Overview of Load Balancing

The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from one entry point to multiple servers reachable from your virtual cloud network (VCN). The service offers a load balancer with your choice of a public or private IP address, and provisioned bandwidth.

A load balancer improves resource utilization, facilitates scaling, and helps ensure high availability. You can configure multiple load balancing policies and application-specific health checksA test to confirm the availability of backend servers. to ensure that the load balancer directs traffic only to healthy instances. The load balancer can reduce your maintenance window by draining traffic from an unhealthy application server before you remove it from service for maintenance.

How Load Balancing Works

The Load Balancing service enables you to create a public or private load balancer within your VCN. A public load balancer has a public IP address that is accessible from the internet. A private load balancer has an IP address from the hosting subnet, which is visible only within your VCN. You can configure multiple listenersAn entity that checks for incoming traffic on the load balancer's public floating IP address. for an IP address to load balance transport Layer 4 and Layer 7 (TCP and HTTP) traffic. Both public and private load balancers can route data traffic to any backend server that is reachable from the VCN.

Public Load Balancer

To accept traffic from the internet, you create a public load balancer. The service assigns it a public IP address that serves as the entry point for incoming traffic. You can associate the public IP address with a friendly DNS name through any DNS vendor.

A public load balancer is regional in scope and requires two subnets, each in a separate availability domain. One subnet hosts the primary load balancer and the other hosts a standby load balancer to ensure accessibility even during an availability domain outage. Each load balancer requires one private IP address from its host subnet. The Load Balancing service attaches a floating public IP address to one of the specified subnets. (The floating public IP address does not come from your backend subnets.) If there is a failure in that subnet's availability domain, the load balancer and public IP address switch to the other subnet. The service treats the two load balancer subnets as equivalent and you cannot denote one as "primary".

You cannot specify a private subnet for your public load balancer.

Private Load Balancer

To isolate your load balancer from the internet and simplify your security posture, you can create a private load balancer. The Load Balancing service assigns it a private IP address that serves as the entry point for incoming traffic.

When you create a private load balancer, the service requires only one subnet to host both the primary and standby load balancers. The assigned floating private IP address is local to the specified subnet. The load balancer is accessible only from within the VCN that contains the associated subnet, or as further restricted by your security list rules.

A private load balancer is local to the availability domain that contains the hosting subnet. The primary and standby load balancers each require a private IP address from that subnet, in addition to the assigned floating private IP address. If there is an availability domain outage, the load balancer has no failover.

All Load Balancers

Your load balancer has a backend set to route incoming traffic to your Compute instances. The backend set is a logical entity that includes:

  • A list of backend servers.
  • A load balancing policy.
  • A health check policy.
  • Optional SSL handling.
  • Optional session persistence configuration.

The backend servers (Compute instances) associated with a backend set can exist anywhere, as long as the associated security lists and route tables allow the intended traffic flow.

Every subnet within your VCN has security listsVirtual firewall rules for your VCN. and a route table. Rules within the security lists determine whether a subnet can accept data traffic from the internet or from another subnet. When you add backend servers to a backend set, the Load Balancing service can suggest appropriate security list rules, or you can configure them yourself through the Networking service. See Security Lists for more information.

Oracle recommends that you distribute your backend servers across all availability domains within the region.

To create a minimal system with a functioning load balancer, you must:

  • Create a VCN with an internet gateway and at least two public subnets for a public load balancer. Each subnet must reside in a separate availability domain.

    You cannot specify a private subnet for your public load balancer.

  • Create a VCN with at least one subnet for a private load balancer.
  • Create at least two Compute instances, each in a separate availability domain.
  • Create a load balancer.
  • Create a backend set with a health check policy.
  • Add backend servers (Compute instances) to the backend set.
  • Create a listener, with optional SSL handling.
  • Update the load balancer subnet security list so it allows the intended traffic.

Private IP Address Consumption

A public load balancer consumes two private IP addresses, one from each host subnet.

A private load balancer created in a single subnet consumes three private IP addresses from the host subnet.

See Getting Started with Load Balancing for step-by-step instructions to create a simple load balancing setup.

The following diagram provides a high-level view of a simple public load balancing system configuration. Far more sophisticated and complex configurations are common.

Diagram of a simple load balancing configuration

Load Balancing Concepts

The following concepts are essential to working with Load Balancing.

backend server
An application server responsible for generating content in reply to the incoming TCP or HTTP traffic. You typically identify application servers with a unique combination of overlay (private) IPv4 address and port, for example, and
For more information, see Managing Backend Servers.
backend set
A logical entity defined by a list of backend servers, a load balancing policy, and a health check policy. SSL configuration is optional. The backend set determines how the load balancer directs traffic to the collection of backend servers.
For more information, see Managing Backend Sets.
If you use HTTPS or SSL for your listener, you must associate an SSL server certificate (X.509) with your load balancer. A certificate enables the load balancer to terminate the connection and decrypt incoming requests before passing them to the backend servers.
For more information, see Managing SSL Certificates.
health check

A test to confirm the availability of backend servers. A health check can be a request or a connection attempt. Based on a time-interval you specify, the load balancer applies the health check policy to continuously monitor backend servers. If a server fails the health check, the load balancer takes the server temporarily out of rotation. If the server subsequently passes the health check, the load balancer returns it to the rotation.

You configure your health check policy when you create a backend set. You can configure TCP-level or HTTP-level health checks for your backend servers.

