Creating a Network Load Balancer

Create a network load balancer to provide automated traffic distribution from one entry point to multiple servers in a backend set.

For prerequisite information, see Network Load Balancer Management.

    1. Open the navigation menu, click Networking, and then click Load balancers. Click Network load balancer. The Network load balancers page appears.
    2. Choose a Compartment you have permission to work in under List scope.
    3. Click Create network load balancer. The Create network load balancer dialog box appears. Creating a network load balancer leads you through the following sections:
      • Add details

      • Configure listener

      • Choose backends

      • Review and create

      By default, the Add details page appears first. Run each of the following workflows in order. You can return to a previous page by clicking Previous.

    4. Specify the Load balancer name. Enter a name for the network load balancer or accept the default name. Avoid entering confidential information.
    5. Under Choose visibility type, specify whether the network load balancer is public or private:
      • Public: Choose this option to create a public network load balancer. You can use the assigned public IP address as a front end for incoming traffic and to balance that traffic across all backend servers. The Public IP address can be either an ephemeral address assigned by Oracle or a reserved IP address you defined earlier.

      • Private: Choose this option to create a private network load balancer. You can use the assigned private IP address as a front end for incoming internal VCN traffic and to balance that traffic across all backend servers.

    6. Select Allow IPv6 address assignment to enable a dual-stack IPv4/IPv6 implementation for your network load balancer.
    7. Assign a public IP address. This is required if you selected the Public option for the network load balancer's visibility type. Select one of the following options:
      • Ephemeral IPv4 address: Automatically assigns an IPv4 address from the Oracle pool. These IP addresses are temporary and only exist for the lifetime of the instance.

      • Reserved IPv4 address: Select an existing reserved IP address or create a new one from one of your IP pools. These IP addresses are persistent and exist beyond the lifetime of the instance to which they're assigned. You can unassign the IP address and later reassign it to another instance at any point.

    8. Continue to the Choose networking section. If the current compartment contains one or more virtual cloud networks (VCNs) that you want to use with the network load balancer, skip to the next step. All available VCNs in the current compartment are displayed in the Virtual cloud network in <compartment> list.

      When the current compartment contains no virtual cloud networks, the list is disabled. The system offers to create a VCN for you. Enter a name for the new VCN in the Virtual cloud network name box. Avoid entering confidential information. If you don't specify a name for the new VCN, the system generates a name for you.

      To use an existing VCN in another compartment, click the Change Compartment link and choose that compartment from the list.

    9. Select a virtual cloud network (VCN) from the Virtual cloud network in <compartment> list. By default, the Console shows a list of VCNs in the compartment you're currently working in. Click the Change compartment link to select a VCN from a different compartment.
    10. Select a subnet from the Subnet in <compartment> list. Select an available subnet. For a public load balancer, you must select a public subnet.

      By default, the Console shows a list of subnets in the compartment you're currently working in. Click Change compartment to select a subnet from a different compartment.

    11. Select Use network security groups to control traffic to add the load balancer to a network security group (NSG). Complete the following steps. For more information about NSGs, see Network Security Groups.
      • Select an NSG from the Network security groups in <compartment> list.

        By default, the Console shows a list of NSGs in the compartment you're currently working in. Click the Change compartment link to select an NSG from a different compartment.

      • Click + Another network security group to add the load balancer to another NSG.

      Tip

      You can change the NSGs that the load balancer belongs to after you create it. On the Network load balancer details page, click the Edit link that appears beside the list of associated network security groups.
    12. Click Show advanced options to access more options.
    13. Click the Management tab to create the network load balancer in the compartment you select from the Create in compartment list. The compartment you select here overrides the compartment selected under List scope at the start of this procedure.
    14. Click Tagging to apply metadata tags to the network load balancer. See Overview of Tagging for descriptions of this feature and its associated fields. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace.
      Note

      If you're not sure about whether to apply tags, then skip this option (you can apply tags later) or ask an administrator.

      Complete the following:

      • Tag namespace

      • Tag key

      • Value

      Click +Additional tag to add another tag. Click X to remove the associated tag.

    15. Click Next. The Configure Listener page appears.
    16. Enter a unique name for the listener in the Listener Name box. If you don't specify a name, the Network Load Balancer service creates one for you. After the listener is created, you can't change its name.
    17. Specify the type of traffic the listener handles by choosing one of the following protocols:
      • Public network load balancers:

        • UDP

        • TCP

        • UDP/TCP

      • Private network load balancers:

        • UDP

        • TCP

        • TCP/UDP/ICMP

        • UDP/TCP

    18. Select the IP protocol version from the following options:
      • IPv4

      • IPv6

      This step is required if you enabled the IPv6 Address Assignment option earlier. The load balancer listener and backend set must use the same IP protocol version.
    19. Select the Ingress traffic port to specify the port the listener monitors for ingress traffic depending on the traffic type. Select one of the following options:
      • Public network load balancers:

        • Use any port: This option uses 0 (the wildcard) as the port.

        • Select the Port: Enter the port you want to use.

      • Private network load balancers:

        • Use any port: This option uses 0 (the wildcard) as the port.

        • Select the Port: (UDP, TCP, and UDP/TCP only) Enter the port you want to use.

    20. Click Next. The Choose Backends page appears.

      A load balancer distributes traffic to backend servers within a backend set. A backend set is a logical entity defined by a load balancing policy, a list of backend servers (compute instances), and a health check policy.

      The load balancer creation workflow creates one backend set for the load balancer. Optionally, you can add backend sets and backend servers after you create the load balancer.

    21. Select the IP protocol version from the following options:
      • IPv4

      • IPv6

      This step is required if you previously enabled the IPv6 Address Assignment option. The load balancer listener and backend set must use the same IP protocol version. You must select the option previously chosen for the listener.
    22. Specify the Backend Set Name. Enter a name for the backend set or accept the default name. Avoid entering confidential information.
    23. Click Add Backends under Select Backends. The Add compute instance backends dialog box appears. Complete the following:
      • Instance in <compartment>: Select the instance you want to include in the load balancer's backend set contained in the selected compartment. To select instances from a different compartment, use the Change Compartment link and choose a compartment from the list.

      • IP address: Select one of the available IP addresses for the instance you selected from the list.

      • Availability domain: Displays the availability domain for the instance you selected.

      • Port: Enter the communication port for the backend server.

      • Weight: Enter the load balancing policy weight number assigned to the server. Backend servers with a higher weight receive a larger proportion of incoming traffic.

      • Click +Another backend to add another backend. Click X to remove a backend entry.

      Click Add backends when you have set up all the backends you want to add. The Add compute instance backends dialog box closes.

      After you add instances to the backend set, they appear in the Select backend servers table. You can perform the following tasks:

      • Update the server Port to which the load balancer must direct traffic. The default is port 80.

      • Update the server Weight that specifies the proportion of incoming traffic the backend handles. The higher the number, the more traffic is received.

      • Remove any instance by checking it and clicking Remove. You can also select Remove from the Action menu at the end of an instance entry.

    24. Select Preserve Source IP to preserve the original source and destination header (IP addresses and ports) of each incoming packet all the way to the backend server. See Enabling Source/Destination Preservation for more information on this feature.
    25. Specify the test parameters that confirm the health of the backend servers under Specify Health Check Policy. See Health Check Policies for more information on this feature. Complete the following settings:
      • Protocol: Specify the protocol to use for health check queries:

        • HTTP
        • HTTPS
        • TCP
        • UDP
        • DNS
        Important

        Configure the health check protocol to match the application or service. See Health Check Policies.

        For both TCP and UDP, the provided data must be base64 encoded. Use any base64 encoding tool to convert the plain text strings to base64 encoded strings, and use the encoded strings for the health check configuration. For example, the following plain text string:

        this is the request data for my NLB backend health check

        is encoded as:

        dGhpcyBpcyB0aGUgcmVxdWVzdCBkYXRhIGZvciBteSBOTEIgYmFja2VuZCBoZWFsdGggY2hlY2s

        The encoded string is what you enter in the health check configuration.

        The supported maximum length of the string before base64 encoding is 1024 bytes. If the string exceeds the limit, the configuration call fails with an HTTP status code 400.

      • Transport protocol: (DNS only) Specify the transport protocol used to send traffic when DNS is selected as the protocol:

        • UDP

        • TCP

      • Port: Specify the backend server port against which to run the health check. You can enter the value '0' to have the health check use the backend server's traffic port.

      • Interval in MS: Specify how often to run the health check, in milliseconds. The default is 10000 (10 seconds).

      • Timeout in MS: Specify the maximum time in milliseconds to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. The default is 3000 (3 seconds).

      • Number of retries: Specify the number of retries to try before a backend server is considered "unhealthy." This number also applies when recovering a server to the "healthy" state. The default is 3.

      • Request Data: (Required for UDP, optional for TCP) Enter the request message. This request data is sent to the backend server in the single health check request, and the server's reply is compared against the Response Data.

      • Response Data: (Required for UDP, optional for TCP) Enter the response message against which the backend server's reply to the single health check request is compared. If it matches, the health check passes.

      • Status code: (HTTP and HTTPS only) Specify the status code a healthy backend server must return.

      • URL path (URI): (HTTP and HTTPS only) Specify a URL endpoint against which to run the health check.

      • Response body (regular expression): Provide a regular expression for parsing the response body from the backend server.

      • Query name: (DNS only) Provide a DNS domain name for the query.

      • Query class: (DNS only) Select from the following options:

        • IN: Internet (default)

        • CH: Chaos

      • Query type: (DNS only) Select from the following options:

        • A: Returns the IPv4 address corresponding to the hostname. (default)

        • AAAA: Returns the IPv6 address corresponding to the hostname.

        • TXT: Indicates a text field.

      • Acceptable response codes: Select one or more from the following options:

        • RCODE:0 NOERROR: DNS query completed successfully.

        • RCODE:2 SERVFAIL: Server failed to complete the DNS request.

        • RCODE:3 NXDOMAIN: Domain name doesn't exist.

        • RCODE:5 REFUSED: The server refused to answer the query.

      • Fail open: (Optional) Select to have the network load balancer continue to send traffic to the backend servers in this backend set using the current configuration, even if all the backend servers become unhealthy.

      • Enable instant failover: (Required for DNS, optional for all other protocols) Select to redirect existing traffic to a healthy backend server if the current backend server becomes unhealthy. This feature doesn't work if Fail open is enabled and all backend servers become unhealthy.
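
The base64 requirement and the per-protocol health check settings above, worked through as an added example (this is not code from the page or from Oracle): a Python helper that encodes TCP/UDP request and response data with the 1024-byte check, and assembles a health check definition per protocol with the page's required-field rules enforced before anything reaches the service. The dict key names (requestData, returnCode, dns, and so on) are assumptions modelled on the Console labels, not a verified copy of the API schema. Note that standard base64 output is padded, so the page's sample string comes out with a trailing "=" appended.

```python
import base64
import re

# Limits and option sets stated on the page.
MAX_PLAIN_BYTES = 1024  # request/response data limit before base64 encoding
HEALTH_CHECK_PROTOCOLS = {"HTTP", "HTTPS", "TCP", "UDP", "DNS"}
DNS_TRANSPORTS = {"UDP", "TCP"}
DNS_QUERY_CLASSES = {"IN", "CH"}
DNS_QUERY_TYPES = {"A", "AAAA", "TXT"}
DNS_RCODES = {0, 2, 3, 5}  # NOERROR, SERVFAIL, NXDOMAIN, REFUSED


def encode_health_check_data(plain: str) -> str:
    """Base64-encode TCP/UDP request or response data, enforcing the 1024-byte limit.

    The service rejects longer data with HTTP 400 at configuration time; checking
    here fails fast with a readable message instead.
    """
    raw = plain.encode("utf-8")
    if len(raw) > MAX_PLAIN_BYTES:
        raise ValueError(f"data is {len(raw)} bytes; limit is {MAX_PLAIN_BYTES} before encoding")
    # Standard base64 keeps '=' padding (a 56-byte input becomes 76 characters).
    return base64.b64encode(raw).decode("ascii")


def rejects(func, *args, **kwargs) -> bool:
    """True if the call raises ValueError; used to exercise the validation paths."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


def _require(opts: dict, key: str):
    if key not in opts:
        raise ValueError(f"missing required health check setting: {key}")
    return opts[key]


def build_health_checker(protocol: str, port: int = 0, interval_ms: int = 10000,
                         timeout_ms: int = 3000, retries: int = 3, **opts) -> dict:
    """Assemble a health check policy as a dict.

    Key names (requestData, returnCode, dns, ...) are assumptions modelled on the
    Console labels, not a verified copy of the service's API schema. Per-protocol
    requirements follow the page: UDP needs request and response data, TCP may
    carry them, HTTP/HTTPS take a status code and URL path plus an optional body
    regex, and DNS needs a query name, transport, class, type and response codes.
    """
    protocol = protocol.upper()
    if protocol not in HEALTH_CHECK_PROTOCOLS:
        raise ValueError(f"unsupported health check protocol: {protocol}")
    if not 0 <= port <= 65535:
        raise ValueError("port must be 0 (use the backend's traffic port) or 1-65535")
    # Added sanity check, not a documented limit: a timeout at or above the
    # interval lets consecutive probes overlap.
    if timeout_ms >= interval_ms:
        raise ValueError("timeout must be shorter than the check interval")
    checker = {"protocol": protocol, "port": port, "intervalInMillis": interval_ms,
               "timeoutInMillis": timeout_ms, "retries": retries}
    if protocol in ("TCP", "UDP"):
        req, resp = opts.get("request_data"), opts.get("response_data")
        if protocol == "UDP" and not (req and resp):
            raise ValueError("UDP health checks require both request and response data")
        if req is not None:
            checker["requestData"] = encode_health_check_data(req)
        if resp is not None:
            checker["responseData"] = encode_health_check_data(resp)
    elif protocol in ("HTTP", "HTTPS"):
        checker["returnCode"] = int(_require(opts, "status_code"))
        checker["urlPath"] = _require(opts, "url_path")
        if "response_body_regex" in opts:
            re.compile(opts["response_body_regex"])  # fail early on a bad pattern
            checker["responseBodyRegex"] = opts["response_body_regex"]
    else:  # DNS
        dns = {"domainName": _require(opts, "query_name"),
               "transportProtocol": _require(opts, "transport").upper(),
               "queryClass": opts.get("query_class", "IN").upper(),
               "queryType": opts.get("query_type", "A").upper(),
               "rcodes": sorted(set(_require(opts, "rcodes")))}
        if dns["transportProtocol"] not in DNS_TRANSPORTS:
            raise ValueError("DNS transport must be UDP or TCP")
        if dns["queryClass"] not in DNS_QUERY_CLASSES or dns["queryType"] not in DNS_QUERY_TYPES:
            raise ValueError("DNS query class must be IN/CH and type A/AAAA/TXT")
        if not dns["rcodes"] or not set(dns["rcodes"]) <= DNS_RCODES:
            raise ValueError("select at least one acceptable RCODE from 0, 2, 3, 5")
        checker["dns"] = dns
    return checker


if __name__ == "__main__":
    # The page's own sample string, encoded (constructed demonstration).
    print(encode_health_check_data("this is the request data for my NLB backend health check"))
    print(build_health_checker("udp", request_data="ping", response_data="pong"))
```

Keeping the request and response strings short and specific to the service being probed (a protocol-level ping rather than a generic banner) makes a stale or hijacked port fail the check instead of passing on any open socket.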

    26. Click Show advanced options to access more options.
    27. Click the Security list tab to choose whether to manually configure subnet security list rules that allow the intended traffic, or to let the system create the security list rules for you. To learn more about these rules, see Parts of a Security Rule.

      Choose one of the following options:

      • Manually configure security list rules after the load balancer is created: When you choose this option, you must configure security list rules after the network load balancer is created.

      • Automatically add security list rules: Default. When you choose this option, the Load Balancer service creates security list rules for you.

        The system displays a table for egress rules and a table for ingress rules. Each table lets you choose the security list that applies to the relevant subnet.

        You can choose whether to apply the proposed rules for each affected subnet.

    28. Click the Load balancing policy tab. Select one of the following load balancing policies:
      • 5-Tuple hash: Routes incoming traffic based on a 5-tuple (source IP and port, destination IP and port, protocol) hash.

      • 3-Tuple hash: Routes incoming traffic based on a 3-tuple (source IP, destination IP, protocol) hash.

      • 2-Tuple hash: Routes incoming traffic based on a 2-tuple (source IP, destination IP) hash.
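
To show what the choice of tuple changes in practice, here is an added example (not code from the page or from Oracle) that models the three policies as a hash over the listed fields, reduced modulo the number of backends. The hash function, the backend list and the sample client traffic are constructed for illustration; the service's real hashing and its weight handling are not on the page and are not reproduced.

```python
import hashlib
from collections import Counter

# Fields each policy hashes, as listed in the load balancing policy step.
POLICY_FIELDS = {
    "5-tuple": ("src_ip", "src_port", "dst_ip", "dst_port", "proto"),
    "3-tuple": ("src_ip", "dst_ip", "proto"),
    "2-tuple": ("src_ip", "dst_ip"),
}

# Constructed backend set (assumed private addresses, not from the page).
BACKENDS = ["10.0.2.11", "10.0.2.12", "10.0.2.13"]


def choose_backend(policy: str, backends: list, flow: dict) -> str:
    """Pick a backend for one flow by hashing only the fields the policy looks at.

    Simplified model: SHA-256 over the selected fields, reduced modulo the number
    of backends. What matters here is which fields participate, not the hash.
    """
    if policy not in POLICY_FIELDS:
        raise ValueError(f"unknown policy {policy!r}; expected one of {sorted(POLICY_FIELDS)}")
    if not backends:
        raise ValueError("backend set is empty")
    key = "|".join(str(flow[field]) for field in POLICY_FIELDS[policy])
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def distribution(policy: str, backends: list, flows: list) -> Counter:
    """Count how many flows each backend receives under a policy."""
    return Counter(choose_backend(policy, backends, flow) for flow in flows)


def backends_used(policy: str, backends: list, flows: list) -> int:
    """Number of distinct backends that received at least one of the flows."""
    return len(distribution(policy, backends, flows))


def client_flows(src_ip: str, count: int, proto: str = "TCP",
                 dst_ip: str = "10.0.1.5", dst_port: int = 443) -> list:
    """Constructed sample traffic: `count` connections from one client, each on a
    different ephemeral source port, all to the same listener."""
    return [
        {"src_ip": src_ip, "src_port": 40000 + i, "dst_ip": dst_ip,
         "dst_port": dst_port, "proto": proto}
        for i in range(count)
    ]


if __name__ == "__main__":
    flows = client_flows("203.0.113.7", 300)  # constructed client address
    for policy in POLICY_FIELDS:
        print(policy, dict(distribution(policy, BACKENDS, flows)))
```

Under the 2-tuple and 3-tuple policies every connection from one client address lands on the same backend, which gives per-client affinity but also means that many clients behind a single NAT address all concentrate on one backend. The 5-tuple policy spreads a single client's connections across the backend set, so it balances better but offers no client affinity.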

    29. Click Next. The Review and create page appears.
    30. Review the contents of the Review and create page. Edit settings or return to previous screens to add information. When the settings are fully verified, click Create network load balancer.

    The network load balancer you created appears on the Network load balancers page.

  • Use the oci nlb network-load-balancer create command and required parameters to create a network load balancer:

    oci nlb network-load-balancer create --compartment-id compartment_ocid --display-name display_name --subnet-id subnet_ocid [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Run the CreateNetworkLoadBalancer operation to create a network load balancer.