Overview

Securing the Xloud Load Balancer infrastructure protects both the management plane (controller-to-appliance communication) and the data plane (client traffic). This guide covers network isolation of the management plane, appliance TLS certificate lifecycle, quota auditing, and access log configuration.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Management Plane Isolation

The load balancing management network carries control traffic between the controller and appliances. This network must be isolated from tenant and provider networks to prevent unauthorized appliance access.

Assign a dedicated management network

The management network should use a non-routable CIDR that is not reachable from tenant networks or the internet. Configure it in XDeploy globals:
Load balancer management network
octavia_management_network: lb-management-net
octavia_management_subnet: lb-management-subnet

Apply security group rules

The management security group should allow only the controller IP to reach appliance management ports:
  • TCP 9443 — appliance API (controller → appliance only)
  • UDP 5555 — health manager heartbeat (bidirectional)
Verify management security group rules
openstack security group rule list octavia-management-sg

Verify network isolation

Confirm tenant VMs cannot reach the management network CIDR:
Test management network isolation
# From a tenant VM — should be unreachable
ping <management-network-cidr-first-ip>
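Ping should fail — management network is not routable from tenant networks. A failed ping only proves that ICMP is blocked, so also confirm that TCP 9443 on an appliance management IP is unreachable from the tenant VM.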

TLS Certificate Lifecycle

Appliances use TLS certificates for secure controller-to-appliance communication. Monitor and rotate certificates before expiry.
Check all appliance certificate expiration dates
openstack loadbalancer amphora list \
  -c id -c cert_expiration -c status \
  --sort-column cert_expiration
For appliances with certificates expiring within 30 days:
Trigger certificate rotation via failover
openstack loadbalancer amphora failover <amphora-id>
Certificate rotation via failover replaces the appliance with a fresh instance using a new certificate. In ACTIVE_STANDBY topology, this is non-disruptive. In SINGLE topology, expect a brief interruption.
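An added example (not part of the original guide or of Xloud tooling) that filters the JSON form of the listing above for certificates expiring within 30 days. It assumes the JSON keys match the column names used on this page (id, cert_expiration, status) and that cert_expiration is an ISO 8601 timestamp, treated as UTC when it carries no offset; the sample rows are constructed.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

def parse_expiry(value):
    """Parse ISO 8601; a value without an offset is assumed to be UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def expiring_amphorae(rows, now, days=30):
    """Return [(id, days_left)] for certificates expiring within `days`.

    Rows without a parseable cert_expiration come back with days_left=None
    so they are reviewed instead of silently passing the check.
    """
    cutoff = now + timedelta(days=days)
    flagged = []
    for row in rows:
        if row.get("status") == "DELETED":
            continue  # appliance is gone, nothing to rotate
        try:
            expiry = parse_expiry(row.get("cert_expiration"))
        except (AttributeError, TypeError, ValueError):
            flagged.append((row.get("id"), None))
            continue
        if expiry <= cutoff:
            flagged.append((row.get("id"), (expiry - now).days))
    # Unknown expiry first, then soonest (already expired is negative).
    return sorted(flagged, key=lambda f: (f[1] is not None, f[1] or 0))

# Constructed sample rows (not real output); ids are placeholders.
SAMPLE = [
    {"id": "amp-a", "cert_expiration": "2025-01-11T00:00:00", "status": "ALLOCATED"},
    {"id": "amp-b", "cert_expiration": "2025-06-01T00:00:00", "status": "ALLOCATED"},
    {"id": "amp-c", "cert_expiration": None, "status": "ERROR"},
    {"id": "amp-d", "cert_expiration": "2024-12-20T00:00:00Z", "status": "ALLOCATED"},
    {"id": "amp-e", "cert_expiration": "2025-01-05T00:00:00", "status": "DELETED"},
]

if __name__ == "__main__":
    # Piped input: real listing. No pipe: the constructed sample.
    rows = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for amp_id, left in expiring_amphorae(rows, datetime.now(timezone.utc)):
        label = "expiry unknown" if left is None else f"{left} days left"
        print(f"{amp_id}  {label}")
```

To check a live deployment, add -f json to the listing command above and pipe its output into the script.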

Quota Auditing

Regularly review quota consumption to identify projects with unusual resource usage:
Audit all project quotas
openstack loadbalancer quota list --all-projects
Find projects using more than 80% of their load balancer quota
openstack loadbalancer quota list --all-projects -f json | python3 -c "
import json, sys
quotas = json.load(sys.stdin)
for q in quotas:
    # Treat a missing or null value as 0 so the comparison cannot raise
    lbs = q.get('in_use_loadbalancer') or 0
    limit = q.get('loadbalancer', 10) or 0
    # A limit of 0 or below (such as -1) has no percentage to compute
    if limit > 0 and lbs / limit >= 0.8:
        print(f'{lbs}/{limit} LBs  {q[\"project_id\"]}')
"
Investigate projects consuming unusually high member or listener counts — this may indicate misconfigured applications creating excessive resources or resource leaks.

Access Log Configuration

Configure load balancer access logs to forward to your centralized logging platform. Access logs capture source IPs, request URIs, response codes, and latency — essential data for compliance auditing and security incident investigation.
Enable access logging in XDeploy globals
octavia_enable_access_log: "yes"
octavia_access_log_facility: LOG_LOCAL0
Apply:
Apply access log configuration
xavs-ansible deploy --tags octavia
Store load balancer access logs in Xloud Object Storage for long-term retention. A retention policy of 90 days satisfies most compliance frameworks.

Security Checklist

Management network isolated

Verify the management network CIDR is not reachable from tenant VMs or external networks.
All appliances have cert_expiration dates more than 30 days in the future.
All projects have explicit quota limits set — none are using unlimited defaults in a multi-tenant environment.
Access logs are configured and flowing to the centralized logging platform. Verify by creating a test load balancer and checking for log entries.

Next Steps

Monitoring

Set up proactive alerts for certificate expiry and appliance health.

Quotas

Configure per-project resource limits to prevent over-consumption.

Admin Troubleshooting

Resolve security-related configuration and access failures.

Architecture

Review the management and data plane boundaries for security design.