
Isolate admin services

Available since:

  • HAProxy ALOHA 16.0

By default, the HAProxy ALOHA virtual appliance uses a single network interface, eth0, for all traffic, including production traffic and traffic for administrative services like the ALOHA Web UI. This guide describes how to separate the administrative services onto a different network interface so that both inbound and outbound traffic for the service travel over a different network.

Outbound traffic still flows through the default gateway unless you explicitly bind the service to the new interface using the @interface notation described here. The @interface notation binds both inbound and outbound traffic for the service to the named interface. In addition, the notation blocks any traffic routed to the service from an interface other than the named interface.

To bind administrative services to an interface:

  1. If needed, add a network interface to the HAProxy ALOHA virtual machine. See the documentation for your VM hypervisor. The new interface will appear as eth1 under Services > network.

  2. Assign a static IP address to the interface.

    service network eth1
    ip address 192.168.24.236/255.255.255.0

  3. Assign a default gateway to the interface, and be sure to set a metric value. This creates a second default gateway with a lower priority than the original default gateway, because its metric value is higher. You can then select it explicitly with the @interface notation.

    service network eth1
    ip address 192.168.24.236/255.255.255.0
    ip route default 192.168.24.1 metric 10

  4. Bind the service to an interface.

    • In the Services tab, locate the administrative service you want to assign to the new network and click setup.

    • Update the address to use the static IP and append the @interface notation to force outgoing traffic to use the given network interface. In the example below, we bind the Syslog service to the static IP 192.168.24.236 through the eth1 interface.

      service syslog system
      server 192.168.24.236@eth1:514

  5. Reload the service.

  6. To make your changes persistent after a reboot, click the Setup tab. Then click Save under Configuration.

The following administrative services support the @interface notation.

Service    Parameter
collectd   server <ip_address[@iface]>
httpd      bind_address <ip_address[@iface]>
notify     smtp_server <ip_address[@iface]>, snmp_server <ip_address[@iface]>
snmpd      listen <ip_address[@iface]>
sshd       listen <ip_address[@iface]>
syslog     server <remote_server_ip[@iface][:port]>
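
To check that the binding was applied to every administrative service, the following added example (not part of the HAProxy ALOHA documentation or product) audits a configuration text for the parameters in the table above and reports any address that is not pinned to the management interface. It assumes the configuration is laid out as `service <name>` lines followed by parameter lines, as in the snippets on this page; the `audit` function and the sample configuration are constructed for illustration.

```python
import re
# Parameters that accept the @interface notation (from the table on this page).
IFACE_PARAMS = {
    "collectd": {"server"}, "httpd": {"bind_address"},
    "notify": {"smtp_server", "snmp_server"},
    "snmpd": {"listen"}, "sshd": {"listen"}, "syslog": {"server"},
}
# Value format from the table: <ip>[@iface][:port]
ADDR_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:@(?P<iface>[\w.-]+))?(?::(?P<port>\d+))?$"
)
# Constructed sample configuration (assumed layout, not a real export).
SAMPLE = """\
service network eth1
    ip address 192.168.24.236/255.255.255.0
service syslog system
    server 192.168.24.236@eth1:514
service sshd
    listen 192.168.24.236
service httpd
    bind_address 192.168.24.236@eth0
"""

def audit(config_text, mgmt_iface):
    """List (service, parameter, value, problem) for addresses not pinned to mgmt_iface."""
    findings, service = [], None
    for line in config_text.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        if words[0] == "service":
            service = words[1]  # a new service block starts here
            continue
        if words[0] not in IFACE_PARAMS.get(service, ()):
            continue  # not a parameter from the table
        m = ADDR_RE.match(words[1])
        if m is None:
            problem = "unparsed address"
        elif m["iface"] is None:
            problem = "no @interface binding"  # outbound traffic follows the default gateway
        elif m["iface"] != mgmt_iface:
            problem = "bound to " + m["iface"]
        else:
            continue  # pinned to the management interface
        findings.append((service, words[0], words[1], problem))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE, "eth1"), sep="\n")
```

With the sample above and `eth1` as the management interface, the syslog entry passes while the sshd and httpd entries are reported.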
