Creating a Load Balancer

Create a load balancer to provide automated traffic distribution from one entry point to multiple servers reachable from your virtual cloud network (VCN).

For prerequisite information, see Load Balancer Management.

    1. Open the navigation menu, click Networking, and then click Load balancers. Click Load balancer. The Load balancers page appears.

    2. Choose a Compartment you have permission to work in under List scope.

      Note

      If you select a different compartment in the Management tab (under Advanced options), that compartment contains the load balancer you're creating instead of the compartment specified here.

    3. Click Create load balancer. The Create load balancer dialog box appears. Creating a load balancer consists of the following pages:

      • Add details

      • Choose backends

      • Configure listener

      • Manage logging

      By default, the Add details page appears first. Run each of the following workflows in order. You can return to a previous page by clicking Previous.

    Add details

    Complete the following steps:

    1. Specify the Load balancer name. Accept the default name or enter a friendly name for the load balancer. It does not have to be unique, but it cannot be changed in the Console. You can, however, change it with the API.

    2. Under Choose visibility type, select one of the following options:

      • Public: Choose this option to create a public load balancer. You can use the assigned public IP address as a front end for incoming traffic and to balance that traffic across all backend servers. When you select the public IP address option, you are also prompted to select and complete the public IP address type (see below).

      • Private: Choose this option to create a private load balancer. You can use the assigned private IP address as a front end for incoming internal VCN traffic and to balance that traffic across all backend servers.

    3. (Public IP addresses only) Under Choose IP address type, select one of the following options:

      • Ephemeral IP address: Choose this option to let Oracle specify an ephemeral IP address for you from the Oracle IP pool. This is the default.

      • Reserved IP address: Choose this option to specify an existing reserved IP address by name, or to create a new reserved IP address by assigning a name and selecting a source IP pool for the address. If you don't select a user-created pool, the default Oracle IP pool is used.

      See Public IP Addresses.

    4. Select the Bandwidth by completing one of the following shape options:

      • Flexible shapes: Specify Minimum bandwidth and Maximum bandwidth values to create an upper and lower size range for the load balancer's bandwidth shape. Possible sizes range from 10 Mbps to 8,000 Mbps. You can use the slider to specify the value or enter it directly into the box to the left of each slider.

        The minimum bandwidth reflects the amount of bandwidth that is always available to provide instant readiness for the workloads.

        The maximum bandwidth is the upper amount of bandwidth the load balancer supports during times of peak workload.

        If you want to specify a fixed shape size, for example 500 Mbps, set the minimum and maximum sliders to the same value.

        If you are creating the load balancer as a paid account user, you can create various shape options based on your limits and later adjust the bandwidth by changing the shape after the load balancer has been created. You can view your service limits and quotas in the Console by navigating to Governance & Administration > Limits, Quotas and Usage. Select "LbaaS" from the Service list. Your bandwidth size options are listed. See Service Limits.

        Billing is per minute for your load balancer base instance, plus a bandwidth usage fee. If the actual usage is below or equal to your specified minimum bandwidth, you are billed for the minimum bandwidth. If actual usage exceeds the minimum bandwidth, you are billed for the actual bandwidth used for that minute.

        The Always Free option is incorporated into your paid account in your home region. The first 10 Mbps of your bandwidth is free, and is indicated as such on your bill.

        Note

        Government accounts using prepaid dynamic (fixed) shape sizes run the risk of overage charges when flexible bandwidth shapes exceed the predetermined size. Update government accounts to the flexible load balancer SKU, with the appropriate bandwidth quantity, in their contract before using the flexible load balancer feature.

        If you are using non-universal credit SKUs, ensure that your contract includes the shape you are updating to so you can prevent incurring overage charges.

      You can adjust the bandwidth shape to a different size after you have completed creating the load balancer. See Changing a Load Balancer's Bandwidth Shape.

    5. Select Enable IPv6 address assignment if the load balancer supports IPv6 addresses for incoming requests. For more information about Oracle Cloud Infrastructure's IPv6 implementation, see IPv6 Addresses.

      When you create a load balancer, you can optionally choose to have an IPv4/IPv6 dual-stack configuration. When you choose the IPv6 option, the Load Balancing service assigns both an IPv4 and an IPv6 address to the load balancer. The load balancer receives client traffic sent to the assigned IPv6 address. The load balancer uses only IPv4 addresses to communicate with backend servers. The load balancer and the backend servers do not use IPv6 communication.

      IPv6 address assignment occurs only at load balancer creation. You cannot assign an IPv6 address to an existing load balancer.

    6. Configure the Choose networking section. If the current compartment contains at least one VCN, the Console provides a list of VCNs from which to choose.

      • Virtual cloud network in <compartment>: Specify a VCN for the load balancer.

        By default, the Console shows a list of VCNs in the compartment you're currently working in. Click the Change compartment link to select a VCN from a different compartment.

      • Subnet in <compartment>: Select an available subnet. For a public load balancer, it must be a public subnet.

        By default, the Console shows a list of subnets in the compartment you're currently working in. Click the Change compartment link to select a subnet from a different compartment.

        In addition to public or private, subnets can be either regional or AD-specific. Oracle recommends using regional subnets. See Overview of VCNs and Subnets.

      • Subnet (2 of 2) in <compartment>: Required for a public load balancer when you specify an AD-specific subnet for Subnet. Select a second public subnet. The second subnet must reside in a separate availability domain from the first subnet.

        If you chose to create a private load balancer under Visibility type, the form prompts you to select only one subnet.

        If you are working in a region that includes only one availability domain, a second subnet is not required. The form prompts you to select only one subnet.

      If the current compartment contains no virtual cloud networks, the Load Balancer service offers to create a VCN for you.

      • Virtual cloud network in <compartment>: When the current compartment contains no virtual cloud networks, the list is disabled. The system offers to create a VCN for you.

        If you want to use an existing VCN in another compartment, click the Change compartment link and choose that compartment from the list.

        Virtual cloud network name: Optional when the system creates a VCN for you. Specify a friendly name for the new cloud network. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API).

        If you do not specify a name for the new VCN, the system generates a name for you.

    7. Select Use network security groups to control traffic if you want to add your load balancer to a network security group (NSG). See Network Security Groups.

      • Network security groups in <compartment>: Choose an NSG to add your load balancer to.

        By default, the Console shows a list of NSGs in the compartment you are currently working in. Click the Change compartment link to select an NSG from a different compartment.

      • (Optional) Click + Another network security group to add your load balancer to another NSG.

      You can change the NSGs that your load balancer belongs to after you create it. On your load balancer's Details page, click the Edit link that appears beside the list of associated network security groups.

    8. Click Show advanced options to access more options.

    9. Click the Security tab and complete the following information:

      • Use a web application firewall policy to protect against layer 7 attacks: Select to apply web application firewall policies to the load balancer as a safeguard against attack.

      • Select a web application firewall policy available in the current compartment from the list under Assign in region web application firewall policy. Click Change compartment to access the web application firewall policies in a different compartment.

      For more information about web application firewall policies, see Overview of Web Application Firewall.

    10. Click the Tagging tab to apply tagging to the load balancer. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.

    11. Click the Acceleration tab to select Use a web application acceleration policy to speed up your performance. Select a web application acceleration policy in the current compartment from the list under Assign a web application acceleration policy. Click Change compartment to access the web application acceleration policies in a different compartment.

      For more information about web application acceleration policies, see Overview of Web Application Acceleration.

    12. Click the Management tab to select a different compartment from the list under Create in compartment to host the load balancer. The compartment you select here overrides the compartment listed under Scope selected when first creating the load balancer.

    13. Click Next. The Choose Backends page appears.

      A load balancer distributes traffic to backend servers within a backend set. A backend set is a logical entity defined by a load balancing policy, a list of backend servers (compute instances), and a health check policy.

      The load balancer creation workflow creates one backend set for your load balancer. Optionally, you can add backend sets and backend servers after you create the load balancer.

    Note

    This section describes the Dynamic Shapes feature, which is only available to certain legacy customer accounts:

    Dynamic shapes: Choose one of the following predefined shape sizes:

    • 10 Mbps

    • 100 Mbps

    • 400 Mbps

    • 8,000 Mbps

    If you are creating the load balancer as a paid account user, you can create various shape options based on your limits and later adjust the bandwidth by changing the shape after the load balancer has been created. You can view your service limits and quotas in the Console by navigating to Governance & Administration > Limits, Quotas and Usage. Select "LbaaS" from the Service list. Your bandwidth size options are listed. See Service Limits. You can also select the Always Free option if your one free tier account has not already been used.

    You can adjust the bandwidth shape to a different size after you have completed creating the load balancer. See Changing a Load Balancer's Bandwidth Shape.

    If you adjust a dynamic size value to a flexible size using the sliders, you cannot revert to a dynamic shape of any size. You can achieve the effect of having a dynamic (fixed) size by setting the minimum and maximum sliders to the same size.

    Choose backends

    Complete the following:

    1. Choose the load balancer policy for the backend set:

      • Weighted round robin: This policy distributes incoming traffic sequentially to each server in a backend set list.

      • IP hash: This policy ensures that requests from a particular client are always directed to the same backend server.

      • Least connections: This policy routes incoming request traffic to the backend server with the fewest active connections.

      For more information on these policies, see Load Balancer Policies.

    2. Click Add backends to select resources from a list of available compute instances. The Add backends dialog box appears.

      When you add backend servers, the Load Balancer service automatically creates security list rules for you. If you prefer to create security list rules manually, click Show advanced options and choose the option to Manually configure security list rules after the load balancer is created. Complete the following:

      • Add backends: Select the instances you want to include in the load balancer's backend set. To select instances from a different compartment, use the Change compartment link and choose a compartment from the list. After you select the instances you want to add from the current compartment, click Add selected backends.

        You can choose instances from one compartment at a time. After you add instances from one compartment, you can choose Add more backends to add instances from another compartment.

        You cannot add a backend server marked as Backup to a backend set that uses the IP Hash policy.

      After you add instances to the backend set, they appear in the Select backend servers table. You can:

      • Specify the server Port to which the load balancer must direct traffic. The default is port 80.

      • Click the Actions menu for a server and choose Delete to remove it from the backend set.

    3. Specify the test parameters that confirm the health of your backend servers:

      • Protocol: Specify the protocol to use for health check queries, either HTTP or TCP. Configure your health check protocol to match your application or service. See Health Checks for Load Balancers.

      • Port: Specify the backend server port against which to run the health check. You can enter the value '0' to have the health check use the backend server's traffic port.

      • Force plaintext health checks: (HTTP only) Select to send the health check to the backend server without SSL. This option is only available when the backend server has its protocol set to HTTP. It has no effect when the backend server does not have SSL enabled. When SSL is disabled, health checks are always plaintext.

      • Interval in ms: Specify how frequently to run the health check, in milliseconds. The default is 10000 (10 seconds).

      • Timeout in ms: Specify the maximum time in milliseconds to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. The default is 3000 (3 seconds).

      • Number of retries: Specify the number of retries to attempt before a backend server is considered "unhealthy." This number also applies when recovering a server to the "healthy" state. The default is 3.

      • Status code: (HTTP only) Specify the status code a healthy backend server must return.

      • URL path (URI): (HTTP only) Specify a URL endpoint against which to run the health check.

      • Response body regex: (HTTP only) Provide a regular expression for parsing the response body from the backend server.

    4. Select Use SSL to apply SSL to the load balancer backend. If you select this option, complete the following. If optimal security is required, it is your responsibility to always use HTTPS for traffic between the load balancer and the backend set.

      • Certificate resource: Select one of these options from the list:

        • Load balancer service managed certificate: Select the CA bundle or Certificate authority option, and then select your choice from the associated list. Click Change compartment to choose a different compartment from which to select the CA bundle or certificate authority.

        • Load balancer management certificate: Select one of the following:
          • Choose SSL certificate file: Drag and drop the certificate file into the SSL certificate field. Alternatively, click Select Files and navigate your system to where you can select the certificate file for upload. Certificate files must be in PEM format and must have the .pem, .cer, or .crt file extensions.

            If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.

          • Paste SSL certificate: Copy and paste a certificate directly into this field.

      • Specify CA certificate: (Recommended for backend SSL termination configurations.) Select if you want to provide a CA certificate. See SSL Certificates for Load Balancers.

      • Choose private key file: Drag and drop the private key, in PEM format, into the Private key field. Alternatively, you can choose the Paste private key option to paste a private key directly into this field.

      • Enter private key passphrase: Specify the private key passphrase.

    5. Click Show advanced options to access more options.

    6. Click the Backend set name tab to specify a name for the backend set. It must be unique within the load balancer, and it cannot be changed. If you do not specify a name, the Load Balancer service creates one for you. Use only alphanumeric characters, dashes ("-"), and underscores ("_") for backend set names. Backend set names cannot contain spaces.

    7. Click the Security list tab to choose to manually configure subnet security list rules to allow the intended traffic or allow the system to create security list rules for you. To learn more about these rules, see Parts of a Security Rule. Select one of the following options:

      • Manually configure security list rules after the load balancer is created: When you choose this option, you must configure security list rules after load balancer creation.
      • Automatically add security list rules: When you choose this option, the Load Balancer service creates security list rules for you.

      The system displays a table for egress rules and a table for ingress rules. Each table lets you choose the security list that applies to the relevant subnet. You can choose whether to apply the proposed rules for each affected subnet.

    8. Click the Session persistence tab to specify how the load balancer manages session persistence. See Load Balancer Session Persistence for important information on configuring these settings.

      • Disable session persistence: Choose this option to disable cookie-based session persistence.

      • Enable application cookie persistence: Choose this option to enable persistent sessions from a single logical client when the backend application server response includes a Set-cookie header with the cookie name you specify.

        Cookie name: The cookie name used to enable session persistence. Specify * to match any cookie name.

        Disable fallback: Select to disable fallback when the original server is unavailable.

      • Enable load balancer cookie persistence: Choose this option to enable persistent sessions based on a cookie inserted by the load balancer.

        • Cookie name: Specify the name of the cookie used to enable session persistence. If blank, the default cookie name is X-Oracle-BMC-LBS-Route. Ensure that any cookie names used at the backend application servers are different from the cookie name used at the load balancer.

        • Disable fallback: Select to disable fallback when the original server is unavailable.

        • Domain name: Specify the domain in which the cookie is valid. This attribute has no default value. If you do not specify a value, the load balancer does not insert the domain attribute into the Set-cookie header.

        • Path: Optional. Specify the path in which the cookie is valid. The default value is /.

        • Expiration period in seconds: Specify the amount of time the cookie remains valid. If blank, the cookie expires at the end of the client session.

        • Attributes
          • Secure: Specify whether the Set-cookie header must contain the Secure attribute. If selected, the client sends the cookie only using a secure protocol. If you enable this setting, you cannot associate the corresponding backend set with an HTTP listener.

          • HTTP only: Specify whether the Set-cookie header must contain the HttpOnly attribute. If selected, the cookie is limited to HTTP requests. The client omits the cookie when providing access to cookies through non-HTTP APIs such as JavaScript channels.

    9. Click Next. The Configure listener page appears.
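
    The health check settings from step 3 above (Timeout in ms, Number of retries, Status code, Response body regex), modeled as an added example that is not Oracle's code. It assumes that "Number of retries" means that many consecutive contrary results before a backend changes state, and that the regex may match anywhere in the body; all class and function names are hypothetical.

```python
"""Added example: simplified model of the health check settings in step 3."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HealthCheck:  # hypothetical record, not an OCI SDK type
    protocol: str = "HTTP"      # "HTTP" or "TCP"
    interval_ms: int = 10000    # page default
    timeout_ms: int = 3000      # page default
    retries: int = 3            # page default
    status_code: int = 200      # constructed value (HTTP only)
    body_regex: str = ".*"      # constructed value (HTTP only)


@dataclass
class Probe:  # one health check attempt; all sample probes below are constructed
    elapsed_ms: Optional[int]   # None = no reply / connection failed
    status: Optional[int] = None
    body: str = ""


def probe_passes(check: HealthCheck, probe: Probe) -> bool:
    # A check succeeds only if a reply returns within the timeout period.
    if probe.elapsed_ms is None or probe.elapsed_ms > check.timeout_ms:
        return False
    if check.protocol == "TCP":
        return True  # status code and body regex are HTTP-only settings
    if probe.status != check.status_code:
        return False
    # Assumption: the regex may match anywhere in the response body.
    return re.search(check.body_regex, probe.body) is not None


class BackendHealth:
    """Assumed model: the state flips after `retries` consecutive contrary results."""

    def __init__(self, check: HealthCheck, healthy: bool = True):
        self.check = check
        self.healthy = healthy
        self.streak = 0  # consecutive results that contradict the current state

    def observe(self, probe: Probe) -> bool:
        ok = probe_passes(self.check, probe)
        if ok == self.healthy:
            self.streak = 0
        else:
            self.streak += 1
            if self.streak >= self.check.retries:
                self.healthy, self.streak = ok, 0
        return self.healthy


def replay(check: HealthCheck, probes: List[Probe]) -> List[bool]:
    state = BackendHealth(check)
    return [state.observe(p) for p in probes]


def worst_case_detection_ms(check: HealthCheck) -> int:
    # Backend fails just after a passing check: `retries` more checks must fail,
    # and the last one is only declared failed once its timeout expires.
    return check.retries * check.interval_ms + check.timeout_ms


CHECK = HealthCheck(status_code=200, body_regex=r'"status"\s*:\s*"ok"')
OK = Probe(40, 200, '{"status": "ok"}')
SAMPLE = [
    OK,
    Probe(3500, 200, '{"status": "ok"}'),      # reply after the 3000 ms timeout
    Probe(35, 500, "internal error"),          # wrong status code
    Probe(30, 200, '{"status": "degraded"}'),  # status matches, body does not
    OK, OK, OK,                                # three passes to recover
]

if __name__ == "__main__":
    print(replay(CHECK, SAMPLE))           # [True, True, True, False, False, False, True]
    print(worst_case_detection_ms(CHECK))  # 33000
```

    Under this model the page defaults leave a failed backend in rotation for up to 33 seconds, which is the figure to weigh when tuning Interval in ms and Number of retries.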

    Configure listener

    Complete the following:

    1. Enter a name for the listener. The name must be unique, and cannot be changed. If you do not specify a name, the Load Balancer service creates one for you.

    2. Specify the type of traffic your listener handles:

      • HTTPS

      • HTTP

      • HTTP/2

      • TCP

    3. Specify the port your listener monitors for ingress traffic. The default values are the following:

      • 443 for HTTPS

      • 80 for HTTP

      • 443 for HTTP/2

      • 22 for TCP

    4. If you chose the HTTPS or HTTP/2 protocols, or if you chose the TCP protocol and selected Use SSL, complete the following steps:

      • Use SSL: Select to apply SSL to the load balancer backend. If you select this option, complete the following. If optimal security is required, it is your responsibility to always use HTTPS for traffic between the load balancer and the backend set.

        • Certificate resource: Select one of these options from the list:

          • Load balancer service managed certificate: Select the CA bundle or Certificate authority option, and then select your choice from the associated list. Click Change compartment to choose a different compartment from which to select the CA bundle or certificate authority.

          • Load balancer management certificate: Select one of the following:
            • Choose SSL certificate file: Drag and drop the certificate file into the SSL certificate field. Alternatively, click Select Files and navigate your system to where you can select the certificate file for upload. Certificate files must be in PEM format and must have the .pem, .cer, or .crt file extensions.

              If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.

            • Paste SSL certificate: Copy and paste a certificate directly into this field.

        • Specify CA certificate: (Recommended for backend SSL termination configurations.) Select if you want to provide a CA certificate. See SSL Certificates for Load Balancers.

        • Choose private key file: Drag and drop the private key, in PEM format, into the Private key field. Alternatively, you can choose the Paste private key option to paste a private key directly into this field.

        • Enter private key passphrase: Specify the private key passphrase.

    5. Click Show advanced options to access more options.

    6. Click the Timeout tab to specify the maximum idle time in seconds. The maximum value is 7200 seconds. See Load Balancer Timeout Connection Settings.

    7. (HTTPS and HTTP/2 only) Click the SSL policy tab to specify the type of cipher suite to use. Complete the following information:

      • TLS version: Specify the Transport Layer Security (TLS) versions:

        • 1.0

        • 1.1

        • 1.2 (recommended)

        • 1.3

        The HTTP/2 protocol only supports TLS 1.2 and TLS 1.3.

        You can select any combination of versions. Choose the ones you want from the list.

      • Specify the cipher suite: Choose one of the following options:

        • Select cipher suite: Select a predefined set of cipher suites (default). Pick a choice from the Select cipher suite list. All cipher suites listed have at least one cipher from each of the TLS versions you selected. The HTTP/2 protocol only supports a default cipher. You can't change it.

        • Create custom cipher suite: Perform the following steps to add ciphers to a new suite:

          1. Enter the name of the custom cipher suite in the Suite name field.

          2. Click Choose ciphers. The Select ciphers page appears.

          3. Select each cipher that you want to include in the suite. The TLS versions associated with each cipher are listed in the Version column. Ensure that any cipher you choose is compatible with the TLS versions you previously chose. Assign at least one cipher to a cipher suite you create. You cannot create a cipher suite that contains no ciphers.

          4. Deselect any ciphers you want to exclude.

          5. Click Select. Then select that custom cipher suite (or whatever suite you want to use) from the Select cipher suite list.

        • Click Show cipher suite details to display what ciphers the selected cipher suite contains.

      Select Enable under Server order preference to give preference to the server ciphers over the client.

    8. Click Next. The Manage logging page appears.
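
    The constraints stated in the Choose backends and Configure listener steps (HTTP/2 limited to TLS 1.2 and 1.3, cipher and TLS version compatibility, the 7200-second idle timeout, the Secure cookie and HTTP listener conflict, backup backends with IP hash, backend set name characters) written as a check to run before submitting; this is an added example, not Oracle's code. The record types, rule names, and cipher-to-version table are constructed for illustration, and the legacy-TLS and plaintext-backend warnings are this example's reading of the page's recommendations.

```python
"""Added example: pre-submission checks for rules stated on this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed stand-in for the Version column of the Select ciphers page.
CIPHER_VERSIONS = {
    "AES128-SHA": {"1.0", "1.1", "1.2"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"1.2"},
    "ECDHE-RSA-AES256-GCM-SHA384": {"1.2"},
    "TLS_AES_128_GCM_SHA256": {"1.3"},
}
DEFAULT_LB_COOKIE = "X-Oracle-BMC-LBS-Route"  # default name given on this page


@dataclass
class BackendSet:  # hypothetical record, not an OCI SDK type
    name: str
    policy: str                            # page label, e.g. "IP hash"
    use_ssl: bool = False
    has_backup_backend: bool = False
    lb_cookie_name: Optional[str] = None   # None = off, "" = default name
    lb_cookie_secure: bool = False
    app_cookie_names: Set[str] = field(default_factory=set)


@dataclass
class Listener:  # hypothetical record, not an OCI SDK type
    protocol: str                          # "HTTPS", "HTTP", "HTTP/2" or "TCP"
    idle_timeout_s: int
    tls_versions: Set[str] = field(default_factory=set)
    custom_ciphers: Optional[List[str]] = None  # None = predefined suite


def lint(listener: Listener, bs: BackendSet) -> List[Tuple[str, str]]:
    """Return (severity, rule) findings; an empty list means no rule was broken."""
    out: List[Tuple[str, str]] = []
    tls = listener.protocol in ("HTTPS", "HTTP/2")
    chosen = listener.tls_versions
    if listener.idle_timeout_s > 7200:
        out.append(("error", "idle-timeout-over-7200"))
    if listener.protocol == "HTTP/2":
        if chosen - {"1.2", "1.3"}:
            out.append(("error", "http2-needs-tls-1.2-or-1.3"))
        if listener.custom_ciphers is not None:
            out.append(("error", "http2-cipher-suite-is-fixed"))
    if tls and chosen & {"1.0", "1.1"}:
        # The page recommends 1.2; RFC 8996 deprecates TLS 1.0 and 1.1.
        out.append(("warn", "legacy-tls-enabled"))
    if tls and listener.custom_ciphers is not None:
        if not listener.custom_ciphers:
            out.append(("error", "custom-suite-empty"))
        else:
            covered: Set[str] = set()
            for cipher in listener.custom_ciphers:
                versions = CIPHER_VERSIONS.get(cipher, set())  # unknown = incompatible
                if not versions & chosen:
                    out.append(("error", "cipher-incompatible:" + cipher))
                covered |= versions
            for version in sorted(chosen - covered):
                out.append(("warn", "tls-version-without-cipher:" + version))
    if not re.fullmatch(r"[A-Za-z0-9_-]+", bs.name):
        out.append(("error", "backend-set-name-chars"))
    if bs.policy == "IP hash" and bs.has_backup_backend:
        out.append(("error", "backup-backend-with-ip-hash"))
    if bs.lb_cookie_name is not None:
        if bs.lb_cookie_secure and listener.protocol == "HTTP":
            out.append(("error", "secure-cookie-on-http-listener"))
        if (bs.lb_cookie_name or DEFAULT_LB_COOKIE) in bs.app_cookie_names:
            out.append(("error", "lb-cookie-name-clash"))
    if tls and not bs.use_ssl:
        out.append(("warn", "plaintext-to-backend"))
    return out


# Constructed sample configurations: a weak one and a corrected one.
WEAK = (Listener("HTTP/2", 9000, {"1.1", "1.2"}, ["AES128-SHA"]),
        BackendSet("web set", "IP hash", has_backup_backend=True,
                   lb_cookie_name="", app_cookie_names={DEFAULT_LB_COOKIE}))
HARDENED = (Listener("HTTPS", 60, {"1.2", "1.3"},
                     ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"]),
            BackendSet("web-set", "Least connections", use_ssl=True,
                       lb_cookie_name="", lb_cookie_secure=True,
                       app_cookie_names={"JSESSIONID"}))

if __name__ == "__main__":
    for label, (lsn, bs) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint(lsn, bs))
```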

    Manage logging

    Enabling error and access logs is optional, but recommended. Reviewing these logs can help you diagnose and fix issues with your backend servers. Standard limits, restrictions, and rates apply when enabling the logging feature. See Logging for Load Balancers for general information on how the Load Balancer service uses logging.

    Complete the following:

    1. Enable Error logs and complete the following information:

      • Compartment: Select the compartment within which the log file resides from the list.

      • Log group: Select an existing log group from the list or click Create New Group where you can enter the name and description of a new logging group within which your log resides.

      • Log name: Enter the name of the log.

      • Log retention: From the list, select the time period in months for which each error logging entry is retained.

      For more information on log and log groups, including naming syntax guidelines, see Logs and Log Groups.

      By default, error logging is enabled. Disable this feature if you do not want to pay the associated fees.

    2. Enable Access logs and enter the following information:

      • Compartment: Select the compartment within which the log file resides from the list.

      • Log group: Select an existing log group from the list or click Create New Group where you can enter the name and description of a new logging group within which your log resides.

      • Log name: Enter the name of the log.

      • Log retention: From the list, select the time period in months for which each access logging entry is retained.

      For more information on log and log groups, including naming syntax guidelines, see Logs and Log Groups.

    3. Click Submit.

    After the system provisions the load balancer, details appear in the list in the Load balancer page. To view more details, click the load balancer name.

  • Use the oci lb load-balancer create command and required parameters to create a load balancer:

    oci lb load-balancer create --compartment-id compartment_id --display-name display_name --shape-name shape_name --subnet-id subnet_id [OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateLoadBalancer operation to create a load balancer.