OCI (Oracle Cloud Infrastructure) Load Balancer
OCI is under active development and new features are coming all the time, so this applies to roughly the end of 2018 - start of 2019.
OCI has regions, one is Phoenix, TX, USA. A region usually has three Availability Domains (ADs), which are just data centres.
They are ~60 miles apart. Virtual Cloud Network (VCN) is a regional service.
See picture below: we'll use two ADs, and each AD has two subnets for this setup.
Create VCN, Virtual Cloud Network
A VCN is a regional service, so for the Phoenix region, create a new VCN.
From menu, select "Networking - VCN"
- select compartment
- click "create VCN"
- see pop up window
- verify compartment name
- enter a meaningful name, like ha_vcn_etcfstab
- select "create vcn plus related resources"
- create vcn - close
Create SSH keys
Create a public/private SSH key pair, used to launch the compute instances and to SSH into them. Use the ssh-keygen command.
Create two compute instances
Create first compute instance
From menu, Compute - Instance - Create instance
Take note of the public IP, 22.214.171.124. The private IP is on subnet3, see diagram above.
- name "webone"
- select, verify
- image OL7.6
- type: VM
- shape E2.1
- boot volume, default
- ssh keys: add yours
- VCN: select your ha_vcn_etcfstab
- select your compartment
- subnet: select subnet 3, as per diagram
- click Create
Create second compute instance
Repeat for the second instance, webtwo.
The public IP is 126.96.36.199 and the private IP is in subnet 4, see diagram above.
Install web servers
- SSH to the instances, command is "ssh -i <private-key> opc@public-IP"
- Install Apache: "sudo yum -y install httpd"
- Add the httpd firewall rule:
  - sudo firewall-cmd --permanent --add-port=80/tcp
  - sudo firewall-cmd --reload
- Start Apache
- Create a test web page, like /var/www/html/index.html, that reads "this is webone" or "webtwo".
Prep work for Load Balancer creation
The LB should be in a different subnet than the instances,
and we'll have ingress (incoming traffic) and egress (outgoing traffic) rules.
Basically, instances are secure in private subnets, and public Internet traffic is allowed to the LB in public subnets.
- Create a security list, to be used by the LB
  - VCN - Security list - create security list
  - Give name as "lbweb_security_list"
  - delete ingress/egress default entries
  - click create
- Create a route table, to be used by the two new subnets, 1 and 2
  - VCN details - Route Table - create route table
  - Give name as "lbweb_routetable"
- Create two subnets, in different ADs, subnet 1 and 2, see diagram
  - VCN - Subnets - create subnet
  - Give name as "lbweb-subnet1"
  - CIDR: 10.0.4.0/24
  - route table: lbweb_routetable
  - subnet access: public
  - dhcp: default
  - security list: lbweb_security_list
  - Repeat for lbweb-subnet2, 10.0.5.0/24
Create Load Balancer
From menu, Networking - Load Balancer
- Give name as lb-myweb
- Shape: 100 Mbps
- Visibility: public
- VCN: ha_vcn_etcfstab
- Subnet: lbweb-subnet1
- Listener: http / 80
- Backend Setup info: Weighted round robin, and add both instances (webone and webtwo)
- Note LB public IP, 188.8.131.52
So I create only one LB, and OCI then creates a second "LB service" in the second subnet, for failover purposes.
Update security list
Basically, each instance has a default security list. A list can hold stateful and stateless rules.
- Stateful means that connection tracking is used for any traffic that matches the rule.
When an instance receives traffic matching a stateful ingress rule,
the response is tracked and automatically allowed back to the originating host,
regardless of any egress rules applicable to the instance.
- Stateless means that connection tracking is not used for any traffic that matches the rule.
So response traffic is not automatically allowed; a corresponding stateless egress rule needs to exist.
The default stateful ingress rule for a newly created instance is:
Allow TCP traffic on destination port 22 (SSH) from source 0.0.0.0/0 and any source port.
So you can quickly SSH to it and do work.
Usually when you create an ingress rule, the things to specify are: stateful or stateless, the source details and then the destination.
With egress, you define the destination first, then the source details.
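The stateful/stateless difference described above, as a small Python model added here (it is not part of the original page and is not OCI code or the OCI API). The Rule, Packet and SecurityList names and the 10.0.4.5 address are assumptions for illustration; the model lets the first matching rule decide, and sends one HTTP request from the LB subnet to an instance.

```python
# Simplified model of stateful vs stateless rules (constructed; not the OCI API).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                  # "ingress" or "egress"
    stateless: bool
    peer_cidr: str                  # source for ingress, destination for egress
    dst_port: Optional[int] = None  # None means any port
    src_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    direction: str
    peer_ip: str                    # the remote end, as seen from the instance
    src_port: int
    dst_port: int

class SecurityList:
    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()        # replies expected for statefully admitted traffic

    def allows(self, p: Packet) -> bool:
        # Reply to a tracked connection: allowed regardless of rules in this direction.
        if (p.direction, p.peer_ip, p.src_port, p.dst_port) in self.tracked:
            return True
        for r in self.rules:
            if (r.direction == p.direction
                    and ip_address(p.peer_ip) in ip_network(r.peer_cidr)
                    and r.dst_port in (None, p.dst_port)
                    and r.src_port in (None, p.src_port)):
                if not r.stateless:  # remember what the reply will look like
                    back = "egress" if p.direction == "ingress" else "ingress"
                    self.tracked.add((back, p.peer_ip, p.dst_port, p.src_port))
                return True
        return False

def http_round_trip(rules, lb_ip="10.0.4.5"):   # constructed address in lbweb-subnet1
    sl = SecurityList(rules)
    request = Packet("ingress", lb_ip, 40000, 80)
    reply = Packet("egress", lb_ip, 80, 40000)
    return sl.allows(request), sl.allows(reply)

LB = "10.0.4.0/24"                  # lbweb-subnet1 CIDR from the page
STATEFUL = [Rule("ingress", False, LB, dst_port=80)]
STATELESS = [Rule("ingress", True, LB, dst_port=80)]
STATELESS_PAIR = STATELESS + [Rule("egress", True, LB, src_port=80)]
```

Calling http_round_trip() with each rule set returns a pair (request allowed, reply allowed); only the stateless ingress rule without a matching egress rule loses the reply.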