Managing Backend Servers

This topic describes how to manage backend servers for use with a load balancer. For information about managing load balancers, see Managing a Load Balancer.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy  written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in.

For administrators: For a typical policy that gives access to load balancers and their components, see Let network admins manage load balancers.

Also, be aware that a policy statement with inspect load-balancers gives the specified group the ability to see all information about the load balancers. For more information, see Details for Load Balancing.

If you're new to policies, see Getting Started with Policies and Common Policies.

Working with Backend Servers

When you implement a load balancer, you must specify the backend servers (Compute instances ) to include in each backend set . The load balancer routes incoming traffic to these backend servers based on the policies you specified for the backend set. You can use the Console to add and remove backend servers in a backend set.

To route traffic to a backend server, the Load Balancing service requires the IP address of the compute instance and the relevant application port. If the backend server resides within the same VCN as the load balancer, Oracle recommends that you specify the compute instance's private IP address. If the backend server resides within a different VCN, you must specify the public IP address of the compute instance. You also must ensure that the VCN's security rules allow Internet traffic.


When you add backend servers to a backend set, you specify either the instance OCID or an IP address for the server to add. An instance with multiple VNICs attached can have multiple IP addresses pointing to it.

  • If you identify a backend server by OCID, Load Balancing uses the primary VNIC's primary private IP address.
  • If you identify the backend servers to add to a backend set by their IP addresses, it is possible to point to the same instance more than once.

To enable backend traffic, your backend server subnets must have appropriate ingress and egress security rules. When you add backend servers to a backend set, you can specify the applicable network security groups (NSGs). If you prefer to use security lists for your VCN, the Load Balancing service Console can suggest security list rules for you. You also can configure them yourself through the Networking service. See Security Lists for more information.


To accommodate high-volume traffic, Oracle strongly recommends that you use stateless security rules for your load balancer subnets.

You can add and remove backend servers without disrupting traffic.

Health Status

The Load Balancing service provides health status indicators that use your health check policies to report on the general health of your load balancers and their components. You can see health status indicators on the Console List and Details pages for load balancers, backend sets, and backend servers. You also can use the Load Balancing API to retrieve this information.

For general information about health status indicators, see Editing Health Check Policies.

Backend Server Health Summary

The Console list of a backend set's backend servers provides health status summaries that indicate the overall health of each backend server. The primary and standby load balancers both provide health check results that contribute to the health status. Health status indicators have four levels. The meaning of each level is:

  • OK: The primary and standby load balancer health checks both return a status of OK.
  • WARNING: One health check returned a status of OK and one did not.
  • CRITICAL: Neither health check returned a status of OK.
  • UNKNOWN: One or both health checks returned a status of UNKNOWN or the system was unable to retrieve metrics.

To view the health status details for a specific backend server, click its IP Address.

For guidance on detecting and correcting common issues, see Using Health Status.

Backend Server Health Details

The Details page for a backend set provides the same Overall Health status indicator found in the backend set's list of backend servers. It also reports the following data for the two health checks performed against each backend server:

ip address
The IP address of the health check status report provider, which is a Compute instance managed by the Load Balancing service. This identifier helps you differentiate same-subnet load balancers that report health check status.
The Load Balancing service ensures high availability by providing one primary and one standby load balancer. To diagnose a backend server issue, you must know the source of the health check report. For example, a misconfigured security rule might cause one load balancer instance to report that a backend server is healthy. The other load balancer instance might return an unhealthy status. In this case, one of the two load balancer instances cannot communicate with the backend server. Reconfigure the security rules to restore the backend server's health status.
The status returned by the health check. Possible values include:
  • OK

    The backend server's response satisfied the health check policy requirements.


    The HTTP response status code did not match the expected status code specified by the health policy.


    The backend server did not respond within the timeout interval specified by the health policy.


    The backend server response did not satisfy the regular expression specified by the health policy.


    The health check server could not connect to the backend server.


    An input or output communication error occurred while reading or writing a response or request to the backend server.


    The backend server is set to offline, so health checks are not run.


    Health check status is not available.

last checked
The date and time of the most recent health check.

Health status is updated every three minutes. No finer granularity is available.

Using the Console

To add one or more servers to a backend set
To edit backend server settings
To remove a server from a backend set

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to manage the backend servers in a backend set: