Assign service to FHRP

[topical]

NetBox version

v3.1.6

Feature type

New functionality

Proposed functionality

Be able to assign services to a FHRP group.

This can be done by either:

• assign service to FHRP group (not supported right now)
• assign service to one of the member hosts, selecting IP address of FHRP group (not possible, as these IP addresses are not shown on member hosts)

Use case

You have a service (e.g. HTTP) that is redundantly provided by 2 servers (e.g. web1, web2). For this, you define a FHRP group (e.g. "1"), add an IP address to it (say 192.168.100.100) and assign this group to both servers. Servers may be devices or virtual machines.

Now, you want to define the service somehow. Assigning it directly to a server is impossible, as the shared IP address is not shown (this is another topic). Assigning a service to the FHRP group is impossible too.

In my case, my monitoring system reads service definitions from NetBox, which is sadly impossible.

Workaround is to not use FHRP groups in NetBox but assign CARP IP addresses directly to server interfaces, but that's a step backwards.

Database changes

No response

External dependencies

No response

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.

[jeremystretch]

This will require ditching the current device and virtual_machine fields on the Service model in favor of a generic foreign key.

[topical]

I don't know how much has to be changed for this, but I would be really happy if this could be done. As described in my request, I cannot use FHRP yet because of this restriction.

[neuro42]

Service definitely needs some way to describe load balanced services, both layer 3/4 like LVS and layer 7. One ends up with two types of nodes involved in the service, however. The load balancer (where the IP gets bound/answers ARP/VRRP), and the service nodes (where the service actually runs, which are either NAT'd or don't answer ARP/VRRP). This is very similar to FHRP, but not quite the same. The gateway protocols FHRP covers are typically only on the LB, with the LB either having multiple NAT targets for the VIP (layer 7/LVS NAT), or the same IP configured, but not answering arp (LVS DR).

[thscma]

I run into the same problem when I try to document exposed kubernetes services.
From my point of view, it make sense to assign a service only to an ip address and never direct to a device or vm.
The ip address could then assigned to an interface of a device or vm or via FHRP to interfaces at multiple devices/vm`s.

[topical]

I run into the same problem when I try to document exposed kubernetes services.
From my point of view, it make sense to assign a service only to an ip address and never direct to a device or vm.
The ip address could then assigned to an interface of a device or vm or via FHRP to interfaces at multiple devices/vm`s.

For me, this sounds like a perfect solution. Support of FHRP would be just a "side effect" of the change.

Apart from the work and the breaking changes there is one thing to consider: if a device/VM has multiple IP addresses, you need multiple service definitions. Especially with dual stack setups, this isn't really funny.

BTW: the way services are defined is not perfect in general. Services usually depend on the role of the device. E.g. with icinga this can be defined automagically, but this is far beyond this issue :)

[engageant]

We're in need of this as well, and I'd also like to suggest that however this gets implemented that the services are still visible on the device or VM's main page.

[kfox1111]

We've also hit this, trying to roughly map k8s pods as netbox vm's.

[Yarli]

I also hit this issue too.
We have 2 HA firewalls using CARP/FHRP groups for our public IP addresses which are shared across the 2 units.
Trying to assign an open port on a public IP address seem to only allow when the public IP is directly assigned to the device, therefore we can see the single CARP public ip per firewall, but not hte remaining shared (virtual IP's) assigned onthe FHRP group.
Oddly the "Service" section shows on the FHRP group, but i'm unsure how you would ever populate it when the requirement is there to specify a device of virtual machine. I feel a 3rd tab is needed for FHRP groups as well.

Having said all that, if you don't specify anything in the device/VM drop down, and then type your Public IP into the IP address box, it does let you select it, then if you go back up to the device box and type in the device and select it, you can then save the form and it then does show up against the FHRP group and on the device as well.
Maybe the filter on the IP address dropdown jsut needs extending to include any associated IP's via the FHRP groups as well ??

[mmfreitas]

I also have the need to record the service on a FHRP Group IP Address, would love to see this in the next implementation of 3.5 or 3.6 if it's not too much of a hustle.

[Omripresent]

I run into the same problem when I try to document exposed kubernetes services. From my point of view, it make sense to assign a service only to an ip address and never direct to a device or vm. The ip address could then assigned to an interface of a device or vm or via FHRP to interfaces at multiple devices/vm`s.

I see it differently, in case of F5 and other highly available deployments, the actual used IP is never attached to a given interface, it would respond to ARP requests if the virtual address is on the same subnet as one of its vlan interfaces, or if the prefix is routed to the F5.

In those cases it would make more sense to be able to attach a server to a set of devices, physical or virtual, and associate an address to it (not restricted to ones attached to the devices).

This would more accurately represent the "real world" deployment.

In cases of HA Proxy and Keepalived for example, the same process can be used, the service address would be the same as of teh FHRP group and the associated devices would be the number of HA Proxy servers, this way there's flexibility to allow both use cases.