Use HAVIPs and Keepalived to deploy high-availability services - Virtual Private Cloud

You can use the high-availability virtual IP address (HAVIP) feature of virtual private clouds (VPCs) together with Address Resolution Protocol (ARP) and Keepalived or Heartbeat to deploy high-availability services. This ensures that IP addresses are not changed when failover is performed.

What is an HAVIP?

Definition

An HAVIP is a private IP address that can be created and released as an independent resource. Similar to the primary IP addresses of Elastic Compute Service (ECS) instances, HAVIPs support network communication. HAVIPs can work with high-availability software, such as Keepalived, to deploy high-availability services.

An HAVIP can be associated with multiple ECS instances, or the primary or secondary elastic network interface (ENIs) of multiple ECS instances. Combined with these resources, HAVIPs can be used to implement automatic IP switchover between multiple high-availability servers in the same zone. This ensures that the private IP address used to provide services remains unchanged. Additionally, you can associate an HAVIP with an elastic IP address (EIP) to provide services over the Internet. In addition, ECS instances associated with HAVIPs can use deployment sets to further improve service reliability. For more information, see Deployment set.

If Keepalived can be used to implement high availability of virtual IP addresses, why are HAVIPs used?

In traditional data centers, servers can announce their IP addresses over ARP. Then, the servers can provide services through the IP addresses. This capability is required by common applications in many scenarios. For example, Keepalived and Heartbeat can be used to keep IP addresses unchanged in disaster recovery scenarios.

However, most cloud service providers use the software-defined networking (SDN) technology, which does not support free ARP announcements in VPCs. This is because cloud environments are built with virtualization technologies, and virtual IP addresses are assigned and managed by the underlying virtualization platform. Applications cannot change host IP addresses as in traditional environments. In addition, virtual networks are built on top of Layer 3 tunneling, which prevents hosts from announcing IP addresses because ARP announcements are terminated on the senders. To address this issue, Alibaba Cloud developed HAVIPs.

Scenarios

As shown in the following figure, ECS1 and ECS2 are used to deploy a high-availability service in a VPC by using Keepalived. The service is accessible to ECS3 in the VPC. The service address is the IP address of the HAVIP. If ECS1 is down, ECS2 automatically takes over. This ensures the availability of the services.

Note

If you need to access the Internet, you can associate the HAVIP with an EIP to provide high-available services over the Internet through the EIP.

Quotas and billing

The HAVIP feature is in beta testing. To use this feature, submit an application in the Alibaba Cloud Quota Center console.

Important

The HAVIP feature is free of charge in beta testing. Alibaba Cloud does not provide service-level agreement (SLA) guarantees during the beta period.

Supported regions

Area	Region
Asia Pacific	China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney) Closing Down, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)
Europe & Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East	UAE (Dubai) and SAU (Riyadh) Important The SAU (Riyadh - Partner Region) region is operated by a partner.

Limits and quotas

Name/ID	Description	Default value	Adjustable
N/A	Network types that support HAVIPs	VPC	No
	Maximum number of HAVIPs that can be associated with each ECS instance	5
	Maximum number of EIPs that can be associated with each HAVIP	1
	Maximum number of ECS instances or ENIs that can be associated with each HAVIP	10 Note You can associate each HAVIP with at most 10 ECS instances or 10 ENIs. However, you cannot associate an HAVIP with an ECS instance and an ENI at the same time. HAVIPs can be associated with ECS instances or ENIs that belong to the same vSwitch.
	Whether HAVIPs support broadcasting or multicasting	No Note HAVIPs support only unicast. If you use third-party software such as Keepalived to implement high availability, you must change the communication mode in the configuration file to unicast.
	Maximum number of HAVIPs that can be created with each Alibaba Cloud account	50
	Maximum number of HAVIPs that can be created in each VPC	50
vpc_quota_havip_custom_route_entry	Maximum number of route entries that point to an HAVIP in each VPC	5	You can increase the quota by performing the following operations: Go to the Quota Management page to request a quota increase. For more information, see Manage VPC quotas. Go to the Quota Center page to request a quota increase. For more information, see Request a quota increase.