  • TCP-level health checks attempt to make a TCP connection with the backend servers and validate the response based on the connection status.
  • HTTP-level health checks send requests to the backend servers at a specific URI and validate the response based on the status code or entity data (body) returned.

The service provides application-specific health check capabilities to help you increase availability and reduce your application maintenance window.

For more information on health check configuration, see Editing Health Check Policies.
health status
An indicator that reports the general health of your load balancers and their components.
For more information, see the Health Status section of Editing Health Check Policies.
A logical entity that checks for incoming traffic on the load balancer's IP address. You configure a listener's protocol and port number, and the optional SSL settings. To handle TCP, HTTP, and HTTPS traffic, you must configure multiple listeners.
Supported protocols include:
  • TCP
  • HTTP/1.0
  • HTTP/1.1
  • HTTP/2
  • WebSocket
For more information, see Managing Load Balancer Listeners.
load balancing policy
A load balancing policy tells the load balancer how to distribute incoming traffic to the backend servers. Common load balancer policies include:
  • Round robin
  • Least connections
  • IP hash
For more information, see How Load Balancing Policies Work.
path route set
A set of path route rules to route traffic to the correct backend set without using multiple listeners or load balancers.
For more information, see Managing Request Routing.
regions and availability domains
The Load Balancing service manages application traffic across availability domains within a regionA collection of availability domains located in a single geographic location.. A region is a localized geographic area, and an availability domain is one or more data centers located within a region. A region is composed of several availability domains.
For more information, see Regions and Availability Domains.
session persistence
A method to direct all requests originating from a single logical client to a single backend web server.
For more information, see Session Persistence.
A template that determines the load balancer's total pre-provisioned maximum capacity (bandwidth) for ingress plus egress traffic. Available shapes include 100 Mbps, 400 Mbps, and 8000 Mbps.
Pre-provisioned maximum capacity applies to aggregated connections, not to a single client attempting to use the full bandwidth.
Secure Sockets Layer (SSL) is a security technology for establishing an encrypted link between a client and a server. You can apply the following SSL configurations to your load balancer:
ssl termination
The load balancer handles incoming SSL traffic and passes the unencrypted request to a backend server.
end to end ssl
The load balancer terminates the SSL connection with an incoming traffic client, and then initiates an SSL connection to a backend server.
ssl tunneling
If you configure the load balancer's listener for TCP traffic, the load balancer tunnels incoming SSL connections to your application servers.
Load Balancing supports the TLS 1.2 protocol with a default setting of strong cipher strength. The default supported ciphers include:
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-SHA256
For more information, see Managing SSL Certificates.
A subdivision you define in a VCN, such as and Each subnet exists in a single availability domain. A subnet consists of a contiguous range of IP addresses that do not overlap with other subnets in the VCN. For each subnet, you specify the routing rules and security lists that apply to it.
You must have at least two public subnets, in separate availability domains, within your VCN to create a public load balancer. You cannot specify a private subnet for your public load balancer. A private load balancer requires only one subnet.
For more information on subnets, see VCNs and Subnets and Public vs. Private Subnets.
virtual hostname
A virtual server name applied to a listener to enhance request routing.
For more information, see Managing Request Routing.
virtual cloud network (vcn)
A private network that you set up in the Oracle data centers, with firewall rules and specific types of communication gateways that you can choose to use. A VCN covers a single, contiguous IPv4 CIDR block of your choice in the allowed IP address ranges.
You need at least one virtual cloud network before you launch a load balancer.
For information about setting up virtual cloud networks, see Overview of Networking.
Specifies whether your load balancer is public or private. A public load balancer has a public IP address that clients can access from the internet. A private load balancer has a private IP address, from a VCN local subnet, that clients can access only from within your VCN.
For more information, see Managing a Load Balancer.
work request
An object that reports on the current state of a Load Balancing request.
The Load Balancing service handles requests asynchronously. Each request returns a work request ID (OCID) as the response. You can view the work request item to see the status of the request.
For more information, see Viewing the State of a Work Request.

Resource Identifiers

Each Oracle Cloud Infrastructure resource has a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Ways to Access Oracle Cloud Infrastructure

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see Oracle Cloud Infrastructure SDKs.

To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. You will be prompted to enter your cloud tenant, your user name, and your password.

For general information about using the API, see REST APIs.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groupsA collection of users who all need a particular type of access to a set of resources or compartment., compartmentsA collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization., and policiesA document in the IAM that specifies who has what type of access to your resources. It is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

Limits on Load Balancing Resources

See Service Limits for a list of applicable limits and instructions for requesting a limit increase.

Other limits include:

  • You cannot dynamically change the load balancer shape to handle more incoming traffic. You can use the API or Console to create a load balancer with the new shape information.
  • The Load Balancing service does not support IPv6 addresses.
  • The maximum number of concurrent connections is limited when you use stateful security list rules for your load balancer subnets. In contrast, there is no theoretical limit on concurrent connections if you use stateless security list rules. There are, however, practical limitations that depend on various factors. The larger your load balancer shape, the greater the connection capacity. Other considerations include system memory, TCP timeout periods, TCP connection state, and so forth.

    To accommodate high-volume traffic, Oracle strongly recommends that you use stateless security list rules for your load balancer subnets.

  • Each load balancer has the following configuration limits:

    • One IP address
    • 16 backend sets
    • 512 backend servers per backend set
    • 1024 backend servers total
    • 16 listeners