From d9fa4351db64dd3c7fe45414a3170732d09f041c Mon Sep 17 00:00:00 2001 From: Marcus Klein Date: Fri, 24 Dec 2021 15:32:15 +0100 Subject: [PATCH] Describe in detail why external and internal keepalived ping addresses should be separated Change-Id: Iae5c21ee0d604fb015593337815840981ab10ef9 --- doc/source/configure-haproxy.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/source/configure-haproxy.rst b/doc/source/configure-haproxy.rst index 9727e69..af8ba6f 100644 --- a/doc/source/configure-haproxy.rst +++ b/doc/source/configure-haproxy.rst @@ -128,6 +128,13 @@ By default, OpenStack-Ansible configures keepalived to ping one of the root DNS servers operated by RIPE. You can change this IP address to a different external address or another address on your internal network. +If external connectivity fails, it is important that internal services can +still access an HAProxy instance. In a situation, when ping to some external +host fails and internal ping is not separated, all keepalived instances enter +the fault state despite internal connectivity being still available. Separate +ping check for internal and external connectivity ensures that when one +instance fails the other VIP remains in operation. + Securing HAProxy communication with SSL certificates ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
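Review bot: The added paragraph in configure-haproxy.rst says why the internal and external ping checks should be separated but not how to separate them. The unchanged context above it only mentions changing "this IP address", so a reader cannot tell which setting gives the internal VIP its own ping target; suggest naming the relevant variable(s) or linking to where they are documented. In the last added sentence, "when one instance fails the other VIP remains in operation" is ambiguous, because "instance" in the preceding sentences refers to a keepalived or HAProxy instance while here it appears to mean one of the two connectivity checks; wording such as "when one check fails, the VIP on the other network remains in operation" would remove the doubt. Minor wording: "In a situation, when ping to some external host fails" reads better as "If the ping to an external host fails", and "Separate ping check" should be plural.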