How does the Load Balancer distribute incoming application traffic across multiple bare metal compute instances?
The Load Balancer checks for incoming traffic on the load balancer’s IP address and distributes incoming traffic to a list of backend servers based on a load balancing policy, and a health check policy you define in a logical entity called a Backend Set. The backend set determines how the load balancer directs traffic to the collection of backend servers.
What Load Balancing Policies can I define?
You can define Load Balancing Policies that tell the load balancer how to distribute incoming traffic to the backend servers. Currently, we support the following load balancer policies:
- Round robin
- Least connections
- IP hash
What Health Check Policies can I define?
You can confirm the availability of your backend servers via request or connection attempts based on a time-interval you specify. Currently, we support the following TCP-level or HTTP-level health checks for your backend servers:
- TCP-level health checks attempt to make a TCP connection with the backend servers and validate the response based on the connection status.
- HTTP-level health checks send requests to the backend servers at a specific URI and validate the response based on the status code or entity data (body) returned.
Alternatively, you can determine the health of a load balancer instance in relation to its backend servers in a programmatic way via the load balancer health API.
What is the Load Balancer Health API?
The load balancer health API is a programmatic mechanism for determining the health of a load balancer instance in relation to its backend servers.
When should I use the Load Balancer Health API?
You should use the health API when you wish to build your own notification and monitoring system or integrate with a system you are currently using.
For which components of the Load Balancer can I retrieve health status via the Health API?
Programmatically polling the load balancer health API, you can obtain a 3-state health status (ok, warning, critical) indicating the health of each backend server or, as an aggregate of all backend servers in a backend set, the entire backend set.
What incoming Protocols does the Load Balancer support?
The Load Balancer Listener which is a logical entity that checks for incoming traffic on the load balancers IP address. You configure a listener's protocol and port number, and the optional SSL settings.
Currently supported protocols include:
Can the Load Balancer handle TCP, HTTP and HTTPS traffic at the same time?
Yes, the Load Balancer can handle TCP, HTTP and HTTPS traffic at the same time. To do so, you must configure multiple listeners.
What TCP ports can I load balance?
You can load balance for any port between 1-65535.
Can I specify a range of TCP ports to load balance?
No. Load Balancer currently only supports IPv4 traffic.
Does the Load Balancer support IPv6 traffic?
No. Load Balancer currently only supports IPv4 traffic.
Can I provide pre-provisioned load balancing capacity (bandwidth)?
Yes, you can provide pre-provisioned load balancing capacity (bandwidth) by selecting a load balancer shape. A load balancer shape is a template that determines the load balancer's total pre-provisioned maximum capacity (bandwidth) for ingress plus egress traffic. Currently available shapes include 100 Mbps, 400 Mbps, and 8000 Mbps.
NOTE: Pre-provisioned maximum capacity applies to aggregated connections, not to a single client attempting to use the full bandwidth.
Can I change the shape of my load balancer?
Currently, you cannot change the shape of your load balancer once you created the load balancer. To change the shape of your load balancer (e.g. to increase or decrease the pre-provisioned bandwidth for ingress plus egress traffic), you can use the Console or API to create another load balancer with the new shape and update the DNS A-record associated with you load balancer’s IP address.
Does the Load Balancer support SSL termination?
Yes, you can optionally terminate SSL at the load balancer. To use SSL with your load balancer, you must add one or more certificate bundles to your system. The certificate bundle you upload includes the public certificate, the corresponding private key, and any associated Certificate Authority certificates. To terminate SSL at the load balancer, you must create a listener at a default port such as 443, and then associate an uploaded certificate bundle with the listener.
Does the Load Balancer support end-to-end termination?
Yes, you can optionally implement end-to-end SSL. To use SSL with your load balancer, you must add one or more certificate bundles to your system. The certificate bundle you upload includes the public certificate, the corresponding private key, and any associated Certificate Authority certificates. For end to end SSL, you must associate uploaded certificate bundles with both the listener and the backend set.
Does the Load Balancer support SSL tunneling?
Yes, you can optionally implement SSL tunneling for your TCP load balancer and tunnel incoming SSL connections to your application servers.
Which Transport Layer Security protocol and ciphers does the load balancer support?
The Load Balancing Service supports the TLS 1.2 protocol with a default setting of strong cipher strength. The default supported ciphers include:
Does the Load Balancer support session persistence (“Sticky Sessions”)?
Yes, you can enable for your HTTP load balancer server-side, cookie-driven session persistence.
Does the Load Balancer support custom HTTP header manipulation?
Yes, you can you can add, alter, or remove HTTP headers with Listener rule sets feature. A rule set is a named set of rules associated with a load balancer and applied to one or more listeners on that load balancer. Rules are objects that represent actions applied to requests or responses at a load balancer listener. Examples of how rule sets can help you enhance site security include:
- Adding the "strict-transport-security" header, with a proper value, to responses. This header helps guarantee that access to your site is HTTPS only.
- Adding the "x-xss-protection" header with a proper value. This header helps you enforce the cross-site scripting (XSS) protection built into modern browsers.
- Adding the "x-content-type" header with a proper value. This header helps you prevent attacks based on content type shifting.
- Removing debug headers, such as "Server", sent by backend servers. This action helps you hide the implementation details of your backend.
Can I limit access to the Load Balancing Service via an IAM Policy?
Yes, you can limit access to the Load Balancing Service via a policy written by an administrator.