HAVIP use cases

You can use Terraform automation scripts to simplify the deployment, or manually deploy ECS instances in primary/secondary mode by using HAVIPs and Keepalived. For more information, see Scenarios.

Procedure

Prerequisites

Privilege: The privilege to create HAVIPs is obtained by submitting an application in the Quota Center console.

Permissions: Resource Access Management (RAM) users are granted minimum permissions on the VPC and ECS instances by the Alibaba Cloud account.

RAM policy actions

vpc:CreateVpc
vpc:DeleteVpc
vpc:DescribeVpcs
vpc:AllocateEipAddress
vpc:AssociateEipAddress
vpc:DescribeEipAddresses
vpc:UnassociateEipAddress
vpc:ReleaseEipAddress
vpc:CreateVSwitch
vpc:DeleteVSwitch
vpc:DescribeVSwitches
vpc:CreateHaVip
vpc:DeleteHaVip
vpc:AssociateHaVip
vpc:UnassociateHaVip
vpc:DescribeHaVips
ecs:RunInstances
ecs:StartInstances
ecs:StopInstances
ecs:DescribeInstances
ecs:DeleteInstances

For more information, see Grant permissions to a RAM user and Grant RAM users permissions to use ECS resources.

If you choose manual deployment in the console, prepare the following resources:
- Three ECS instances with NGINX deployed. Ensure that NGINX is running in primary and secondary ECS instances. For more information, see Create an instance on the Custom Launch tab and Install NGINX.

Billing

Quick deployment: After you run Terraform automation scripts, three preemptible ECS instances with one vCPU and 2 GiB of memory, one VPC, one vSwitch, and one HAVIP are created. Your expenses depend on how long you keep your ECS instances. We recommend that you remove unused resources to avoid additional cost.
Manual deployment: The fees that you are charged depend on the specifications of the ECS instances that you create.

Note

If you have a need for Internet access, please note that there are fees for the EIP linked to your HAVIP. For more information, please see Billing overview.

Procedure

Quick deployment by using Terraform

Download the project file iac-example-havip.zip.
Log on to Alibaba Cloud Cloud Shell and upload the file.
Run the following commands in sequence to decompress the package, enter the project root directory, initialize the script, and then create resources:
```
unzip iac-example-havip.zip
cd iac-example-havip
terraform init
terraform apply -auto-approve
```
Command output:
Test network connectivity.
1. Log on ECS3. Run the curl ha_vip_private_ip command to view the information returned by ECS1 (primary).
2. Run the following command to stop ECS1 in Cloud Shell:
```
aliyun ecs StopInstance --InstanceId <$instance_id_ecs1> --ForceStop false --StoppedMode KeepCharging -- Dryrun false
```
3. Log on ECS3. Run the curl ha_vip_private_ip command again to view the information returned by ECS2.
  In this example, when ECS1 is down, ECS2 automatically takes over. The IP address that is used to provide services remains unchanged, making IP address switchover possible.
Run the following command to release all the resources so that billing can stop:
```
terraform destroy -auto-approve
```

Manual deployment in the console

Step 1: Create an HAVIP

Log on to the VPC console.
In the left-side navigation pane, click HaVip.
In the top navigation bar, select the region where you want to create the HAVIP.
On the HaVip page, click Create HaVip.
In the Create HaVip dialog box, set the following parameters, keep other parameters at their default values or modify them as needed, and click OK.
- VPC: specifies the VPC to which the HAVIP belongs.
- vSwitch: specifies the vSwitch to which the HAVIP belongs.
- Whether to automatically assign private IP addresses: Select whether to automatically assign a private IP address.
  - Yes: The system automatically allocates an idle private IP address from the vSwitch CIDR block.
  - No: Manually enter an idle private IP address from the vSwitch CIDR block.

After the HAVIP is created, you can view the HAVIP on the HaVip page. 创建HaVip

Step 2: Install Keepalived on the primary and secondary ECS instances

In this example, the ECS instances use the CentOS.

Log on to ECS1. For more information, see Connection methods.
Run the following command to install keepalived:
yum install keepalived

Modify the keepalived.conf file.

