Getting Started with Load Balancing

The Load Balancer service allows you to create highly available load balancers within your VCN. All load balancers come with provisioned bandwidth. You can choose to create a load balancer with either a public or a private IP address. Load balancers support SSL handling for both incoming traffic and traffic with your application servers.

When you create a load balancer with a public IP address you specify two subnets, each in a different availability domain, on which the load balancer can run. The two subnets ensure the high availability of the load balancer. A private load balancer requires only one subnet.

This tutorial is an introduction to Load Balancer. You can follow the steps here to create a public load balancer and verify it with a basic web server application. For complete details about the service and its components, see Overview of Load Balancer.

Before You Begin

To try out the Load Balancer service for this tutorial, you must have these things set up first:

  • A virtual cloud network (VCN) with two subnets (each in a different availability domain) and an internet gateway
  • Two instances running (one in each subnet)
  • A web application (such as Apache HTTP Server) running on each instance

If you don't have these items set up yet, you can follow the steps shown here.

Tip

If you need an introduction to VCNs and instances, try the Tutorial - Launching Your First Linux Instance first.

VCN and Instance Setup

The following diagram shows the prerequisite VCN and instances:

Diagram of VCN and prerequisite instances

Create a VCN
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.

    Ensure that the Sandbox compartment (or the compartment designated for you) is selected in the Compartment list on the left.

  2. Click Start VCN Wizard.
  3. Select Create VCN with Internet Connectivity, and then click Start VCN Wizard.
  4. Enter the following:
    • VCN Name: Enter a name for your cloud network. The name is incorporated into the names of all the related resources that are automatically created. Avoid entering confidential information.
    • Compartment: This field defaults to your current compartment. Select the compartment you want to create the VCN and related resources in, if not already selected.
    • VCN CIDR Block: Enter a valid CIDR block for the VCN. For example 10.0.0.0/16.
    • Public Subnet CIDR Block: Enter a valid CIDR block for the subnet. The value must be within the VCN's CIDR block. For example: 10.0.0.0/24.
    • Private Subnet CIDR Block: Enter a valid CIDR block for the subnet. The value must be within the VCN's CIDR block and not overlap with the public subnet's CIDR block. For example: 10.0.1.0/24.
    • Accept the defaults for any other fields.
  5. Click Next.
  6. Review the list of resources that the wizard will create for you. Notice that the wizard will set up security list rules and route table rules to enable basic access for the VCN.
  7. Click Create to create the components.
  8. After the components are created, click View Virtual Cloud Network.

The cloud network has the following resources and characteristics:

  • Internet gateway.
  • NAT gateway.
  • Service gateway with access to the Oracle Services Network.
  • A regional public subnet with access to the internet gateway. This subnet uses the VCN's default security list and default route table. Instances in this subnet may optionally have public IP addresses.
  • A regional private subnet with access to the NAT gateway and service gateway. This subnet uses a custom security list and custom route table that the workflow created. Instances in this subnet cannot have public IP addresses.
  • Use of the Internet and VCN Resolver for DNS.

Launch two instances

This example uses the default flexible VM shape. If you prefer, you can choose a different shape.

  1. Open the navigation menu and click Compute. Under Compute, click Instances.
  2. Click Create Instance.
  3. On the Create Compute Instance page, for Name, enter a name, for example: Webserver1. Avoid entering confidential information.

  4. In the Placement section, select the first availability domain in the list (AD-1).
  5. In the Image and shape section, enter the following:
    1. Image: Select the image you want.
    2. Shape: Select the default settings.
  6. In the Networking section, configure the network details for the instance. Do not accept the defaults.

    1. For Network, leave Select existing virtual cloud network selected
    2. Virtual cloud network in <compartment_name>: Select the cloud network that you created. If necessary, click Change compartment to switch to the compartment containing the cloud network that you created.
    3. For Subnet, leave Select existing subnet selected.
    4. Subnet in <compartment_name>: Select the public subnet in availability domain 1. If necessary, click Change compartment to switch to the compartment that contains the correct subnet.
    5. Select the Assign a public IPv4 address option. This creates a public IP address for the instance, which you need to access the instance. If you have trouble selecting this option, confirm that you selected the public subnet that was created with your VCN, not a private subnet.
    6. Click Show advanced options. Ensure that the Hostname field is blank.
  7. In the Add SSH keys section, upload the public key portion of the key pair that you want to use for SSH access to the instance. Browse to the key file that you want to upload, or drag and drop the file into the box.

    If you do not have an SSH key pair, see Creating a Key Pair.

  8. In the Boot volume section, leave all the options cleared.

  9. Click Create.
  10. Repeat the previous steps. This time, enter the name Webserver2 and select the subnet in availability domain 2.

Start a web application on each instance

This example uses Apache HTTP Server.

  1. Connect to your instance. If you need help, see Connecting to Your Instance.
  2. Run yum update:

    sudo yum -y update
  3. Install the Apache HTTP Server:

    sudo yum -y install httpd
  4. Allow Apache (HTTP and HTTPS) through the firewall:

    sudo firewall-cmd --permanent --add-port=80/tcp
    sudo firewall-cmd --permanent --add-port=443/tcp

    Note

    Open the Firewall

    If you choose to run an application other than Apache, ensure that you run the preceding command with your application's port so that the firewall allows that traffic.

  5. Reload the firewall:

    sudo firewall-cmd --reload
  6. Start the web server:

    sudo systemctl start httpd
  7. Add an index.html file on each server that indicates which server it is, for example:
    1. On Webserver 1:

      sudo su
      echo 'WebServer1' >/var/www/html/index.html
    2. On Webserver 2:

      sudo su
      echo 'WebServer2' >/var/www/html/index.html

Tutorial Overview

In this tutorial, you create a public load balancer and verify it. A load balancer requires configuration of several components to be functional, and this tutorial walks you through each step to help you understand these components.

To create and test the load balancer, complete the following steps:

  1. Add two subnets to your VCN to host your load balancer.
  2. Create a load balancer.
  3. Create a backend set with health check.
  4. Add backend servers to your backend set.
  5. Create a listener.
  6. Update the load balancer subnet security list and allow internet traffic to the listener.
  7. Verify your load balancer.
  8. Update rules to protect your backend servers.
  9. Delete your load balancer.

Add Two Subnets to Your VCN to Host Your Load Balancer

Your load balancer must reside in different subnets from your application instances. This configuration allows you to keep your application instances secured in subnets with stricter access rules, while allowing public internet traffic to the load balancer in the public subnets.

To add the public subnets to your VCN:

Add a Security List
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.

    The list of VCNs in the current compartment is displayed.

  2. Click the name of the VCN that includes your application instances.
  3. Under Resources, click Security Lists.
  4. Click Create Security List.

    1. Create in Compartment: This field defaults to your current compartment. Select the compartment you want to create the security list in, if not already selected.
    2. Enter a Name, for example, "LB Security List". Avoid entering confidential information.
    3. Delete the entry for the ingress rule and the entry for the egress rule. The security list must have no rules. The correct rules are added automatically during the load balancer workflow.
    4. Tags: Leave as is (you can add tags later if you like).
    5. Click Create Security List.
    6. Return to your Virtual Cloud Network Details page.
Add a Route Table
  1. Under Resources, click Route Tables.
  2. Click Create Route Table. Enter the following:
    1. Create in Compartment: This field defaults to your current compartment. Select the compartment you want to create the route table in, if not already selected.
    2. Name: Enter a name, for example, "LB Route Table". Avoid entering confidential information.
    3. Target Type: Select Internet Gateway.
    4. Destination CIDR Block: Enter 0.0.0.0/0.
    5. Compartment: Select the compartment that contains your VCN's internet gateway.
    6. Target: Select your VCN's internet gateway.
    7. Tags: Leave as is (you can add tags later if you like).
    8. Click Create Route Table.
Create the first subnet
  1. Under Resources, click Subnets.
  2. Click Create Subnet.
  3. Enter or select the following:
    1. Name: Enter a name, for example, "LB Subnet 1". Avoid entering confidential information.
    2. Availability Domain: Choose the first availability domain (AD-1).
    3. CIDR Block: Enter 10.0.4.0/24.
    4. Route Table: Select the LB Route Table you created.
    5. Subnet Access: Select Public Subnet.
    6. DNS Resolution: Select Use DNS Hostnames in this Subnet.
    7. DHCP Options: Select Default DHCP Options for LB_Network.
    8. Security Lists: Select the LB Security List you created.
    9. Tags: Leave as is (you can add tags later if you like).
  4. Click Create.
Create the second subnet

Create a second load balancer subnet in a different availability domain.

  1. In the details page of your VCN, click Create Subnet.
  2. Enter the following:
    1. Name: Enter a name, for example, "LB Subnet 2". Avoid entering confidential information.
    2. Availability Domain: Choose the second availability domain (AD-2).
    3. CIDR Block: Enter 10.0.5.0/24.
    4. Route Table: Select the LB Route Table you created.
    5. Subnet Access: Select Public Subnet.
    6. DNS Resolution: Select Use DNS Hostnames in this Subnet.
    7. DHCP Options: Select Default DHCP Options for LB_Network.
    8. Security Lists: Select the LB Security List you created.
    9. Tags: Leave as is (you can add tags later if you like).
  3. Click Create.

The following figure shows the new components added to the VCN:

Two subnets added with custom security list and route table

Create the Load Balancer

When you create a public load balancer, you choose its shape (size) and you select two subnets, each in a different availability domain. This configuration ensures that the load balancer is highly available. It is active in only one subnet at a time. This load balancer comes with a public IP address and provisioned bandwidth corresponding to the shape you chose.

Tip

Although the load balancer resides in a subnet, it can direct traffic to backend sets that reside in any of the subnets within the VCN.
  1. Open the navigation menu, click Networking, click Load balancers, and then click Load balancer. The Load balancers page appears.

    Ensure that the Sandbox compartment (or the compartment designated for you) is selected on the left.

  2. Click Create Load Balancer.
  3. Enter the following:
    • Name: Enter a name for your load balancer. Avoid entering confidential information.
    • Shape: Select 100 Mbps. The shape specifies the bandwidth of the load balancer. For the tutorial, use the smallest shape. The shape cannot be changed later.
    • Virtual Cloud Network: Select the virtual cloud network for your load balancer.
    • Visibility: Choose Create Public Load Balancer.
    • Subnet (1 of 2): Select LB Subnet 1.
    • Subnet (2 of 2): Select LB Subnet 2. The second subnet must be in a different availability domain than the first subnet you chose.
  4. Click Create.

When the load balancer is created, you get a public IP address. You route all your incoming traffic to this IP address. The IP address is available from both subnets that you specified, but it is active in only one subnet at a time.

Load balancer added to the load balancer subnets

Create a Backend Set

A backend set is a collection of backend servers to which your load balancer directs traffic. A list of backend servers, a load balancing policy, and a health check script define each backend set. A load balancer can have multiple backend sets, but for this tutorial, you create only one backend set that includes both of your web servers.

In this step, you define the backend set policy and health check. You add your servers in a separate step.

To create the backend set:

  1. Click the name of your load balancer and view its details.
  2. Click Create Backend Set.
  3. In the dialog box, enter:
    1. Name: Give your load balancer backend set a name. The name cannot contain spaces. Avoid entering confidential information.
    2. Policy: Choose Weighted Round Robin.
  4. Enter the Health Check details.

    Load Balancer automatically checks the health of the instances for your load balancer. If it detects an unhealthy instance, it stops sending traffic to the instance and reroutes traffic to healthy instances. In this step, you provide the information required to check the health of servers in the backend set and ensure that they can receive data traffic.

    • Protocol: Select HTTP.
    • Port: Enter 80
    • URL Path (URI): Enter /

    The rest of the fields are optional and can be left blank for this tutorial.

  5. Click Create.

    When the Backend Set is created, the Work Request shows a status of Succeeded. Close the Work Request dialog box.

What is a policy?

The policy determines how traffic is distributed to your backend servers.

  • Round Robin - This policy distributes incoming traffic sequentially to each server in a backend set list. When each server has received a connection, the load balancer repeats the list in the same order.
  • IP Hash - This policy uses an incoming request's source IP address as a hashing key to route non-sticky traffic to the same backend server. The load balancer routes requests from the same client to the same backend server as long as that server is available.
  • Least Connections - This policy routes incoming non-sticky request traffic to the backend server with the fewest active connections.

Add Backends (Servers) to Your Backend Set

After the backend set is created, you can add compute instances (backend servers) to it. To add a backend server, you can enter the OCID for each instance and your application port. The OCID enables the Console to create the security list rules required to enable traffic between the load balancer subnets and the instance subnets.

Tip

Security lists are virtual firewall rules for your VCN that provide ingress and egress rules to specify the types of traffic allowed in and out of a subnet. Update your VCN's security list rules to allow traffic flow between the load balancer subnets and the backend server subnets. In this step, you can have the security lists automatically updated by providing the instance OCIDs.

To add a server to your backend set:

  1. On the details page of your load balancer, click Backend Sets. The backend set you just created is displayed.
  2. Click the name of the backend set and view its details.
  3. Click Edit Backends.

In the dialog:

  1. Ensure that Help me create proper security list rules is checked.

  2. OCID: Paste the OCID of the first instance (Webserver1).
  3. Port: Enter 80.
  4. Weight: Leave blank to weight the servers evenly.
  5. Repeat Steps 2 through 4, pasting in the OCID for the second instance (Webserver2).
  6. Click Create Rules.

The following figure shows the components created in this task:

Load balancer setup highlighting backend set and updated security lists

What rules are added to my security lists?

The system updates the security list used by your load balancer subnets to allow egress traffic from the load balancer to each backend server's subnet:

  • Updates to the security list for your load balancer subnets:
    • Allow egress traffic to the backend server 1 subnet (for example, Public-Subnet-AD1)
    • Allow egress traffic to the backend server 2 subnet (for example, Public-Subnet-AD2)

    Image shows egress rules added to the load balancer's subnets' security list

The system updates the security list used by your backend server subnets to allow ingress traffic from the load balancer subnets:

  • Updates to the security list for your backend server subnets:
    • Allow ingress traffic from load balancer subnet 1
    • Allow ingress traffic from load balancer subnet 2

    Image showing ingress rules created for the default security list

How do I get the OCID of an instance?

The OCID (Oracle Cloud Identifier) is displayed when you view the instance, on the instance details page.

  1. In the dialog, right-click View Instances and select a browser option to open the link in a new tab.

    Image highlighting the View Instances link in the Edit Backends dialog

    A new Console browser tab launches, displaying the instances in the current compartment.

  2. In the tab that just opened, if your instances are not in the current compartment, select the compartment to which the instance belongs. (Select from the list on the left side of the page.)

    A shortened version of the OCID is displayed next to each instance.

  3. Click the instance that you're interested in.

    A shortened version of the OCID is displayed on the instance details page.

  4. Click Copy to copy the OCID. You can then paste it into the Instance ID field.

Create the Listener for Your Load Balancer

A listener is an entity that checks for connection requests. The load balancer listener listens for ingress client traffic using the port you specify within the listener and the load balancer's public IP.

In this tutorial, you define a listener that accepts HTTP requests on port 80.

Note

Listening on Multiple Ports

A listener can listen on one port. To listen on more ports (such as 443 for SSL), create another listener. For information on enabling SSL for your load balancer, see SSL Certificates for Load Balancers.

To create a listener:

  1. On your Load Balancer Details page, click Listeners.
  2. Click Create Listener.
  3. Enter the following:
    • Name: Enter a friendly name. Avoid entering confidential information.
    • Protocol: Select HTTP.
    • Port: Enter 80 as the port on which to listen for incoming traffic.
    • Backend Set: Select the backend set you created.
  4. Click Create.

Update Load Balancer Security Lists and Allow Internet Traffic to the Listener

When you create a listener, you must also update your VCN's security list to allow traffic to that listener.

Allow the Listener to Accept Traffic

The subnets where the load balancer resides must allow the listener to accept traffic. To enable the traffic to get to the listener, update the load balancer subnet's security list.

To update the security list to allow the listener to accept traffic:

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.

    The list of VCNs in the current compartment is displayed.

  2. Click Security Lists. A list of the security lists in the cloud network is displayed.
  3. Click the LB Security List. The details are displayed.
  4. Click Edit All Rules.
  5. Under Allow Rules for Ingress, click Add Rule.
  6. Enter the following ingress rule:
    • Source Type: Select CIDR
    • Source CIDR: Enter 0.0.0.0/0
    • IP Protocol: Select TCP
    • Destination Port Range: Enter 80 (the listener port).
  7. Click Save Security List Rules.

If you created other listeners, add an ingress rule for each listener port to allow traffic to the listener. For example, if you created a listener on port 443, repeat the previous steps using Destination Port Range: 443.

The following figure shows the component created in this task:

Allow Internet traffic to the load balancer for distribution to the backend set

Verify Your Load Balancer

To test your load balancer's functionality, you can open a web browser and navigate to its public IP address (listed on the load balancer's detail page). If the load balancer is properly configured, you can see the name of one of the web server instances:

  1. Open a web browser.
  2. Enter the load balancer public IP address.

    The index.html page of one of your web servers appears.

    This image shows the WebServer1 page displayed in a browser

  3. Refresh the web page.

    The index.html page of the other web server now appears.

    This image shows the Webserver2 page displayed in a browser

Because you configured the load balancer backend set policy as Round Robin, refreshing the page alternates between the two web servers.

Update Rules to Limit Traffic to Backend Servers

Update the default security list and the default route table to limit traffic to your backend servers. These actions are important if you used the Create Virtual Cloud Network Plus Related Resources option to create your VCN and you are not going to terminate this load balancer immediately.

To delete the default route table rule:

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the name of your VCN and review its details.
  3. Under Resources, click Route Tables.
  4. Click the Default Route Table for the VCN.
  5. Click Edit Route Rules.
  6. Click the X next to the route rule, and then click Save.

There are now no Route Rules for the default route table.

To edit the default security list rules:

  1. Go to your Virtual Cloud Network Details page.

  2. Under Resources, click Security Lists.
  3. Click the Default Security List for the VCN.
  4. Click Edit All Rules.
  5. Under Allow Rules for Ingress, delete the following rules:

    Action   Source CIDR   IP Protocol   Destination Port Range / ICMP Type, Code
    Delete   0.0.0.0/0     TCP           22
    Delete   0.0.0.0/0     ICMP          3,4
    Delete   10.0.0.0/16   ICMP          3
  6. Under Allow rules for Egress, delete the rule. There can be no Egress Rules.

Your instances can now receive traffic from, and send traffic to, only the load balancer subnets. You can no longer connect directly to an instance's public IP address.
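As an added example (not part of this tutorial or of any Oracle tooling), the following Python script audits a backend subnet's security list against the end state described here and in "What rules are added to my security lists?": ingress only on TCP/80 from the two load balancer subnets, and no egress rules. It assumes the rule shape of the JSON printed by `oci network security-list get`, that the load balancer subnets are 10.0.4.0/24 and 10.0.5.0/24 as created above, and that the application port is 80; the sample security list is constructed.

```python
"""Audit a backend subnet's security list against the tutorial's end state.

Added example, not part of the tutorial or of any Oracle tooling. Assumes the
JSON shape printed by `oci network security-list get`; LB subnets and port below.
"""
import ipaddress
import json

TCP, ICMP = "6", "1"  # IANA protocol numbers, as OCI security rules record them
LB_SUBNETS = [ipaddress.ip_network("10.0.4.0/24"), ipaddress.ip_network("10.0.5.0/24")]
APP_PORT = 80

# Constructed sample: the VCN's default security list after the Edit Backends
# workflow added its two ingress rules, but before the cleanup step above.
SAMPLE_BACKEND_SECURITY_LIST = json.dumps({
    "display-name": "Default Security List for LB_Network",
    "ingress-security-rules": [
        {"source": "0.0.0.0/0", "protocol": TCP,
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "0.0.0.0/0", "protocol": ICMP, "icmp-options": {"type": 3, "code": 4}},
        {"source": "10.0.0.0/16", "protocol": ICMP, "icmp-options": {"type": 3}},
        {"source": "10.0.4.0/24", "protocol": TCP,
         "tcp-options": {"destination-port-range": {"min": 80, "max": 80}}},
        {"source": "10.0.5.0/24", "protocol": TCP,
         "tcp-options": {"destination-port-range": {"min": 80, "max": 80}}},
    ],
    "egress-security-rules": [{"destination": "0.0.0.0/0", "protocol": "all"}],
})


def rule_text(rule, direction):
    """One-line summary of a rule in the Console's column order."""
    peer = rule.get("source") if direction == "ingress" else rule.get("destination")
    proto = rule.get("protocol")
    if proto == TCP:
        pr = (rule.get("tcp-options") or {}).get("destination-port-range") or {}
        detail = f"TCP {pr.get('min', 'all')}-{pr.get('max', 'all')}"
    elif proto == ICMP:
        opts = rule.get("icmp-options") or {}
        detail = "ICMP " + ",".join(str(opts[k]) for k in ("type", "code") if k in opts)
    else:
        detail = f"protocol {proto}"
    return f"{direction} {peer} {detail}"


def ingress_rule_is_expected(rule):
    """True only for 'TCP port 80 from (within) one of the load balancer subnets'."""
    if rule.get("protocol") != TCP or "source" not in rule:
        return False
    try:
        src = ipaddress.ip_network(rule["source"])
    except ValueError:  # e.g. a service CIDR label rather than a CIDR
        return False
    if not any(src.version == lb.version and src.subnet_of(lb) for lb in LB_SUBNETS):
        return False
    pr = (rule.get("tcp-options") or {}).get("destination-port-range")
    # A wider range that merely contains port 80 is over-permissive and is flagged.
    return pr is not None and pr.get("min") == APP_PORT and pr.get("max") == APP_PORT


def audit_backend_security_list(security_list_json):
    """Return the rules the cleanup step deletes: every ingress rule that is not
    'TCP/80 from a load balancer subnet' and every egress rule."""
    sl = json.loads(security_list_json)
    findings = [rule_text(r, "ingress") for r in sl.get("ingress-security-rules", [])
                if not ingress_rule_is_expected(r)]
    findings += [rule_text(r, "egress") for r in sl.get("egress-security-rules", [])]
    return findings


def cleaned_security_list(security_list_json):
    """Return the list as the cleanup step leaves it: flagged rules removed."""
    sl = json.loads(security_list_json)
    sl["ingress-security-rules"] = [r for r in sl.get("ingress-security-rules", [])
                                    if ingress_rule_is_expected(r)]
    sl["egress-security-rules"] = []
    return json.dumps(sl)
```

On a real tenancy, feed `audit_backend_security_list` the `data` object from `oci network security-list get --security-list-id <ocid>`; an empty result means the backend subnet admits only the load balancer.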

Delete Your Load Balancer

When your load balancer becomes available, you are billed for each hour that you keep it running. Once you no longer need a load balancer, you can delete it. When the load balancer is deleted, you stop incurring charges for it. Deleting a load balancer does not affect the backend servers or subnets used by the load balancer.

To delete your load balancer:

  1. Open the navigation menu, click Networking, click Load balancers, and then click Load balancer. The Load balancers page appears.
  2. Choose the Compartment that contains your load balancer.

  3. Next to your load balancer, click the Actions menu, and then click Terminate.

  4. Confirm when prompted.

If you want to delete the instances and VCN you created for this tutorial, follow the instructions in Cleaning Up Resources from the Tutorial.