This topic describes how to modify health check policies for a backend set.
To use Oracle Cloud Infrastructure, you must be given the required type of access in a An IAM document that specifies who has what type of access to your resources. It is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which A collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization. you should work in.
For administrators: For a typical policy that gives access to load balancers and their components, see Let network admins manage load balancers.
Also, be aware that a policy statement with
inspect load-balancers gives the specified group the ability to see all information about the load balancers. For more information, see Details for Load Balancing.
You configure your health check policy when you create a backend set. You can configure TCP-level or HTTP-level health checks for your backend servers.
- TCP-level health checks attempt to make a TCP connection with the backend servers and validate the response based on the connection status.
- HTTP-level health checks send requests to the backend servers at a specific URI and validate the response based on the status code or entity data (body) returned.
The service provides application-specific health check capabilities to help you increase availability and reduce your application maintenance window.
Configure your health check protocol to match your application or service.
If you run an HTTP service, be sure to configure an HTTP-level health check. If you run a TCP-level health check against an HTTP service, you might not get an accurate response. The TCP handshake can succeed and indicate that the service is up even when the HTTP service is incorrectly configured or having other issues. Although the health check appears good, customers might experience transaction failures. For example:
- The backend HTTP service has issues and returns 5XX messages. An HTTP health check catches the message and marks the service as down. In this case, a TCP health check handshake succeeds and marks the service as healthy, even though the HTTP service is not usable.
- The backend HTTP service responds with 4XX messages due to authorization issues or no configured content. A TCP health check does not catch these errors.
The Load Balancing service provides health status indicators that use your health check policies to report on the general health of your load balancers and their components. You can see health status indicators on the Console List and Details pages for load balancers, backend sets, and backend servers. You also can use the Load Balancing API to retrieve this information.
There are four levels of health status indicators. The general meaning of each level is:
- ok (green)
- No attention required.
- The resource is functioning as expected.
- warning (yellow)
- Some reporting entities require attention.
- The resource is not functioning at peak efficiency or the resource is incomplete and requires further work.
- critical (red)
- Some or all reporting entities require immediate attention.
- The resource is not functioning or unexpected failure is imminent.
- unknown (gray)
- Health status cannot be determined.
- The resource is not responding or is in transition and might resolve to another status over time.
The precise meaning of each level differs among the following components:
At the highest level, load balancer health reflects the health of its components. The health status indicators provide information you might need to drill down and investigate an existing issue. Some common issues that the health status indicators can help you detect and correct include:
A health check is misconfigured.
In this case, all the backend servers for one or more of the affected listeners report as unhealthy. If your investigation finds that the backend servers do not have problems, then a backend set probably includes a misconfigured health check.
A listener is misconfigured.
All the backend server health status indicators report OK, but the load balancer does not pass traffic on a listener.
The listener might be configured to:
- Listen on the wrong port.
- Use the wrong protocol.
- Use the wrong policy.
If your investigation shows that the listener is not at fault, check the security list configuration.
A security list is misconfigured.
Health status indicators help you diagnose two cases of misconfigured security lists:
- All entity health status indicators report OK, but traffic does not flow (as with misconfigured listeners). If the listener is not at fault, check the security list configuration.
All entity health statuses report as unhealthy. You have checked your health check configuration and your services run properly on your backend servers.
In this case, your security lists might not include the IP range for the source of the health check requests. You can find the health check source IP on the Details page for each backend server. You can also use the API to find the IP in the
sourceIpAddressfield of the HealthCheckResult object.Note
The source IP for health check requests comes from a Compute instance managed by the Load Balancing service.
One or more of the backend servers reports as unhealthy.
A backend server might be unhealthy or the health check might be misconfigured. To see the corresponding error code, check the status field on the backend server's Details page. You can also use the API to find the error code in the
healthCheckStatus field of the HealthCheckResult object.
Other cases in which health status might prove helpful include:
- VCN security lists block traffic.
- Compute instances have misconfigured route tables.
Health Status Limitations
Health status is updated every three minutes. No finer granularity is available.
Health status does not provide historical health data.
Using the Console
You create your health check tests when you create a backend set.
- Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
- Click the name of the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
- In the Resources menu, click Backend Sets (if necessary).
- For the backend set you want to modify, click the Actions icon (three dots), and then click View Backend Set Details.
- Click Update Health Check.
In the Health Check section, specify the test parameters to confirm the health of backend servers.
All parameters are required when updating an existing health check policy.
Protocol: Required. Specify the protocol to use, either HTTP or TCP.
Configure your health check protocol to match your application or service.
Port: Required. Specify the backend server port against which to run the health check.
You can enter the value '0' to have the health check use the backend server's traffic port.
- URL Path (URI): (HTTP only) Optional. Specify a URL endpoint against which to run the health check.
- Interval in ms: Optional. Specify how frequently to run the health check, in milliseconds. Default is 10000 (10 seconds).
- Timeout in ms: Optional. Specify the maximum time in milliseconds to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. Default is 3000 (3 seconds).
- Number of retries: Optional. Specify the number of retries to attempt before a backend server is considered "unhealthy". Default is 3.
- Status Code: (HTTP only) Required. Specify the status code a healthy backend server must return.
Response Body Regex: (HTTP only) Required. Provide a regular expression for parsing the response body from the backend server. The system treats a blank entry here as the value ".*".
Health checks require all fields to match. Your status code and response body both must match, as specified.
- Click Save.
Using the API
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
Use this API operation to edit a backend set's health check policy: