Oracle Cloud Infrastructure Documentation

Getting Started with Load Balancing

The Load Balancing service allows you to create highly available load balancers within your VCN. All load balancers come with provisioned bandwidth. You can choose to create a load balancer with either a public or a private IP address. Load balancers support SSL handling for both incoming traffic and traffic with your application servers.

When you create a load balancer with a public IP address you specify two subnets, each in a different availability domain, on which the load balancer can run. The two subnets ensure the high availability of the load balancer. A private load balancer requires only one subnet.

This tutorial is an introduction to Load Balancing. You can follow the steps here to create a public load balancer and verify it with a basic web server application. For complete details about the service and its components, see Overview of Load Balancing.

Before You Begin

To try out the Load Balancing service for this tutorial, you must have these things set up first:

  • A virtual cloud network (VCN) with two subnets (each in a different availability domain) and an internet gateway
  • Two instances running (in different subnets)
  • A web application (such as Apache HTTP Server) running on each instance

If you don't have these items set up yet, you can follow the steps shown here.

Tip

If you need an introduction to VCNs and instances, try the Tutorial - Launching Your First Linux Instance first.

VCN and Instance Setup

The following diagram shows the prerequisite VCN and instances:

Diagram of VCN and prerequisite instances

Create a VCN
Launch two instances
Start a web application on each instance

Tutorial Overview

In this tutorial, you create a public load balancer and verify it. A load balancer requires configuration of several components to be functional, and this tutorial walks you through each step to help you understand these components.

To create and test the load balancer, complete the following steps:

  1. Add two subnets to your VCN to host your load balancer.
  2. Create a load balancer.
  3. Create a backend set with health check.
  4. Add backend servers to your backend set.
  5. Create a listener.
  6. Update the load balancer subnet security list and allow internet traffic to the listener.
  7. Verify your load balancer.
  8. Update rules to protect your backend servers.
  9. Terminate your load balancer.

Add Two Subnets to Your VCN to Host Your Load Balancer

Your load balancer must reside in different subnets from your application instances. This configuration allows you to keep your application instances secured in subnets with stricter access rules, while allowing public internet traffic to the load balancer in the public subnets.

To add the public subnets to your VCN:

Add a Security List
Add a Route Table
Create the first subnet
Create the second subnet

The following figure shows the new components added to the VCN:

Two subnets added with custom security list and routertable

Create the Load Balancer

When you create a public load balancer, you choose its shape (size) and you select two subnets, each in a different availability domain. This configuration ensures that the load balancer is highly available. It is active in only one subnet at a time. This load balancer comes with a public IP address and provisioned bandwidth corresponding to the shape you chose.

Tip

Although the load balancer resides in a subnet, it can direct traffic to backend sets that reside in any of the subnets within the VCN.

  1. Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.

    Ensure that the Sandbox compartment (or the compartment designated for you) is selected on the left.

  2. Click Create Load Balancer.
  3. Enter the following:
    • Name: Enter a name for your load balancer.
    • Shape: Select 100 Mbps. The shape specifies the bandwidth of the load balancer. For the tutorial, use the smallest shape. The shape cannot be changed later.
    • Virtual Cloud Network: Select the virtual cloud network for your load balancer.
    • Visibility: Choose Create Public Load Balancer.
    • Subnet (1 of 2): Select LB Subnet 1.
    • Subnet (2 of 2): Select LB Subnet 2. The second subnet must be in a different availability domain than the first subnet you chose.
  4. Click Create.

When the load balancer is created, you get a public IP address. You route all your incoming traffic to this IP address. The IP address is available from both subnets that you specified, but it is active in only one subnet at a time.

Load balancer added to the load balancer subnets

Create a Backend Set

A backend set is a collection of backend servers to which your load balancer directs traffic. A list of backend servers, a load balancing policy, and a health check script define each backend set. A load balancer can have multiple backend sets, but for this tutorial, you create only one backend set that includes both of your web servers.

In this step, you define the backend set policy and health check. You add your servers in a separate step.

To create the backend set:

  1. Click the name of your load balancer and view its details.
  2. Click Create Backend Set.
  3. In the dialog box, enter:
    1. Name: Give your load balancer backend set a name. The name cannot contain spaces.
    2. Policy: Choose Weighted Round Robin.
    What is a policy?
  4. Enter the Health Check details.

    Load Balancing automatically checks the health of the instances for your load balancer. If it detects an unhealthy instance, it stops sending traffic to the instance and reroutes traffic to healthy instances. In this step, you provide the information required to check the health of servers in the backend set and ensure that they can receive data traffic.

    • Protocol: Select HTTP.
    • Port: Enter 80
    • URL Path (URI): Enter /

    The rest of the fields are optional and can be left blank for this tutorial.

  5. Click Create.

    When the Backend Set is created, the Work Request shows a status of Succeeded. Close the Work Request dialog box.

Add Backends (Servers) to Your Backend Set

After the backend set is created, you can add compute instances (backend servers) to it. To add a backend server, you can enter the OCID for each instance and your application port. The OCID enables the Console to create the security list rules required to enable traffic between the load balancer subnets and the instance subnets.

Tip

Security lists are virtual firewall rules for your VCN that provide ingress and egress rules to specify the types of traffic allowed in and out of a subnet. Update your VCN's security list rules to allow traffic flow between the load balancer subnets and the backend server subnets. In this step, you can have the security lists automatically updated by providing the instance OCIDs.

