Creating a Network Load Balancer

Create a network load balancer to provide automated traffic distribution from one entry point to multiple servers in a backend set.

For prerequisite information, see Network Load Balancer Management.

    1. Open the navigation menu, click Networking, and then click Load balancers. Click Network load balancer. The Network load balancers page appears.
    2. Choose a Compartment you have permission to work in under List scope.
    3. Click Create network load balancer. The Create network load balancer dialog box appears. Creating a network load balancer leads you through the following sections:
      • Add details

      • Configure listener

      • Choose backends

      • Review and create

      By default, the Add details page appears first. Run each of the following workflows in order. You can return to a previous page by clicking Previous.

    Add Details

    1. Load balancer name: Enter a name for the network load balancer or accept the default name.
    2. Choose visibility type: Select whether the network load balancer is public or private:
      • Public: Select this option to create a public network load balancer. You can use the assigned public IP address as a front end for incoming traffic and to balance that traffic across all backend servers. The Public IP address can be either an ephemeral address assigned by Oracle or a reserved IP address you defined earlier.

      • Private: Select this option to create a private network load balancer. You can use the assigned private IP address as a front end for incoming internal VCN traffic and to balance that traffic across all backend servers.

    3. Allow IPv6 address assignment: Select to enable a dual-stack IPv4/IPv6 implementation for your network load balancer.
    4. Assign a public IP address: Required if you selected the Public option for the network load balancer's visibility type. Select one of the following options:
      • Ephemeral IPv4 address: Automatically assigns an IPv4 address from the Oracle pool. These IP addresses are temporary and exist only for the lifetime of the network load balancer.

      • Reserved IPv4 address: Select an existing reserved IP address or create a new one from one of your IP pools. These IP addresses are persistent and exist beyond the lifetime of the resource to which they're assigned. You can unassign the IP address and later reassign it to another resource at any point.

    5. Choose networking: Select the virtual cloud network (VCN) in which the network load balancer is created.

      Virtual cloud network in <compartment>: Select a VCN from the list.

      When the current compartment contains no VCNs, the list is disabled and the system offers to create a VCN for you. Enter a name for the new VCN in the Virtual cloud network name box. If you don't specify a name, the system generates one.

    6. Subnet in <compartment>: Select a subnet from the list. For a public network load balancer, you must select a public subnet.
    7. Use network security groups to control traffic: Select to add the network load balancer to a network security group (NSG). Complete the following steps.
      1. Network security groups in <compartment>: Select an NSG from the list.

      2. + Another network security group: Click to add the load balancer to another NSG.

      For more information about NSGs, see Network Security Groups.

      Note

      You can change the NSGs that the load balancer belongs to after you create it. On the Details page, click the Edit link that appears beside the list of associated network security groups.
    8. Show advanced options: Click to access more options.
    9. Management tab: Click to create the network load balancer in the compartment you select from the Create in compartment list. The compartment you select here overrides the compartment chosen under List scope when you started creating the network load balancer.
    10. Security tab: Click to control access for your resources through the Zero-trust Packet Routing (ZPR) service. See Zero Trust Packet Routing for more information.

      You can configure up to three security attributes for your network load balancer. Complete the following for each security attribute:

      • Namespace: Select a security attribute namespace from the list. This list contains those security attribute namespaces already configured. See Creating a Security Attribute Namespace for more information.

      • Key: Select a key from the list.

      • Value: Select a value for the corresponding key from the list.

      Click Add security attribute to add another attribute (to a maximum of three). Click X to remove the associated attribute.

      ZPR security attributes added to a network load balancer are always configured in Enforce mode.

    11. Click Tagging to apply metadata tags to the network load balancer. See Overview of Tagging for descriptions of this feature and its associated fields. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace.
      Note

      If you're not sure about whether to apply tags, then skip this option (you can apply tags later) or ask an administrator.

      Complete the following:

      • Tag namespace

      • Tag key

      • Value

      Click +Additional tag to add another tag. Click X to remove the associated tag.

    12. Click Next. The Configure listener page appears.

    Configure Listener

    1. Listener Name: Enter a unique name for the listener. If you don't specify a name, the Network Load Balancer service creates one for you. After the listener is created, you can't change its name.
    2. Specify the type of traffic the listener handles: Specify the protocol to use from the following protocols:
      • Public network load balancers:

        • UDP

        • TCP

        • UDP/TCP

      • Private network load balancers

        • UDP

        • TCP

        • TCP/UDP/ICMP

        • UDP/TCP

    3. IP protocol version: Select from the following options:
      • IPv4

      • IPv6

      This step is required if you enabled the IPv6 Address Assignment option earlier. The network load balancer listener and backend set must use the same IP protocol version.
    4. Ingress traffic port: Specify the port the listener monitors for ingress traffic depending on the traffic type. An any-port listener accepts traffic on every port, so in that case rely on NSG or security list rules to limit which ports are reachable. Select one of the following options:
      • Public network load balancers:

        • Use any port: Enter 0 or an asterisk ("*") to indicate any port can be used.

        • Select the Port: Enter the port number you want to use.

      • Private network load balancers:

        • Use any port: Enter 0 or an asterisk ("*") to indicate any port can be used.

        • Select the Port: (UDP, TCP, and UDP/TCP only) Enter the port number you want to use.

    5. Click Next. The Choose backends page appears.

      A network load balancer distributes traffic to backend servers within a backend set. A backend set is a logical entity defined by a network load balancing policy, a list of backend servers (compute instances), and a health check policy.

      The network load balancer creation workflow creates one backend set for the load balancer. Optionally, you can add backend sets and backend servers after you create the network load balancer.

    Choose Backends

    1. Select the IP protocol version from the following options:
      • IPv4

      • IPv6

      Note

      This step is required if you enabled the IPv6 Address Assignment option. The network load balancer listener and backend set must use the same IP protocol version. You must select the option chosen for the listener.

    2. Backend Set Name: Enter a name for the backend set or accept the default name.
    3. Add Backends: Click to open the Add compute instance backends dialog box. Complete the following:
      • Instance in <compartment>: Select the instance in the selected compartment to include in the network load balancer's backend set. To select instances from a different compartment, click the Change Compartment link and select a compartment from the list.

      • IP address: Select one of the available IP addresses for the instance you selected from the list.

      • Availability domain: Displays the availability domain for the instance you selected.

      • Port: Enter the communication port for the backend server.

      • Weight: Enter the load balancing policy weight number assigned to the server. Backend servers with a greater weight receive a larger proportion of incoming traffic.

      • +Another backend: Click to add another backend. Click X to remove a backend entry.

      Click Add backends when you have set up all the backends you want to add. The Add compute instance backends dialog box closes.

      After you add instances to the backend set, they appear in the Select backend servers table. You can perform the following tasks:

      • Update the server Port to which the load balancer must direct traffic. The default is port 80.

      • Update the server Weight that specifies the proportion of incoming traffic the backend handles. The higher the number, the more traffic is received.

      • Remove any instance by checking it and clicking Remove. You can also select Remove from the Action menu at the end of an instance entry.

    4. Select Preserve Source IP to preserve the original source and destination header (IP addresses and ports) of each incoming packet all the way to the backend server. See Enabling Source/Destination Preservation for more information on this feature.
    5. Specify Health Check Policy: Specify the test parameters that confirm the health of the backend servers. See Health Check Policies for more information on this feature. Complete the following settings:
      • Protocol: Specify the protocol to use for health check queries:

        • HTTP

        • HTTPS

        • TCP

        • UDP

        • DNS: See DNS Health Checking for more information on how to configure your health check policies for the DNS protocol.

        Important

        Configure the health check protocol to match the application or service. See Health Check Policies.

        For both TCP and UDP, the request and response data must be base64 encoded. Use any base64 encoding tool to convert the plain text strings to base64 encoded strings, and use the encoded strings in the health check configuration. For example, the following plain text string:

        this is the request data for my NLB backend health check

        is encoded as:

        dGhpcyBpcyB0aGUgcmVxdWVzdCBkYXRhIGZvciBteSBOTEIgYmFja2VuZCBoZWFsdGggY2hlY2s=

        Enter the encoded string, not the plain text, in the health check configuration.

        The supported maximum length of the string before base64 encoding is 1024 bytes. If the string exceeds the limit, the configuration call fails with an HTTP status code 400.

      • Transport protocol: (DNS only) Specify the transport protocol used to send traffic when DNS is selected as the protocol:

        • UDP

        • TCP

      • Port: Specify the backend server port against which to run the health check. You can enter the value '0' to have the health check use the backend server's traffic port.

      • Interval in MS: Specify how often to run the health check, in milliseconds. The default is 10000 (10 seconds).

      • Timeout in MS: Specify the maximum time in milliseconds to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. The default is 3000 (3 seconds).

      • Number of retries: Specify the number of retries to try before a backend server is considered "unhealthy." This number also applies when recovering a server to the "healthy" state. The default is 3.

      • Request Data: (Required for UDP, optional for TCP) Enter the message the health check sends to the backend server. The health check sends this data in a single request, and the backend's reply is compared against the Response Data.

      • Response Data: (Required for UDP, optional for TCP) Enter the reply expected from the backend server. The health check sends the request data to the backend server once and compares the reply against this value. If they match, the health check passes.

      • Status code: (HTTP and HTTPS only) Specify the status code a healthy backend server must return.

      • URL path (URI): (HTTP and HTTPS only) Specify a URL endpoint against which to run the health check.

      • Response body (regular expression): Provide a regular expression for parsing the response body from the backend server.

      • Query name: (DNS only) Provide a DNS domain name for the query.

      • Query class: (DNS only) Select from the following options:

        • IN: Internet (default)

        • CH: Chaos

      • Query type: (DNS only) Select from the following options:

        • A: Queries the IPv4 address record for the hostname. (default)

        • AAAA: Queries the IPv6 address record for the hostname.

        • TXT: Queries the text record for the hostname.

      • Acceptable response codes: Select one or more from the following options:

        • RCODE:0 NOERROR: The DNS query completed successfully.

        • RCODE:2 SERVFAIL: The server failed to complete the DNS request.

        • RCODE:3 NXDOMAIN: The domain name doesn't exist.

        • RCODE:5 REFUSED: The server refused to answer the query.

      • Fail open: (Optional) Select to have the network load balancer continue to send traffic to the backend servers in this backend set using the current configuration, even if all the backend servers become unhealthy.

      • Enable instant failover: (Required for DNS, optional for all other protocols) Select to redirect existing traffic to a healthy backend server if the current backend server becomes unhealthy. This feature doesn't work if Fail open is enabled and all backend servers become unhealthy.

    6. Show advanced options: Select to access more options.
    7. Security list tab: Select to manually configure subnet security list rules to allow the intended traffic or allow the system to create security list rules for you. To learn more about these rules, see Parts of a Security Rule.

      Select one of the following options:

      • Manually configure security list rules after the load balancer is created: When you select this option, you must configure security list rules yourself after the network load balancer is created.

      • Automatically add security list rules: Default. When you select this option, the Network Load Balancer service creates security list rules for you. Security list rules apply to every resource in the subnet, not only to the network load balancer, so review the proposed rules before accepting them.

        The system displays a table for egress rules and a table for ingress rules. Each table lets you select the security list that applies to the relevant subnet.

        You can decide whether to apply the proposed rules for each affected subnet.

    8. Load balancing policy tab. Select one of the following load balancing policies:
      • 5-Tuple hash: Routes incoming traffic based on a 5-tuple (source IP and port, destination IP and port, protocol) hash.

      • 3-Tuple hash: Routes incoming traffic based on a 3-tuple (source IP, destination IP, protocol) hash.

      • 2-Tuple hash: Routes incoming traffic based on a 2-tuple (source IP, destination IP) hash.

    9. Click Next. The Review and create page appears.
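    The two settings on this page that are easiest to get wrong are the base64-encoded TCP/UDP health check data (Specify Health Check Policy) and the choice of tuple hash (Load balancing policy tab). The following Python example is added here to model both; it is not Oracle's code. The exact-byte comparison of the backend reply, the SHA-256 hash, and the weighted slot table are assumptions made for illustration, and the policy names FIVE_TUPLE, THREE_TUPLE and TWO_TUPLE are used only as labels; OCI does not publish its hashing on this page.

```python
"""Model of two Choose backends settings: TCP/UDP health check data and
the tuple-hash load balancing policies. Added illustration, not OCI code."""
import base64
import hashlib
import socket

# Pre-encoding size limit stated on the page; longer data makes the
# configuration call fail with HTTP 400.
MAX_RAW_BYTES = 1024


def encode_check_data(text: str) -> str:
    """Base64-encode health check request or response data (TCP/UDP).

    Rejects data over the 1024-byte pre-encoding limit up front instead of
    letting the configuration call fail later with a 400.
    """
    raw = text.encode("utf-8")
    if len(raw) > MAX_RAW_BYTES:
        raise ValueError(f"{len(raw)} bytes exceeds the {MAX_RAW_BYTES}-byte limit")
    return base64.b64encode(raw).decode("ascii")


def reply_matches(reply: bytes, response_data_b64: str) -> bool:
    """Compare a backend's raw reply with the configured response data.

    Assumption (not stated on the page): the match is an exact byte
    comparison, so a reply with an extra trailing newline does not pass.
    """
    return reply == base64.b64decode(response_data_b64)


def udp_probe(host: str, port: int, request_b64: str, response_b64: str,
              timeout_ms: int = 3000) -> bool:
    """Send the decoded request data once over UDP and compare the reply,
    the way the page describes the UDP health check (one request, one
    reply). Returns False on timeout, as an unhealthy result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout_ms / 1000)
        sock.sendto(base64.b64decode(request_b64), (host, port))
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return False
    return reply_matches(reply, response_b64)


def select_backend(policy: str, backends: dict, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int, proto: str) -> str:
    """Pick a backend by hashing the packet fields the chosen policy uses.

    backends maps name -> weight. The hash (SHA-256 over the tuple) and the
    weighted slot table are illustrative assumptions. What the model shows
    is which fields decide the choice: under TWO_TUPLE every flow from one
    source IP to the listener IP lands on the same backend, while under
    FIVE_TUPLE each connection (distinct source port) is hashed separately.
    """
    if policy == "FIVE_TUPLE":
        key = (src_ip, src_port, dst_ip, dst_port, proto)
    elif policy == "THREE_TUPLE":
        key = (src_ip, dst_ip, proto)
    elif policy == "TWO_TUPLE":
        key = (src_ip, dst_ip)
    else:
        raise ValueError(f"unknown policy {policy}")
    # Weighted selection: a backend with weight 3 gets three slots.
    slots = [name for name, weight in backends.items() for _ in range(weight)]
    digest = hashlib.sha256(repr(key).encode()).digest()
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


if __name__ == "__main__":
    req = encode_check_data("this is the request data for my NLB backend health check")
    print(req)  # the page's example string, with standard '=' padding
    print(reply_matches(b"OK", encode_check_data("OK")))    # True
    print(reply_matches(b"OK\n", encode_check_data("OK")))  # False: extra byte
    backends = {"web-1": 3, "web-2": 1}  # constructed backend set
    for port in (40001, 40002, 40003):
        print(port,
              select_backend("TWO_TUPLE", backends, "10.0.1.5", port, "10.0.0.10", 443, "TCP"),
              select_backend("FIVE_TUPLE", backends, "10.0.1.5", port, "10.0.0.10", 443, "TCP"))
```

    Run it as a script to see that the 2-tuple policy keeps every port from 10.0.1.5 on the same backend while the 5-tuple policy spreads them, and that a reply with a stray newline fails the UDP/TCP match. If you want to try udp_probe against a real service, point it at a backend that echoes the request data; a timeout is reported as an unhealthy result, which is what the Timeout in MS setting governs.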

    Review and Create

    1. Review the contents of the Review and create page. Edit settings or return to previous screens to add information.
    2. When the settings are fully verified, click Create network load balancer.

    The network load balancer you created appears in the Network load balancer page.

  • Use the oci nlb network-load-balancer create command to create a network load balancer:
    oci nlb network-load-balancer create --compartment-id compartment_ocid --display-name display_name --subnet-id subnet_ocid [OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateNetworkLoadBalancer operation to create a network load balancer.