Keepalived allows you to create a High Availability (HA) cluster using the VRRP protocol. If your primary web server fails, the Floating IP address automatically moves to the backup server, ensuring your website stays online.
Before starting, ensure you have configured rp_filter = 0 (Asymmetric Routing) on both servers as described in our Failover IP Configuration Guide. Without this, the traffic will be dropped by the kernel.
Step 1: Installation
We recommend installing Keepalived from the official repositories rather than compiling from source. Perform this on both servers.
AlmaLinux / Rocky Linux / CentOS:
sudo dnf install keepalived -y
Ubuntu / Debian:
sudo apt update && sudo apt install keepalived -y
Step 2: Configuration (Unicast)
We will configure Keepalived in unicast mode, which is more stable in cloud environments than the standard multicast mode.
Note on Interfaces: Check your network interface name using ip link. In these examples, we assume eth0, but yours might be ens3.
Server 1: The MASTER
Edit /etc/keepalived/keepalived.conf:
vrrp_script chk_httpd {
    script "pidof httpd"          # Checks if the web server is running (process is httpd on RHEL-family, apache2 on Debian/Ubuntu)
    interval 2                    # Run the check every 2 seconds
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0                # CHANGE THIS to your interface name!
    virtual_router_id 51
    priority 100                  # Higher priority = Master
    advert_int 1
    authentication {
        auth_type PASS            # Simple password, sent in cleartext in VRRP adverts
        auth_pass MySecretPassword   # CHANGE THIS; Keepalived uses only the first 8 characters
    }
    # Unicast Config (Cloud Friendly)
    unicast_src_ip <IP_OF_SERVER_1>
    unicast_peer {
        <IP_OF_SERVER_2>
    }
    virtual_ipaddress {
        <YOUR_FLOATING_IP>
    }
    track_script {
        chk_httpd
    }
}
Server 2: The BACKUP
Edit /etc/keepalived/keepalived.conf:
vrrp_script chk_httpd {
    script "pidof httpd"          # Same check as on the Master
    interval 2
}
vrrp_instance VI_1 {
    state BACKUP                  # Starts as Backup
    interface eth0                # CHANGE THIS
    virtual_router_id 51          # Must match Master
    priority 50                   # Lower priority = Backup
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass MySecretPassword   # Must match Master; only the first 8 characters are used
    }
    # Unicast Config
    unicast_src_ip <IP_OF_SERVER_2>
    unicast_peer {
        <IP_OF_SERVER_1>
    }
    virtual_ipaddress {
        <YOUR_FLOATING_IP>
    }
    track_script {
        chk_httpd
    }
}
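The two files only work as a pair if several fields agree or cross over correctly. The following is an added example, not part of the original guide or of Keepalived itself: it parses both configs and reports mismatches. The function names, finding messages and the documentation-range sample IPs are assumptions made for illustration.

```python
import re

def parse_instance(conf):
    """Pull out the fields that must agree, or cross over, between the two nodes."""
    conf = re.sub(r"#.*", "", conf)  # strip comments
    def one(key):
        m = re.search(rf"^\s*{key}\s+(\S+)", conf, re.M)
        return m.group(1) if m else None
    peers = re.search(r"unicast_peer\s*\{([^}]*)\}", conf)
    return {"vrid": one("virtual_router_id"),
            "priority": int(one("priority") or 100),  # 100 is keepalived's default
            "auth_pass": one("auth_pass"), "src": one("unicast_src_ip"),
            "peers": peers.group(1).split() if peers else []}

def check_pair(master_conf, backup_conf):
    """Return a list of findings; an empty list means the pair is consistent."""
    m, b = parse_instance(master_conf), parse_instance(backup_conf)
    out = []
    if m["vrid"] != b["vrid"]:
        out.append("virtual_router_id differs between nodes")
    if m["priority"] <= b["priority"]:
        out.append("MASTER priority is not higher than BACKUP priority")
    if m["auth_pass"] != b["auth_pass"]:
        out.append("auth_pass differs between nodes")
    if m["auth_pass"] and len(m["auth_pass"]) > 8:
        out.append("auth_pass longer than 8 characters: only the first 8 are used")
    if m["src"] not in b["peers"] or b["src"] not in m["peers"]:
        out.append("unicast_src_ip of one node is missing from the other's unicast_peer")
    return out

# Constructed sample pair mirroring the configs above (documentation-range IPs).
TEMPLATE = """vrrp_instance VI_1 {{
    state {state}
    virtual_router_id {vrid}   # must match on both nodes
    priority {prio}
    authentication {{
        auth_type PASS
        auth_pass {pw}
    }}
    unicast_src_ip {src}
    unicast_peer {{
        {peer}
    }}
}}"""
MASTER = TEMPLATE.format(state="MASTER", vrid=51, prio=100, pw="MySecretPassword",
                         src="192.0.2.10", peer="192.0.2.20")
BACKUP = TEMPLATE.format(state="BACKUP", vrid=51, prio=50, pw="MySecretPassword",
                         src="192.0.2.20", peer="192.0.2.10")
if __name__ == "__main__":
    print("\n".join(check_pair(MASTER, BACKUP)))
```

On the sample pair the only finding is the over-long auth_pass. To check real files, pass the contents of each node's /etc/keepalived/keepalived.conf to check_pair.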
Step 3: Firewall Configuration
VRRP uses IP protocol number 112. You must allow this traffic between your servers.
FirewallD (CentOS/Alma)
# Create a rich rule to allow VRRP from the other node only
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<OTHER_SERVER_IP>" protocol value="vrrp" accept'
firewall-cmd --reload
UFW (Ubuntu)
sudo ufw allow in proto vrrp from <OTHER_SERVER_IP>
Step 4: Start and Verify
Start the service on both nodes:
systemctl enable --now keepalived
Verification Checks
- Check IP assignment: On the MASTER, run ip addr show eth0. You should see the Floating IP listed.
- Check Failover: Stop Keepalived on the Master (systemctl stop keepalived). Check the Backup server; it should claim the IP within seconds.
- Check Traffic: Use tcpdump to see the packets flowing:
  tcpdump -v -i eth0 proto 112