To add a server to your backend set:

  1. On the details page of your load balancer, click Backend Sets. The backend set you just created is displayed.
  2. Click the name of the backend set and view its details.
  3. Click Edit Backends.

In the dialog:

  1. Ensure that Help me create proper security list rules is checked.

    What rules are added to my security lists?
  2. OCID: Paste the OCID of the first instance (Webserver1).

    How do I get the OCID of an instance?

  3. Port: Enter 80.
  4. Weight: Leave blank to weight the servers evenly.

  5. Repeat Steps 2 through 4, pasting in the OCID for the second instance (Webserver2).
  6. Click Create Rules.

The following figure shows the components created in this task:

Load balancer setup highlighting backend set and updated security lists

Create the Listener for Your Load Balancer

A listener is an entity that checks for connection requests. The load balancer listener listens for ingress client traffic using the port you specify within the listener and the load balancer's public IP.

In this tutorial, you define a listener that accepts HTTP requests on port 80.

Note

Listening on Multiple Ports

A listener can listen on one port. To listen on more ports (such as 443 for SSL), create another listener. For information on enabling SSL for your load balancer, see Managing SSL Certificates.

To create a listener:

  1. On your Load Balancer Details page, click Listeners.
  2. Click Create Listener.
  3. Enter the following:
    • Name: Enter a friendly name.
    • Protocol: Select HTTP.
    • Port: Enter 80 as the port on which to listen for incoming traffic.
    • Backend Set: Select the backend set you created.
  4. Click Create.

Update Load Balancer Security Lists and Allow Internet Traffic to the Listener

When you create a listener, you must also update your VCN's security list to allow traffic to that listener.

Allow the Listener to Accept Traffic

The subnets where the load balancer resides must allow the listener to accept traffic. To enable the traffic to get to the listener, update the load balancer subnet's security list.

To update the security list to allow the listener to accept traffic:

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    The list of VCNs in the current compartment is displayed.

  2. Click Security Lists.
    A list of the security lists in the cloud network is displayed.
  3. Click the LB Security List.
    The details are displayed.
  4. Click Edit All Rules.
  5. Under Allow Rules for Ingress, click Add Rule.
  6.  Enter the following ingress rule:
    • Source Type: Select CIDR
    • Source CIDR: Enter 0.0.0.0/0
    • IP Protocol: Select TCP
    • Destination Port Range: Enter 80 (the listener port).
  7. Click Save Security List Rules.

If you created other listeners, add an ingress rule for each listener port to allow traffic to the listener. For example, if you created a listener on port 443, repeat the previous steps using Destination Port Range: 443.

The following figure shows the component created in this task:

Allow Internet traffic to the load balancer for distibution to the backend set

Verify Your Load Balancer

To test your load balancer's functionality, you can open a web browser and navigate to its public IP address (listed on the load balancer's detail page). If the load balancer is properly configured, you can see the name of one of the web server instances:

  1. Open a web browser.
  2. Enter the load balancer public IP address.

    The index.htm page of one of your web servers appears.

    This image shows the WebServer1 page displayed in a browser

  3. Refresh the web page.

    The index.htm page of the other web server now appears.

    This image shows the Webserver2 page displayed in a browser

Because you configured the load balancer backend set policy as Round Robin, refreshing the page alternates between the two web servers.

Update Rules to Limit Traffic to Backend Servers

Update the default security list and the default route table to limit traffic to your backend servers. If you used the Create Virtual Cloud Network Plus Related Resources option to create your VCN and you are not going to terminate this load balancer immediately, these actions are important.

To delete the default route table rule:

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

  2. Click the name of your VCN and review its details.
  3. Under Resources, click Route Tables.
  4. Click the Default Route Table for the VCN.
  5. Click Edit Route Rules.
  6. Click the X next to the route rule, and then click Save.

There are now no Route Rules for the default route table.

To edit the default security list rules:

  1. Go to your Virtual Cloud Network Details page.

  2. Under Resources, click Security Lists.
  3. Click the Default Security List for the VCN.
  4. Click Edit All Rules.
  5. Under Allow Rules for Ingress, delete the following rules:

    Action Source CIDR IP Protocol Destination Port Range
    Delete 0.0.0.0/0 TCP 22
    Delete 0.0.0.0/0 ICMP 3,4
    Delete 10.0.0.0/16 ICMP 3
  6. Under Allow rules for Egress, delete the rule. There can be no Egress Rules.

Now your instances can receive data traffic from, and direct traffic to, only the load balancer subnets. You no longer can connect directly to your instance's public IP address.

Delete Your Load Balancer

When your load balancer becomes available, you are billed for each hour that you keep it running. Once you no longer need a load balancer, you can delete it. When the load balancer is deleted, you stop incurring charges for it. Deleting a load balancer does not affect the backend servers or subnets used by the load balancer.

To delete your load balancer:

  1. Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.

  2. Choose the Compartment that contains your load balancer.

  3. Next to your load balancer, click the Actions icon (three dots), and then click Terminate.

  4. Confirm when prompted.

If you want to delete the instances and VCN you created for this tutorial, follow the instructions in Cleaning Up Resources from the Tutorial.