HA to get all outbound traffic to come from single IP?

  • Posted on September 9, 2014
  • Asked by trav

Hey guys,

If I set up many servers behind a load balancer to handle incoming HTTP requests, how can I get cron API calls from ANY one server to appear to come from the ONE internet address?

The reason for the same internet address is to allow it through a firewall at an external site. If I add/drop servers I want to be able to continue querying the external firewall API without bugging their security admins to allow a new IP. A single IP setup will allow me to scale and ensure some level of HA.

I hope that makes sense. Any help would be greatly appreciated.

Cheers, Trav.


Hi Trav,

I am not sure I understood your question clearly, but I think you can configure iptables post-routing and masquerading rules to make your API cron requests come from a single IP.

If you have a local network configured between the 3 servers on a private range, plus a load balancer, then all servers can have a public IP (eth0) and a local IP (eth1). You just need to update the /etc/network/interfaces file to bring eth1 up with static IPs and set the new interfaces up.

Next, you can configure your load balancer in that network to masquerade requests thanks to an iptables rule of this kind:

auto eth0
iface eth0 inet static
        address PUBLIC_IP
        netmask PUBLIC_MASK
        gateway PUBLIC_GW
        # make the load balancer route packets for the backend subnet
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        # LOCAL_SUBNET is a placeholder (like PUBLIC_IP) for the eth1 network, e.g. 10.10.10.0/24;
        # restricting -s to that subnet keeps the rule from masquerading anything else
        post-up   iptables -t nat -A POSTROUTING -s LOCAL_SUBNET -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s LOCAL_SUBNET -o eth0 -j MASQUERADE

auto eth1
iface eth1 inet static
        # LB_LOCAL_IP is a placeholder for the load balancer address on the backend subnet, e.g. 10.10.10.1
        address LB_LOCAL_IP
        netmask 255.255.255.0

The kernel route of the load balancer server keeps a route going through eth0, but can access the local network. The load balancing might be done using that local IP to reach backend IPs.

On the 3 other backend servers, you can configure the kernel routes to use eth1 device as default interface to go out of the network, using the load balancer local IP as gateway address.

auto eth0
iface eth0 inet static
        address PUBLIC_IP
        netmask PUBLIC_MASK
        # no gateway on eth0: the default route must leave through eth1

auto eth1
iface eth1 inet static
        address 10.10.10.X
        netmask 255.255.255.0
        # LB_LOCAL_IP is a placeholder for the load balancer's eth1 address (its local IP is the gateway)
        post-up   route add default gw LB_LOCAL_IP dev eth1
        post-down route del default gw LB_LOCAL_IP dev eth1

In this situation each VM can ping the load balancer through the local IP, and if the masquerading rule was set successfully, the load balancer will make all requests directly to the external site using the public IP configured on the load balancer.

I believe this was the kind of configuration you were looking for. You should be able to use this information to design your load balancing using masquerading for backend server requests.

Hope this helps.

– rustx