Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring VRRP for a BareMetal server cluster using Keepalived

Written by
Updated at May 27, 2025

Note

Yandex BareMetal is at the Preview stage.

VRRP (Virtual Router Redundancy Protocol) is a network protocol that increases fault tolerance of routers used as a default gateway.

To implement fault tolerance, two or more routers are grouped into a single virtual router acting as the default gateway for the associated network segments. VRRP enables creating a virtual IP address which is shared among the grouped routers to increase the gateway availability.

This tutorial provides an example of setting up a high-availability proxy server configuration on BareMetal servers, where proxying functions are configured symmetrically on two or more HAProxy nodes and a virtual IP address is generated and shared among these nodes using Keepalived.

Solution architecture

In the ru-central1-m availability zone, you will set up an environment of two private subnets, subnet-m3 and subnet-m4, created in the ru-central1-m3 and ru-central1-m4 server pools, respectively. You will group these subnets into a virtual network segment (VRF) named vrrp-vrf.

In subnet-m3, you will create two BareMetal servers, master-server-m3 and backup-server-m3, which will have the MASTER and BACKUP roles, respectively, in the VRRP group. On these two servers, you will run Keepalived and use it to set up a virtual IP address for the server group in the ru-central1-m3 pool.

In subnet-m4 of the ru-central1-m4 server pool, you will create a BareMetal server named client-server-m4, which will serve as a client when using the virtual IP address created in the ru-central1-m3 pool.

This solution fully demonstrates the operation of an isolated client VRF segment with the OSI L3 routing between the ru-central1-m3 and ru-central1-m4 server pools as well as the L2-level operation of the broadcast VRRP in the ru-central1-m3 server pool.

Note

At L2 of the OSI network model, broadcasting works only within one server pool and only for a group of servers in the same network.

To configure a fault-tolerant cluster of BareMetal servers using VRRP:

  1. Get your cloud ready.
  2. Create a virtual routing and forwarding segment.
  3. Create private subnets.
  4. Lease BareMetal servers.
  5. Configure Keepalived on the servers of the ru-central1-m3 pool.
  6. Test the solution.

See also How to cancel server lease.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of the proposed solution includes the BareMetal server lease fee (see Yandex BareMetal pricing).

Create a virtual routing and forwarding segment

To link several private subnets at the L3 level of the OSI network model, you need to group them into a virtual network segment (VRF).

Create a new VRF segment:

  1. In the management console, select the folder to create your infrastructure in.
  2. From the list of services, select BareMetal.
  3. In the left-hand panel, select VRF and click Create VRF.
  4. In the Name field, enter a name for the VRF segment: vrrp-vrf.
  5. Click Create VRF.

Create private subnets

Create two private subnets in different server pools and add them to the VRF segment you created earlier:

  1. In the management console, select the folder to create your infrastructure in.
  2. From the list of services, select BareMetal.
  3. In the left-hand panel, select Private subnets and click Create subnet.
  4. In the Pool field, select the ru-central1-m3 server pool.
  5. In the Name field, enter a name for the subnet: subnet-m3.
  6. Enable IP addressing and routing.
  7. In the Virtual network segment (VRF) field, select the previously created VRF segment, vrrp-vrf.
  8. In the CIDR field, specify 172.28.1.0/24.
  9. Click Create subnet.
  10. Similarly, create a private subnet named subnet-m4 in the ru-central1-m4 server pool with the 172.28.2.0/24 CIDR.

Lease BareMetal servers

  1. In the management console, select the folder to create your infrastructure in.

  2. In the list of services, select BareMetal and click Lease server.

  3. In the Pool field, select the ru-central1-m3 server pool.

  4. Under Configuration, select the appropriate server configuration.

  5. (Optional) Under Disk, configure disk partitioning:

    1. Click Configure disk layout.

    2. Specify the partitioning parameters. To create a new partition, click Add partition.

      To build RAID arrays and configure disk partitions yourself, click Remove RAID.

