2 Creating Load Balancers

You can create and manage one or more load balancers for your Oracle Public Cloud Infrastructure as a Service (IaaS) environment. The load balancer creation process ensures you have a secure, reliable, and efficient system for routing requests to your applications and services.

Typical Workflow for Creating a Load Balancer

Each time you create a new load balancer, you perform a set of steps to define the characteristics and behavior of the load balancer.

  • Step: Create an IP network
    Description: Create an IP network by providing a name, IP address prefix, IP network exchange, and description. The address range of the IP network is determined by the IP address prefix that you specify while creating the IP network.
    More information: Creating an IP Network

  • Step: Identify the servers and applications that you want to load balance.
    Description: This workflow assumes you have already created Oracle Cloud Infrastructure Compute Classic instances and have a set of servers and applications that you can assign to a load balancer.
    More information: Getting Started with Oracle Compute Cloud Service

  • Step: Create a vNICset
    Description: A vNICset is a collection of one or more vNICs.
    More information: Creating Virtual NIC Sets

  • Step: Create the load balancer and define basic properties
    Description: Provide a name and basic properties for the load balancer. When you complete this step, the new load balancer appears on the Balancers page in the Compute console.
    More information: Creating a Load Balancer

  • Step: Obtain and import a digital certificate
    Description: If you plan to use a Secure Sockets Layer (SSL) connection between the load balancer and the host computers that connect to the load balancer, or between the load balancer and the origin servers, then you must obtain and import a valid digital certificate.
    More information: Importing a Load Balancer Digital Certificate

  • Step: Add any specific policies to the load balancer
    Description: Optionally, you can assign policies to the new load balancer. Each policy defines a specific behavior for specific types of requests that the load balancer receives.
    More information: Creating Policies for a Load Balancer

  • Step: Create the server pools for the load balancer
    Description: Each server pool identifies a set of servers (or Compute instances). When a load balancer listener receives a request, the load balancer routes the request to the server pool.
    More information: Creating Server Pools for a Load Balancer

  • Step: Create the listeners for the load balancer
    Description: The listeners define the virtual host, port, and protocol that the load balancer will use to listen for new requests.
    More information: Creating Listeners for a Load Balancer

  • Step: Add the IP addresses of the load balancer to the Security IP list you created for the Compute instances in the server pool.
    Description: The security IP list identifies the IP addresses that can access the Compute instances. You should have already configured your IP network so HTTP requests can be received by the Compute instances, but this step ensures the load balancer IP is recognized by the Compute instances.
    More information: Adding the Load Balancer IP Addresses to the IP Security List

  • Step: Verify the load balancer
    Description: After you complete these steps, it’s important to verify that the load balancer has been configured correctly before you put it into production service.
    More information: Verifying a Load Balancer Configuration

Creating an IP Network

An IP network allows you to define an IP subnet in your account. The address range of the IP network is determined by the IP address prefix that you specify while creating the IP network.

To create an IP network, follow the steps provided in Creating an IP Network in Using Oracle Cloud Infrastructure Compute Classic.
For more information on IP network, see Managing IP Networks in Using Oracle Cloud Infrastructure Compute Classic.

Creating Virtual NIC Sets

A vNIC is a virtualized Network Interface Card. A Virtual NIC Set, or vNICset, is a collection of one or more vNICs. vNICsets are useful when you want to use multiple vNICs for the same action. For example, you use vNICsets to specify multiple vNICs as a source or a destination in a security rule. You can also use vNICsets in routes to specify multiple vNICs as the next hop destination for that route.

To create a vNICset, follow the steps provided in Creating a vNICset in Using Oracle Cloud Infrastructure Compute Classic.
For more information on vNICsets, see Managing vNICsets in Using Oracle Cloud Infrastructure Compute Classic.

Creating a Load Balancer Using QuickStarts

QuickStarts gives you the fastest, easiest way to create a load balancer.

To complete this task, you must have the Oracle Load Balancer Service Administrator role. See About Oracle Load Balancer Cloud Service Roles. If the required role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Click the Network tab in the Oracle Compute Cloud Service console.

  2. Click the Load Balancers tab in the left pane, and then click Load Balancers.

    The Load Balancers page displays any existing load balancers you have already created.

    If you created a new load balancer recently and it is not appearing on the Load Balancers page, click Refresh icon to refresh the list of load balancers.

  3. To create a new load balancer using QuickStarts, click the QuickStarts button.

    The Create Load Balancer page is displayed.

  4. Enter details for the following fields:

    Load Balancer

    • Name - Unique identifier for the load balancer. You must follow these conventions for the Name field:
      • It can contain only alphanumeric characters, hyphens, and underscores.

      • First and last characters cannot be hyphen or underscore.

      • It must not be more than 30 characters.

      • Period is not supported.

    • IP Networks - Select the IP network to be associated with the load balancer. The IP network should be pre-created as described in Creating an IP Network in Using Oracle Cloud Infrastructure Compute Classic.

      Note:

      You can configure your PaaS service instance and load balancer associated with it in same IP network or in the IP networks connected through an IP network exchange. You must create an IP network, create a load balancer in that IP network, and while creating the PaaS service instance choose the same IP network (or some other IP network that's connected through an IP network exchange to the IP network intended to be used for the PaaS instance).

      See Managing IP Network Exchanges in Using Oracle Cloud Infrastructure Compute Classic.

    • Scheme - Select a scheme for the load balancer:
      • Internet-facing - This scheme allows you to create an internet-facing load balancer in a given IP network using Oracle Cloud Infrastructure Load Balancing Classic. This option enables you to add a load balancer to your own IP network while assigning an internet-addressable IP address to the load balancer. This allows your application to be accessible over the internet while protecting the communication between the load balancer and the applications by putting both in the same IP network. In this scheme, the load balancer typically terminates SSL as well; because the backend traffic is protected inside an IP network, no further encryption is necessary.

      • Internal - This scheme allows you to create an internal load balancer in a given IP network using Oracle Cloud Infrastructure Load Balancing Classic. This option enables you to add a load balancer to your own IP network for the sole consumption of other clients inside the same network. Because end-to-end communications from the client to the load balancer, and subsequently to the applications, all stay inside the same IP network in this scheme, the traffic is entirely protected from the internet. In this scheme, encryption and SSL termination are no longer necessary.

    Listener

    • Port - The port on which the load balancer is listening.

      Supported port numbers are 1 to 65535, excluding port number 22. The port number cannot be modified after the listener is created.

    • Balancer Protocol - The transport protocol that will be accepted for all incoming requests to the selected load balancer listener.
      • Select HTTP to listen for non-secure HTTP requests.

      • Select HTTPS to listen only for secure HTTP requests sent over SSL or TLS.

    • Security Certificates - The server security certificate. If the balancer protocol is set to HTTPS then at least one security certificate must be specified. If you want to secure the client connections to the load balancer, then import a server security certificate. Click Import Security Certificate and enter details for the fields as described in Importing a Load Balancer Digital Certificate.

    • Server Protocol - The protocol to be used for routing traffic to the origin servers in the server pool. Select an option from the drop-down list.
      • HTTP - Route HTTP or HTTPS requests to the origin servers using the non-secure HTTP protocol.

      • HTTPS - Route HTTP or HTTPS requests to the origin servers using the secure HTTPS protocol. If you select this option, you must also configure a Trusted Certificate Policy. For more information, see About Load Balancer Policies.

    • Trusted Certificate - If you want to secure the connections between the load balancer and the origin servers in the server pool, then import a trusted certificate. Click Import Security Certificate and enter details for the fields as described in Importing a Load Balancer Digital Certificate.

    • Virtual Hosts - The listener accepts only URI requests that include the host names listed in this field. These host names must exist in the DNS used to reach the load balancer.

      To initially test your load balancer, enter the value of the Canonical Host Name load balancer property.

      Later, if you map the load balancer canonical host name to a custom domain name, you can update this property with the actual virtual host names to accept on this listener.

    Server Pool

    • Servers - You must add at least one server to the server pool. You can select a server from the list of instances provided in the drop-down list, or you can add the server details manually.

      If you are selecting a server from the drop-down list, you must first select the server instance and then enter the Port the server is listening on.

      If you are adding the server details manually, you must add it in the following format:

      <Host DNS Name>:Port

      or

      <Host IP Address>:Port

      Note:

      After you add servers to the Servers field, you can double-click a server to enable or disable it, or you can right click to display a context menu of operations to perform on the servers in the field.

      Servers can be added to a server pool at any point of time. However, a server pool cannot have more than 20 servers. Servers can be removed from a server pool and can be re-assigned later to another server pool or the same server pool.

  5. Click Create.

    A new load balancer is created. If the newly created load balancer does not appear in the Load Balancers tab, click Refresh icon available in the dashboard to refresh the list of load balancers.

    If you selected the internal scheme for the load balancer then the newly created load balancer is enabled by default. If you selected the internet-facing scheme for the load balancer then the newly created load balancer is disabled by default. To enable the load balancer, go to the Load Balancers tab and click Update icon available in the dashboard next to the load balancer that you want to enable. Select the Enable option.

Note:

  • If you selected the IP networks option when creating the load balancer then two listeners (one HTTP and the other HTTPS on ports 80 and 443 respectively) are created by default.

  • If your load balancer was created by Oracle PaaS Service Manager (PSM) then certain parameters of the resources (load balancer, listener, server pool, etc) cannot be modified after the resource creation.

Creating a Load Balancer

When you create a load balancer, you provide a name and the basic properties of the load balancer. Later, you must define server pools, create at least one listener, and optionally define the policies for the load balancer.

To complete this task, you must have the Oracle Load Balancer Service Administrator role. See About Oracle Load Balancer Cloud Service Roles. If the required role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Click the Network tab in the Oracle Compute Cloud Service console.
  2. Click the Load Balancers tab in the left pane, and then click Load Balancers.
    The Load Balancers page displays any existing load balancers you have already created.

    If you created a new load balancer recently and it is not appearing on the Load Balancers page, click Refresh icon to refresh the list of load balancers.

  3. To create a new load balancer, click the Create Load Balancer button.
    The Create Load Balancer dialog box is displayed.
  4. Enter details for the following fields:
    • Name - Unique identifier for the load balancer.
      You must follow these conventions for the Name field:
      • It can contain only alphanumeric characters, hyphens, and underscores.

      • First and last characters cannot be hyphen or underscore.

      • It must not be more than 30 characters.

      • Period is not supported.

    • IP Networks - Select the IP network to be associated with the load balancer. The IP network should be pre-created as described in Creating an IP Network in Using Oracle Cloud Infrastructure Compute Classic.

      Note:

      You can configure your PaaS service instance and load balancer associated with it in same IP network or in the IP networks connected through an IP network exchange. You must create an IP network, create a load balancer in that IP network, and while creating the PaaS service instance choose the same IP network (or some other IP network that's connected through an IP network exchange to the IP network intended to be used for the PaaS instance).

      See Managing IP Network Exchanges in Using Oracle Cloud Infrastructure Compute Classic.

    • Description - A short description for the load balancer. The description must not exceed 1000 characters.
    • Permitted Methods - The permitted HTTP methods for this load balancer. You can select the predefined methods (GET, POST, PUT, PATCH, DELETE, or HEAD) or you can also create your own custom methods. Requests with methods not listed in this field will result in a 403 (unauthorized access) response.

      This option is useful if you want to limit the operations performed on the origin servers in the server pool. For example, for a typical Web server implementation, clients should only need to perform basic HTTP methods, such as GET and POST. Additional methods, such as PUT and DELETE, can be destructive. To take extra steps to protect your data, you can restrict the load balancer to accept and route only GET and POST requests.

    • Scheme - Select a scheme for the load balancer:
      • Internet-facing - This scheme allows you to create an internet-facing load balancer in a given IP network using Oracle Cloud Infrastructure Load Balancing Classic. This option enables you to add a load balancer to your own IP network while assigning an internet-addressable IP address to the load balancer. This allows your application to be accessible over the internet while protecting the communication between the load balancer and the applications by putting both in the same IP network. In this scheme, the load balancer typically terminates SSL as well; because the backend traffic is protected inside an IP network, no further encryption is necessary.

      • Internal - This scheme allows you to create an internal load balancer in a given IP network using Oracle Cloud Infrastructure Load Balancing Classic. This option enables you to add a load balancer to your own IP network for the sole consumption of other clients inside the same network. Because end-to-end communications from the client to the load balancer, and subsequently to the applications, all stay inside the same IP network in this scheme, the traffic is entirely protected from the internet. In this scheme, encryption and SSL termination are no longer necessary.

    • SSL Certificate Port Mapping - A certificate name and port number pair which explicitly configures a certificate to be returned.
    • Enabled - Check this option to enable the load balancer.

      Disabling the load balancer results in access getting denied to all clients. For HTTP/HTTPS listeners, disabling results in 503 responses for new requests; existing requests result in 500 responses.

  5. Click Create.

    A new load balancer is created. If the newly created load balancer does not appear in the Load Balancers tab, click Refresh icon available in the dashboard to refresh the list of load balancers.

    Note:

    • You cannot use a load balancer until you finish the configuration of the load balancer by adding a server pool and a listener. If you selected the IP networks option when creating the load balancer then two listeners (one HTTP and the other HTTPS on ports 80 and 443 respectively) are created by default.

    • If your load balancer was created by Oracle PaaS Service Manager (PSM) then certain parameters of the resources (load balancer, listener, server pool, etc) cannot be modified after the resource creation.

Importing a Load Balancer Digital Certificate

After you obtain a digital certificate, you must import it, so the load balancers you create can access the certificates. This operation uploads the certificate to the server, so it can be listed in the Oracle Compute Cloud Service console.

To import a digital certificate:
  1. Go to the Network page in the Oracle Compute Cloud Service console.
  2. Click Load Balancers in the left pane, and then select Digital Certificates.
    The existing digital certificates are displayed.
  3. Click Import Digital Certificate.
    The Importing Digital Certificate Dialog page is displayed.
  4. Enter details for the following fields:
    • Certificate Type - Select the type of certificate that you want to import. You can import a Server Certificate or a Trusted Certificate:

      • If you are importing a certificate to secure the client connections to the load balancer, then select Server Certificate.

      • If you are importing a certificate to secure the connections between the load balancer and the origin servers in the server pool, then select Trusted Certificate.

      See About Load Balancer Digital Certificates.

    • Name - Specify a name for the certificate. The name can contain only alphanumeric characters, periods, and hyphens, and can be at most 30 characters long.

    • Certificate - The PEM-encoded body of the server certificate. A .pem format file begins with this line:

      -----BEGIN CERTIFICATE-----

      and ends with this line:

      -----END CERTIFICATE-----

      A .pem format file supports multiple digital certificates (for example, a certificate chain can be included). The order of certificates within the file is important.

    • Private Key - This field displays only for server certificates. Specify the PEM encoded body of the private key.

    • Certificate Chain - Specify the PEM-encoded bodies of all certificates in the chain up to and including the CA certificate. This is not needed when the certificate is self-signed.

  5. Click Import.

    A new certificate is imported. If the newly imported certificate is not appearing in the Digital Certificates tab, click Refresh icon available in the dashboard to refresh the list of imported digital certificates.

    Note:

    A digital certificate is an immutable entity and its attributes cannot be modified once the certificate is imported. To renew a digital certificate, the listener needs to be updated with a different certificate entity which has been created with the renewed certificate. A digital certificate can be deleted only when it is not referenced by any listeners. Attempting to delete a digital certificate when it is referenced by one or more listeners will result in the 400 error code.
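
The Certificate and Certificate Chain fields described above can be checked before import. The following is an added example, not part of the original documentation or of any Oracle tool: it verifies the PEM framing, flags private key blocks pasted into a certificate field, and checks that each certificate is followed by its issuer. The leaf-first order is the conventional TLS chain order and is an assumption here, since the page only says that order matters; all function names are hypothetical, and names are compared byte for byte without verifying signatures.

```python
import base64
import re

# PEM framing: five dashes on each side and matching BEGIN/END labels.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s+-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] in the order the blocks appear."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
            for m in PEM_RE.finditer(text)]


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits count the length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def issuer_subject(der):
    """Return the raw DER of the issuer and subject Names of an X.509 certificate."""
    outer, start, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE
    tbs, start, end = _tlv(der, start)    # tbsCertificate ::= SEQUENCE
    if outer != 0x30 or tbs != 0x30:
        raise ValueError("not an X.509 certificate")
    fields, pos = [], start
    while pos < end and len(fields) < 6:
        tag, _, value_end = _tlv(der, pos)
        fields.append((tag, der[pos:value_end]))
        pos = value_end
    if fields and fields[0][0] == 0xA0:   # optional explicit [0] version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    # Remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2][1], fields[4][1]


def lint_certificate_field(pem_text):
    """Return a list of problems in text meant for the Certificate or Chain field."""
    try:
        blocks = pem_blocks(pem_text)
    except ValueError:
        return ["PEM body is not valid base64"]
    if not blocks:
        return ["no PEM block found (BEGIN/END lines need five dashes on each side)"]
    problems, names = [], []
    for label, der in blocks:
        if "PRIVATE KEY" in label:
            problems.append(f"{label} block found: key material belongs only in the Private Key field")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type: {label}")
        else:
            try:
                names.append(issuer_subject(der))
            except (ValueError, IndexError):
                problems.append("CERTIFICATE block does not contain X.509 DER")
    for i in range(len(names) - 1):       # assumed order: leaf first, issuer next
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}: "
                            "wrong order or missing intermediate")
    return problems


# --- Constructed sample input: certificate-shaped DER with no real key or signature ---
def _der(tag, content=b""):
    assert len(content) < 0x80            # short-form lengths are enough for the samples
    return bytes([tag, len(content)]) + content


def _name(cn):
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))    # Name with a single commonName


def sample_pem(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30)
               + _name(issuer) + _der(0x30) + _name(subject))
    body = base64.encodebytes(_der(0x30, tbs + _der(0x30) + _der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = sample_pem("www.example.test", "Example Intermediate")
    inter = sample_pem("Example Intermediate", "Example Root")
    root = sample_pem("Example Root", "Example Root")
    print(lint_certificate_field(leaf + inter + root))   # correct order
    print(lint_certificate_field(leaf + root + inter))   # swapped order
```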

Creating Server Pools for a Load Balancer

Before you can use a load balancer, you must define one or more servers (also known as origin servers) to which the load balancer routes its requests. This set of origin servers is called a server pool. When a request is received on one of the load balancer listeners, the load balancer routes that request to an origin server in the pool.

Before you can add a server pool, you must create a load balancer, as described in Creating a Load Balancer.

To complete this task, you must have at least the Oracle Load Balancer Service Read Write Privileges role. See About Oracle Load Balancer Cloud Service Roles. If the required role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Go to the Network tab in the Oracle Compute Cloud Service console.
  2. Click Load Balancers in the left pane, and then select Load Balancers.

    The console displays any existing load balancers on the Load Balancers page.

  3. Click Update icon available in the dashboard next to the load balancer you want to modify. Select the Update option.

    The Overview tab of the selected load balancer is displayed.

  4. Click the Server Pools tab in the left pane.
    The Server Pools page lists any server pools already created for this load balancer.
  5. Click Create Server Pool.

    The Create Server Pool dialog box is displayed.

  6. Enter details for the following fields:
    • Name - Unique identifier for the server pool.

      You must follow these conventions for the Name field:
      • It can contain only alphanumeric characters, hyphens, and underscores.

      • First and last characters cannot be hyphen or underscore.

      • It must not be more than 30 characters.

      Note that the name cannot be modified after the server pool is created.

    • Servers - You must add at least one server to the server pool. You can select a server from the list of instances provided in the drop-down list, or you can add the server details manually.

      If you are selecting a server from the drop-down list, you must first select the server instance and then enter the Port the server is listening on.

      If you are adding the server details manually, you must add it in the following format:

      <Host DNS Name>:Port

      or

      <Host IP Address>:Port

      Note:

      After you add servers to the Servers field, you can double-click a server to enable or disable it, or you can right click to display a context menu of operations to perform on the servers in the field.

      Servers can be added to a server pool at any point of time. However, a server pool cannot have more than 20 servers. Servers can be removed from a server pool and can be re-assigned later to another server pool or the same server pool.

    • vNICSet - Select the vNICset that has the vNICs of the servers in this pool. This is required only if the servers are attached to IP networks. This vNICSet is used to set the appropriate ACLs to allow egress traffic from the load balancer.
    • Enabled - Check this option to enable the server pool.

      Disabling the server pool results in no new connections being distributed to this server pool from the listener. The server pool is automatically disabled when all member servers are disabled. When at least one of the servers is re-enabled the server pool must be explicitly enabled.

  7. Health Check - The load balancer can perform regular health checks of the origin servers and route inbound traffic to the healthy origin servers. This feature is not enabled automatically when an origin server pool is created and must be enabled explicitly either during the origin server pool creation or update.
    • Type - Select the health check mechanism to use to test the origin servers:
      • HTTP - If HTTP is selected then the load balancer will send an HTTP HEAD request to the origin servers. The HTTP request path is defined in the Path field. The origin server is considered healthy if the HTTP response status code matches one of those defined in the Accepted Return Codes field.

    • Path - The path of the HTTP health check requests. If unspecified, then / (that is, all paths) is assumed. The Path parameter is valid only if the health check Type is set to HTTP.

    • Accepted Return Codes - The HTTP response status codes that indicate the origin server is healthy. The Accepted Return Codes field is valid only if the health check Type is set to HTTP. Accepted return codes can be one or more of the 2xx, 3xx, 4xx, or 5xx codes. If no code is specified then all 2xx and 3xx status codes are considered healthy. If the HTTP health check response status code is one of the values defined in the Accepted Return Codes field, the origin server is considered healthy.

    • Health Check Enabled - The health check feature is disabled by default. Check this option to enable the health check feature.

    • Interval - The approximate interval, in seconds, that the load balancer will wait before sending the target request to each origin server.

    • Timeout - The amount of time, in seconds, that the load balancer will wait without a response before identifying the origin server as unavailable. The timeout value must be less than the interval value and should be in the range 2 to 60.

    • Healthy Threshold - The number of consecutive successful health checks required before moving the origin server to the healthy state. The value of healthy threshold ranges from 2 to 6. If no value is specified then 6 is considered as the healthy threshold value by default.

    • Unhealthy Threshold - The number of consecutive health check failures required before moving the origin server to the unhealthy state. The value of unhealthy threshold ranges from 2 to 10. If no value is specified then 3 is considered as the unhealthy threshold value by default.

  8. Click Create.

    A new server pool is created. If the newly created server pool is not appearing on the Server Pools page, then click Refresh icon available in the dashboard to refresh the list of server pools.

    Note:

    You cannot use a load balancer until you finish the configuration of the load balancer by adding a server pool and a listener.
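
How the health check fields above interact is easier to see in a small model. The following is an added example, not Oracle's implementation: it checks the documented ranges (timeout below interval and within 2 to 60, healthy threshold 2 to 6, unhealthy threshold 2 to 10) and replays a sequence of probe results through the two thresholds. The class and method names are hypothetical; accepted codes are modeled as individual status codes, a probe with no response is represented as None, and the starting state is a parameter because the page does not state it.

```python
from dataclasses import dataclass


@dataclass
class HealthCheck:
    interval: int                             # seconds between probes (no default on the page)
    timeout: int                              # seconds to wait for a response
    healthy_threshold: int = 6                # default stated on the page
    unhealthy_threshold: int = 3              # default stated on the page
    accepted_codes: frozenset = frozenset()   # empty means all 2xx and 3xx

    def problems(self):
        """Return violations of the ranges the page documents."""
        out = []
        if not 2 <= self.timeout <= 60:
            out.append("timeout must be in the range 2 to 60")
        if self.timeout >= self.interval:
            out.append("timeout must be less than interval")
        if not 2 <= self.healthy_threshold <= 6:
            out.append("healthy threshold must be in the range 2 to 6")
        if not 2 <= self.unhealthy_threshold <= 10:
            out.append("unhealthy threshold must be in the range 2 to 10")
        return out

    def passes(self, status):
        """True if one probe result counts as a successful health check."""
        if status is None:                    # no response within the timeout
            return False
        if self.accepted_codes:
            return status in self.accepted_codes
        return 200 <= status <= 399

    def simulate(self, statuses, healthy=True):
        """Return the origin server's state (True = healthy) after each probe."""
        ok_run = fail_run = 0
        states = []
        for status in statuses:
            if self.passes(status):
                ok_run, fail_run = ok_run + 1, 0
                if not healthy and ok_run >= self.healthy_threshold:
                    healthy = True
            else:
                ok_run, fail_run = 0, fail_run + 1
                if healthy and fail_run >= self.unhealthy_threshold:
                    healthy = False
            states.append(healthy)
        return states

    def approx_seconds_to_unhealthy(self):
        """Rough time a failing server keeps receiving traffic (interval is approximate)."""
        return self.unhealthy_threshold * self.interval


if __name__ == "__main__":
    # Constructed probe results: one success, three failures, then recovery.
    probes = [200, 503, None, 500] + [200] * 6
    default = HealthCheck(interval=30, timeout=5)
    print(default.problems(), default.simulate(probes))
    # Listing 503 as an accepted code keeps a failing server in rotation.
    lax = HealthCheck(interval=30, timeout=5, accepted_codes=frozenset({200, 503}))
    print(lax.simulate([503] * 5))
```

With the defaults, a server that starts failing stays in rotation for roughly three intervals, and a recovered server needs six consecutive successes before it receives traffic again.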

Creating Listeners for a Load Balancer

A listener defines the virtual host and port that the load balancer is listening on. It also defines the protocol accepted on the listening port. At least one enabled listener is required for a load balancer. You can configure multiple listeners on a single load balancer.

Before you can add a listener, you must create a load balancer, as described in Creating a Load Balancer.

To complete this task, you must have at least the Oracle Load Balancer Service Operations role. See About Oracle Load Balancer Cloud Service Roles. If the required role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Click the Network tab in the Oracle Compute Cloud Service console.
  2. Click the Load Balancers tab in the left pane, and then click Load Balancers.
    The Load Balancers page displays any existing load balancers you have already created.

    If you created a new load balancer recently and it is not appearing on the Load Balancers page, click Refresh icon to refresh the list of load balancers.

  3. Click Update icon available in the dashboard next to the load balancer that you want to modify. Select the Update option.
    The Overview page of the load balancer is displayed.
  4. Click the Listeners tab in the left pane.
    The Listeners page with a list of existing listeners is displayed.
  5. Click the Create Listener button.
    The Create Listener page is displayed.
  6. Enter details for the following fields:
    • Name - Unique identifier for the listener.
      You must follow these conventions for the Name field:
      • It can contain only alphanumeric characters, hyphens, and underscores.

      • First and last characters cannot be hyphen or underscore.

      • It must not be more than 30 characters.

      Note that the listener name must be unique within the set of load balancers for a compute region in the identity domain in which the load balancer was created. The name cannot be modified after the listener is created.

    • Port - The port on which the load balancer is listening.

      Supported port numbers are 1 to 65535, excluding port number 22. The port number cannot be modified after the listener is created.

    • Balancer Protocol - The transport protocol that will be accepted for all incoming requests to the selected load balancer listener.

      • Select HTTP to listen for non-secure HTTP requests.

      • Select HTTPS to listen only for secure HTTP requests sent over SSL or TLS.

    • Server Protocol - The protocol to be used for routing traffic to the origin servers in the server pool. Select an option from the drop-down list.
      • HTTP - Route HTTP or HTTPS requests to the origin servers using the non-secure HTTP protocol.

      • HTTPS - Route HTTP or HTTPS requests to the origin servers using the secure HTTPS protocol. If you select this option, you must also configure a Trusted Certificate Policy. For more information, see About Load Balancer Policies.

    • Server Pool - The server pool to which the load balancer distributes requests. See Creating Server Pools for a Load Balancer

      Note that you can define a single, common server pool for all listeners for a load balancer by updating the properties of the load balancer. Alternatively, you can define a server pool for each listener. If you do not specify the server pool for the listener then the server pool defined in the Load Balancer properties will be used. If the server pool is specified in the listener, then the server pool for the load balancer will be ignored for this listener.

    • Security Certificate - The server security certificate. If the balancer protocol is set to either HTTPS or SSL then you must select a server certificate. See About Load Balancer Digital Certificates.

    • Policies - List of the load balancer policies applicable to the listener.

      The policies may be applicable to the client side (for example, proxy protocol behavior or SSL negotiation), to the server side interaction (for example, security policies), or to the behavior of certain routing capabilities (for example, HTTP request header injections).

      Note:

      If you set the Server Pool protocol to HTTPS or SSL, then you must select and configure the Trusted Certificate Policy. See Creating Policies for a Load Balancer

    • Virtual Hosts - The listener accepts only URI requests that include the host names listed in this field.

      To initially test your load balancer, enter the value of the Canonical Host Name load balancer property. See Verifying a Load Balancer Configuration.

      Later, if you map the load balancer canonical host name to a custom domain name/vanity URL, you can update this property with the actual virtual host names to accept on this listener.

    • Path Prefixes - Use this field to configure the listener to accept only requests that are targeted to a specific path within the URI of the request.

      If unspecified, then the listener will accept all request URIs that meet the other criteria of the listener.

    • Tags - Collection of tags for this listener.

    • Enabled - Check this option to enable the listener.

      Disabling the listener results in access getting denied to all clients. For HTTP/HTTPS listeners, disabling results in 503 responses with standardized HTML content for new requests; existing requests result in 500 responses.

  7. Click Create.

    A new listener is created. If the newly created listener does not appear in the Listeners tab, click the Refresh icon available in the dashboard to refresh the list of listeners.

    Note:

    You cannot use a load balancer until you finish the configuration of the load balancer by adding a server pool and a listener.

Creating Policies for a Load Balancer

Oracle Load Balancer Cloud Service provides advanced features that you can configure by attaching specific policies to the load balancer.

After you create a load balancer as described in Creating a Load Balancer, you can add policies to the load balancer.

To complete this task, you must have at least the Oracle Load Balancer Service Read Write Privileges role. See About Oracle Load Balancer Cloud Service Roles. If the required role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Click the Network tab in the Oracle Compute Cloud Service console.
  2. Click the Load Balancers tab in the left pane, and then click Load Balancers.
    The Load Balancers page displays any existing load balancers you have already created.

    If you created a new load balancer recently and it does not appear on the Load Balancers page, click the Refresh icon to refresh the list of load balancers.

  3. Click the Update icon available in the dashboard next to the load balancer that you want to modify. Select the Update option.
    The Overview page of the load balancer is displayed.
  4. Click the Policies tab in the left pane.
    The Policies page with a list of any existing policies is displayed.
  5. Click Create Policy.
    The Create Policy dialog displays.
  6. Enter details for the following fields:
    • Policy Type - Select a policy type from the drop-down list:
      • Application Cookie Stickiness Policy

      • CloudGate Policy

      • Load Balancer Cookie Stickiness Policy

      • Load Balancing Mechanism Policy

      • Rate Limiting Request Policy

      • Redirect Policy

      • Resource Access Control Policy

      • Set Request Header Policy

      • SSL Negotiation Policy

      • Trusted Certificate Policy

      For information about these policies, see About Load Balancer Policies.

    • Name - Unique identifier for the policy.
      You must follow these conventions for the Name field:
      • It can contain only alphanumeric characters, hyphens, and underscores.

      • First and last characters cannot be hyphen or underscore.

      • It must not be more than 30 characters.

      Note that you cannot change the name of a policy after you create it.

    • Depending on the policy type you select, you may need to provide additional information as follows:
      • Application Cookie Stickiness Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • App Cookie Name - Name of the application cookie used to control how long the load balancer will continue to route requests to the same origin server.

      • CloudGate Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Virtual Hostname for Policy Attribution - Host name needed by CloudGate to enforce OAuth policies.

      • Load Balancer Cookie Stickiness Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Cookie Expiration Period - The time period, in seconds, after which the cookie should be considered stale. If the value is zero or negative the stickiness session lasts for the duration of the browser session.

      • Load Balancing Mechanism Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Load Balancing Mechanism - Select the type of load balancing mechanism for distributing client requests across multiple origin servers:
          • Round Robin - In Round Robin mechanism the load balancer forwards requests sequentially to the available origin servers—the first request to the first origin server in the pool, the second request to the next origin server, and so on. After it sends a request to the last origin server in the pool, it starts again with the first origin server.

          • IP Hash - In IP Hash mechanism a hash function is used to determine which server should be selected for the next request based on the client’s IP address. This can be used to achieve IP-based session stickiness.

          • Least Connections - In Least Connections mechanism when a client request is processed, the load balancer assesses the number of connections that are currently active for each origin server, and forwards the request to the origin server with the least number of active connections.

          If no option is specified, the Round Robin mechanism is selected by default.
      • Rate Limiting Request Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Zone Name - Name of the shared memory zone.

        • Requests Per Second - Maximum number of requests per second.

        • Burst Size - The number of requests that can be delayed. When this number exceeds the maximum specified as the burst size, the request is terminated with an error 503 (Service Temporarily Unavailable).

          Note:

          Burst size should be a positive integer value between 1 and 10.
        • Delay Excessive Requests - Select this option if you don't want to delay excessive requests while requests are being limited.

        • Logging Level - Select the desired logging level for cases when the server refuses to process requests because the rate is exceeded, or delays request processing:

          • Info

          • Notice

          • Warn

          • Error

          If no option is specified, the logging level is set to Warn by default.

        • Rate Limiting Criteria - Select the criteria based on which requests will be throttled:
          • Server - can be used to limit the requests processed by the virtual server.

          • Remote Address - can be used to limit the processing rate of requests coming from a single IP address.

          Note:

          Rate limiting criteria is immutable. It cannot be modified once the policy is created.
        • HTTP Error Code - The status code to return in response to rejected requests. You can specify any status code between 405 and 599. The HTTP error code is set to 503 by default.

        • Zone Memory Size (MB) - Size of the shared memory occupied by the zone. The default value for zone memory size is 10 MB.

      • Redirect Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Redirect URI - When this policy is attached to a listener, all requests served by that listener will be redirected to the specified URI.

        • Response Code - The exact 3xx response code to use when redirecting.

      • Resource Access Control Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Disposition - The fundamental disposition of security rules.

        • Permitted Clients - Set of IP addresses or CIDR ranges identifying clients from which requests must be accepted by the load balancer.

        • Denied Clients - Set of IP addresses or CIDR ranges identifying clients from which requests must be denied by the load balancer.

      • Set Request Header Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Header Name - The name of the HTTP header to be added to the request before proxying to the origin servers. The header name must conform to relevant HTTP RFC guidelines. You can specify any header including standard headers like HOST. Header names are not case-sensitive.

        • Value - The header value to be added to the request. If multi-valued, multi-line, or special formatting values are used, then appropriate custom transport encoding should also be used. The value is set as-is in the header. The header value must conform to the length restrictions as per HTTP RFC guidelines.

        • Action When Header Exists - Select an action to be taken when a header exists in the request:
          • NOOP - Take no action if the header exists already.

          • Prepend - Add the provided header value to the existing header, but insert it before the existing header content.

          • Append - Add the provided header value to the existing header, but insert it after the existing header content.

          • Overwrite - Remove any existing value in the header and replace it with the provided header information.

          • Clear - Clear any existing header information from the request.

          If no action is specified, the Overwrite action is performed.
        • Action When Header Value Is - The specified action is taken only when the header exists in the request and the value of the header matches the value in this field.

        • Action When Header Value Is Not - The specified action is taken only when the header exists in the request and the value of the header does not match the value in this field.

      • SSL Negotiation Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • SSL Protocol - Click this field and select the specific security protocols supported for incoming secure client connections to the selected listener.

        • SSL Cipher - Click this field and select the SSL ciphers supported for incoming secure client connections to the selected listener. The server certificate you are using for this listener should have been created using a signing algorithm based on the ciphers selected in this field. See About Load Balancer Digital Certificates.

        • Port - The load balancer port for the SSL protocols and the SSL ciphers. Supported port numbers are 1 to 65535, excluding port number 22.

        • Server Order Preference - Use this option to enable or disable the server order preference for secure connections to this listener.

          During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client's list that matches any one of the load balancer's ciphers is selected for the SSL connection.

          If Server Order Preference is not enabled, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer. If the Server Order Preference is enabled, then the load balancer selects the first cipher in its list that is in the client's list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. The default policy has Server Order Preference enabled.

      • Trusted Certificate Policy

        • Name - Enter a unique name for this policy, so you can easily identify it in the list of load balancer policies or reference it in a REST API call.

        • Trusted Certificate URI - Select a trusted certificate from the drop-down menu.

          The list in the drop-down menu contains the trusted certificates you have obtained or created and imported so they are available to the load balancer.

          This policy is required when you are configuring a secure connection between the load balancer and the origin servers in the server pool. In this scenario, you have configured the application server or Web server software on the origin servers to accept only secure HTTPS or SSL connections.

          See About Load Balancer Digital Certificates.

  7. Click Create.

    A new policy is created. If the newly created policy does not appear in the Policies tab, click the Refresh icon available in the dashboard to refresh the list of policies.
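
The Server Order Preference rule described under SSL Negotiation Policy, as an added Python sketch that is not Oracle's code: it compares the cipher chosen with the option enabled and disabled. The cipher names and client offers are constructed sample values, and `negotiate` and `audit` are hypothetical helper names.

```python
# Added illustration of the Server Order Preference selection rule.
# Cipher names and client offers are constructed sample values, not the
# service's actual cipher list.

# Load balancer's cipher list in its own order of preference (constructed).
LB_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

# Client offers, each in the client's order of preference (constructed).
CLIENT_OFFERS = {
    "modern-browser": ["ECDHE-RSA-AES128-GCM-SHA256",
                       "ECDHE-RSA-AES256-GCM-SHA384"],
    "legacy-first": ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
    "no-overlap": ["DES-CBC3-SHA"],
}


def negotiate(client_ciphers, lb_ciphers, server_order_preference):
    """Return the cipher both sides agree on, or None if there is no overlap.

    Enabled:  first cipher in the load balancer's list that the client offers.
    Disabled: first cipher in the client's list that the load balancer supports.
    """
    if server_order_preference:
        ordered, allowed = lb_ciphers, set(client_ciphers)
    else:
        ordered, allowed = client_ciphers, set(lb_ciphers)
    return next((c for c in ordered if c in allowed), None)


def audit(lb_ciphers, client_offers):
    """List clients whose negotiated cipher changes when the option is off.

    Each row is (client, cipher with the option on, cipher with it off,
    number of places the result drops in the load balancer's own ranking).
    """
    rows = []
    for name, offer in client_offers.items():
        on = negotiate(offer, lb_ciphers, True)
        off = negotiate(offer, lb_ciphers, False)
        if on != off:  # both are None when there is no common cipher
            drop = lb_ciphers.index(off) - lb_ciphers.index(on)
            rows.append((name, on, off, drop))
    return rows


if __name__ == "__main__":
    for name, on, off, drop in audit(LB_CIPHERS, CLIENT_OFFERS):
        print(f"{name}: on={on} off={off} (drops {drop} places)")
```

Rows with a larger drop identify clients that would land on a lower-ranked entry of the load balancer's list when the option is disabled. Removing ciphers you do not want negotiated from the SSL Cipher field closes that gap regardless of the setting.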

Configuring Load Balancer General Properties

When you create a load balancer, you change the name of the load balancer and set some general properties of the load balancer.

To complete this task, you must have at least the Oracle Load Balancer Service Read Write Privileges role. See About Oracle Load Balancer Cloud Service Roles. If the required role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
To configure the load balancer general properties:
  1. Click the Network tab in the Oracle Compute Cloud Service console.
  2. Click the Load Balancers tab in the left pane, and then click Load Balancers.
    The Load Balancers page displays any existing load balancers you have already created.

    If you created a new load balancer recently and it does not appear on the Load Balancers page, click the Refresh icon to refresh the list of load balancers.

  3. Click the Update icon available in the dashboard next to the load balancer that you want to modify. Select the Update option.
    The Overview page of the load balancer is displayed.
  4. Scroll down and expand the General section of the Overview page.
    The list of general properties appears.
  5. Use the following table to update the properties:
    Option Description

    Name

    Unique identifier for the load balancer. This name will appear in the list of load balancers in the console, and you can use this name when referencing the load balancer in REST API calls.

    You must follow these conventions for the Name field:
    • It can contain only alphanumeric characters, hyphens, and underscores.

    • First and last characters cannot be hyphen or underscore.

    • It must not be more than 30 characters.

    Description

    A short description for the load balancer. This description appears in the list of load balancers in the console. The description must not exceed 1000 characters.

    Permitted Methods

    The permitted HTTP methods on this load balancer. You can select the predefined methods (GET, POST, PUT, PATCH, DELETE, or HEAD) or you can also create your own custom methods. Requests with methods not listed in this field will result in a 403 (unauthorized access) response.

    This property is useful if you want to limit the operations performed on the origin servers in the server pool. For example, for a typical Web server implementation, clients should need to perform only basic HTTP methods, such as GET and POST. Additional methods, such as PUT and DELETE, can be destructive. To take extra steps to protect your data, you can restrict the load balancer to accept and route only GET and POST requests.

    Note that the method names are case-sensitive.

    Server Pool

    Specify the server pool for this listener.

    Note that you can also specify server pools for each load balancer listener. If you specify a server pool for a listener, the server pool designation on the listener overrides this setting on the load balancer. See Creating Listeners for a Load Balancer.

    Permitted Clients

    The list of permitted client IP addresses or CIDR ranges which can connect to this load balancer on the configured listener ports. If the list is empty all connections are permitted.

    Tags

    Collection of tags for this load balancer.

    Enabled

    Check this option to enable the load balancer. Disabling the load balancer results in access getting denied to all clients.

    For HTTP/HTTPS listeners, disabling results in 503 responses for new requests; existing requests result in 500 responses.

  6. Click Update.
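
The Permitted Clients, Permitted Methods, Enabled and Server Pool properties above, modeled as an added Python sketch (not Oracle's code or API). The class, function names, sample addresses and the order of the checks are assumptions of this example; the page gives no response code for a client outside Permitted Clients, so the sketch returns only "denied".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LoadBalancer:
    """Hypothetical stand-in for the general properties table."""
    server_pool: Optional[str] = None
    permitted_methods: List[str] = field(default_factory=lambda: ["GET", "POST"])
    permitted_clients: List[str] = field(default_factory=list)  # IPs or CIDRs
    enabled: bool = True


def client_permitted(lb: LoadBalancer, client_ip: str) -> bool:
    """An empty Permitted Clients list permits every connection."""
    if not lb.permitted_clients:
        return True
    addr = ipaddress.ip_address(client_ip)
    # strict=False lets a bare address such as "198.51.100.7" act as a
    # single-host network, so IPs and CIDR ranges share one code path.
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in lb.permitted_clients)


def evaluate(lb, client_ip, method, listener_pool=None):
    """Return (decision, detail) for a new request.

    The check order (enabled, client, method) is an assumption.
    """
    if not lb.enabled:
        return ("503", "load balancer disabled")
    if not client_permitted(lb, client_ip):
        return ("denied", "client not in Permitted Clients")
    if method not in lb.permitted_methods:  # case-sensitive: "get" != "GET"
        return ("403", "method not in Permitted Methods")
    # A server pool set on the listener overrides the load balancer's pool.
    pool = listener_pool or lb.server_pool
    if pool is None:
        raise ValueError("no server pool on the listener or the load balancer")
    return ("route", pool)


# Constructed sample configuration and requests (documentation address ranges).
SAMPLE_LB = LoadBalancer(
    server_pool="pool-default",
    permitted_clients=["203.0.113.0/24", "198.51.100.7"],
)
SAMPLE_REQUESTS = [
    ("203.0.113.9", "GET", None),
    ("203.0.113.9", "get", None),       # wrong case
    ("203.0.113.9", "DELETE", None),    # not listed
    ("192.0.2.1", "GET", None),         # outside Permitted Clients
    ("198.51.100.7", "POST", "pool-api"),
]

if __name__ == "__main__":
    for ip, method, pool in SAMPLE_REQUESTS:
        print(ip, method, evaluate(SAMPLE_LB, ip, method, pool))
```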

Adding the Load Balancer IP Addresses to the IP Security List

The security IP list identifies the IP addresses that can access the Compute instances in your server pool. Before a load balancer can route requests to the Compute instances, you must modify the security IP list for the compute instances so it includes the IP addresses of the load balancer.

You should have already configured your IP network so HTTP requests can be received by the Compute instances, but this step ensures the load balancer IP addresses are recognized by the Compute instances. See Managing Security IP Lists in Using Oracle Compute Cloud Service (IaaS).

For more information about the load balancer IP addresses, see About the Load Balancer IP Addresses and Canonical Host Name.

  1. Locate and note the IP addresses assigned to the Load Balancer.
    1. Go to the Network tab in the Oracle Compute Cloud Service console.
    2. Click Load Balancers in the left pane and select the Load Balancers option.
      The existing load balancers are displayed.
    3. Go to the load balancer that you want to view and click the View icon available in the load balancer dashboard.
    4. In the Information section of the page, note the IP values in the Virtual Load Balancer IP addresses field.
  2. Add both of the Load Balancer IP addresses to the security IP list for the compute instances in the Server pool.

Verifying a Load Balancer Configuration

When you finish initially configuring a new load balancer, it is important to verify that the load balancer is working properly and routing requests to the origin servers, based on your configuration settings.

To verify a load balancer you just configured, open your browser and enter one of the virtual host URLs that you created for the load balancer listeners. Verify that the URL returns the files or applications it should. If you receive an error, review the log files for specific errors.

  1. Click the Network tab in the Oracle Compute Cloud Service console.
  2. Click the Load Balancers tab in the left pane, and then click Load Balancers.
    The Load Balancers page displays any existing load balancers you have already created.

    If you created a new load balancer recently and it does not appear on the Load Balancers page, click the Refresh icon to refresh the list of load balancers.

  3. Click the Update icon available in the dashboard next to the load balancer that you want to modify. Select the Update option.
    The Overview page of the load balancer is displayed.
  4. In the Information section of the page, make a note of the Canonical Host Name of the load balancer.
  5. In a browser window, enter the Canonical Host Name of the load balancer as the URL, followed by the port or path identified in the listener.

    For example:

    http://canonical_host_name:7777/
    Based on the settings in the load balancer listener, you should see the appropriate HTML page of your Web server or the appropriate application, served from one of the Compute instances in the load balancer server pool.