Elastic IP

The Safespring Elastic IP feature allows users and projects to announce anycast IP addresses within a site, enabling load balancing and/or failover for your services. Customer instances advertise the addresses, IPv4 and/or IPv6, via Border Gateway Protocol (BGP). If the same address is advertised from multiple instances, Equal Cost Multipath (ECMP) routes will be created in the Safespring infrastructure.

Example use cases for the Safespring Elastic IP feature include MetalLB for container clusters and anycast-enabled haproxy servers.

How it works

Each project consuming the Elastic IP feature will be provided an extra OpenStack network. The OpenStack network itself will provide a pool of private IPv4 addresses with NAT policy, as well as public IPv6 addresses. Prefixes from which you pick IP addresses to be advertised are also provided, in addition to a mandatory AS number. After launching one or more instances attached to this OpenStack network, you are ready to advertise anycast addresses.

Example configuration

In this example we will launch an instance, install a BGP speaker and verify IPv4 and IPv6 connectivity. Launching the instance is no different from what you would normally do; the only difference is the OpenStack network the instance attaches to. In our example we will be using the popular BGP speaker Bird; other widely used BGP speakers include Free Range Routing, GoBGP and ExaBGP.

Please note that the Security Groups you configure for your instance will be applied to the OpenStack network for the instance, as well as to the IP addresses announced by the instance.

Installing Bird is trivial as it is available in most Linux distributions (Enterprise Linux may require the EPEL repository). For example, in recent Ubuntu releases it can be installed with

# sudo apt-get install -y bird2

Regardless of which software you use, there are common parameters:

  1. Your assigned AS number
  2. A provided AS number to peer your instance to, which is different from the instance's AS number
  3. IPv4 and IPv6 prefixes you are allowed to announce

A complete configuration file for Bird could look like this:

router id 10.129.0.3;

# Only announce prefixes inside the IPv4 prefix you are allowed to announce.
filter export_bgp_v4 {
    if net ~ 185.189.29.0/31 then accept;
    else {
        reject;
    }
}

# Only announce prefixes inside the IPv6 prefix you are allowed to announce.
filter export_bgp_v6 {
    if net ~ 2a0a:bcc0:40:4::/127 then accept;
    else {
        reject;
    }
}

protocol device {
    scan time 5;
}

protocol direct {
    disabled;
    ipv4;
    ipv6;
}

# Learn IPv4 routes added to the kernel table, e.g. with "ip route add".
protocol kernel {
    learn;
    scan time 2;
    ipv4 {
        import all;
        export all;
    };
}

# Same for IPv6.
protocol kernel {
    learn;
    scan time 2;
    ipv6 {
        import all;
        export all;
    };
}

protocol bgp safespring {
    neighbor 169.254.169.254 port 179 as 64700;
    local 10.129.0.3 as 64512;
    multihop;
    ipv4 {
        import none;                    # accept no routes from the peer
        export filter export_bgp_v4;
    };
    ipv6 {
        import none;                    # accept no routes from the peer
        export filter export_bgp_v6;
    };
}

The address and port to connect to are always 169.254.169.254:179. Even though the BGP peering happens over IPv4 only, you may advertise IPv6 prefixes over this connection. Please note that the term "safespring" is an arbitrary name set specifically in Bird in order to identify the connection; it has no technical meaning or effect. After starting Bird we can check status with

# birdcl show protocol safespring
BIRD 2.0.7 ready.
Name       Proto      Table      State  Since         Info
safespring BGP        ---        up     11:21:37.847  Established

At this point we can start advertising prefixes. Given the above configuration, we want to advertise 185.189.29.0/32. First, we have to actually assign the IP address to an interface on the instance. That interface can be of the dummy interface type, or you can assign the IP address directly to the loopback interface.

ip addr add 185.189.29.0/32 dev lo
ip -6 addr add 2a0a:bcc0:40:4::/128 dev lo

The advertisement happens as soon as there is a route to the IP address.

ip route add 185.189.29.0/32 dev lo
ip -6 route add 2a0a:bcc0:40:4::/128 dev lo

Likewise, the advertisement will stop as soon as you delete the routes. In our example, we can check which prefixes we are announcing with

# birdcl show route export safespring
BIRD 2.0.7 ready.
Table master4:
185.189.29.0/32      unicast [kernel1 12:39:30.408] (10)
    dev lo

Table master6:
2a0a:bcc0:40:4::/128 unicast [kernel2 12:44:41.579] (10)
    dev lo
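
Because the kernel protocols in the configuration above import every kernel route, the export filters are the only thing limiting what is announced. The following added example (not part of the original documentation) parses `birdcl show route export safespring` output and reports any prefix outside the allowed ranges; the sample output is constructed, with an extra `192.0.2.0/24` line standing in for what a loosened filter would let through.

```python
import ipaddress
import re

# Prefixes the export filters in the example configuration allow.
ALLOWED = [ipaddress.ip_network("185.189.29.0/31"),
           ipaddress.ip_network("2a0a:bcc0:40:4::/127")]

# Route lines start in column 0 with a prefix; next-hop lines are indented.
ROUTE_LINE = re.compile(r"^(\S+/\d+)\s")

# Constructed sample: the page's output plus one route that should not be there.
SAMPLE = """\
BIRD 2.0.7 ready.
Table master4:
185.189.29.0/32      unicast [kernel1 12:39:30.408] (10)
    dev lo
192.0.2.0/24         unicast [kernel1 12:40:02.115] (10)
    dev eth0

Table master6:
2a0a:bcc0:40:4::/128 unicast [kernel2 12:44:41.579] (10)
    dev lo
"""

def exported_prefixes(birdcl_output):
    """Extract the prefixes listed in `birdcl show route export` output."""
    found = []
    for line in birdcl_output.splitlines():
        match = ROUTE_LINE.match(line)
        if match:
            found.append(ipaddress.ip_network(match.group(1), strict=False))
    return found

def outside_allowed(prefixes, allowed=ALLOWED):
    """Return prefixes not contained in an allowed prefix of the same family."""
    return [p for p in prefixes
            if not any(p.version == a.version and p.subnet_of(a) for a in allowed)]

def audit(birdcl_output):
    """Return the announced prefixes that violate the allow list, as strings."""
    return [str(p) for p in outside_allowed(exported_prefixes(birdcl_output))]

if __name__ == "__main__":
    for prefix in audit(SAMPLE):
        print("announced outside allowed ranges:", prefix)
```
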

Next steps

More instances advertising the same IP addresses may be created (with identical configuration for the BGP speaker software, with the notable exception of the instance's own address). Depending on your use case, a service health checker can be useful. For example, AnyCast Healthchecker configures the Bird daemon directly. If you are using MetalLB, please note that by default MetalLB will try peering all your nodes with the infrastructure. This may not be optimal, so consider deploying only a few nodes with elastic IP.
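
A minimal health checker, as an added example that is not part of the original documentation and not the AnyCast Healthchecker code: instead of configuring Bird, it adds and deletes the kernel routes shown earlier, so the advertisement follows the state of the local service. The TCP probe on port 443 and the rise/fall thresholds are assumptions.

```python
import socket
import subprocess
import time

# Anycast routes from the example above; Bird announces them while they exist.
ROUTES = [("-4", "185.189.29.0/32"), ("-6", "2a0a:bcc0:40:4::/128")]

class Hysteresis:
    """Announce after `rise` good probes in a row, withdraw after `fall` bad ones."""
    def __init__(self, rise=2, fall=3):
        self.rise, self.fall = rise, fall
        self.good = self.bad = 0
        self.announced = False

    def update(self, healthy):
        """Feed one probe result; return 'announce', 'withdraw' or None."""
        if healthy:
            self.good, self.bad = self.good + 1, 0
            if not self.announced and self.good >= self.rise:
                self.announced = True
                return "announce"
        else:
            self.good, self.bad = 0, self.bad + 1
            if self.announced and self.bad >= self.fall:
                self.announced = False
                return "withdraw"
        return None

def probe(host="127.0.0.1", port=443, timeout=1.0):
    """Assumed health check: the local service accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def apply_action(action):
    """Add or delete the kernel routes that Bird exports (needs root)."""
    verb = "replace" if action == "announce" else "del"
    for family, prefix in ROUTES:
        subprocess.run(["ip", family, "route", verb, prefix, "dev", "lo"], check=False)

if __name__ == "__main__":
    apply_action("withdraw")  # start withdrawn until the service proves healthy
    state = Hysteresis()
    while True:
        action = state.update(probe())
        if action:
            apply_action(action)
        time.sleep(2)
```
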

Conclusion

Safespring Elastic IP enables a generic and simple method of implementing load balancing and failover over the industry-standard BGP protocol for a variety of use cases. Please contact us in order to get the necessary resources to get started.