Run the following command to modify the keepalived.conf file:
vim /etc/keepalived/keepalived.conf

Run the i command to enter the input mode. Modify the keepalived.conf file based on the following instructions:

! Configuration File for keepalived
vrrp_instance VI_1 {
state MASTER           #Specify ECS1 as the primary ECS instance.
    interface eth0          #Specify the name of the ENI. eth0 is used in this example.  
    virtual_router_id 51
    nopreempt              
    priority 100             #Specify a priority for the ECS instance. A larger value indicates a higher priority. A priority of 100 is specified for the ECS instance in this example.
    advert_int 1        
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    unicast_src_ip 192.168.0.209   #Specify the private IP address of the ECS instance. 192.168.0.209 is used in this example.
    unicast_peer {
        192.168.0.210           #Specify the private IP address of the peer ECS instance. 192.168.0.210 is used in this example.
    }
    virtual_ipaddress {
        192.168.0.88          #Specify the IP address of the HAVIP. 192.168.0.88 is used in this example. 
    }   
    garp_master_delay 1
    garp_master_refresh 5

    track_interface {
        eth0                #Specify the name of the ENI of the ECS instance. eth0 is used in this example.
    }
}

Note

This example shows only the parts that need to be modified. Modify the keepalived.conf file based on the instances you are using. Do not copy the content in this example over the keepalived.conf file.

Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the configuration file.

Run the following command to start keepalived on ECS1:
systemctl start keepalived
Log on to ECS2.
Run the following command to install keepalived:
yum install keepalived

Modify the keepalived.conf file.

Run the following command to modify the keepalived.conf file:
vim /etc/keepalived/keepalived.conf

Run the i command to enter the input mode. Modify the keepalived.conf file based on the following instructions:

! Configuration File for keepalived
vrrp_instance VI_1 {
state BACKUP           #Specify ECS2 as the secondary ECS instance.
    interface eth0          #Specify the name of the ENI. eth0 is used in this example.  
    virtual_router_id 51
    nopreempt              
    priority 10             #Specify a priority for the secondary ECS instance. A larger value indicates a higher priority. A priority of 10 is specified for the ECS instance in this example.
    advert_int 1        
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    unicast_src_ip 192.168.0.210   #Specify the private IP address of the ECS instance. 192.168.0.210 is used in this example.
    unicast_peer {
        192.168.0.209           #Specify the private IP address of the peer ECS instance. 192.168.0.209 is used in this example.
    }
    virtual_ipaddress {
        192.168.0.88          #Specify the IP address of the HAVIP. 192.168.0.88 is used in this example. 
    }    
    garp_master_delay 1
    garp_master_refresh 5

    track_interface {
        eth0                #Specify the name of the ENI of the ECS instance. eth0 is used in this example.
    }
}

Note

Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the configuration file.
Run the following command to start keepalived on ECS2:
systemctl start keepalived

Step 3: Associate the HAVIP with the primary and secondary ECS instances

You can associate the HAVIP with both the primary and secondary ECS instances. Then, the ECS instances can announce the HAVIP by sending ARP messages.

Note

An HAVIP can be associated only with ECS instances in the same vSwitch. Each HAVIP can be associated with at most 10 ECS instances.

Perform the following steps to associate the HAVIP with both the primary and secondary ECS instances:

Log on to the VPC console.
In the left-side navigation pane, click HaVip.
In the top navigation bar, select the region where the HAVIP is created.
Find the HAVIP created in Step 1 and click its ID.
Click Bind next to ECS Instances in the Resources section.
In the dialog box that appears, select ECS1 and click OK.
Repeat the preceding steps to associate the HAVIP with ECS2.

After the HAVIP is associated with ECS1 and ECS2, you can view the ECS instances in the Resources section.

Step 4: Test network connectivity

Log on to ECS3. Run the curl ha_vip_private_ip command to access NGINX delopyed in the instance.

Test results:

If ECS1 works as expected, ECS1 is accessible.
If ECS1 is down, ECS2 takes over the virtual IP address and workloads of ECS1. This ensures service high availability.

Manage HAVIPs

Manage HAVIPs in the console

Operation platform

Log on to the VPC console.
In the left-side navigation pane, click HaVip.
In the top navigation bar, select the region where you want to create the HAVIP.

