vRouter Interface Health Check

SUMMARY In Juniper® Cloud-Native Contrail Networking (CN2) Release 22.3, a new health-check custom resource object is introduced that associates the virtual machine interface (VMI) to the pod creation and update workflow. The health-check resource is a namespace-scoped resource.

vRouter Interface Health Check Overview

The Contrail vRouter agent provides the health-check functionality. You can associate a ping or HTTP health check to an interface. If the health check fails, the interface is set as administratively down and associated routes are withdrawn. Those settings are based on the timers and intervals configured in the health-check object. Health check traffic continues to be transmitted in an administratively down state to allow for an interface to recover.

Create a Health-Check Object


The targetIpList and targetIpAll attributes related to VMI health check are not supported in CN2 Release 22.3. They will be supported in a future release.

To create a health-check object:

  1. In the deployment manifests from the Contrail Networking download page, use the hc.yaml file (shown below) for the YAML definition for health-check objects. The same folder also includes the hc_pod.yaml, which has the YAML definition to associate the health-check object with VMI by means of pod definitions.

    Sample hc.yaml file:

  2. Complete the parameters to define the health check. Table 1 lists and explains the parameters.
    Table 1: Health-Check Configurable Parameters
    Field Description
    Delay The delay, in seconds, to repeat the health check.
    DelayUsecs Time, in microseconds, at which the health check is repeated.
    Enabled Indicates that the health check is enabled. The default is False.
    ExpectedCodes When the monitor protocol is HTTP, the expected return code for HTTP operations must be in the range of 200-299.
    HealthCheckType Indicates the health-check type: link-local, end-to-end, segment, vn-ip-list, and end2end. The default is link-local.

    In both link-local and end-to-end modes, the health check is executed for the pod on the vRouter where the VMI is running.

    HttpMethod When the monitor protocol is HTTP, the type of HTTP method used is GET.
    MaxRetries The number of retries to attempt before declaring a health down instance.
    MonitorType The protocol type to be used is PING, BFD, or TCP.

    Attribute is configurable but not supported in CN2 Release 22.3. This attribute will be supported in a future release.


    Attribute is configurable but not supported in CN2 Release 22.3. This attribute will be supported in a future release.

    Timeout The number of seconds to wait for a response.
    TimeoutUsecs Time, in microseconds, to wait for a response.
    UrlPath Must be a valid URL, such as<path>. The IP address can be a placeholder that will be replaced with the pod link-local IP address or metadata IP address.

    Following is an abstract Golang schema for the health-check resource:

    The YML representation for the Golang schema is:

  3. Link the health-check object to the VMI by means of the pod annotation reference value The default behavior is to associate the health check with the primary interface.
  4. (Optional) To link the health check with multiple interfaces that are attached to a different Network Attachment Definition (NAD) or virtual network (VN), you can refer to the health-check object within the cni-args section. Following is an example of configured cni-args in annotations.

    Existing VMI objects will have a new field to reference the HealthCheck object.

    For the PING or HTTP monitoring-based health check, the minimum interval is 1 second. If you need a sub-second level health check for critical applications, you can opt for the BFD-based monitoring type.
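
As an added example (not part of Juniper's manifests or the CN2 code), the Go sketch below lints a health-check spec against the constraints stated in Table 1 and the notes above before the object is applied. The struct, its field types (for instance TargetIpAll as a boolean), and the function name Lint are assumptions made for illustration; only the field names and allowed values come from this page.

```go
package main

import "fmt"

// HealthCheckSpec is a hypothetical mirror of Table 1, not the CN2 schema.
type HealthCheckSpec struct {
	Delay                        int
	Enabled, TargetIpAll         bool
	ExpectedCodes                []int
	HealthCheckType, MonitorType string
	TargetIpList                 []string
}

// Lint returns one finding per rule stated on this page that the spec breaks.
func Lint(s HealthCheckSpec) (out []string) {
	if !s.Enabled {
		out = append(out, "Enabled: false (the default), so the health check is not enabled")
	}
	switch s.HealthCheckType {
	case "", "link-local", "end-to-end", "segment", "vn-ip-list", "end2end": // "" = default
	default:
		out = append(out, fmt.Sprintf("HealthCheckType: unknown value %q", s.HealthCheckType))
	}
	switch s.MonitorType {
	case "HTTP":
		for _, c := range s.ExpectedCodes {
			if c < 200 || c > 299 {
				out = append(out, fmt.Sprintf("ExpectedCodes: %d is outside 200-299", c))
			}
		}
		fallthrough // HTTP shares the 1-second minimum interval with PING
	case "PING":
		if s.Delay < 1 {
			out = append(out, "Delay: PING/HTTP minimum is 1 second; use BFD for sub-second checks")
		}
	case "BFD", "TCP":
	default:
		out = append(out, fmt.Sprintf("MonitorType: unknown value %q", s.MonitorType))
	}
	if s.TargetIpAll || len(s.TargetIpList) > 0 {
		out = append(out, "targetIpAll/targetIpList: not supported in CN2 Release 22.3")
	}
	return out
}

func main() {
	bad := HealthCheckSpec{MonitorType: "HTTP", ExpectedCodes: []int{200, 404}, TargetIpAll: true} // constructed
	fmt.Println(Lint(bad))
}
```

An empty result means the spec breaks none of the rules encoded here; it does not validate fields the page leaves unspecified.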

Health-Check Process

The Contrail vRouter agent is responsible for providing the health-check service. The agent spawns a health-check probe process to monitor the status of a service hosted on the same compute node. Then the process updates the status to the vRouter agent.

The vRouter agent acts on the status provided by the script to withdraw or restore the exported interface routes. The agent is responsible for providing a link-local metadata IP address for allowing the script to communicate with the destination IP address from the underlay network, using appropriate NAT translations. In a running system, this information is displayed in the vRouter agent introspect at: