HA to get all outbound traffic to come from single IP?

September 9, 2014

Hey guys,

If I set up many servers behind a load balancer to handle incoming HTTP requests, how can I get cron API calls from ANY one server to appear to come from the ONE internet address?

The reason for the same internet address is to allow it through a firewall at an external site. If I add/drop servers I want to be able to continue querying the external firewall API without bugging their security admins to allow a new IP. A single-IP setup will allow me to scale and ensure some level of HA.

I hope that makes sense. Any help would be greatly appreciated.


1 Answer

Hi Trav,

I am not sure I understood your question clearly, but I think you can configure iptables POSTROUTING and masquerading rules to make your API cron requests come from a single IP.

If you have a local network configured between the 3 servers on a private range plus a load balancer, then all servers can have a public IP (eth0) and a local IP (eth1). You just need to update the /etc/network/interfaces file to bring eth1 up with static IPs and set the new interfaces up.

Next, you can configure your load balancer in that network to masquerade requests thanks to an iptables rule of this kind:

auto eth0
iface eth0 inet static
        address PUBLIC_IP
        netmask PUBLIC_NETMASK
        gateway PUBLIC_GW
# let the kernel forward packets that arrive from the private network
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
# rewrite the source of traffic coming from the 10.10.10.0/24 backends to the public IP;
# the -s filter keeps the box from masquerading anything else it happens to receive
        post-up   iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

auto eth1
iface eth1 inet static
# local IP of the load balancer (10.10.10.1 assumed here); the backends use it as their gateway
        address 10.10.10.1
        netmask 255.255.255.0

The kernel routing table of the load balancer server keeps a route going through eth0, but can also reach the local network. The load balancing itself might be done using that local IP to reach the backend IPs.

On the 3 other backend servers, you can configure the kernel routes to use the eth1 device as the default interface to leave the network, using the load balancer's local IP as the gateway address.

auto eth0
iface eth0 inet static
        address BACKEND_PUBLIC_IP
        netmask BACKEND_PUBLIC_NETMASK
# no gateway on eth0: the default route must go through eth1

auto eth1
iface eth1 inet static
        address 10.10.10.X
        netmask 255.255.255.0
# the load balancer's local IP (10.10.10.1 assumed) becomes the default gateway;
# ifupdown installs the default route from this line, so no extra post-up route is needed
        gateway 10.10.10.1

In that situation each VM can ping the load balancer and the others through the local IP, and if the masquerading rule was set successfully, the load balancer will make all requests to the external site using the public IP configured on the load balancer.

I believe this was the kind of configuration you were looking for. You should be able to use that information to design your load balancing using masquerading for backend server requests.

Hope this helps.


  • Thanks heaps rustx!!

    Your solution is a little over my head but I get the basic idea. I will attempt to configure it and perform some tests.

    Thanks again.
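The two sides of the setup described in the answer above, as an added example that is not part of rustx's answer or the original thread: a small POSIX shell script that renders the commands for the load balancer (forwarding, masquerade, and a FORWARD policy restricted to the backends) and for each backend (default route through the load balancer). The private subnet 10.10.10.0/24, the load balancer's local address 10.10.10.1, and the interface names eth0/eth1 are assumptions, overridable through environment variables. The commands are printed rather than executed so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example for this thread, not code from rustx's answer. Renders the
# commands that turn the load balancer into a NAT gateway for the backends and
# points each backend's default route at it. Assumed values (not from the
# thread): private subnet 10.10.10.0/24, load balancer local IP 10.10.10.1,
# public interface eth0, private interface eth1.
set -eu

LAN_SUBNET="${LAN_SUBNET:-10.10.10.0/24}"
LB_LOCAL_IP="${LB_LOCAL_IP:-10.10.10.1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Commands for the load balancer. The -s filter on the masquerade rule and the
# DROP policy on FORWARD are what keep the box from becoming an open router:
# only packets from the private subnet leave via the public interface, and only
# replies to those connections are forwarded back in.
nat_gateway_rules() {
    subnet="$1"; wan="$2"; lan="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $subnet -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Commands for a backend: everything not on the local subnet goes through the
# load balancer's private address. "replace" makes the call idempotent.
backend_route_cmds() {
    gw="$1"; lan="$2"
    cat <<EOF
ip route replace default via $gw dev $lan
EOF
}

# Returns 0 when the masquerade rule is loaded (needs root). -C checks for an
# exact match without changing the ruleset, which is useful in a post-up hook
# to avoid appending a duplicate on every ifup.
masquerade_rule_present() {
    iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null
}

# Stand-alone run: print the recipe for both roles.
echo "# --- on the load balancer ($WAN_IF public, $LAN_IF private) ---"
nat_gateway_rules "$LAN_SUBNET" "$WAN_IF" "$LAN_IF"
echo "# --- on each backend ---"
backend_route_cmds "$LB_LOCAL_IP" "$LAN_IF"
```

Two caveats a practitioner would want with this layout. First, when the public address of the load balancer is static, `-j SNAT --to-source PUBLIC_IP` is the more predictable choice than MASQUERADE, which picks whatever address the outgoing interface has at the time and drops its connection-tracking state if the interface goes down. Second, a backend that still has a public address on eth0 but a default route via eth1 will answer connections made to that public address through the load balancer, so either keep such backends reachable only through the balancer or add a policy route for eth0's own traffic. The gateway itself is now a single point of failure for outbound calls; keeping the external site's allow-list stable across a gateway failure means the public IP has to move with the gateway role, which this thread does not cover.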
