Creating a Network Load Balancer

Create a network load balancer to provide automated traffic distribution from one entry point to multiple servers in a backend set.

For prerequisite information, see Network Load Balancer Management.

  • On the Network load balancers list page, select Create network load balancer. If you need help finding the list page, see Listing Network Load Balancers.

    Creating a network load balancer consists of the following pages:

    • 1. Add details

    • 2. Configure listener

    • 3. Choose backends

    • 4. Review and Create

    Run each of the following workflows in order. You can return to a previous page by selecting Previous.

    1. Add details

    The Add details page is where you provide the basic information for the network load balancer.

    Enter the following information:

    • Load balancer name: Enter a name for the network load balancer or accept the default name.

    • Choose visibility type: Select whether the network load balancer is public or private:

      • Public: Select this option to create a public network load balancer. You can use the assigned public IP address as a front end for incoming traffic and to balance that traffic across all backend servers. The Public IP address can be either an ephemeral address assigned by Oracle or a reserved IP address you defined earlier.

      • Private: Select this option to create a private network load balancer. You can use the assigned private IP address as a front end for incoming internal VCN traffic and to balance that traffic across all backend servers.

    • Allow IPv6 address assignment: Select to enable a dual-stack IPv4/IPv6 implementation for your network load balancer.

    • Assign a public IP address: Required if you selected the Public option for the network load balancer's visibility type. Select one of the following options:

      • Ephemeral IPv4 address: Automatically assigns an IPv4 address from the Oracle pool. These IP addresses are temporary and only exist for the lifetime of the instance.

      • Reserved IPv4 address: Select an existing reserved IP address or create a new one from one of your IP pools. These IP addresses are persistent and exist beyond the lifetime of the instance to which it's assigned. You can unassign the IP address and later reassign it to another instance at any point.

    Choose networking

    If the current compartment contains one or more virtual cloud networks (VCNs) that you want to use with the network load balancer, skip to the next step.

    • Virtual cloud network in <compartment>: Select a VCN from the list.

      When the current compartment contains no virtual cloud networks, the list is disabled. The system offers to create a VCN for you. Enter a name for the new VCN in the Virtual cloud network name box. If you don't specify a name for the new VCN, the system generates a name for you.

    • Subnet in <compartment> : Select a subnet from the list. For a public load balancer, you must select a public subnet.

    • Use network security groups to control traffic: Select to add the network load balancer to a network security group (NSG). Complete the following steps:

      1. Network security groups in <compartment>: Select an NSG from the list.

      2. + Another network security group: Select to add the network load balancer to another NSG.

      For more information about NSGs, see Network Security Groups.

      Note

      You can change the NSGs that the network load balancer belongs to after you create it. On the Details page, select Edit beside the list of associated network security groups.

    Management

    Select to create the network load balancer in the compartment you select from the Create in compartment list. The compartment you select here overrides the compartment listed under Scope selected when first creating the network load balancer.

    Security

    Select to control access for your resources through the Zero Trust Packet Routing service. See Zero Trust Packet Routing for more information.

    You can configure up to three security attributes for your network load balancer. Enter the following information for each security attribute:

    • Namespace: Select a security attribute namespace from the list. This list contains those security attribute namespaces already configured. See Creating a Security Attribute Namespace for more information.

    • Key: Select a key from the list.

    • Value: Select a value for the corresponding key from the list.

    Tagging

    If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.

    Select Next to advance to the next step.

    2. Configure Listener

    The Configure listener page is where you set up the listener for the network load balancer.

    A listener is a logical entity that checks for incoming traffic on the network load balancer's IP address. To handle TCP, HTTP, and HTTPS traffic, you must configure at least one listener per traffic type. When you create a listener, you must ensure that your VCN's security rules allow the listener to accept traffic. See Security Rules for more information.

    Listener Name: Enter a unique name for the listener. If you don't specify a name, the Network Load Balancer service creates one for you. After the listener is created, you can't change its name.

    Specify the type of traffic the listener handles: Specify the protocol to use from the following protocols:

    • Public network load balancers:

      • UDP

      • TCP

      • UDP/TCP

    • Private network load balancers

      • UDP

      • TCP

      • TCP/UDP/ICMP

      • UDP/TCP

    IP protocol version: Select from the following options:

    • IPv4

    • IPv6

    This step is required if you enabled the IPv6 Address Assignment option earlier. The network load balancer listener and backend set must use the same IP protocol version.

    Ingress traffic port: Specify the port the listener monitors for ingress traffic depending on the traffic type. Select one of the following options:

    • Public network load balancers:

      • Use any port: Enter 0 or an asterisk ("*") to indicate any port can be used.

      • Select the Port: Enter the port number you want to use.

    • Private network load balancers:

      • Use any port: Enter 0 or an asterisk ("*") to indicate any port can be used.

      • Select the Port: (UDP, TCP, and UDP/TCP only) Enter the port number you want to use.

    Select Next to advance to the next step.

    3. Choose backends

    The Choose backends page is where you set up your backend servers and backend sets.

    A network load balancer distributes traffic to backend servers within a backend set. A backend set is a logical entity defined by a network load balancing policy, a list of backend servers (compute instances), and a health check policy.

    The network load balancer creation workflow creates one backend set for the network load balancer. Optionally, you can add backend sets and backend servers after you create the network load balancer.

    IP protocol version: Select from the following options:

    • IPv4

    • IPv6

    Note

    This step is required if you enabled the IPv6 Address Assignment option. The network load balancer listener and backend set must use the same IP protocol version. You must select the option chosen for the listener.

    Backend Set Name: Enter a name for the backend set or accept the default name.

    Select backends

    Add Backends: Select to open the Add compute instance backends dialog box. Enter the following information:

    • Instance in <compartment>: Select the instance you want to include in the network load balancer's backend set contained in the selected compartment. To select instances from a different compartment, use the Change Compartment link and select a compartment from the list.

    • IP address: Select one of the available IP addresses for the instance you selected from the list.

    • Availability domain: Displays the availability domain for the instance you selected.

    • Port: Enter the communication port for the backend server.

    • Weight: Enter the load balancing policy weight number assigned to the server. Backend servers with a greater weight receive a larger proportion of incoming traffic.

    Select Add backends when you have set up all the backends you want to add.

    After you add instances to the backend set, they appear in the Select backend servers table. You can perform the following tasks:

    • Update the server Port to which the network load balancer must direct traffic. The default is port 80.

    • Update the server Weight that specifies the proportion of incoming traffic the backend handles. The higher the number, the more traffic that is received.

    • Remove any instance by checking it and selecting Remove. You can also select Remove from the Action menu at the end of an instance entry.

    Preserve Source IP: Select to preserve the original source and destination header (IP addresses and ports) of each incoming packet all the way to the backend server. See Enabling Source/Destination Preservation for more information on this feature.

    Specify health check policy

    Specify the test parameters that confirm the health of the backend servers. See Health Check Policies for more information on this feature.

    Enter the following information:

    • Protocol: Specify the protocol to use for health check queries:

      • HTTP

      • HTTPS

      • TCP

      • UDP

      • DNS: See DNS Health Checking for more information on how to configure your health check policies for the DNS protocol.

      Important

      Configure the health check protocol to match the application or service. See Health Check Policies.

      For both TCP and UDP, the provided data must be base64 encoded. Use any base64 encoding tool to convert the plain text strings to base64 encoded strings, and use the encoded strings for the health check configuration. For example, the following plain text string:

      this is the request data for my NLB backend health check

      is encoded as:

      dGhpcyBpcyB0aGUgcmVxdWVzdCBkYXRhIGZvciBteSBOTEIgYmFja2VuZCBoZWFsdGggY2hlY2s=

      The encoded string is what you enter in the health check configuration.

      The supported maximum length of the string before base64 encoding is 1024 bytes. If the string exceeds the limit, the configuration call fails with an HTTP status code 400.

    • Transport protocol: (DNS only) Specify the transport protocol used to send traffic when DNS is selected as the protocol:

      • UDP

      • TCP

    • Port: Specify the backend server port against which to run the health check. You can enter the value '0' to have the health check use the backend server's traffic port.

    • Interval in MS: Specify how often to run the health check, in milliseconds. The default is 10000 (10 seconds).

    • Timeout in MS: Specify the maximum time in milliseconds to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. The default is 3000 (3 seconds).

    • Number of retries: Specify the number of retries to try before a backend server is considered "unhealthy." This number also applies when recovering a server to the "healthy" state. The default is 3.

    • Request Data: (Required for UDP, and optional for TCP only) Enter the request message. This request data is included in the single request that the health check sends to the backend server. The backend server's reply is compared against the response data.

    • Response Data: (Required for UDP, and optional for TCP only) Enter the response message against which the reply to the single health check request sent to the backend server is compared. If the reply matches, the health check passes.

    • Status code: (HTTP and HTTPS only) Specify the status code a healthy backend server must return.

    • URL path (URI): (HTTP and HTTPS only) Specify a URL endpoint against which to run the health check.

    • Response body (regular expression): Provide a regular expression for parsing the response body from the backend server.

    • Query name: (DNS only) Provide a DNS domain name for the query.

    • Query class: (DNS only) Select from the following options:

      • IN: Internet (default)

      • CH: Chaos

    • Query type: (DNS only) Select from the following options:

      • A: Indicates the IPv4 address corresponding to a hostname. (default)

      • AAAA: Indicates the IPv6 address corresponding to a hostname.

      • TXT: Indicates a text field.

    • Acceptable response codes: Select one or more from the following options:

      • RCODE:0 NOERROR: DNS query completed successfully.

      • RCODE:2 SERVFAIL: Server failed to complete the DNS request.

      • RCODE:3 NXDOMAIN: Domain name doesn't exist.

      • RCODE:5 REFUSED: The server refused to answer the query.

    • Fail open: (Optional) Select to have the network load balancer continue to send traffic to the backend servers in this backend set using the current configuration, even if all the backend servers become unhealthy.

    • Enable instant failover: (Required for DNS, optional for all other protocols) Select to redirect existing traffic to a healthy backend server if the current backend server becomes unhealthy. This feature doesn't work if Fail open is enabled and all backend servers become unhealthy.
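    The base64 requirement and the 1024-byte limit for TCP/UDP request and response data, together with the reply-must-match rule, worked through as an added example. This is not Oracle's code; the dictionary key names are assumed to mirror the API's HealthChecker fields and should be checked against the API reference, and the sample strings are constructed (the request text is the one the page uses).

```python
import base64

# Limit stated on the page: plain-text request or response data may be at most
# 1024 bytes before base64 encoding; a longer string makes the configuration
# call fail with HTTP 400.
MAX_PLAIN_BYTES = 1024


def encode_health_check_data(text: str) -> str:
    """Base64-encode plain-text request or response data for a TCP or UDP health check.

    Raises ValueError when the plain text is over the 1024-byte limit, so the
    caller learns this locally instead of from a rejected configuration call.
    """
    raw = text.encode("utf-8")
    if len(raw) > MAX_PLAIN_BYTES:
        raise ValueError(f"health check data is {len(raw)} bytes; the limit is {MAX_PLAIN_BYTES}")
    return base64.b64encode(raw).decode("ascii")


def decode_health_check_data(encoded: str) -> bytes:
    """Decode a configured base64 string back to the raw bytes the backend sees.

    Some encoding tools drop the trailing '=' padding and strict decoders reject
    that, so the padding is restored before a strict (validate=True) decode.
    """
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded, validate=True)


def build_udp_health_checker(port: int, request_text: str, response_text: str,
                             interval_ms: int = 10000, timeout_ms: int = 3000,
                             retries: int = 3) -> dict:
    """Assemble a UDP health checker using the page's defaults (10000 ms interval,
    3000 ms timeout, 3 retries). Key names are an assumption modelled on the
    API's HealthChecker fields, not taken from this page."""
    return {
        "protocol": "UDP",
        "port": port,  # 0 means "use the backend server's traffic port"
        "intervalInMillis": interval_ms,
        "timeoutInMillis": timeout_ms,
        "retries": retries,
        "requestData": encode_health_check_data(request_text),
        "responseData": encode_health_check_data(response_text),
    }


def reply_is_healthy(checker: dict, reply: bytes) -> bool:
    """The page's rule for TCP/UDP checks: the reply must match the configured response data."""
    return reply == decode_health_check_data(checker["responseData"])


if __name__ == "__main__":
    checker = build_udp_health_checker(
        port=0,
        request_text="this is the request data for my NLB backend health check",
        response_text="OK",  # constructed expected reply
    )
    print(checker["requestData"])
    print(reply_is_healthy(checker, b"OK"), reply_is_healthy(checker, b"FAIL"))
```

    Standard base64 of the page's 56-byte request string ends in a single "=" pad character; the decoder above accepts both the padded and the unpadded form, which is worth knowing when the string was produced by a tool that strips padding.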

    Security list

    Select to manually configure subnet security list rules to allow the intended traffic or allow the system to create security list rules for you. To learn more about these rules, see Parts of a Security Rule.

    Select one of the following options:

    • Manually configure security list rules after the network load balancer is created: When you select this option, you must configure security list rules after the network load balancer creation.

    • Automatically add security list rules: When you select this option, the Network Load Balancer service creates security list rules for you.

      The system displays a table for egress rules and a table for ingress rules. Each table lets you select the security list that applies to the relevant subnet.

      You can decide whether to apply the proposed rules for each affected subnet.

    Load balancing policy

    Select one of the following load balancing policies:

    • 5-Tuple hash: Routes incoming traffic based on a 5-tuple (source IP and port, destination IP and port, protocol) hash.

    • 3-Tuple hash: Routes incoming traffic based on a 3-tuple (source IP, destination IP, protocol) hash.

    • 2-Tuple hash: Routes incoming traffic based on a 2-tuple (source IP, destination IP) hash.
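    How the three hash policies and backend weights decide which backend a flow reaches, as an added simulation that is not Oracle's code. The backend addresses, client addresses and weights are constructed, and SHA-256 over the hashed fields is an illustrative stand-in for the service's own hash; the property being shown is which flows are guaranteed to share a backend under each policy.

```python
import hashlib
from collections import Counter

# Constructed backend set: (backend address, weight). As on the page, a backend
# with a greater weight receives a larger share of incoming traffic.
BACKENDS = [("10.0.1.10", 1), ("10.0.1.11", 1), ("10.0.1.12", 2)]

# The packet fields each policy hashes, as listed on the page.
POLICY_FIELDS = {
    "FIVE_TUPLE": ("src_ip", "src_port", "dst_ip", "dst_port", "proto"),
    "THREE_TUPLE": ("src_ip", "dst_ip", "proto"),
    "TWO_TUPLE": ("src_ip", "dst_ip"),
}


def make_flow(src_ip, src_port, dst_ip="192.0.2.10", dst_port=443, proto="TCP"):
    """A flow as seen at the listener; dst_ip is the load balancer's front-end address."""
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto}


def pick_backend(policy, flow, backends=BACKENDS):
    """Hash only the fields the policy uses, then map the digest onto a weighted slot list.

    Flows that agree on every hashed field always produce the same key, so they
    always reach the same backend; a weight of 2 gives a backend two slots.
    """
    key = "|".join(str(flow[f]) for f in POLICY_FIELDS[policy]).encode()
    slots = [addr for addr, weight in backends for _ in range(weight)]
    digest = hashlib.sha256(key).digest()  # illustrative hash, not the service's
    return slots[int.from_bytes(digest[:8], "big") % len(slots)]


def backends_used(policy, flows):
    """Set of distinct backends a list of flows is spread over under a policy."""
    return {pick_backend(policy, f) for f in flows}


def share_per_backend(policy, flows):
    """Fraction of flows each backend receives; shows the effect of weights."""
    counts = Counter(pick_backend(policy, f) for f in flows)
    return {addr: counts[addr] / len(flows) for addr, _ in BACKENDS}


def client_connections(src_ip, n=200, proto="TCP"):
    """Constructed: n connections from one client, each from a distinct ephemeral source port."""
    return [make_flow(src_ip, 40000 + i, proto=proto) for i in range(n)]


def many_clients(n=5000):
    """Constructed: one connection each from n distinct client addresses in 10.0.0.0/8."""
    return [make_flow(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000)
            for i in range(n)]


if __name__ == "__main__":
    flows = client_connections("198.51.100.7")
    for policy in POLICY_FIELDS:
        print(policy, sorted(backends_used(policy, flows)))
    print(share_per_backend("TWO_TUPLE", many_clients()))
```

    With the 2-tuple and 3-tuple policies every connection from one client address lands on a single backend whatever its source port, which is what a stateful backend needs but also means one busy client cannot be spread out; the 5-tuple policy spreads those connections across backends. The weighted shares over many distinct clients come out near 25%, 25% and 50%, matching the page's statement that a greater weight receives a larger proportion of traffic.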

    Select Next to advance to the next step.

    4. Review and create

    Review the contents of the Review and create page. Edit settings or return to previous screens to add information. When the settings are fully verified, select Create network load balancer.

    The network load balancer you created appears in the Network load balancer list page.

  • Use the oci nlb network-load-balancer create command to create a network load balancer; include the --defined-tags option to tag it at creation time:
    oci nlb network-load-balancer create --compartment-id compartment_ocid --display-name display_name --subnet-id subnet_ocid [OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateNetworkLoadBalancer operation to create a network load balancer.