    3. Click Save.

  6. Under Image, select the Ubuntu 24.04 image.

  7. In the Lease duration field, select a lease period: 1 day, 1 month, 3 months, 6 months, or 1 year.

    When this period expires, server lease will be automatically renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.

  8. Under Network settings:

    1. In the Private subnet field, select subnet-m3, which you created earlier.
    2. In the Public address field, select Automatically.

  9. Under Access:

    1. In the Password field, use one of these options to create a password for the root user:

      • To generate a password for the root users, select New password and click Generate.

        Warning

        This option assumes that the user is responsible for password security. Save the password in a safe place. Yandex Cloud does not store this password, and you will not be able to view it once you lease the server.

      • To use the root user password saved in a Yandex Lockbox secret, select Lockbox secret.

        In the Name, Version, and Key fields, select the secret, its version, and the key your password is saved in, respectively.

        If you do not have a Yandex Lockbox secret, click Create to create it.

        This option allows you either to set your own password (the Custom secret type) or to use an automatically generated one (the Generated secret type).

    2. In the Public SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You will need to create a key pair for the SSH connection to a server yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If adding SSH keys by users to their profiles is disabled in the organization, the public SSH key you add will be saved only to the OS user profile of the new BareMetal server.

  10. Under Server information in the Name field, enter a name for the server: master-server-m3.

  11. Click Lease server.

  12. Similarly, lease two more servers: one named backup-server-m3 in the ru-central1-m3 server pool and another one named client-server-m4 with the subnet-m4 subnet in the ru-central1-m4 server pool.

On the page with a list of BareMetal servers that opens, you will see information about all the servers you created. In the Public address field of the table, copy the server public IP addresses as you will need them to connect to the servers over SSH.

Note

Getting servers ready and installing operating systems on them may take up to 45 minutes. The servers will have the Provisioning status during this time. After OS installation is complete, the server status will change to Ready.

Configure Keepalived on the servers of the ru-central1-m3 pool

At this step, you will install, configure, and run Keepalived on the servers created in the ru-central1-m3 pool.

Follow the steps below to configure both servers, master-server-m3 and backup-server-m3.

  1. Connect to the server over SSH by using the server’s public IP address you saved in the previous step.

  2. Install Keepalived by running this command:

    sudo apt update && sudo apt install keepalived -y

  3. View the list of the server’s network interfaces:

    ip a

    Result:

    ...
5: etx2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:02:c9:35:fd:31 brd ff:ff:ff:ff:ff:ff
    altname enp6s0d1
    inet 172.28.1.2/24 metric 100 brd 172.28.1.255 scope global dynamic etx2
       valid_lft 3512sec preferred_lft 3512sec
    inet6 fe80::202:c9ff:fe35:fd31/64 scope link
       valid_lft forever preferred_lft forever

    In the command output, find an interface with an IP address in the 172.28.1.0/24 range allocated for the private subnet named subnet-m3. In the example above, such an interface has the etx2 ID. You will need the interface ID in later steps to configure Keepalived.

  4. Create a Keepalived configuration file:

    sudo nano /etc/keepalived/keepalived.conf

  5. Add the following configuration into the file you created:

    vrrp_instance M3_1 {
    state MASTER
    interface etx2
    virtual_router_id 51
    priority 100
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass hGoVjTjSYQq3Epm
    }

    virtual_ipaddress {
        172.28.1.254
    }

    preempt
}

    vrrp_instance M3_2 {
    state BACKUP
    interface etx2
    virtual_router_id 51
    priority 90
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass hGoVjTjSYQq3Epm
    }

    virtual_ipaddress {
        172.28.1.254
    }

    preempt
}

    Where:

    • vrrp_instance: Virtual router name:

      • M3_1 for the server with the MASTER role.
      • M3_2 for the server with the BACKUP role.

    • state: Server state, MASTER or BACKUP.

    • interface: ID of the network interface where the virtual IP address will be used. In the example above, it is etx2.

    • virtual_router_id: Unique VRRP ID for the group of virtual routers. This value must be the same for all servers in the group.

