A network load balancer, which is present on a public subnet, enables you to
connect to a DB system over the internet. However, it is a security risk to make the DB
system accessible over the internet. You must restrict the authorized public IP addresses to
a single IP address or a small range of IP addresses, and use in-transit encryption. It is
recommended to use a VPN connection.
Use the network load balancer, which is present on a public subnet, to
connect to the DB system over the internet.
Using the Console
Use the Console to create a network load balancer that enables you to
connect to a DB system over the internet.
Do the following to connect to a DB system over the internet, that is, using
a public IP address:
Create a network security group in the VCN to allow traffic from your
local machine to the network load balancer. See Creating a Network Security Group.
Do not add more than one DB system in the
backend of the load balancer. Writing data to multiple backends results in
having inconsistent data across DB systems. If you need public access to more DB
systems, create one load balancer for each DB system.
If the DB system is in a different
subnet, add ingress rules to that subnet. You can view the subnet of your DB
system in the DB system details page. Also, ensure you configure
Source CIDR to include the load balancer IP address and specify the
correct port in Destination port range.
Connect to the DB system through the public IP address of the network load
balancer with a command-line client such as MySQL Shell:
mysqlsh <UserName>@<NLBPublicIPAddress>
Optionally, you can add another listener and backend for the MySQL X
Protocol port. The default port is 33060. Configure an equivalent listener,
backend, and security rules for the X Protocol port.
Creating a Network Security Group
Create a network security group (NSG) to allow traffic from your local machine
to the network load balancer.
Using the Console
Use the Console to create a network security group.
Open the navigation menu, select Networking, and then select Virtual
cloud networks.
Select the compartment from the List scope.
From the list of VCNs, click the name of the VCN to open the Virtual cloud
network details page.
In the Virtual cloud network details page, select Network security
groups from the Resources section.
Click Create network security group.
In the Create network security group panel, under Basic info,
provide the following information:
Name: Specify a name for the network security group.
For example, MySQLNSG.
Create in compartment: Select the compartment where
you want to create the network security group.
Click Next.
Under Add security rules, provide the following information:
Stateless: Do not select.
Direction: Select Ingress.
Source type: Select CIDR.
Source CIDR: Specify the IP address of the machine
from where you want to connect to the DB system. You should narrow down the
range to more specific IP addresses. For example:
120.0.0.0/24: Allows traffic from 120.0.0.0 to
120.0.0.255 IP addresses, that is, a total of 256 IP addresses.
120.0.2.24/32: Allows traffic from 120.0.2.24 IP
address only.
IP protocol: Select TCP.
Source port range: Enter All.
Destination port range: Enter 3306,33060.
Description: (Optional) Specify a description of the
network security group.
Click Create.
A network security group, MySQLNSG, is created.
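The Source CIDR, Stateless, and Destination port range settings above can be checked mechanically before or after a rule is created. The following Python script is an added example, not part of the original documentation or of any Oracle tooling; the rule dictionaries and their keys (direction, stateless, source_cidr, dest_ports) are hypothetical, and the 256-address limit is an assumed threshold taken from the /24 example.

```python
import ipaddress

# Ports the page opens on the NSG: classic MySQL protocol and X Protocol.
MYSQL_PORTS = {3306, 33060}

def audit_ingress_rule(rule, max_addresses=256):
    """Return findings for one rule; an empty list means it matches the page's guidance."""
    if rule["direction"] != "INGRESS":
        return []
    findings = []
    if rule["stateless"]:
        findings.append("stateless rule (the procedure leaves Stateless unselected)")
    try:
        # strict=True rejects CIDRs with host bits set, e.g. 120.0.2.24/24.
        net = ipaddress.ip_network(rule["source_cidr"], strict=True)
    except ValueError as exc:
        return findings + [f"invalid source CIDR: {exc}"]
    if net.prefixlen == 0:
        findings.append("source is open to the whole internet")
    elif net.num_addresses > max_addresses:
        findings.append(f"source allows {net.num_addresses} addresses (limit {max_addresses})")
    low, high = rule["dest_ports"]
    if set(range(low, high + 1)) - MYSQL_PORTS:
        findings.append(f"destination range {low}-{high} exposes non-MySQL ports")
    return findings

def audit_rules(rules, max_addresses=256):
    """Map rule index -> findings, for rules that have at least one finding."""
    report = {}
    for index, rule in enumerate(rules):
        findings = audit_ingress_rule(rule, max_addresses)
        if findings:
            report[index] = findings
    return report

# Constructed sample rules; the dict keys are hypothetical, not the OCI API schema.
SAMPLE_RULES = [
    {"direction": "INGRESS", "stateless": False, "source_cidr": "120.0.2.24/32", "dest_ports": (3306, 3306)},
    {"direction": "INGRESS", "stateless": False, "source_cidr": "120.0.0.0/24", "dest_ports": (33060, 33060)},
    {"direction": "INGRESS", "stateless": False, "source_cidr": "0.0.0.0/0", "dest_ports": (3306, 3306)},
    {"direction": "INGRESS", "stateless": True, "source_cidr": "120.0.0.0/16", "dest_ports": (3306, 33060)},
    {"direction": "INGRESS", "stateless": False, "source_cidr": "120.0.2.24/24", "dest_ports": (3306, 3306)},
]

if __name__ == "__main__":
    for index, findings in audit_rules(SAMPLE_RULES).items():
        print(index, SAMPLE_RULES[index]["source_cidr"], findings)
```

The two rules that use the page's own examples (120.0.2.24/32 and 120.0.0.0/24) pass; the open, oversized, and malformed sources are reported.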
Creating a Network Load Balancer
Create a network load balancer on the public subnet to redirect traffic to
the DB system.
Using the Console
Use the Console to create a network load balancer.
Open the navigation menu, select Networking, and then select Load
balancers.
Choose your compartment from the List scope.
Click Create load balancer, select Network load balancer, and
then click Create load balancer.
In the Create network load balancer panel, on the Add details
section, provide the following details:
Load balancer name: Specify a name for the network
load balancer.
Choose visibility type: Select Public.
Assign a public IP address: Select Reserved IPv4
address, and select one of the following:
Select existing reserved IP address: Select
an existing reserved IP address.
Create new reserved IP address: Create a new
reserved IP address from one of your IP pools.
Public IP name: Specify the IP
address from your IP pools.
Create in compartment: Select the
compartment where you want to create the network load
balancer.
Create in IP Pool in <Compartment>:
Select the IP pool.
Choose Networking:
Virtual cloud network in <Compartment>: Select the same VCN
as the DB system. You can view the VCN details in the DB
system details page.
Subnet in <Compartment>: Select the
public subnet of the VCN. The subnet need not be the same
as that of the DB system.
Use network security groups to control
traffic: Select the check box, and select the network
security group you created earlier, MySQLNSG.
Click Next.
Configure listener:
Listener name: Specify a listener name.
Specify the type of traffic your listener handles:
Select TCP.
Ingress traffic port: Select Specify the
port. Enter 3306.
Click Next.
Choose backends:
Backend set name: Specify a backend set name.
Select backend servers:
Add backends: Do not add backend
servers.
Preserve source IP: Unselect the check
box.
Specify health check policy:
Protocol: Select TCP.
Port: Enter 3306.
You do not need to change the default value of other
fields.
Click Next.
Review your settings, and click Create network load balancer.
Once the network load balancer is created, ensure that the Overall
health and Backend sets health are OK (green).
Configuring the Backend of the Network Load Balancer
Configure the backend of the network load balancer to route traffic to the
DB system. Do not add more than one DB system in the backend of the load balancer. Writing
data to multiple backends results in having inconsistent data across DB systems. If you need
public access to more DB systems, create one load balancer for each DB system.
Using the Console
Use the Console to configure the backend of the load balancer.
Open the navigation menu, select Networking, and then select Load
balancers.
Choose your compartment from the List scope.
From the list of load balancers, click the name of your load balancer to open
the Load balancer details page.
In the Load balancer details page, under Resources, click
Backend sets.
Click the name of the backend set, which you created earlier, to open the
Backend sets page.
Under Resources, click Backends.
Click Add backends.
In the Add backends panel, provide the following information:
Backend type: Select IP addresses.
IP address: Specify the private IP address of the DB system. You can find the private IP address of the DB system and the port details under the Endpoint section of the DB system details page.
Note: Do not add a read replica load balancer endpoint as a backend server.
Port: Specify the MySQL port. The default port is
3306.
Weight: Specify a weight for the backend server.
Backend servers with a higher weight receive a larger proportion of
incoming traffic. For example, a server weighted 3 receives 3 times the
number of new connections as a server weighted 1.