How to configure your VPS for VRRP on OpenStack

When you try to use VRRP on an OpenStack instance you will notice that a floating IP can only be attached to a single instance at a time. Also the instance will only be able to use the IP that has been assigned by OpenStack. This is by design, however it prevents the usage of VRRP software like Keepalived to failover a IP. In this article we will explain how you can easily configure three options for a instance that will make VRRP work.

Floating IPs could be used as an alternative to failing over the internal IP, however this lies outside the scope of this tutorial. If you would like to know more there is documentation on our github.
If you would like to use VRRP without a floating IP (internal only) you do not need this tutorial. All you have to do is add the internal IP to the allowed address pair via the commandline client.

Using VRRP on an OpenStack VPS

In order to use VRRP on OpenStack there are six steps. Some steps might not be necessary or might be self explanatory;


Configure 2 or more instances in an internal network

You should configure 2 or more instances, attached to your internal network, that will be running keepalived. In this step we will be creating these two instances. We assume that you already have an internal network.

Running VRRP directly on a public network will not work without using Floating IP's. Floating IP's can only be attached to internal IP's. More importantly, since VRRP traffic is unencrypted, it is also insecure.

Using the Horizon interface

Or using the commandline client

openstack server create --image "Ubuntu 16.04 (LTS)" --flavor 1001 --security-group "allow-all" --key-name "<<your-ssh-key>>" --nic net-id=<<your-net-private>> vrrp-LB-name

On creation of your new instance with the commandline client you can also give the metadata keys from the following step;

openstack server create --image "Ubuntu 16.04 (LTS)" \
 --flavor 1001 \
 --security-group "allow-all" \
 --key-name "<<your-ssh-key>>" \
 --nic net-id=<<your-net-private>> \
 --property ha_vip_address= \
 --property ha_execution=true \
 --property ha_floatingips= \
 --min 2 --max 2 \

Configure the metadata keys

In the dropdown of an existing instance, or in the left sidebar when creating a new instance, you can update the instance Metadata. Metadata is additional information about your instance. In this case we will use pre-defined values that will tell the OpenStack platform that we will be using VRRP.

Click on the + to add the HA Floating IP metadata keys.

Under "Provider platform options" => "HA Floating IP" there are three options;

  • "Internal VIP" (ha_vip_address)
  • "Floating IP adressess" (ha_floatingips)
  • "Trigger platform configuration" (ha_execution)

The first metadata key, ha_vip_address, must contain the internal IP that keepalived will use. This IP should also be reserved in the next step.

The second metadata key, ha_floatingips, can be used to assign a specific floating IP that you have allocated.
If you use a previously assigned floating IP, this will be re-assigned! If you leave this empty, an unassigned IP will be used. If there is no unassigned IP available in your project, one will be registered for you. You can configure multiple floating IPs by separating them with comma's.

The third metadata key, ha_execution, will trigger the reconfiguration of the network when set to true.
Every minute this key will be checked. When ha_execution is true the configuration in the first two keys will be applied and the ha_execution key will be updated with the timestamp or error feedback.


Configure keepalived

The internal IP must be configured as the Virtual IP of Keepalived. Please turn to the documentation of your version of keepalived on how to configure this.

If all has been configured correctly you should now have a working keepalived setup, and the attached floating IP should switch over with the keepalived master.


Reserve an additional port in the internal network (optional)

You should reserve an additional port in the internal network with the IP address used in the previous steps. The registration is only to prevent usage of the IP by other instances, and is only possible using the commandline tools. If you choose not to create this port you must manually prevent the usage of this port.

Using the commandline client

openstack port create --network net-private keepalived_port_1 --fixed-ip ip-address=

Permit VRRP traffic in securitygroups (optional)

Under "Access & Security" you will find the "Security Groups" tab where you can create additional security groups.
For more detail please take a look at the getting started.



You should now be ready to start a failover, and you will see the floating IP moving over where your internal Keepalived IP is active.

If for some reason you ever have problems with this setup you will only need to set the ha_execution metadata key to true and the setup will be reconfigured on the OpenStack networking.