Application Load Balancer

Definition

An Application Load Balancer distributes incoming traffic across multiple servers or virtual machines (VMs), ensuring applications remain fast, reliable, and secure. It helps optimize performance, improve availability, and protect applications by applying rules and security features.


Features

Traffic Distribution

Distributes client requests across multiple backend servers to avoid overload and ensure high availability.

Service Support

Supports multiple protocols (HTTP, HTTPS, TLS, TCP, …) for different application needs.

Managing SSL Certificates

  • Easily attach and manage SSL certificates for encrypted traffic.
  • SSL Certificates cannot be added to non-secure load balancers (e.g., HTTP or TCP).

TLS Termination

Provides secure traffic handling by encrypting and decrypting connections directly at the load balancer.

Persistence Methods

Ensures client requests are consistently routed to the same backend server using different methods:

  • Cookies: Session-based persistence (only for HTTP/HTTPS).
  • Hash: Consistent routing based on a calculated value (e.g., request content).
  • Source Address: Routes clients based on their IP address.

Connection Reuse  

Optimizes performance by reusing existing connections between the LB and backend servers (up to 1000 reuses, max age 24 hours). Only available for HTTP/HTTPS load balancers.

Security Controls

  • Firewall Rules: Define incoming and outgoing firewall rules.
  • Web Application Firewall (WAF): Protects applications against common attacks.
  • Blocked URIs: Restrict specific paths or endpoints.

Default Certificates for Secure Services

All secure load balancers (HTTPS, TLS, SMTPS, FTPS) are automatically assigned a free self-signed certificate upon creation.

Users can replace this default certificate with their own at any time.

Flexible IP Management

Supports both Public IPs (accessible from the internet with proper firewall rules) and Shared IPs for cross-network communication.


Use Cases

  • High Availability: Keep web applications online by balancing traffic across multiple servers.
  • Scalability: Seamlessly add backend servers as traffic grows.
  • Security: Terminate TLS, enforce firewall rules, and block malicious requests with WAF.
  • Cost Efficiency: Share one LB across multiple applications while managing resources centrally.

Step-by-Step Guide

1. Create an Application Load Balancer

Navigate to Networking → App Load Balancers from the Cloud Portal.

Click Create in the top-right corner.

Fill in the form:

  1. Tenant: Select the tenant.
  2. Business Group: Choose the relevant business group.
  3. Environment: Select the environment.
  4. VPC: Choose the virtual cloud.
  5. Name & Description: Enter details for identification.
  6. Service: Select the service (e.g., HTTP, HTTPS, TLS, TCP).
  7. Virtual IP & Port: Define the VIP and port.


Why it matters: These settings define how traffic reaches your applications.


2. Manage Members Configuration

  1. Open the created Load Balancer.
  2. Go to the Members tab.
  3. Configure the following settings:
    1. Member Service: Define the backend service type (e.g., HTTP, HTTPS, TCP).
    2. Load Balancing Method: Choose between Round Robin, Least Connections, or Hash.
    3. Health Monitor: Choose between TCP, HTTP or PING.
    4. Enable/Disable Connection Reuse: Toggle connection reuse for efficiency (not available for all protocols).

3. Manage Security

Firewall Rules: Define incoming and outgoing firewall rules.

WAF: Enable to protect your application from common web attacks such as SQL injection and cross-site scripting (only for HTTP/HTTPS).

Blocked URIs: Add or remove endpoints to block malicious or unwanted requests (only for HTTP/HTTPS).


4. Manage Certificates

Secure LBs (HTTPS/TLS) are automatically assigned a free default certificate.

To replace the default certificate:

  1. Navigate to the SSL Certificates tab.
  2. Upload or select your own certificate.
  3. Attach it to the load balancer.

⚠️ Certificates cannot be added to non-secure load balancers (HTTP, TCP).


5. Manage Network

You can control how your Load Balancer is reached by assigning the appropriate IP address type:

  • Public IP Address: Use this if you want the Load Balancer to accept incoming traffic from the internet.
  • Shared IP Address: Use this if you only need access within the cloud environment or across connected VPCs, without exposing the Load Balancer to the internet.
  • HTTP Version: Configured for HTTPS load balancers only. Using HTTP/2 requires associating an SSL certificate, as this version cannot be used with the Site Cloud Default Certificate.

FAQs

  • Q: Can I edit the service (HTTP/HTTPS/TLS) after creating a Load Balancer?
    No, the service type cannot be changed once the LB is created. You must create a new one if the service changes.
  • Q: Why can’t I attach a certificate to my HTTP or TCP Load Balancer?
    Certificates are only supported on secure load balancers (HTTPS, TLS).
  • Q: What happens if I delete a Load Balancer member?
    The load balancer will immediately stop routing traffic to that server.
  • Q: I want to perform SSL termination on my VM instead of the Load Balancer. How can I do this?
    Create a TCP Load Balancer. In this mode, the Load Balancer will simply forward encrypted traffic directly to the backend members without decrypting or offloading it at the LB level.
  • Q: How can I ensure traffic is always encrypted from the client all the way to the VM?
    To fully encrypt traffic end-to-end:
    1. Client to Load Balancer traffic: Attach an SSL certificate to the Load Balancer so client connections (e.g., from a browser) are encrypted.
    2. Load Balancer to Members traffic: From the Members Configuration, set the backend members to use a secure service (e.g., HTTPS or TLS). This ensures the Load Balancer forwards traffic securely to the VMs.
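
The rules stated on this page (certificates only on secure services, HTTP/2 needing your own certificate, WAF, Blocked URIs and Connection Reuse limited to HTTP/HTTPS, and the end-to-end encryption answer above) can be checked mechanically against a list of load balancer definitions. The Python check below is an added example, not code from the Cloud Portal; the dictionary field names, finding codes and sample entries are assumptions made for illustration.

```python
# Added example: the field names are a hypothetical export schema, not the
# Cloud Portal's API. The rules are the constraints stated on this page.
SECURE = {"HTTPS", "TLS", "SMTPS", "FTPS"}  # services that get a default certificate
WEB = {"HTTP", "HTTPS"}                     # services supporting WAF, Blocked URIs, reuse


def audit_lb(lb):
    """Return a sorted list of finding codes for one load balancer definition."""
    svc = lb["service"]
    member = lb["member_service"]
    cert = lb.get("certificate")            # None, "default" or "custom"
    findings = set()

    if svc in SECURE:
        if cert in (None, "default"):       # self-signed: clients cannot validate it
            findings.add("DEFAULT_SELF_SIGNED_CERT")
        if member not in SECURE:            # TLS ends at the LB, plaintext to the VMs
            findings.add("PLAINTEXT_LB_TO_MEMBER")
    else:
        if cert is not None:
            findings.add("CERT_ON_NON_SECURE_LB")
        if svc == "HTTP" and lb.get("ip_type") == "public":
            findings.add("PLAINTEXT_PUBLIC_LISTENER")
    if lb.get("http_version") == "2" and (svc != "HTTPS" or cert != "custom"):
        findings.add("HTTP2_REQUIRES_HTTPS_AND_OWN_CERT")
    if svc not in WEB:
        for key, code in (("waf", "WAF_UNSUPPORTED"),
                          ("blocked_uris", "BLOCKED_URIS_UNSUPPORTED"),
                          ("connection_reuse", "REUSE_UNSUPPORTED")):
            if lb.get(key):
                findings.add(code)
    return sorted(findings)


SAMPLE_LBS = [  # constructed sample data
    {"name": "shop-edge", "service": "HTTPS", "member_service": "HTTP",
     "certificate": "default", "ip_type": "public", "http_version": "2", "waf": True},
    {"name": "shop-e2e", "service": "HTTPS", "member_service": "HTTPS",
     "certificate": "custom", "ip_type": "public", "http_version": "2", "waf": True},
    {"name": "tls-passthrough", "service": "TCP", "member_service": "TCP",
     "ip_type": "shared", "waf": True},
]

if __name__ == "__main__":
    for lb in SAMPLE_LBS:
        print(lb["name"], audit_lb(lb))
```

A TCP load balancer that passes TLS through to the VM produces no encryption finding here, because the check cannot see inside the forwarded stream; verify the certificate on the VM itself in that mode.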

Glossary

VIP (Virtual IP): The private IP address assigned to the load balancer.

Members: Backend servers (VMs) receiving traffic from the LB.

Persistence Profile: Ensures client requests stick to the same server.

TLS Termination: LB decrypts traffic before passing it to servers.

WAF: Web Application Firewall for security.

Blocked URIs: Specific paths denied access through the LB.

Connection Reuse: Reusing an open connection between LB and backend servers to improve efficiency.

Updated at 2025-12-24