    • priority: Priority that allows you to set the master and backup nodes. Set a server’s priority to 100 to make it the master node or to 90 to make it the backup one.

    • advert_int: Interval between state announcements in seconds.

    • authentication: Section with authentication settings to provide security. Contents of this section must be the same for all servers in a group.

    • virtual_ipaddress: Virtual IP address that the current node will manage. Virtual IP address requirements:

      • It must belong to the CIDR range allocated for the virtual subnet where you created the server group.
      • It must be unused.
      • All servers in the group must have the same address.

    • preempt: Enables the server to change its state to MASTER if it has a higher priority than the current master in the group.

  6. Restart Keepalived:

    systemctl restart keepalived.service

  7. View Keepalived logs to make sure the service is running:

    sudo journalctl -u keepalived.service

    Result:

    systemd[1]: keepalived.service - Keepalive Daemon (LVS and VRRP) was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/keepalived/keepalived.conf).
systemd[1]: Starting keepalived.service - Keepalive Daemon (LVS and VRRP)...
Keepalived[4045]: Starting Keepalived v2.2.8 (04/04,2023), git commit v2.2.7-154-g292b299e+
Keepalived[4045]: Running on Linux 6.8.0-53-generic #55-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 17 15:37:52 UTC 2025 (built for Linux 6.8.0)
Keepalived[4045]: Command line: '/usr/sbin/keepalived' '--dont-fork'
Keepalived[4045]: Configuration file /etc/keepalived/keepalived.conf
Keepalived[4045]: NOTICE: setting config option max_auto_priority should result in better keepalived performance
Keepalived[4045]: Starting VRRP child process, pid=4046
Keepalived_vrrp[4046]: (/etc/keepalived/keepalived.conf: Line 10) Truncating auth_pass to 8 characters
Keepalived[4045]: Startup complete
systemd[1]: Started keepalived.service - Keepalive Daemon (LVS and VRRP).
Keepalived_vrrp[4046]: (M3_1) Entering BACKUP STATE (init)
Keepalived_vrrp[4046]: (M3_1) Entering MASTER STATE

    systemd[1]: keepalived.service - Keepalive Daemon (LVS and VRRP) was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/keepalived/keepalived.conf).
systemd[1]: Starting keepalived.service - Keepalive Daemon (LVS and VRRP)...
Keepalived[2751]: Starting Keepalived v2.2.8 (04/04,2023), git commit v2.2.7-154-g292b299e+
Keepalived[2751]: Running on Linux 6.8.0-53-generic #55-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 17 15:37:52 UTC 2025 (built for Linux 6.8.0)
Keepalived[2751]: Command line: '/usr/sbin/keepalived' '--dont-fork'
Keepalived[2751]: Configuration file /etc/keepalived/keepalived.conf
Keepalived[2751]: NOTICE: setting config option max_auto_priority should result in better keepalived performance
Keepalived[2751]: Starting VRRP child process, pid=2752
Keepalived_vrrp[2752]: (/etc/keepalived/keepalived.conf: Line 10) Truncating auth_pass to 8 characters
Keepalived[2751]: Startup complete
Keepalived_vrrp[2752]: (M3_2) Entering BACKUP STATE (init)

Test the solution

  1. Make sure the virtual IP address was added to the network interface of the server with the Master role:

    1. Connect to master-server-m3 over SSH.

    2. View the configuration of the network interface assigned to the subnet-m3 private subnet.

      ip a

      Result:

      ...
5: etx2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:02:c9:35:fd:31 brd ff:ff:ff:ff:ff:ff
    altname enp6s0d1
    inet 172.28.1.2/24 metric 100 brd 172.28.1.255 scope global dynamic etx2
    valid_lft 3575sec preferred_lft 3575sec
    inet 172.28.1.254/32 scope global etx2
    valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe35:fd31/64 scope link
    valid_lft forever preferred_lft forever

      The network interface received an additional virtual IP address specified in Keepalived settings: 172.28.1.254/32.

