fa6b0-de0c-470b-b268-8951b8e86ecd", "ip_address": "192.170.156.166"} |
| id                    | e684349b-bfff-4fad-8d66-6679284dda44                                                   |
| mac_address           | fa:16:3e:67:b5:eb                                                                      |
| name                  | Virtual IP                                                                             |
| network_id            | 189e8790-c4ca-41f0-9b66-0caa23a261d2                                                   |
| security_groups       |                                                                                        |
| status                | DOWN                                                                                   |
| tenant_id             | 7e5c7c0ce561448dab5a0a82e6685684                                                       |
+-----------------------+----------------------------------------------------------------------------------------+

The output shows the automatically chosen IP, which is guaranteed to be unused: 192.170.156.166

Manual IP selection

If you want to select the virtual IP, it must be currently available in the subnet. To make sure you are in the correct range, list the subnets:

# neutron subnet-list
+--------------------------------------+------+--------------------+--------------------------------------------------------+
| id                                   | name | cidr               | allocation_pools                                       |
+--------------------------------------+------+--------------------+--------------------------------------------------------+
| 7a1babac-340f-4076-9df8-7b279fed4744 |      | 172.31.72.32/27    | {"start": "172.31.72.34", "end": "172.31.72.62"}       |
| dc5fa6b0-de0c-470b-b268-8951b8e86ecd |      | 192.170.156.160/29 | {"start": "192.170.156.162", "end": "192.170.156.166"} |
+--------------------------------------+------+--------------------+--------------------------------------------------------+

The subnet list shows the available IP ranges. Listing all the ports shows which IPs are already taken:

# neutron port-list
+--------------------------------------+-------------+-------------------+----------------------------------------------------------------------------------------+
| id                                   | name        | mac_address       | fixed_ips                                                                              |
+--------------------------------------+-------------+-------------------+----------------------------------------------------------------------------------------+
| 782e96f8-f310-43e2-ab75-143fa5e2416b |             | fa:16:3e:a3:87:cf | {"subnet_id": "dc5fa6b0-de0c-470b-b268-8951b8e86ecd", "ip_address": "192.170.156.163"} |
| b422baa3-e71b-49b9-aecf-d4c0aece11ed |             | fa:16:3e:57:1e:9a | {"subnet_id": "dc5fa6b0-de0c-470b-b268-8951b8e86ecd", "ip_address": "192.170.156.162"} |
+--------------------------------------+-------------+-------------------+----------------------------------------------------------------------------------------+
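Combining the two listings, as an added example that is not part of the original article: this Python function subtracts the fixed IPs held by ports from the subnet's allocation pools to list the addresses still free. The inline data is constructed from the tables above, and the name free_addresses is hypothetical.

```python
import ipaddress

# Constructed sample data copied from the subnet-list and port-list output above.
SUBNET_ID = "dc5fa6b0-de0c-470b-b268-8951b8e86ecd"
ALLOCATION_POOLS = [{"start": "192.170.156.162", "end": "192.170.156.166"}]
PORTS = [
    {"id": "782e96f8-f310-43e2-ab75-143fa5e2416b",
     "fixed_ips": [{"subnet_id": SUBNET_ID, "ip_address": "192.170.156.163"}]},
    {"id": "b422baa3-e71b-49b9-aecf-d4c0aece11ed",
     "fixed_ips": [{"subnet_id": SUBNET_ID, "ip_address": "192.170.156.162"}]},
]


def free_addresses(pools, ports, subnet_id):
    """Return the pool addresses that no port holds as a fixed IP.

    free_addresses is a hypothetical helper name; the dict keys are the
    field names shown in the neutron output.
    """
    taken = {
        ipaddress.ip_address(fip["ip_address"])
        for port in ports
        for fip in port.get("fixed_ips", [])
        if fip.get("subnet_id") == subnet_id
    }
    free = []
    for pool in pools:
        start = ipaddress.ip_address(pool["start"])
        end = ipaddress.ip_address(pool["end"])
        if start.version != end.version or start > end:
            raise ValueError(f"malformed allocation pool: {pool}")
        # Walk the pool by integer value; fine for small IPv4 pools like this one.
        for value in range(int(start), int(end) + 1):
            addr = ipaddress.ip_address(value)
            if addr not in taken:
                free.append(str(addr))
    return free


if __name__ == "__main__":
    print(free_addresses(ALLOCATION_POOLS, PORTS, SUBNET_ID))
```

An address that is only listed in another port's allowed_address_pairs does not count as taken here, which is why the procedure reserves the virtual IP with its own port.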

First, choose an available IP out of the same subnet as the servers (192.170.156.164).

Then, create a new port on the network (189e8790-c4ca-41f0-9b66-0caa23a261d2) with the chosen IP (192.170.156.164):

# neutron port-create --fixed-ip subnet_id=dc5fa6b0-de0c-470b-b268-8951b8e86ecd,ip_address=192.170.156.164 --no-security-groups --name "Virtual IP" 189e8790-c4ca-41f0-9b66-0caa23a261d2
Created a new port:
+-----------------------+----------------------------------------------------------------------------------------+
| Field                 | Value                                                                                  |
+-----------------------+----------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                   |
| allowed_address_pairs |                                                                                        |
| binding:vnic_type     | normal                                                                                 |
| device_id             |                                                                                        |
| device_owner          |                                                                                        |
| fixed_ips             | {"subnet_id": "dc5fa6b0-de0c-470b-b268-8951b8e86ecd", "ip_address": "192.170.156.164"} |
| id                    | bf9cfd5f-caa4-44f2-96a3-346c009b0d42                                                   |
| mac_address           | fa:16:3e:2b:3f:4b                                                                      |
| name                  | Virtual IP                                                                             |
| network_id            | 189e8790-c4ca-41f0-9b66-0caa23a261d2                                                   |
| security_groups       |                                                                                        |
| status                | DOWN                                                                                   |
| tenant_id             | 7e5c7c0ce561448dab5a0a82e6685684                                                       |
+-----------------------+----------------------------------------------------------------------------------------+

Allow the virtual IP on each VM

Anti-spoofing is still enforced on the VM ports, so you need to explicitly allow the virtual IP to reach the VMs.

This is done with the allowed_address_pairs feature on the ports of the given VMs.

Find the current ports

# neutron port-list
+--------------------------------------+------------+-------------------+----------------------------------------------------------------------------------------+
| id                                   | name       | mac_address       | fixed_ips                                                                              |
+--------------------------------------+------------+-------------------+----------------------------------------------------------------------------------------+
| 782e96f8-f310-43e2-ab75-143fa5e2416b |            | fa:16:3e:a3:87:cf | {"subnet_id": "dc5fa6b0-de0c-470b-b268-8951b8e86ecd", "ip_address": "192.170.156.163"} |
| b422baa3-e71b-49b9-aecf-d4c0aece11ed |            | fa:16:3e:57:1e:9a | {"subnet_id": "dc5fa6b0-de0c-470b-b268-8951b8e86ecd", "ip_address": "192.170.156.162"} |
| bf9cfd5f-caa4-44f2-96a3-346c009b0d42 | Virtual IP | fa:16:3e:2b:3f:4b | {"subnet_id": "dc5fa6b0-de0c-470b-b268-8951b8e86ecd", "ip_address": "192.170.156.164"} |
+--------------------------------------+------------+-------------------+----------------------------------------------------------------------------------------+

Correlate with the VM list (nova list) to identify the VM ports. Note the placeholder port holding the IP that was selected.

VM ports are:

  • 782e96f8-f310-43e2-ab75-143fa5e2416b
  • b422baa3-e71b-49b9-aecf-d4c0aece11ed

Allow the additional IP on the ports

# neutron port-update 782e96f8-f310-43e2-ab75-143fa5e2416b --allowed-address-pairs type=dict list=true ip_address=192.170.156.164
Updated port: 782e96f8-f310-43e2-ab75-143fa5e2416b
# neutron port-update b422baa3-e71b-49b9-aecf-d4c0aece11ed --allowed-address-pairs type=dict list=true ip_address=192.170.156.164
Updated port: b422baa3-e71b-49b9-aecf-d4c0aece11ed

Check that the assignment worked:

# neutron port-show 782e96f8-f310-43e2-ab75-143fa5e2416b --fields allowed_address_pairs
+-----------------------+-----------------------------------------------------------------------+
| Field                 | Value                                                                 |
+-----------------------+-----------------------------------------------------------------------+
| allowed_address_pairs | {"ip_address": "192.170.156.164", "mac_address": "fa:16:3e:a3:87:cf"} |
+-----------------------+-----------------------------------------------------------------------+
# neutron port-show b422baa3-e71b-49b9-aecf-d4c0aece11ed --fields allowed_address_pairs
+-----------------------+-----------------------------------------------------------------------+
| Field                 | Value                                                                 |
+-----------------------+-----------------------------------------------------------------------+
| allowed_address_pairs | {"ip_address": "192.170.156.164", "mac_address": "fa:16:3e:57:1e:9a"} |
+-----------------------+-----------------------------------------------------------------------+
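Because allowed_address_pairs relaxes anti-spoofing on a port, the per-port check above can be extended to the whole setup. The following is an added example, not part of the original article: it verifies that the virtual IP is reserved by an unbound placeholder port, that each VM port allows exactly that one host address, and that no other port allows it. The port records are constructed from the listings above; the device_id values are assumed from matching port IPs against nova list, and the names port, audit_vip and MEMBERS are hypothetical.

```python
import ipaddress

VIP = "192.170.156.164"
MEMBERS = {"782e96f8-f310-43e2-ab75-143fa5e2416b",
           "b422baa3-e71b-49b9-aecf-d4c0aece11ed"}

def port(pid, device_id, fixed_ip, pairs):
    """Build a record with the Neutron port fields this audit reads."""
    return {"id": pid, "device_id": device_id,
            "fixed_ips": [{"ip_address": fixed_ip}],
            "allowed_address_pairs": [{"ip_address": p} for p in pairs]}

# Constructed sample: the three ports from the listings above. The device_id
# values are assumed from matching port IPs against `nova list`.
PORTS = [
    port("782e96f8-f310-43e2-ab75-143fa5e2416b",
         "0bde5aff-c573-451a-9bb2-f9f38a3b187f", "192.170.156.163", [VIP]),
    port("b422baa3-e71b-49b9-aecf-d4c0aece11ed",
         "8acf9bce-7cb6-4d7c-8000-462fe2c8320d", "192.170.156.162", [VIP]),
    port("bf9cfd5f-caa4-44f2-96a3-346c009b0d42", "", VIP, []),
]

def audit_vip(ports, vip, members):
    """Return findings; an empty list means the setup matches the procedure."""
    findings = []
    vip_addr = ipaddress.ip_address(vip)
    holders = [p for p in ports
               if any(f["ip_address"] == vip for f in p["fixed_ips"])]
    if not holders:
        findings.append(f"{vip} is not reserved by any port")
    for p in holders:
        if p["device_id"]:
            findings.append(f"{p['id']}: VIP is a fixed IP of a bound port")
    allowing = set()
    for p in ports:
        for pair in p["allowed_address_pairs"]:
            # A pair may be a CIDR; anything wider than one host is flagged.
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            if net.num_addresses > 1:
                findings.append(f"{p['id']}: pair {net} is wider than one host")
            elif net.network_address != vip_addr:
                findings.append(f"{p['id']}: unexpected pair {net}")
            elif p["id"] in members:
                allowing.add(p["id"])
            else:
                findings.append(f"{p['id']}: non-member port allows {vip}")
    for pid in sorted(members - allowing):
        findings.append(f"{pid}: member port does not allow {vip}")
    return findings
```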

Bind IP to one of the hosts

root@test1:~# ip addr add 192.170.156.164/32 dev eth0

The new IP should now be reachable. If not, try arping to the gateway:

arping -c 1 192.170.156.161 -S 192.170.156.164

ARPING 192.170.156.161
60 bytes from 00:12:f2:f5:d9:00 (192.170.156.161): index=0 time=644.541 msec

--- 192.170.156.161 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)