Creating a Load Balancer
Create a load balancer to provide automated traffic distribution from one entry point to multiple servers reachable from your virtual cloud network (VCN).
For prerequisite information, see Load Balancer Management.
- Open the navigation menu, click Networking, and then click Load balancers. Click Load balancer. The Load balancers page appears.
-
Select a Compartment you have permission to work in under List scope.
Note
If you select a different compartment in the Management tab (under Advanced options), that compartment contains the load balancer you're creating instead of the compartment specified here.
-
Click Create load balancer. The Create load balancer dialog box appears. Creating a load balancer consists of the following pages:
-
Add details
-
Choose backends
-
Configure listener
-
Manage logging
-
Review and Create
By default, the Add details page appears first. Run each of the following workflows in order. You can return to a previous page by clicking Previous.
-
Add Details
Complete the following steps:
-
Load balancer name
Enter the load balancer name. Accept the default name or enter a friendly name for the load balancer. It doesn't have to be unique, but it can't be changed in the Console. You can, however, change it with the API.
-
Visibility
Select the visibility type:
-
Public: Select this option to create a public load balancer. You can use the assigned public IP address as a front end for incoming traffic and to balance that traffic across all backend servers. When you select the public IP address option, you're also prompted to select and complete the public IP address type (see following).
-
Private: Select this option to create a private load balancer. You can use the assigned private IP address as a front end for incoming internal VCN traffic and to balance that traffic across all backend servers.
-
-
IP Address
(Public IP addresses only) Specify the IP address type:
-
Ephemeral IP address: Select this option to let Oracle specify an ephemeral IP address for you from the Oracle IP pool. This is the default.
-
Reserved IP address: Select this option to specify an existing reserved IP address by name, or to create a new reserved IP address by assigning a name and selecting a source IP pool for the address. If you don't select a user-created pool, the default Oracle IP pool is used.
See Public IP Addresses.
-
-
Bandwidth
Select one of the following shape options:
-
Flexible shapes: Specify Minimum bandwidth and Maximum bandwidth values to create an upper and lower size range for the load balancer's bandwidth shape. Possible sizes range from 10 Mbps to 8,000 Mbps. You can use the slider to specify the value or enter it directly into the box on the left side of each slider.
The minimum bandwidth reflects the amount of bandwidth that's always available to provide instant readiness for the workloads.
The maximum bandwidth is the upper amount of bandwidth the load balancer supports during time of peak workload.
To specify a fixed shape size, for example 500 Mbps, set the minimum and maximum sliders to the same value.
If you're creating the load balancer as a paid account user, you can create various shape options based on your limits and later adjust the bandwidth by changing the shape after the load balancer has been created. You can view your service limits and quotas in the Console by navigating to Governance & Administration > Limits, Quotas and Usage. Select "LbaaS" from the Service list. The bandwidth size options are listed. See Service Limits.
Billing is per minute for your load balancer base instance, plus a bandwidth usage fee. If the actual usage is less than or equal to your specified minimum bandwidth, you're billed for the minimum bandwidth. If actual usage exceeds the minimum bandwidth, you're billed for the actual bandwidth used for that minute.
The Always Free option is incorporated into your paid account in your home region. The first 10 Mbps of your bandwidth is free, and is indicated as such on your bill.
Note
Government accounts using prepaid dynamic (fixed) shape sizes run the risk of overage charges when flexible bandwidth shapes exceed the predetermined size. Update government accounts to the flexible load balancer SKU, with the appropriate bandwidth quantity, in their contract before using the flexible load balancer feature.
If you're using non-universal credit SKUs, ensure that your contract includes the shape you're updating to so you can prevent incurring overage charges.
-
Dynamic shapes: We have retired the ability to create new dynamic shape load balancers. If you have an existing load balancer that uses dynamic shapes for its bandwidth, you can continue to use it. See Dynamic Shapes for an explanation of how that bandwidth option works.
You can adjust the bandwidth shape to a different size after you have completed creating the load balancer. You can also switch from a dynamic shape size to a flexible shape. See Changing a Load Balancer's Bandwidth Shape.
-
-
Enable IPv6 address assignment
Enable this feature if the load balancer supports IPv6 addresses for incoming requests. For more information about Oracle Cloud Infrastructure's IPv6 implementation, see IPv6 Addresses.
When you create a load balancer, you can optionally choose to have an IPv4/IPv6 dual-stack configuration. When you choose the IPv6 option, the Load Balancing service assigns both an IPv4 and an IPv6 address to the load balancer. The load balancer receives client traffic sent to the assigned IPv6 address. The load balancer uses only IPv4 addresses to communicate with backend servers. The load balancer and the backend servers don't use IPv6 communication.
IPv6 address assignment occurs only at load balancer creation. You can't assign an IPv6 address to an existing load balancer.
-
Networking
Configure your load balancer's networking. If the current compartment contains at least one VCN, the Console provides a list of VCNs from which to select.
-
Virtual cloud network in <compartment>: Specify a VCN for the load balancer.
By default, the Console shows a list of VCNs in the compartment you're working in. Click the Change compartment link to select a VCN from a different compartment.
-
Subnet in <compartment>: Select an available subnet. For a public load balancer, it must be a public subnet.
By default, the Console shows a list of subnets in the compartment you're working in. Click the Change compartment link to select a subnet from a different compartment.
In addition to public or private, subnets can be either regional or AD-specific. We recommend using regional subnets. See Overview of VCNs and Subnets.
-
Subnet (2 of 2) in <compartment>: Required for a public load balancer when you specify an AD-specific subnet for Subnet. Select a second public subnet. The second subnet must reside in a separate availability domain from the first subnet.
If you chose to create a private load balancer under Visibility type, the form prompts you to select only one subnet.
If you are working in a region that includes only one availability domain, a second subnet isn't required. The form prompts you to select only one subnet.
If the current compartment contains no virtual cloud networks, the Load Balancer service offers to create a VCN for you.
-
Virtual cloud network in <compartment>: When the current compartment contains no virtual cloud networks, the list is disabled. The system offers to create a VCN for you.
To use an existing VCN in another compartment, click the Change compartment link and select that compartment from the list.
Virtual cloud network name: Optional when the system creates a VCN for you. Specify a friendly name for the new cloud network. It doesn't have to be unique, and it can't be changed later in the Console (but you can change it with the API).
If you don't specify a name for the new VCN, the system generates a name for you.
-
Use network security groups to control traffic: Select to add your load balancer to a network security group (NSG). See Network Security Groups.
Enter the following information:
-
Network security groups in <compartment>: Select an NSG to add your load balancer to.
By default, the Console shows a list of NSGs in the compartment you're working in. Click the Change compartment link to select an NSG from a different compartment.
-
(Optional) Click + Another network security group to add your load balancer to another NSG.
You can change the NSGs that your load balancer belongs to after you create it. On your load balancer's Details page, click the Edit link that appears beside the list of associated network security groups.
-
-
-
Security
Enter the following information:
-
Use a web application firewall policy to protect against layer 7 attacks: Select to apply web application firewall policies to the load balancer as a safeguard against attack.
-
Select a web application firewall policy available in the current compartment from the list under Assign in region web application firewall policy. Click Change compartment to access the web application firewall policies in a different compartment.
For more information about web application firewall policies, see Overview of Web Application Firewall.
-
-
Acceleration
Enter the following information:
-
Use a web application acceleration policy to speed up your performance: Select to apply web application acceleration policies to the load balancer to speed up performance.
-
Select a web application acceleration policy in the current compartment from the list under Assign a web application acceleration policy. Select Change compartment to access the web application acceleration policies in a different compartment.
For more information about web application acceleration policies, see Overview of Web Application Acceleration.
-
-
Management
Enter the following information:
- Create in compartment: Select a different compartment from the list to host the load balancer. The compartment you select here overrides the compartment listed under Scope selected when first creating the load balancer.
-
Prevent deletion of the load balancer, listeners and backends when they are still active: Select to avoid accidentally deleting a load balancer, or a listener or backend server contained in a load balancer, when they're configured to accept traffic.
Load balancers are configured to accept traffic when they contain listeners that are configured to accept traffic.
Listeners are configured to accept traffic when they reference a backend set with backend servers that are configured to accept traffic.
Backend servers are configured to accept traffic when they're in a backend set referenced by a listener and the backend server is neither drained nor offline.
-
Tagging
If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
- Click Next. The Choose Backends page appears.
Dynamic Shapes (deprecated)
The following describes the Dynamic Shapes feature, which is only available to certain legacy customer accounts:
Dynamic shapes: Select one of the following predefined shape sizes:
-
10 Mbps
-
100 Mbps
-
400 Mbps
-
8,000 Mbps
If you're creating the load balancer as a paid account user, you can create various shape options based on your limits and later adjust the bandwidth by changing the shape after the load balancer has been created. You can view your service limits and quotas in the Console by navigating to Governance & Administration > Limits, Quotas and Usage. Select LbaaS from the Service list. Your bandwidth size options are listed. See Service Limits.
You can adjust the bandwidth shape to a different size after you have completed creating the load balancer. See Changing a Load Balancer's Bandwidth Shape.
If you adjust a dynamic size value to a flexible size using the sliders, you can't revert to a dynamic shape of any size. You can achieve the effect of having a dynamic (fixed) size by setting the minimum and maximum sliders to the same size.
Choose Backend Servers
A load balancer distributes traffic to backend servers within a backend set. A backend set is a logical entity defined by a load balancing policy, a list of backend servers (compute instances), and a health check policy. The load balancer creation workflow creates one backend set for your load balancer. Optionally, you can add backend sets and backend servers after you create the load balancer.
-
Load balancing policies
Select the load balancer policy for the backend set:
-
Weighted round robin: This policy distributes incoming traffic sequentially to each server in a backend set list.
-
IP hash: This policy ensures that requests from a particular client are always directed to the same backend server.
-
Least connections: This policy routes incoming request traffic to the backend server with the fewest active connections.
For more information on these policies, see Load Balancer Policies.
-
-
Backend servers
Enter the following information:
-
Compartment: Accept the current compartment or select another compartment from the list. The compute instances available in the selected compartment appear in the Select instances box.
-
Select instances: Select instances from one compartment at a time. After you add instances from one compartment, you can change the compartment and select Add backends to add instances from another compartment.
You can't add a backend server marked as Backup to a backend set that uses the IP Hash policy.
After you add instances to the backend set, they appear in the Select instances list. You can perform the following tasks here:
-
Specify the server Port to which the load balancer must direct traffic. The default is port 80.
-
Click the Actions menu for a server and select Delete to remove it from the backend set.
-
-
Health check policies
Enter the test parameters that confirm the health of your backend servers:
-
Protocol: Specify the protocol to use for health check queries, either HTTP or TCP. Configure your health check protocol to match your application or service. See Health Checks for Load Balancers.
-
Port: Specify the backend server port against which to run the health check. You can enter the value '0' to have the health check use the backend server's traffic port.
-
Force plaintext health checks: (HTTP only) Select to send the health check to the backend server without SSL. This option is only available when the backend server has its protocol set to HTTP. It has no effect when the backend server doesn't have SSL enabled. When SSL is disabled, health checks are always plaintext.
-
Interval in ms: Specify how often to run the health check, in milliseconds. The default is 10000 (10 seconds).
-
Timeout in ms: Specify the maximum time in milliseconds to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. The default is 3000 (3 seconds).
-
Number of retries: Specify the number of retries before a backend server is considered "unhealthy." This number also applies when recovering a server to the "healthy" state. The default is 3.
-
Status code: (HTTP only) Specify the status code a healthy backend server must return.
-
URL path (URI): (HTTP only) Specify a URL endpoint against which to run the health check.
-
Response body regex: (HTTP only) Provide a regular expression for parsing the response body from the backend server.
-
-
SSL Certificate
Enable Use SSL to apply SSL to the load balancer. If the best security is required, it's your responsibility to always use HTTPS for traffic between the load balancer and the backend set.
Select one of the following certificate options under Certificate resource:
-
Certificate service managed certificate: This option uses the Oracle Cloud Infrastructure Certificates service to manage the certificate used by the load balancer. See Overview of Certificates for more information.
Note
We recommend you use the Certificates service for creating and managing certificates for use in load balancers.
Select the CA bundle or Certificate authority option, and then select your choice from the associated list.
-
Load balancer management certificate: This option uses the SSL certificate feature that's part of the Load Balancer service. See SSL Certificates for Load Balancers for more information. Select one of the following options:
-
Certificate resource: Drag or upload the certificate file into the SSL certificate field. Certificate files must be in PEM format and must have the .pem, .cer, or .crt file extensions.
You can also copy and paste the certificate content directly into this box.
If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.
-
Specify CA certificate: (Recommended for backend SSL termination configurations.) Drag or upload the certificate authority file into the CA certificate field. CA certificate files must be in PEM format and must have the .pem, .cer, or .crt file extensions.
You can also copy and paste the CA certificate content directly into this box.
-
Specify private key: Drag or upload the private key file, in PEM format, into the Private key box.
You can also copy and paste the private key contents directly into this box.
As an option, you can specify the private key passphrase in the Enter private key passphrase box.
-
-
-
Backend set
Enter a name for the backend set. Use only alphanumeric characters, dashes ("-"), and underscores ("_") for backend set names. Backend set names can't contain spaces. The name must be unique within the load balancer, and it can't be changed.
If you don't specify a name, the Load Balancer service creates one for you.
-
Max backend connections
Specify a value within the range of 256–65535 connections.
Setting a limit on the maximum number of backend server connections for this backend set specifies the default maximum connections value for all backend servers in the backend set. Individual backend servers in the backend set can have their own maximum connections value which overrides this default value. See Editing a Backend Set for more information.
-
Security list
Configure subnet security list rules to allow the intended traffic, or to allow the system to create security list rules for you. To learn more about these rules, see Parts of a Security Rule.
Select one of the following options:
-
Manually configure security list rules after the load balancer is created: When you select this option, you must configure security list rules after load balancer creation.
-
Automatically add security list rules: When you select this option, the Load Balancer service creates security list rules for you.
A table for egress rules and a table for ingress rules is displayed. Each table lets you select the security list that applies to the relevant subnet. You can select whether to apply the proposed rules for each affected subnet.
-
-
Session persistence
Specify how the load balancer manages session persistence. See Load Balancer Session Persistence for important information on configuring these settings.
Select one of the following options:
-
Disable session persistence: Disable cookie-based session persistence.
-
Enable application cookie persistence: Enable persistent sessions from a single logical client when the backend application server response includes a Set-cookie header with the cookie name you specify.
Cookie name: The cookie name used to enable session persistence. Specify * to match any cookie name.
Disable fallback: Disable fallback when the original server is unavailable.
-
Enable load balancer cookie persistence: Enable persistent sessions based on a cookie inserted by the load balancer.
-
Cookie name: Specify the name of the cookie used to enable session persistence. If blank, the default cookie name is X-Oracle-BMC-LBS-Route. Ensure that any cookie names used at the backend application servers are different from the cookie name used at the load balancer.
-
Disable fallback: Disable fallback when the original server is unavailable.
-
Domain name: Specify the domain in which the cookie is valid. This attribute has no default value. If you do not specify a value, the load balancer doesn't insert the domain attribute into the Set-cookie header.
-
Path: (Optional) Specify the path in which the cookie is valid. The default value is /.
-
Expiration period in seconds: Specify the amount of time the cookie remains valid. If blank, the cookie expires at the end of the client session.
-
Attributes:
-
Secure: Specify whether the Set-cookie header must contain the Secure attribute. If selected, the client sends the cookie only using a secure protocol. If you enable this setting, you can't associate the corresponding backend set with an HTTP listener.
-
HTTP only: Specify whether the Set-cookie header must contain the HttpOnly attribute. If selected, the cookie is limited to HTTP requests. The client omits the cookie when providing access to cookies through non-HTTP APIs such as JavaScript channels.
-
-
-
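After the load balancer is provisioned, the cookie settings above can be checked against what clients actually receive. The following is an added example, not Oracle's code: it audits the Set-cookie values of one response for the load balancer cookie's Secure, HttpOnly and Domain attributes and for a name collision with a backend cookie. The function names, finding labels and sample header values are constructed for illustration.

```python
DEFAULT_LB_COOKIE = "X-Oracle-BMC-LBS-Route"  # default name stated on this page


def parse_set_cookie(value):
    """Split one Set-cookie header value into (name, cookie value, attributes)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, sep, val = part.partition("=")
            # Flag attributes (Secure, HttpOnly) carry no "=" and are stored as True.
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value.strip(), attrs


def audit_persistence_cookie(set_cookie_values, listener_protocol,
                             lb_cookie=DEFAULT_LB_COOKIE, want_secure=True,
                             want_httponly=True, expected_domain=None):
    """Return a list of findings; an empty list means the response matches the settings."""
    findings = []
    # Page rule: a backend set whose cookie has Secure can't be used with an HTTP listener.
    if want_secure and listener_protocol.upper() == "HTTP":
        findings.append("secure-cookie-on-http-listener")
    matches = [c for c in map(parse_set_cookie, set_cookie_values) if c[0] == lb_cookie]
    if not matches:
        findings.append("lb-cookie-missing")
    if len(matches) > 1:
        # Page rule: backend cookie names must differ from the load balancer's cookie name.
        findings.append("cookie-name-collision")
    attr_sets = [attrs for _, _, attrs in matches]
    if want_secure and any("secure" not in a for a in attr_sets):
        findings.append("missing-secure")
    if want_httponly and any("httponly" not in a for a in attr_sets):
        findings.append("missing-httponly")
    # Page rule: with no domain configured, no Domain attribute is inserted.
    if any(a.get("domain") != expected_domain for a in attr_sets):
        findings.append("domain-mismatch")
    return findings


# Constructed Set-cookie values (cookie contents are made up, not real OCI output).
GOOD_RESPONSE = [
    "JSESSIONID=abc123; Path=/app; HttpOnly",
    "X-Oracle-BMC-LBS-Route=0123abcd; Path=/; Secure; HttpOnly",
]
BAD_RESPONSE = [
    "X-Oracle-BMC-LBS-Route=set-by-app; Path=/; Domain=example.com",
    "X-Oracle-BMC-LBS-Route=0123abcd; Path=/; HttpOnly",
]

if __name__ == "__main__":
    print(audit_persistence_cookie(GOOD_RESPONSE, "HTTPS"))
    print(audit_persistence_cookie(BAD_RESPONSE, "HTTPS"))
```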
- Click Next. The Configure listener page appears.
Configure Listener
-
Listener name
Enter a name for the listener. The name must be unique, and can't be changed. If you don't specify a name, the Load Balancer service creates one for you.
-
Traffic type
Select the type of traffic your listener handles:
-
HTTPS
-
HTTP
-
HTTP/2
-
gRPC
-
TCP
-
-
Traffic port
Specify the port your listener monitors for ingress traffic. Here are the default values:
-
443 for HTTPS
-
80 for HTTP
-
443 for HTTP/2
-
443 for gRPC
-
22 for TCP
-
-
SSL Certificate
If you chose the HTTPS, HTTP/2, or gRPC protocols, or if you chose the TCP protocol and selected Use SSL, complete the following steps:
Select one of the following certificate options under Certificate resource:
-
Certificate service managed certificate: This option uses the Oracle Cloud Infrastructure Certificates service to manage the certificate used by the load balancer. See Overview of Certificates for more information.
Note
We recommend you use the Certificates service for creating and managing certificates for use in load balancers.
Select the CA bundle or Certificate authority option, and then select your choice from the associated list.
-
Load balancer management certificate: This option uses the SSL certificate feature that's part of the Load Balancer service. See SSL Certificates for Load Balancers for more information. Select one of the following options:
-
Certificate resource: Drag or upload the certificate file into the SSL certificate field. Certificate files must be in PEM format and must have the .pem, .cer, or .crt file extensions.
You can also copy and paste the certificate content directly into this box.
If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.
-
Specify CA certificate: (Recommended for backend SSL termination configurations.) Drag or upload the certificate authority file into the CA certificate field. CA certificate files must be in PEM format and must have the .pem, .cer, or .crt file extensions.
You can also copy and paste the CA certificate content directly into this box.
-
Specify private key: Drag or upload the private key file, in PEM format, into the Private key box.
You can also copy and paste the private key contents directly into this box.
As an option, you can specify the private key passphrase in the Enter private key passphrase box.
-
-
Enable session resumption: Select to resume the previous encryption session rather than complete a new SSL connection before each request. Enabling session resumption improves performance but provides a lower level of security.
Deselect the feature to force a new SSL connection before each request. Disabling session resumption improves security but reduces performance.
-
-
SSL policy
(HTTPS, HTTP/2, and gRPC only) Specify the type of cipher suite to use.
Enter the following information:
-
TLS version: Specify the Transport Layer Security (TLS) versions:
-
1.0
-
1.1
-
1.2 (recommended)
-
1.3
The HTTP/2 protocol only supports TLS 1.2 and TLS 1.3.
You can select any combination of versions. Select the ones you want from the list.
-
-
Select cipher suite: (Default) Select a predefined set of cipher suites. Pick a choice from the Select cipher suite list. All cipher suites listed have at least one cipher from each of the TLS versions you selected. The HTTP/2 and gRPC protocols only support a default cipher. You can't change it.
-
Create custom cipher suite: Perform the following steps to add ciphers to a new suite:
-
Enter the name of the custom cipher suite in the Suite name field.
-
Click Choose ciphers. The Select ciphers page appears.
-
Select each cipher that you want to include in the suite. The TLS versions associated with each cipher are listed in the Version column. Ensure that any cipher you select is compatible with the TLS versions you previously chose. Assign at least one cipher to a cipher suite you create. You cannot create a cipher suite that contains no ciphers.
-
Deselect any ciphers you want to exclude.
-
Select Select. Then select that custom cipher suite (or whatever suite you want to use) from the Select cipher suite list.
-
-
Select Show cipher suite details to display what ciphers the selected cipher suite contains.
-
Enable Server order preference: Enable to give preference to the server ciphers over the client.
-
-
Advanced SSL
(HTTP and TCP only) Select a CA bundle or Certificate Authority for use with the listener. Then select CA bundle or Certificate Authority from the corresponding list. Change compartments if you can't find the item you want in your current compartment.
-
Timeout
Specify the maximum idle time in seconds. The maximum value is 7200 seconds. See Load Balancer Timeout Connection Settings for more information.
-
Proxy Protocol
(TCP only) Enable and configure proxy protocol on the load balancer. See Proxy Protocol for more information on this feature.
Enter the following:
-
Select Enable Proxy Protocol to enable this feature.
-
Select which proxy protocol version you want to use:
-
Version 1: Supports a human-readable header (text) format and is typically a single line of a log entry. Use this option for debugging during the early adoption stage when few implementations exist.
-
Version 2: Combines support for the human-readable header from Version 1 with a binary encoding of the header for greater efficiency in producing and parsing. Use this option for IPv6 addresses, which are difficult to generate and parse in ASCII form. Version 2 also better supports custom extensions. By default, PP2 Type Authority is selected as the only Version 2 option available.
See Proxy Protocol for more information on this feature.
-
-
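A backend behind a TCP listener with proxy protocol enabled must read and strip this header before the application data. The following added example (not from Oracle's documentation or code) parses both versions, including the PP2 Type Authority TLV, and accepts a header only when the TCP peer is inside the load balancer's subnet, since any other sender could put arbitrary client addresses in it. The subnet 10.0.0.0/24, the sample bytes and all function names are assumptions constructed for illustration.

```python
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 preamble
PP2_TYPE_AUTHORITY = 0x02                 # TLV carrying the host name the client asked for
V1_MAX_LEN = 107                          # longest legal v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """Malformed header, or a header from a peer that is not the load balancer."""


def _result(version, src=None, dst=None, authority=None, consumed=0):
    return dict(version=version, src=src, dst=dst, authority=authority, consumed=consumed)


def parse_v1(data):
    """Parse the text form: PROXY TCP4|TCP6 src dst sport dport, ended by CRLF."""
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("v1 line not terminated within 107 bytes")
    parts = data[:end].decode("ascii", "replace").split(" ")
    if parts[:2] == ["PROXY", "UNKNOWN"]:
        return _result(1, consumed=end + 2)
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad v1 field layout")
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError as exc:
        raise ProxyHeaderError("bad v1 address or port") from exc
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match " + parts[1])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return _result(1, (str(src), sport), (str(dst), dport), consumed=end + 2)


def parse_v2(data):
    """Parse the binary form: signature, version/command, family, length, addresses, TLVs."""
    if len(data) < 16:
        raise ProxyHeaderError("v2 header shorter than 16 bytes")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    cmd = ver_cmd & 0x0F
    if ver_cmd >> 4 != 2 or cmd not in (0, 1):
        raise ProxyHeaderError("bad v2 version or command")
    body = data[16:16 + length]
    if len(body) != length:
        raise ProxyHeaderError("v2 header truncated")
    addr_len = {1: 12, 2: 36}.get(fam_proto >> 4)  # AF_INET / AF_INET6 block sizes
    if cmd == 0 or addr_len is None:               # LOCAL command or non-IP family
        return _result(2, consumed=16 + length)
    if length < addr_len:
        raise ProxyHeaderError("v2 address block truncated")
    half = (addr_len - 4) // 2
    src, dst = (ipaddress.ip_address(body[i:i + half]) for i in (0, half))
    sport, dport = struct.unpack("!HH", body[2 * half:addr_len])
    authority, pos = None, addr_len
    while pos < length:                            # walk the TLV extensions
        if pos + 3 > length:
            raise ProxyHeaderError("TLV header truncated")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ProxyHeaderError("TLV value truncated")
        if tlv_type == PP2_TYPE_AUTHORITY:
            authority = value.decode("utf-8", "replace")
        pos += 3 + tlv_len
    return _result(2, (str(src), sport), (str(dst), dport), authority, 16 + length)


def parse_proxy_header(data, peer_ip, trusted_cidrs):
    """Accept a header only when the TCP peer is inside the load balancer's subnet."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(cidr) for cidr in trusted_cidrs):
        raise ProxyHeaderError("PROXY header from untrusted peer " + peer_ip)
    if data.startswith(V2_SIGNATURE):
        return parse_v2(data)
    if data.startswith(b"PROXY "):
        return parse_v1(data)
    raise ProxyHeaderError("no PROXY header present")


# Constructed sample traffic: every address, port and name below is made up.
LB_SUBNETS = ["10.0.0.0/24"]
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.0.0.5 51000 22\r\nSSH-2.0-client\r\n"
_name = b"app.example.com"
_addrs = b"".join(ipaddress.ip_address(a).packed for a in ("2001:db8::10", "2001:db8::1"))
_body = _addrs + struct.pack("!HHBH", 51000, 443, PP2_TYPE_AUTHORITY, len(_name)) + _name
SAMPLE_V2 = V2_SIGNATURE + struct.pack("!BBH", 0x21, 0x21, len(_body)) + _body + b"payload"
```

Call parse_proxy_header on the first bytes of each accepted connection and pass the bytes after the returned consumed offset to the application; the src value is then the client address to use in logs and access decisions.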
- Click Next. The Manage logging page appears.
Manage Logging
Enabling error and access logs is optional, but recommended. Reviewing these logs can help you with diagnosing and fixing issues with your backend servers. Standard limits, restrictions, and rates apply when enabling the logging feature. See Logging for Load Balancers for general information on how the Load Balancer service uses logging.
-
Error logs
Note
Error logs are enabled by default. Disable this feature if you don't want to pay the associated fees.
Enter the following information:
-
Compartment: Select the compartment within which the log file resides from the list.
-
Log group: Select an existing log group from the list or click Create New Group where you can enter the name and description of a new logging group within which your log resides.
-
Log name: Enter the name of the log.
-
Log retention: Select the time period in months each error logging entry is to be retained from the list.
For more information on log and log groups, including naming syntax guidelines, see Logs and Log Groups.
-
-
Access logs
Enable Access logs and enter the following information:
-
Compartment: Select the compartment within which the log file resides from the list.
-
Log group: Select an existing log group from the list or click Create New Group where you can enter the name and description of a new logging group within which your log resides.
-
Log name: Enter the name of the log.
-
Log retention: Select the time period in months each access logging entry is to be retained from the list.
For more information on log and log groups, including naming syntax guidelines, see Logs and Log Groups.
-
-
Request ID
The Request ID can help you with tracking and managing a request by providing a unique request identifier exposed in HTTP request and response headers.
To use a request ID, switch the toggle to Enabled. The default header name X-Request-Id is included in the HTTP request header from the load balancer to the backend and HTTP header responses. If not enabled, the load balancer won't add this unique request ID header to the request passed through to the load balancer backend or to the response returned. You can enter a different header name instead of using the default. Any custom header name must start with "X-".
See Load Balancer Headers for more information.
-
Click Submit.
After the system provisions the load balancer, details appear in the list in the Load balancer page. To view more details, click the load balancer name.
Review and Create
Enabling error and access logs is optional, but recommended. Reviewing these logs can help you with diagnosing and fixing issues with your backend servers. Standard limits, restrictions, and rates apply when enabling the logging feature. See Logging for Load Balancers for general information on how the Load Balancer service uses logging.
- Review the load balancer's configuration. Select the Previous and Next buttons to access any setting you want to change.
- Click Submit.
After the system provisions the load balancer, details appear in the list in the Load balancer page. To view more details, click the load balancer name.
Use the oci lb load-balancer create command and required parameters to create a load balancer:
oci lb load-balancer create --compartment-id compartment_id --display-name display_name --shape-name shape_name --subnet-id subnet_id [OPTIONS]
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Run the CreateLoadBalancer operation to create a load balancer.