  2. Send ICMP requests from the subnet-m4 private subnet to make sure the virtual IP address in the subnet-m3 private subnet is available:

    1. Connect to client-server-m4 over SSH.

    2. Run this command:

      ping 172.28.1.254 -s 1024 -c 5

      Result:

      PING 172.28.1.254 (172.28.1.254) 1024(1052) bytes of data.
1032 bytes from 172.28.1.254: icmp_seq=1 ttl=62 time=0.211 ms
1032 bytes from 172.28.1.254: icmp_seq=2 ttl=62 time=0.242 ms
1032 bytes from 172.28.1.254: icmp_seq=3 ttl=62 time=0.264 ms
1032 bytes from 172.28.1.254: icmp_seq=4 ttl=62 time=0.312 ms
1032 bytes from 172.28.1.254: icmp_seq=5 ttl=62 time=0.273 ms

--- 172.28.1.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4117ms
rtt min/avg/max/mdev = 0.211/0.260/0.312/0.033 ms

      The command you have used sends and receives packages of an increased size. All packages were delivered in full.

  3. Make sure the Keepalived load balancer works correctly:

    1. Connect to client-server-m4 over SSH.

    2. In a separate terminal window, connect to master-server-m3 over SSH.

      Move terminal windows so that you see contents of both windows at the same time.

    3. In the terminal window with the client-server-m4 session, run ping once again without a retry limit:

      ping 172.28.1.254 -s 1024

      During this poll, stop Keepalived in the terminal window with the open master-server-m3 session by running this command:

      sudo systemctl stop keepalived

      When it stops, observe the terminal window with the client-server-m4 session. If the virtual IP address was shared successfully, ICMP requests should switch to the backup host almost seamlessly without interrupting the running ping command.

      Note

      A minor loss of 1 to 3 packages is acceptable, which may happen when the timer for selecting a new group MASTER is triggered and the server is assigned the virtual IP address.

      Result:

      PING 172.28.1.254 (172.28.1.254) 1024(1052) bytes of data.
1032 bytes from 172.28.1.254: icmp_seq=1 ttl=62 time=0.249 ms
...
1032 bytes from 172.28.1.254: icmp_seq=56 ttl=62 time=0.224 ms
1032 bytes from 172.28.1.254: icmp_seq=57 ttl=62 time=0.314 ms
1032 bytes from 172.28.1.254: icmp_seq=58 ttl=62 time=0.278 ms
^C
--- 172.28.1.254 ping statistics ---
58 packets transmitted, 55 received, 5.17241% packet loss, time 58368ms
rtt min/avg/max/mdev = 0.185/0.271/0.326/0.035 ms

    4. In the terminal window with the master-server-m3 session, run Keepalived using this command:

      sudo systemctl start keepalived

  4. Check Keepalived logs on the server with the BACKUP role:

    1. Connect to backup-server-m3 over SSH.

    2. View Keepalived logs:

      sudo journalctl -u keepalived.service

      Result:

      ...
# Logging the transition to MASTER when Keepalived stopped on the initial master node
Feb 19 07:08:07 backup-server-m3 Keepalived_vrrp[2752]: (M3_2) Entering MASTER STATE

# Logging the transition to BACKUP when resuming Keepalived on the initial master node.
Feb 19 07:08:31 backup-server-m3 Keepalived_vrrp[2752]: (M3_2) Master received advert from 172.28.1.2 with higher priority 100, ours 90
Feb 19 07:08:31 backup-server-m3 Keepalived_vrrp[2752]: (M3_2) Entering BACKUP STATE
...

      As you can see from the service log and comments, backup-server-m3 was promoted to the master node when Keepalived was stopped on master-server-m3. After resuming Keepalived on master-server-m3, the server reclaimed its master role and backup-server-m3, again, became the backup node.

How to cancel server lease

You cannot delete BareMetal servers. Instead, you can cancel their lease.

To stop paying for the resources you created, cancel the lease of the BareMetal servers you created earlier.

Previous
Deleting a trunk
Next
Configuring network connectivity in the BareMetal subnet