17.8 Configuring Load Balancing Using Keepalived in DR Mode

The following example uses Keepalived in direct routing (DR) mode to implement a simple failover and load balancing configuration on two servers. One server acts as the master, the other acts as a backup, and the master server has a higher priority than the backup server. Each of the Keepalived servers has a single network interface, and the servers are connected to the same network segment (10.0.0.0/24) on which two web servers are accessible.

Figure 17.4 shows that the Keepalived master server has network addresses 10.0.0.11 and 10.0.0.1 (virtual). The Keepalived backup server has network address 10.0.0.12. The web servers websvr1 and websvr2 have network addresses 10.0.0.71 and 10.0.0.72 respectively. In addition, both web servers are configured with the virtual IP address 10.0.0.1 to make them accept packets with that destination address. Incoming requests are received by the master server and redirected to the web servers, which respond directly.

Figure 17.4 Example Keepalived Configuration for Load Balancing in DR Mode


You might use the following configuration in /etc/keepalived/keepalived.conf on the master server:

global_defs {
   notification_email {
     root@mydomain.com
   }
   notification_email_from svr1@mydomain.com
   smtp_server localhost
   smtp_connect_timeout 30
}

vrrp_instance external {
    state MASTER
    interface enp0s8
    virtual_router_id 91
    priority 200
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1215
    }
    virtual_ipaddress {
        10.0.0.1/24
    }
}

virtual_server 10.0.0.1 80 {
    delay_loop 10
    protocol TCP
    lb_algo rr
#   Use direct routing
    lb_kind DR
    persistence_timeout 7200

    real_server 10.0.0.71 80 {
        weight 1
        TCP_CHECK {
          connect_timeout 5
          connect_port 80
        }
    }

    real_server 10.0.0.72 80 {
        weight 1
        TCP_CHECK {
          connect_timeout 5
          connect_port 80
        }
    }
}

The virtual server configuration is similar to that given in Section 17.7, “Configuring Load Balancing Using Keepalived in NAT Mode”, except that the value of lb_kind is set to DR (Direct Routing). In this mode, the Keepalived server handles all inbound network traffic from the client before routing it to the back-end servers, which reply directly to the client, bypassing the Keepalived server. This configuration reduces the load on the Keepalived server but is less secure, because each back-end server requires external access and is potentially exposed as an attack surface. Some implementations use an additional network interface with a dedicated gateway for each web server to handle the response network traffic.

The configuration of the backup server is the same except for the values of notification_email_from, state, priority, and possibly interface if the system hardware configuration is different:

global_defs {
   notification_email {
     root@mydomain.com
   }
   notification_email_from svr2@mydomain.com
   smtp_server localhost
   smtp_connect_timeout 30
}

vrrp_instance external {
    state BACKUP
    interface enp0s8
    virtual_router_id 91
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1215
    }
    virtual_ipaddress {
        10.0.0.1/24
    }
}

virtual_server 10.0.0.1 80 {
    delay_loop 10
    protocol TCP
    lb_algo rr
#   Use direct routing
    lb_kind DR
    persistence_timeout 7200

    real_server 10.0.0.71 80 {
        weight 1
        TCP_CHECK {
          connect_timeout 5
          connect_port 80
        }
    }

    real_server 10.0.0.72 80 {
        weight 1
        TCP_CHECK {
          connect_timeout 5
          connect_port 80
        }
    }
}
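
The rule stated above, that the backup differs from the master only in notification_email_from, state, priority, and possibly interface, can be checked mechanically. The following Python script is an added example and not part of the original documentation: the names flatten, drift, priority_ok and TEMPLATE are hypothetical, the parser is a simplified line-based one, and the sample text is a constructed, reduced form of the configurations shown here.

```python
# Settings the page says may differ between master and backup.
ALLOWED = {"notification_email_from", "state", "priority", "interface"}

def flatten(conf_text):
    """Return {(block path, keyword, value)} for every statement."""
    stack, out = [], set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split("!", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # e.g. "vrrp_instance external"
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            out.add(("/".join(stack), key, value.strip()))
    return out

def drift(master_text, backup_text):
    """Statements found on only one server, ignoring ALLOWED keywords."""
    m, b = flatten(master_text), flatten(backup_text)
    return sorted(("master" if s in m else "backup",) + s
                  for s in m ^ b if s[1] not in ALLOWED)

def priority_ok(master_text, backup_text):
    """True when the master's VRRP priority exceeds the backup's."""
    prio = lambda t: max(int(v) for _, k, v in flatten(t) if k == "priority")
    return prio(master_text) > prio(backup_text)

# Constructed sample: a reduced form of the page's configuration.
TEMPLATE = """
vrrp_instance external {{
    state {state}
    virtual_router_id {vrid}
    priority {prio}
    virtual_ipaddress {{
        10.0.0.1/24
    }}
}}
virtual_server 10.0.0.1 80 {{
#   Use direct routing
    lb_kind {kind}
}}
"""
MASTER = TEMPLATE.format(state="MASTER", vrid=91, prio=200, kind="DR")
BACKUP = TEMPLATE.format(state="BACKUP", vrid=91, prio=100, kind="DR")
DRIFTED = TEMPLATE.format(state="BACKUP", vrid=92, prio=100, kind="NAT")
if __name__ == "__main__":
    print(drift(MASTER, DRIFTED))   # unexpected differences, per server
```

An empty list from drift means the two files differ only in the permitted settings; each reported tuple names the server, the enclosing block, the keyword and the value.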

Two further configuration changes are required:

See Section 17.5, “Installing and Configuring Keepalived” for details of how to install and configure Keepalived.