Perform the following operations as needed.

Create an HAVIP

On the HaVip page, click Create HaVip.
In the Create HaVip dialog box, set the following parameters and click OK.
- Resource Group: Select the resource group to which the HAVIP belongs.
- Tag Key: Enter or select a tag key for the HAVIP. It can be up to 128 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://. You can specify at most 20 tag keys at a time.
- Tag Value: Enter or select a tag value for the HAVIP. The tag value can be up to 128 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://. You can specify at most 20 tag values at a time.
- Region: displays the region where you want to create the HAVIP.
- VPC: specifies the VPC to which the HAVIP belongs.
- vSwitch: specifies the vSwitch to which the HAVIP belongs.
- vSwitch CIDR Block: displays the CIDR block of the vSwitch.
- Whether to automatically assign private IP addresses: Select whether to automatically assign a private IP address.
  - Yes: The system automatically allocates an idle private IP address from the vSwitch CIDR block.
  - No: Manually enter an idle private IP address from the vSwitch CIDR block.

Note

If you no longer use an HAVIP, you can find the HAVIP on the HaVip page and click Delete in the Actions column. Before you delete an HAVIP, make sure that it is disassociated from all ECS instances, ENIs, and EIPs.

Associate with and disassociate from an ECS instance or an ENI

On the HaVip page, click the ID of the HAVIP that you want to manage.
Click Bind next to ECS Instances in the Resources section.

In the dialog box that appears, select the ECS instance or ENI that you associate with the HAVIP, and click OK.

Parameter

Description

Resource Type

Select the type of resource with which you want to associate the HAVIP. Supported resource types:

ECS Instance
ENI

Bind Resource

Select the ECS instance or ENI that you want to associate with the HAVIP.

The ECS instance or ENI must meet the following requirements:

The ECS instance is deployed in a VPC.
The ECS instance or ENI is in the same vSwitch as the HAVIP.

To disassociate an HAVIP from an ECS instance or an ENI, find the ECS instance or ENI below ECS Instances in the Resources section. In the message that appears, click Disassociate.

Note

HAVIP can only be associated with one type of resource at a given time. To link it with a different type, you need to unbind the existing resource.
If you delete an ECS instance that is associated with an HAVIP, the system automatically disassociates the HAVIP from the ECS instance.
If you disassociate a secondary ENI that is associated with an HAVIP from an ECS instance, the secondary ENI is still associated with the HAVIP.
If you delete an ENI that is associated with an HAVIP, the system automatically disassociates the HAVIP from the ENI.

Associate with and disassociate from an EIP

You can associate an HAVIP with an EIP. After the HAVIP is associated with the EIP, the HAVIP can use the EIP to provide services over the Internet. Before you get started, apply for an EIP. The EIP must meet the following requirements:

The EIP and the HAVIP are in the same region.
The EIP is in the Available state.

On the HaVip page, find the HAVIP that you want to manage and click Bind EIP Address in the Actions column.
In the Bind Elastic IP Address dialog box, select the EIP that you want to associate with the HAVIP and click OK.

API references

You can manage HAVIPs by calling SDK operations, running Terraform scripts, or calling the following API operations:

FAQ

Which version of Keepalived is recommended?

We recommend that you use the version 1.2.15 or later.

What can I do if I run into problems when I use Keepalived?

We recommend that you seek solutions on Keepalived GitHub.

If I use third-party software such as Keepalived to implement high availability, how do I configure the source IP address for heartbeat detection?

If you use third-party software such as Keepalived to implement high availability, you need to change the source IP address of heartbeat detection to the private IP address of the ECS instance, instead of the private IP address of the HAVIP.

Can I use HAVIPs to implement high availability for user-created Linux virtual servers (LVS)?

No, you cannot use HAVIPs to implement high availability for user-created LVS.

When an ECS instance that is associated with an HAVIP accesses the Internet, what is the source IP address of the data packets?

In this case, the HAVIP is associated with the ECS instance and an EIP. The EIP is mapped to the private IP address of the HAVIP instead of the private IP address of the ECS instance. Therefore, the source IP address of the data packets is the private IP address of the HAVIP instead of the private IP address of the ECS instance.