Backend Configuration

In the context of network load balancers, the term backend refers to the components that receive, process, and respond to forwarded client requests. Backend servers are grouped into backend sets; they receive client requests based on the configured load balancing policy. Health checks ensure that traffic only goes to healthy backend servers.

Backend Sets

The backend set in a network load balancer configuration consists of a list of backend servers, a network load balancing policy, and a health check script. Backend sets group backend servers together and make them easier to configure and manage from a network load balancer perspective.

A backend set must be associated with one or more listeners.

Backend Servers

When creating a Network Load Balancer (NLB), you must specify the backend servers to include in each backend set. Backend servers can be set up as individual compute instances or as instance pools. You can add and remove backend servers without disrupting traffic.

TCP is the transport protocol of a backend server and is configured as part of the backend set.

When you add backend servers to a backend set, you specify either the instance OCID or an IP address for the server to add. An instance with multiple VNICs attached can have multiple IP addresses pointing to it. If you identify a backend server by OCID, the NLB uses the primary VNIC's primary private IP address. If you identify the backend servers to add to a backend set by their IP addresses, it is possible to point to the same instance more than once.

The NLB routes incoming traffic to the backend servers based on the configured load balancing policy. To route traffic to a backend server, the NLB requires the IP address of the compute instance and the relevant application port. If the backend server resides within the same VCN as the NLB, Oracle recommends that you specify the compute instance's private IP address. The private IP address also works if a local peering gateway enables traffic between the NLB's VCN and the backend server's VCN. If the backend server and NLB reside in different VCNs without a peering connection, you must specify the public IP address of the compute instance. You must also ensure that the VCN security rules allow external traffic.

To enable backend traffic, your backend server subnets must have appropriate ingress and egress security rules. When you add backend servers to a backend set, you can specify the applicable network security groups (NSGs). If you prefer to use security lists for your VCN, you can configure them through the Networking service.

Note:

To accommodate high-volume traffic, Oracle strongly recommends that you use stateless security rules for your load balancer subnets. See Virtual Firewall in the chapter Virtual Networking Overview.

Network Load Balancer Health Checks

Network Load Balancer (NLB) health checks are tests to confirm the availability of backend servers. These tests occur in the form of an attempt to make a TCP connection with the backend servers and validate the response based on the connection status.

The health check policy includes a time interval you specify, to ensure that the backend servers are continuously monitored. If a server fails a health check, the NLB takes the server temporarily out of rotation. If the server later passes the health check, the NLB returns it to the rotation.

The health check policy is configured when you create a backend set.

The TCP handshake can succeed and indicate that the service is up even when the HTTP service is incorrectly configured or having other issues. Although the health check returns no errors, you might experience transaction failures.

The service provides application-specific health check capabilities to help you increase availability and reduce your application maintenance window.

Health status indicators are used to report the general health of an NLB and its backend servers/sets. The possible statuses are: ok, warning, critical, unknown. Health status is updated every three minutes. No finer granularity is available. Historical health data is not provided.